GAP Analysis in the Field of Personal Data Protection

Over the past decade, we have seen an unprecedented revolution in the manner and extent of collection and processing of personal data, enabled by advances in technology and its accessibility. This revolution, along with the growing concern among individuals for their privacy, has led to more comprehensive regulations in the area of protecting individuals’ rights to privacy, which include the GDPR (General Data Protection Regulation) and the Law on Personal Data Protection of the Republic of Serbia (which is largely aligned with the GDPR, considering the connection Serbia and companies based in Serbia have to the market of the European Union).

Given the complexity of these regulations and their application beyond the EU and Serbia, it has become crucial for companies to ensure their operations follow standards such as the GDPR and the Law on Personal Data Protection. This is particularly important as individuals place increasing value on their privacy, and violations can have dire consequences. Hence, companies must regularly evaluate whether they are adhering to these stringent privacy laws.

Such checks and assessments of compliance are conducted through so-called GAP analyses. They serve to ascertain the current state in various areas, find shortcomings (the “gap”), and propose solutions to eliminate those shortcomings and/or improve operations.

In the context of personal data protection, a GAP analysis is a complex process of legal and technical monitoring of the methods and processes used to process personal data. It highlights deficiencies and issues, and it proposes and implements measures for the safe and lawful processing of personal data.

In this regard, to determine whether personal data is being processed lawfully and securely enough, it is no longer sufficient to rely solely on legal expertise; the involvement of technical specialists with knowledge of the hardware and software used for data processing, as well as of cybersecurity, is also required. This has become particularly clear after the adoption of new legal and technical requirements in the field of personal data processing and the simultaneous emergence of technologies and jobs based on mass processing of personal data (which also includes the increasingly prevalent use of artificial intelligence (AI)-like systems). Therefore, the GAP analysis must be conducted by a team made up of both legal experts and IT specialists.

Forming such a team from existing employees who are already engaged in their current jobs (most of whom do not have the necessary experience in the field of data protection) is not a simple task. Thus, it is advisable for companies to hire external legal and technical consultants to conduct GAP analyses in the field of personal data processing. This approach allows for a more precise identification of shortcomings, thanks to the consultants’ prior experience and their ability to objectively assess data processing operations, without disrupting the company’s daily operations.

A properly conducted GAP analysis, together with the implementation of the measures based on it, enables companies to better manage the risks associated with processing the personal data of individuals, whether those individuals are employees, associates or users of services or products.

This text is written for informational purposes only and does not constitute legal advice. We are at your disposal for any additional information.
