Anne-Marie Hayden

Calming the Privacy Waters: Navigating your organization’s privacy maturity journey with a GAPP Analysis




Back in June, I had the privilege of co-presenting at the IAPP Canada Privacy Symposium on the topic of GAPP analyses. This blog post about the presentation was first posted on the nNovation LLP website. It highlights some of my work as a consultant with the firm, which includes both privacy communications and privacy compliance. I love doing both - it keeps my days diverse, my mind sharp and it's never boring!


Now, back to the topic at hand. A GAPP analysis – an analysis of the Generally Accepted Privacy Principles – is a comprehensive assessment of an organization’s privacy maturity. While privacy impact assessments (PIAs) are essential and provide a deep-dive into specific areas, kind of like scuba diving, where you can explore all the nooks and crannies of a specific program or initiative, a GAPP analysis offers a broader view, which I think is more akin to snorkeling. When you’re snorkeling, you stay closer to the surface, giving you a wide picture of the underwater world. Similarly, a GAPP analysis allows you to see what is in good shape and what may need more work across your entire organization.


The process of conducting a GAPP analysis involves a few key steps. We start by gathering and reviewing relevant documents and policies. We then hold a series of departmental interviews to fully understand existing privacy practices across nine main domains that are congruent with the privacy principles. We analyze and score what we’ve learned and determine where the organization falls on a maturity continuum for a long list of criteria, ranging from ad hoc, through defined, to optimized practices.


This structured approach, which was originally established by the accounting associations in both Canada and the US, helps identify strengths, weaknesses, and areas for improvement. It provides a good, clear picture of where an organization stands in its privacy journey and helps them to prioritize efforts as they move forward. Additionally, we like the fact that GAPP analyses are flexible and adaptable, allowing them to be tailored to fit the modern context and specific needs and realities of any organization. The final report includes an assessment against the maturity model, ratings, and recommendations and advice for addressing any gaps identified.


There are so many benefits to undertaking a GAPP analysis. It not only enhances organizational awareness of privacy needs and strengthens data governance, it also helps identify potential compliance risks and showcase accountability in privacy management. It makes for a handy roadmap for advancing an organization’s privacy maturity, fostering continuous improvement. We have found that it also helps identify and empower new privacy champions. Additionally, a project like this can help highlight areas where additional resources may be needed, which can potentially lead to collaborations and even improved resourcing for privacy work.


There is a movement toward regulatory guidance that is more plain language, meaningful, and concrete. As a communications professional this is music to my ears! I would love to see more regulatory guidance that also includes some type of maturity scale, which I believe would make that guidance even more relevant, adaptable and scalable to organizations of different shapes, sizes and contexts.

