privacy-law-gap-analysis

Privacy Law Gap Analysis for Market Entry

Overview

When an organisation enters a new market, it must assess the target jurisdiction's privacy requirements against its existing compliance posture. A structured gap analysis identifies what additional controls, policies, and procedures are needed to achieve compliance before commencing operations. This skill provides a repeatable methodology for conducting such assessments, estimating remediation effort, and planning implementation timelines.

Gap Analysis Methodology

Phase 1: Target Jurisdiction Assessment

Step 1 — Regulatory Landscape Mapping

Assessment Element	Questions to Answer
Primary data protection law	What is the comprehensive data protection statute? When was it enacted and last amended?
Regulator	Which authority enforces the law? What is its enforcement track record?
Scope	Does the law have extraterritorial reach? What activities trigger applicability?
Registration/notification	Is regulatory registration or notification required before processing?
Local representative	Is a local representative or establishment required?
DPO requirement	Must a Data Protection Officer be appointed? What qualifications are needed?
Sector-specific rules	Are there additional sector-specific requirements (financial, health, telecom)?

Step 2 — Requirement Extraction

Extract detailed requirements across 12 compliance domains:

1. Lawful basis: Available bases; consent requirements; legitimate interest availability
2. Individual rights: Catalogue of rights; response deadlines; format requirements
3. Consent management: Form requirements; withdrawal mechanism; children's consent; sensitive data consent
4. Notice and transparency: Content requirements; language requirements; timing; format
5. Cross-border transfers: Mechanisms; adequacy status; data localisation requirements
6. DPO and governance: Appointment criteria; qualifications; reporting structure
7. Breach notification: Timeline; threshold; content; authority and individual notification
8. Impact assessment: Triggers; content; retention; review frequency
9. Security safeguards: Minimum standards; encryption requirements; access control
10. Retention and deletion: Limitation principles; destruction timelines; methods
11. Enforcement and penalties: Administrative fines; criminal penalties; civil liability
12. Record-keeping: Processing records; consent records; transfer records; breach records

Phase 2: Existing Compliance Mapping

Step 1 — Inventory Current Controls

Control Category	Inventory Items
Policies	Privacy policy, cookie policy, employee privacy notice, vendor privacy requirements
Procedures	DSR response, breach notification, DPIA, consent management, data deletion
Technical controls	Encryption, access control, logging, DLP, anonymisation/pseudonymisation
Organisational controls	DPO, privacy team, training programme, governance committee
Contractual controls	DPA templates, SCC templates, vendor agreements, intra-group agreements
Records	Processing register, consent records, transfer register, breach log

Step 2 — Map Current Controls to Target Requirements

For each target jurisdiction requirement, assess:

• Fully met: Existing control satisfies the requirement without modification
• Partially met: Existing control addresses the requirement but needs enhancement
• Not met: No existing control addresses the requirement; new control needed
• Not applicable: Requirement does not apply to the organisation's planned activities

Phase 3: Gap Identification and Prioritisation

Gap Classification

Classification	Definition	Priority	Remediation Timeline
Critical	Legal requirement with no existing control; enforcement risk is high	P1	Before market entry
Significant	Legal requirement partially met; enhancement needed to avoid enforcement risk	P2	Within 90 days of market entry
Minor	Best practice or low-enforcement-risk requirement not fully met	P3	Within 180 days of market entry
Enhancement	Existing control meets requirement but could be optimised	P4	Next annual review cycle

Phase 4: Remediation Planning

Remediation Effort Estimation

Effort Category	Small	Medium	Large
Policy drafting/update	1-2 weeks	2-4 weeks	4-8 weeks
Procedure development	1-2 weeks	2-6 weeks	6-12 weeks
Technical implementation	2-4 weeks	4-8 weeks	8-16 weeks
Training development and delivery	1-2 weeks	2-4 weeks	4-8 weeks
Vendor/contract update	2-4 weeks	4-8 weeks	8-16 weeks
Regulatory registration/filing	1-4 weeks	4-8 weeks	8-24 weeks

Phase 5: Timeline Planning

Standard Market Entry Privacy Timeline

Week	Activity	Deliverable
1-2	Regulatory landscape mapping	Jurisdiction assessment report
3-4	Requirement extraction	Detailed requirements document
5-6	Current control mapping	Control inventory and mapping
7-8	Gap analysis	Gap report with classifications
9-10	Remediation planning	Remediation plan with effort estimates
11-14	P1 critical gap remediation	Updated policies, procedures, technical controls
15-18	P2 significant gap remediation	Enhanced controls and procedures
19-20	Training and awareness	Staff training completion
21-22	Pre-launch compliance review	Compliance readiness assessment
23-24	Go-live with monitoring	Market entry with active compliance monitoring

Example: Zenith Global Enterprises — Vietnam Market Entry

Jurisdiction Assessment Summary

Element	Detail
Law	Decree 13/2023/ND-CP on Personal Data Protection (effective 1 July 2023)
Regulator	Ministry of Public Security (MPS) — Department of Cybersecurity and Hi-tech Crime Prevention
Scope	All personal data processing in Vietnam; extraterritorial for activities targeting Vietnamese individuals
DPO requirement	Required for certain processors (large-scale sensitive data processing)
Cross-border transfer	Mandatory impact assessment dossier; file with MPS before first transfer
Breach notification	72 hours to MPS
Key unique requirements	Transfer impact assessment dossier filed with MPS; consent required as primary basis

Gap Analysis Results

Domain	Current Status	Gap Classification	Remediation
Lawful basis	GDPR-compliant consent framework	Partially met — Vietnam consent requirements differ	P2: Adapt consent forms for Vietnam-specific requirements
Individual rights	Global DSR portal	Partially met — Vietnamese language required	P2: Add Vietnamese language support
Cross-border transfer	EU SCCs in place	Not met — Vietnam requires MPS-filed impact dossier	P1: Prepare and file transfer impact assessment dossier
DPO	Global DPO structure	Partially met — local representative may be needed	P2: Assess and appoint local privacy contact
Breach notification	72-hour global standard	Fully met	No gap
Privacy notice	Multi-language notices	Partially met — Vietnamese language needed	P2: Translate and localise privacy notice
Security	ISO 27001 certified	Fully met	No gap
Training	Annual global programme	Not met — Vietnam-specific content needed	P2: Develop Vietnam PDPD module

Remediation Timeline

Week	Activity	Priority
1-2	Prepare transfer impact assessment dossier	P1
3-4	File dossier with MPS	P1
5-6	Adapt consent forms and privacy notice (Vietnamese)	P2
7-8	Add Vietnamese to DSR portal	P2
9-10	Appoint local privacy contact	P2
11-12	Develop and deliver Vietnam training module	P2
13-14	Pre-launch compliance review	Final check

Gap Analysis Governance

Element	Detail
Gap analysis owner	Chief Privacy Officer
Approval	Privacy Steering Committee sign-off on remediation plan
Tracking	Gap remediation tracked in GRC platform
Review	Post-entry review at 90 days to verify all gaps remediated
Reuse	Gap analysis template stored for future market entries