Calming the Privacy Waters: Navigating your organization’s privacy maturity journey with a GAPP Analysis
Recently I had the privilege of co-presenting at the IAPP Canada Privacy Symposium on the topic of GAPP analyses. A GAPP analysis – an analysis of the Generally Accepted Privacy Principles – is a comprehensive assessment of an organization’s privacy maturity.
While privacy impact assessments (PIAs) – and we do a lot of those – are essential and provide a deep-dive into specific areas, kind of like scuba diving, where you can explore all the nooks and crannies of a specific program or initiative, a GAPP analysis offers a broader view, which I think is more akin to snorkeling. When you’re snorkeling, you stay closer to the surface, giving you a wide picture of the underwater world. Similarly, a GAPP analysis allows you to see what is in good shape and what may need more work across your entire organization.
The process of conducting a GAPP analysis involves a few key steps. We start by gathering and reviewing relevant documents and policies. We then hold a series of departmental interviews to fully understand existing privacy practices across nine main domains that are congruent with the privacy principles. We analyze and score what we've learned and determine where the organization falls on the maturity continuum for a long list of criteria, ranging from ad hoc, through defined, to optimized practices.
This structured approach, which was originally established by the accounting associations in both Canada and the US, helps identify strengths, weaknesses, and areas for improvement. It provides a good, clear picture of where an organization stands in its privacy journey and helps it prioritize efforts as it moves forward. Additionally, we like the fact that GAPP analyses are flexible and adaptable, allowing them to be tailored to fit the modern context and the specific needs and realities of any organization. The final report includes an assessment against the maturity model, ratings, and recommendations and advice for addressing any gaps identified.
There are so many benefits to undertaking a GAPP analysis. It not only enhances organizational awareness of privacy needs and strengthens data governance, it also helps identify potential compliance risks and showcase accountability in privacy management. It makes for a handy roadmap for advancing an organization’s privacy maturity, fostering continuous improvement. We have found that it also helps identify and empower new privacy champions. Additionally, a project like this can help highlight areas where additional resources may be needed, which can potentially lead to collaborations and even improved resourcing for privacy work.
In putting forward the idea that GAPP analyses can be a great way to assess and continually improve privacy maturity, I think it would also be great to see more regulatory guidance that includes some type of maturity scale, which would make that guidance even more relevant, adaptable and scalable to organizations of different shapes, sizes and contexts.
If you’re wondering whether a GAPP analysis might be useful for your organization, reach out to us. We’re always happy to explore how we can help enhance your privacy program.