Our approach to GAP Analysis under the Law on Personal Data Protection and the General Data Protection Regulation (GDPR)

Personal Data Protection

Why PwC?

A Multidisciplinary Team

Personal Data Protection is not just a matter of law. The Law on Personal Data Protection (the Law) and the General Data Protection Regulation (GDPR) require managers and data controllers to implement certain organisational and technical measures to secure full compliance with the requirements of the new regulation.
PwC provides Clients with a wide range of personal data protection specialists. Our Specialist Team comprises attorneys-at-law, and risk management and data analysis specialists.

GDPR and Data Analysis Tools

PwC’s GAP Analysis Tool (G.A.T.) is a tool developed by PwC intended for GDPR. The tool can also be applied to the Law to test if your organisation is ready to comply with the requirements of both the GDPR and the Law.

Our report provides insight into enterprise architecture compliance and its readiness to follow the principles of data protection.

 

Our experience in GDPR projects

We have experience with GDPR projects across numerous industries. Our experts provide in-house training to employees, build new solutions, and work side by side with experts within PwC’s Global Personal Data Protection Network.

PwC Global Personal Data Protection Network

We are proud to be part of PwC’s Global Personal Data Protection Network. Being part of our Global Network, we are able to gain experience, draw on our resources and share knowledge within the Network.

Considering that both the GDPR and the Law prescribe a unique approach to managers and data controllers, we are able to take advantage of our Global Network.

 

A Multidisciplinary Team

The risk approach is an essential element of the Law on Personal Data Protection (the Law) and GDPR. It is vital that a detailed risk analysis is performed with a view to identifying an appropriate need for protection and to prioritising the requirements of both the Law and the GDPR for your organisation.

The requirements of the Law and the GDPR and their implementation are inseparable. Our team of legal experts deals with a variety of issues, such as consent to the processing of personal data, the legitimate basis for data processing, data subject rights, appointment of a Data Protection Officer (DPO), and other issues.

Integrated Data Protection is a new principle of the Law and the GDPR requiring greater focus on cyber-security. Personal data must be appropriately protected based on the results of a previously conducted risk analysis.

Understanding the source of personal data, the data flows, and the data structure forms the basis for the Law and the GDPR. Such understanding enables proper data identification and processing under the new regulation.

The GDPR and the Law Compliance Project has an effect on numerous areas, teams and department sectors within the business. Appropriate project management ensures that you get essential cooperation at company level.


Project Phases

Mobilisation and Team Training

Understanding the key terms. Determining expectations and their synergistic effect. Training for employees participating in the Project.

Specifying the Scope of the Law and the GDPR

Collecting relevant documents. Identifying responsible officers. Collecting relevant information on personal data processing performed within relevant organisational units.

GAP Analysis

GAP Analysis between the current approach and the requirements under the Law on Personal Data Protection and the GDPR. Evaluations and classifications of established differences, based upon their importance and complexity.

Draft Measures

Planning for the fulfilment of the requirements of the Law on Personal Data Protection and the GDPR. Preliminary assessment of the steps for the removal of selected findings. Final report.

Key factors that lead to a successful project

Operating assumptions

  • The company is required to:
      1. Provide premises for operations meetings,
      2. File relevant data and project documentation,
      3. Arrange for the attendance of project participants at scheduled meetings, as well as for their submission of required documentation within a maximum of 3 working days (except in the event of specific and unexpected situations).
  • All formal project communication will be between the Project Manager and PwC.
  • Project deliverables will be documented through the use of MS Tools (MS Word, MS Excel and MS PowerPoint), unless otherwise agreed for specific deliverables.

 

Key success factors

  • Thorough understanding of the scope, purpose and objective of analysing the current compliance status with the GDPR and the Law for all key participants in the Project,
  • Availability of resources and relevant documents,
  • Open communication on activities and processes,
  • Constructive communication on areas for improvement.

 

Conclusion

Limitations

Data Management: Collect only essential data, use them only for the purpose for which they were supplied to you, and keep them no longer than necessary.

Protection

Data Protection: Restrict access to data to only those with the right-of-use, take care of the data when travelling and use only company equipment or letterhead, and think twice before sending data and/or emails.

Respect

Transparency: Be transparent with colleagues, clients and others regarding how their personal data are collected, stored, shared and used.

 

Contact us

PwC

Belgrade office, PwC Serbia

Tel: (+381) 11 3302 100
