The GDPR Gap Assessment is a structured maturity evaluation tool within Venvera that helps your organization measure its compliance posture against the General Data Protection Regulation. It consists of 48 questions organized into 8 chapters, each targeting a key area of GDPR compliance. Every question is scored on a 0–4 maturity scale, weighted by importance, and supports notes and evidence attachments for audit readiness.
The gap assessment is not a one-time exercise. It is designed to be repeated periodically (quarterly or semi-annually) to track your compliance maturity over time. Each completed assessment creates a historical snapshot, allowing you to visualize trends and demonstrate continuous improvement to regulators, auditors, and the board.
Accessing the Gap Assessment
From the sidebar, expand GDPR and click Gap Assessment. The assessment page loads showing all 8 chapters in a collapsible accordion layout. If a previous assessment exists, the most recent scores are pre-populated.
If you are conducting a new assessment cycle, click New Assessment in the top-right corner. This creates a fresh assessment record with the current date. You can also continue editing an in-progress assessment or review a previously completed one by selecting it from the assessment history dropdown.
Click on a chapter header to expand it and reveal its questions. Answer each question by selecting a maturity score, optionally adding notes and uploading evidence documents. You can save progress at any time — the assessment does not need to be completed in a single session.
Once all 48 questions are answered, review the chapter scores and overall score displayed at the top. Click Complete Assessment to finalize the assessment and lock the scores. A completed assessment cannot be edited but can be used as a baseline for the next cycle.
The 8 Chapters
Each chapter contains 6 questions, for a total of 48 questions across the entire assessment. The chapters are designed to cover every major area of GDPR compliance:
| Chapter | Focus Area | Example Topics |
|---|---|---|
| 1. Rights & Compliance | Data subject rights and legal compliance mechanisms | Right of access procedures, rectification workflows, erasure capabilities, restriction mechanisms, portability infrastructure, response time tracking |
| 2. Privacy by Design | Embedding privacy into systems and processes | Default privacy settings, data minimization in system design, pseudonymization capabilities, privacy-enhancing technologies, DPIA integration into project lifecycle, privacy requirements in procurement |
| 3. Data Minimization | Collecting and retaining only necessary data | Purpose limitation enforcement, data collection scope reviews, retention period definitions, automated deletion mechanisms, storage limitation controls, data inventory completeness |
| 4. International Transfers | Cross-border data transfer safeguards | Transfer mechanism selection, adequacy decision tracking, Standard Contractual Clauses management, Transfer Impact Assessments, supplementary measures, sub-processor chain visibility |
| 5. Incident Response | Breach detection, assessment, and notification | Breach detection capabilities, 72-hour notification readiness, data subject notification procedures, breach documentation, root cause analysis, supervisory authority communication channels |
| 6. Organizational Measures | Governance, training, and awareness | DPO appointment and independence, staff training programs, privacy awareness campaigns, role-based access controls, confidentiality agreements, regular compliance audits |
| 7. Third-Party Management | Processor and sub-processor oversight | Processor due diligence, DPA completeness, sub-processor approval mechanisms, audit rights enforcement, processor compliance monitoring, data return and deletion on termination |
| 8. Accountability & Documentation | Records, policies, and demonstrable compliance | ROPA completeness, policy documentation, consent records, DPIA records, processing agreement archives, compliance evidence repository |
Maturity Scoring Scale (0–4)
Each question is scored on a 5-point maturity scale. The scoring criteria are designed to be objective and measurable:
| Score | Level | Description |
|---|---|---|
| 0 | Non-Existent | No process, control, or measure exists. The organization has not addressed this area at all. There is no awareness of the requirement. |
| 1 | Initial / Ad Hoc | Some awareness exists but processes are informal, inconsistent, and undocumented. Compliance depends on individual effort rather than organizational capability. Actions are reactive, not proactive. |
| 2 | Developing / Repeatable | Basic processes are in place and documented. The organization follows a defined approach but it may not be consistently applied across all business units or processing activities. Some gaps remain. |
| 3 | Defined / Managed | Processes are well-documented, consistently applied, and monitored. The organization has clear ownership, regular reviews, and measurable controls. Compliance is proactive and systematic across the organization. |
| 4 | Optimized / Continuous Improvement | Processes are fully mature, continuously improved based on metrics and feedback, integrated with other governance frameworks, and regularly validated through internal or external audits. Best practices are followed and the organization leads in this area. |
Question Weights (1–3)
Not all questions carry equal importance. Each question is assigned a weight from 1 to 3 that reflects its significance to overall GDPR compliance:
| Weight | Significance | Impact on Score |
|---|---|---|
| 1 | Standard importance — good practice but less likely to attract regulatory scrutiny on its own. | Contributes its raw score to the chapter average with no multiplier. |
| 2 | High importance — directly relates to a core GDPR obligation and is commonly reviewed by supervisory authorities. | The question's score is counted twice in the weighted chapter average. |
| 3 | Critical importance — a fundamental GDPR requirement where non-compliance could result in significant fines or enforcement action. | The question's score is counted three times in the weighted chapter average. |
The chapter score formula is: Chapter Score = Sum(question_score * question_weight) / Sum(question_weight * 4) * 4. Because the denominator is simply 4 times the sum of the weights, this is the weighted mean of the question scores, normalized back to the 0–4 scale while respecting weights. The overall assessment score is the arithmetic mean of all 8 chapter scores.
Notes and Evidence per Question
For each question, you can provide two types of supporting information:
Notes Field
A free-text field where you can document:
- The rationale for the selected maturity score
- Current state of controls and processes relevant to the question
- Known gaps or planned improvements
- References to internal policies, procedures, or systems
- Observations from internal audits or reviews
Evidence Attachments
You can attach one or more evidence documents to each question. Supported formats include PDF, DOCX, XLSX, PNG, JPG, and TXT. Evidence might include:
- Screenshots of technical controls or system configurations
- Copies of relevant policies or procedures
- Training completion records
- Audit reports or assessment findings
- Process flow diagrams
- Meeting minutes demonstrating governance oversight
Attaching evidence at the question level creates a structured compliance evidence repository. When a supervisory authority or external auditor requests evidence of GDPR compliance, you can export the gap assessment with all attached evidence as a comprehensive compliance dossier, saving significant time in audit preparation.
Chapter and Overall Scores
As you answer questions, scores are calculated and displayed in real time:
- Chapter Score: Displayed next to each chapter header, showing the weighted average of all answered questions in that chapter on the 0–4 scale. Unanswered questions are excluded from the calculation until answered. The chapter header also shows a progress indicator (e.g., "4/6 questions answered").
- Overall Score: Displayed prominently at the top of the assessment page, calculated as the arithmetic mean of all 8 chapter scores. This is the score visualized in the GDPR Dashboard ring chart.
Both chapter and overall scores are color-coded using the same scale as the dashboard ring chart (Red for 0–0.9 through Green for 3.5–4.0).
Remediation Plan Auto-Generation
One of the most powerful features of the GDPR Gap Assessment is automatic remediation plan generation. When you complete an assessment, Venvera analyzes all questions that scored below a maturity level of 3 ("Defined / Managed") and generates a structured remediation plan:
Any question with a score of 0, 1, or 2 is flagged as a gap. Questions with higher weights (2 or 3) are prioritized in the remediation plan, as they represent more critical compliance obligations.
For each identified gap, Venvera generates a recommended remediation action based on the question's topic and the current maturity score. The action describes what needs to be done to raise the score to at least level 3. Actions are specific and actionable, not generic statements.
Each remediation item is assigned a priority based on the combination of the question's weight and the gap severity (how far below 3 the score is). A weight-3 question scored at 0 receives the highest priority ("Critical"), while a weight-1 question scored at 2 receives the lowest priority ("Low").
You can review the generated remediation plan, edit the recommended actions, assign each item to a responsible person, and set target completion dates. The remediation plan then becomes a living action tracker that you can monitor from the GDPR Dashboard.
The threshold for remediation is a score below 3. This means that even a score of 2 ("Developing") will generate a remediation action. This is intentional: GDPR compliance requires a systematic, consistent approach (level 3) as a minimum. Organizations should aim for level 3 across all areas and target level 4 for critical areas.
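As an added example that is not Venvera's own code, the following Python implements the chapter score formula from the weights section, the unanswered-question exclusion and progress indicator from the scores section, and the gap flagging and priority ranking described for the remediation plan. The `Question` and `RemediationItem` types, the sample scores, and the numeric rank (weight multiplied by gap severity) together with its intermediate labels "High" and "Medium" are assumptions; the page fixes only the "Critical" (weight 3, score 0) and "Low" (weight 1, score 2) endpoints.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SCORE = 4      # top of the 0-4 maturity scale
TARGET_LEVEL = 3   # "Defined / Managed": any score below this is a gap


@dataclass
class Question:
    qid: str
    weight: int                   # 1-3, as in the question weights table
    score: Optional[int] = None   # 0-4, or None while unanswered

    def __post_init__(self) -> None:
        # Reject values outside the documented ranges before they reach the formula
        if self.weight not in (1, 2, 3):
            raise ValueError(f"{self.qid}: weight must be 1-3")
        if self.score is not None and not 0 <= self.score <= MAX_SCORE:
            raise ValueError(f"{self.qid}: score must be 0-{MAX_SCORE}")


def chapter_score(questions: List[Question]) -> Optional[float]:
    """Weighted chapter score on the 0-4 scale; unanswered questions are excluded."""
    answered = [q for q in questions if q.score is not None]
    if not answered:
        return None
    numerator = sum(q.score * q.weight for q in answered)
    denominator = sum(q.weight * MAX_SCORE for q in answered)
    return numerator / denominator * MAX_SCORE


def progress(questions: List[Question]) -> str:
    """Progress indicator shown in the chapter header, e.g. '4/6 questions answered'."""
    answered = sum(1 for q in questions if q.score is not None)
    return f"{answered}/{len(questions)} questions answered"


def overall_score(chapters: Dict[str, List[Question]]) -> Optional[float]:
    """Arithmetic mean of the chapter scores (assumption: chapters with no answers are skipped)."""
    scores = [s for s in (chapter_score(qs) for qs in chapters.values()) if s is not None]
    return sum(scores) / len(scores) if scores else None


@dataclass
class RemediationItem:
    qid: str
    weight: int
    score: int
    severity: int   # how far below TARGET_LEVEL the score is (1-3)
    rank: int       # weight * severity: 1 (lowest) to 9 (highest)
    priority: str


def priority_label(rank: int) -> str:
    # Assumed mapping: the page only fixes 9 -> "Critical" and 1 -> "Low"
    if rank == 9:
        return "Critical"
    if rank >= 6:
        return "High"
    if rank >= 3:
        return "Medium"
    return "Low"


def remediation_plan(chapters: Dict[str, List[Question]]) -> List[RemediationItem]:
    """Flag every answered question below TARGET_LEVEL, highest priority first."""
    items: List[RemediationItem] = []
    for qs in chapters.values():
        for q in qs:
            if q.score is None or q.score >= TARGET_LEVEL:
                continue
            severity = TARGET_LEVEL - q.score
            rank = q.weight * severity
            items.append(RemediationItem(q.qid, q.weight, q.score, severity, rank,
                                         priority_label(rank)))
    # Higher rank first, then higher weight, then question id for a stable order
    items.sort(key=lambda i: (-i.rank, -i.weight, i.qid))
    return items


# Constructed sample: two chapters of an in-progress assessment (not real data)
SAMPLE_CHAPTERS: Dict[str, List[Question]] = {
    "1. Rights & Compliance": [
        Question("1.1", 3, 3), Question("1.2", 2, 3), Question("1.3", 2, 4),
        Question("1.4", 1, 2), Question("1.5", 1, 3), Question("1.6", 1, 3),
    ],
    "5. Incident Response": [
        Question("5.1", 3, 4), Question("5.2", 3, 0), Question("5.3", 2, 2),
        Question("5.4", 2, 3), Question("5.5", 1, 2), Question("5.6", 1, None),
    ],
}

if __name__ == "__main__":
    for name, qs in SAMPLE_CHAPTERS.items():
        print(f"{name}: {chapter_score(qs):.2f} ({progress(qs)})")
    print(f"Overall: {overall_score(SAMPLE_CHAPTERS):.2f}")
    for item in remediation_plan(SAMPLE_CHAPTERS):
        print(f"{item.priority:8} Q{item.qid} weight={item.weight} score={item.score}")
```

For the Incident Response sample, only five questions are answered, so the denominator is (3+3+2+2+1)*4 = 44 and the numerator is 24, giving 2.18; the weight-3 question scored at 0 lands at the top of the plan as "Critical", while the two weight-1 questions scored at 2 sit at the bottom as "Low".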
Assessment History and Trend Tracking
Every completed assessment is saved with its full data — all 48 question scores, notes, evidence, chapter scores, and the overall score. You can view a historical timeline of assessments showing how your overall score and individual chapter scores have changed over time. This trend data is invaluable for demonstrating continuous improvement to regulators and the board, and it fulfills the accountability obligation under Art. 5(2).
Exporting the Assessment
The gap assessment can be exported in PDF format, producing a detailed report that includes chapter-by-chapter breakdowns, individual question scores with notes, evidence references, the remediation plan, and historical trend charts. This export is designed for sharing with senior management, the DPO, external auditors, or supervisory authorities upon request.