
10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance and maintain it. We will focus on tools that are easy to implement, most are free or have very reasonable pricing levels. You may already have access to some of the software tools within your current software stack and just need to make use of them. We have also included a list of best practices and tips that should be considered when building your own toolkit.

First things first: what is GDPR?

GDPR stands for General Data Protection Regulation and it came into force on May 25, 2018. The goal of GDPR is to provide users with more control over their personal data. This privacy regulation aims at giving individuals more transparency and awareness about how companies use their personal information and to make sure they are not misused or abused. The provisions of GDPR apply to any company that holds data on EU citizens.

 

What is GDPR compliance software?

GDPR compliance software is a set of tools that helps an organisation comply with the main principles of the GDPR. Such tools include audit tools, personal data mapping tools, consent management software, security software, assessment tools, data minimisation tools and data subject request management tools.
 

Principles of GDPR you should know before choosing the software

GDPR also introduced seven data protection principles businesses and public organisations must follow to be compliant.
 
Principle 1 – Lawfulness, fairness and transparency
Principle 2 – Purpose limitation
Principle 3 – Data minimisation
Principle 4 – Accuracy
Principle 5 – Storage limitation
Principle 6 – Integrity and confidentiality (security)
Principle 7 – Accountability
 

Lawfulness, fairness and transparency

This principle requires that all organisations must ensure that any processing activities comply with applicable laws and regulations. In other words, if you process people’s personal data, you must ensure that you follow the rules set by the legislation.

 

The main components of this principle are:

  • Demonstrating a lawful basis for obtaining and processing personal data. GDPR defines six lawful bases: consent, the performance of a contract, legitimate interest, vital interests, legal requirement and public interest. You can read more on lawful bases in our article here.
  • The collection of personal data must be conducted in a fair manner. Fair means that the way in which data is collected must be transparent and fully explainable to the person who provides his/her personal data. 
  • Transparency means that an individual must always be informed whether he/she is being asked to provide his/her personal data. The “right to be informed” is a core element of this principle. Examples of transparency principles could be privacy policies and notices located on your website, cookie policy and other documents providing the data subjects with a clear understanding of how personal data is being collected and processed.

Purpose limitation

Purpose limitation means that the organization must limit its processing activity to what is necessary to fulfil the purposes for which the data were originally collected. For example, if you collect email addresses from people to send them offers, then you cannot keep those emails forever and use them for marketing campaigns without their permission. 
 

Data minimisation

Data minimisation means that the organization must minimise the amount of personal data processed. If you ask someone to fill out a form, you don’t need to store every single detail about him/her. Keep only the minimum data needed to fulfil the purpose of the request. 
 
Before approaching personal data minimisation, a proper analysis of personal data should be performed. First of all, it would be good to start with data discovery to understand what kind of personal data you store in which IT systems.
 

Accuracy

GDPR requires that personal data has to be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
 

Storage limitation

Data storage limitation means that the organisation must limit the period of time for which personal data is stored. The length of time depends on the type of personal data and its sensitivity. For example, if you collect financial data, you may keep it for up to 6 years. However, if you collect health data, you should keep it for no longer than necessary.
 

Integrity and confidentiality (security)

“Integrity and confidentiality” means that you must ensure that you have appropriate security measures in place to protect the personal data you hold. Personal data must be protected against unauthorised or unlawful processing, accidental loss, destruction or damage.
 

Accountability

The accountability principle requires organisations to take responsibility for what they do with personal data and how they comply with the other principles. To comply with the principle, an organisation must have appropriate measures and records in place to be able to demonstrate compliance at the first request of the authorities. This means that a set of documents has to be produced and maintained.
 
Here is a (non-exhaustive) list of GDPR documents you may need to have in order to demonstrate your compliance:
  • Records of Processing Activities;
  • Personal Data Protection Policy;
  • Privacy Notices (for employees, website visitors, etc.);
  • Data Processing Agreements signed with your service providers;
  • Data Retention Policy and schedules;
  • Consent forms;
  • Data breach response and notification procedures;
  • Data Breach register;
  • Data subject request processing procedures;
  • Data Protection Impact Assessments;
  • Legitimate Interest Assessments;
  • Vendor Assessments;
  • Data Transfer Impact Assessments.

GDPR compliance software

As you may have gathered from the GDPR principles described above, compliance with such requirements is not an easy task. It will require a lot of work, and you will need some tools to achieve and maintain compliance with the GDPR.
 
There are many different types of GDPR software solutions available on the market today. Some of them are very simple while others are complex and require a lot of maintenance. So, before choosing one of these tools, it is important to understand the specifics of the personal data processing happening in your organisation, assess the risks related to it and choose the appropriate solution that will properly mitigate those risks.
 
To simplify this task we will try to look at some specific examples for each of the GDPR principles we described above.
 

GDPR audit tools

The first task in the GDPR compliance project is to understand the current situation of the organisation in terms of personal data protection and perform a gap analysis. Audit tools can be used to check whether your organization processes personal data according to the requirements of the GDPR. They usually contain a number of checks that are required to be performed during audits.
 

ICO data protection self-assessment

The UK Information Commissioner’s Office (ICO) has put together a set of self-assessment tools for controllers and processors. These simple questionnaires are meant for small to medium-sized organisations. The assessments include guidance and recommendations. As a result, you will find out what you need to do to ensure your personal data processing is in accordance with the GDPR. The toolkit includes the following checklists:
  • small business owners and sole traders checklist;
  • data protection assurance checklists for controller and processor;
  • information security checklist;
  • direct marketing checklist;
  • records management checklist;
  • CCTV compliance checklist.
Find more information about the ICO’s data protection self-assessment tool.
 
Gartner GDPR compliance audit checklist
Gartner has published a somewhat more formal, but well-structured, self-assessment checklist meant to prepare you for GDPR compliance audits. Each requirement is related to a relevant GDPR article. With this tool, you can track the items where you are compliant or not and follow your compliance progress. The checklist covers the following requirements:
  • accountability governance;
  • processing principles;
  • privacy by design and default;
  • data protection impact assessment;
  • records of processing;
  • data subject rights;
  • consent and notices;
  • breach management;
  • processors;
  • data transfers.
 

GDPR Register

GDPR Register allows you to perform personal data mapping and maintain records of processing activities, which include the most essential information about your personal data, the purposes of the processing, lawful bases, incident management and much more. It is suitable for small companies and also has the advanced features needed by multi-national corporations. It is a GDPR compliance solution that does not require any complicated setup and saves time by providing professional templates for different types of records and documents.


Read more about the benefits of GDPR Register’s software tool

Consent management tools

Another important component of the transparency principle is consent. Consent should not only be obtained when collecting users’ personal data, but also whenever there is a change in the terms of service or conditions of personal data processing.
 
We have picked for you the two best ones in our opinion. They are both available as free and paid versions, have capabilities of blocking the loading of cookies until the consent is collected, customisation of banner appearance and other useful tools which make them stand out from other cookie banner GDPR compliance software tools.
 

CookieHub

CookieHub is a simple and cost-effective GDPR compliance tool for cookie consent management. It includes a cookie scanner, consent management, a cookie blocker, a customisable user interface, multiple languages and cookie summary information. The cookie declaration can be easily integrated into your cookie policy, allowing you to constantly keep the cookie information up to date.


Privacy policy generators

Here we would like to surprise you – we don’t recommend using automated privacy policy generators due to the high risk of mistakes resulting in being not compliant with the lawfulness, fairness and transparency principles.
 
The correct approach to producing a privacy policy requires first producing a structured view of your personal data collections and processing, which should be achieved through compiling records of processing activities. As soon as such records are created, you can be sure that you don’t miss anything in your privacy policy. Unfortunately, existing privacy policy generators don’t allow the creation of records of processing activities and therefore the result will be very questionable.
 
There are plenty of privacy policy templates you can find and you will be in control of the information you provide to your data subjects. 

GDPR Compliance software for data minimisation, accuracy, storage limitation and security principles

Microsoft Purview Compliance Manager

If you use Microsoft 365 (formerly Office 365), then Microsoft Purview Compliance Manager is a data tracking system designed to help you comply with the GDPR. It allows you to make an inventory of your data protection risks, perform different assessments, manage the complexities of implementing controls and stay current with regulations and certifications. The use of Microsoft Purview Compliance Manager requires an Office 365 E5 (or, for education, A5) or a Microsoft E5 or A5 subscription license.
 
Microsoft Purview Compliance Manager features include:
  • pre-built assessment tool;
  • risk assessments and compliance score;
  • guidance;
  • data classification;
  • data control.
Learn more about how Microsoft Purview Compliance Manager can help you get compliant with the GDPR and other regulations.
 

Azure Information Protection

If your business runs on the Microsoft Azure stack, then Azure Information Protection (AIP) is probably the easiest way to achieve all of these principles. AIP provides you with a set of features allowing you to:
  • enforce data minimisation and storage limitations;
  • perform data classification based on the sensitivity level of the data;
  • identify sensitive data and protect it accordingly;
  • automatically delete sensitive data after a certain period of time;
  • protect your data against accidental disclosure;
  • detect unauthorized access attempts;
  • monitor changes made to your data.
Learn more about Azure Information Protection tools for your GDPR compliance.
 

Amazon Macie

If you are using AWS, then Amazon Macie is a great solution for protecting your data. It allows you to:
  • identify sensitive data;
  • protect it automatically;
  • delete sensitive data after a specified retention period;
  • block unwanted access to sensitive data;
  • prevent unauthorized disclosure of sensitive data;
  • detect and prevent malicious activity.
Learn more about Amazon Macie here.
 

ARX Data Anonymization Tool

One of the most effective security measures to ensure data minimisation and storage limitation is anonymization. If you have sufficient technical knowledge to integrate software tools into your software stack, then the ARX Data Anonymization Tool is a solution to consider. It supports a wide range of de-identification techniques including:
  • Removal of personally identifiable information (PII) such as names, addresses, phone numbers, etc.;
  • Reduction of PII to non-personally identifiable information;
  • Replacement of PII with non-PII;
  • Replacement of PII with random strings or other unique identifiers;
  • Generation of synthetic data sets.

Learn more about ARX Data Anonymization Tool.
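As an added illustration of the de-identification techniques listed above (removal of PII, reduction of PII to less identifying values, and replacement of PII with keyed tokens), the following Python applies them to a few constructed records and then measures the k-anonymity of the result. This is example code written for this article, not ARX’s own implementation; the record fields, the sample values and the HMAC key are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people, not real data).
RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org", "dob": "1984-03-12",
     "postcode": "10115", "diagnosis": "flu"},
    {"name": "Bert Sample", "email": "bert@example.org", "dob": "1979-11-30",
     "postcode": "10117", "diagnosis": "asthma"},
    {"name": "Anna Example", "email": "Anna@Example.org", "dob": "1984-03-12",
     "postcode": "10115", "diagnosis": "allergy"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Replacement: swap a direct identifier for a keyed HMAC-SHA256 token.
    Equal inputs map to equal tokens, so records stay linkable, but the
    token cannot be reversed without the key. Under GDPR (Recital 26)
    pseudonymised data is still personal data: keep the key separate."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def generalise_dob(dob: str) -> str:
    """Reduction: collapse a full birth date to a ten-year band."""
    year = int(dob[:4])
    return f"{year - year % 10}s"


def generalise_postcode(postcode: str, keep: int = 3) -> str:
    """Reduction: keep only the leading digits of a postcode."""
    return postcode[:keep] + "*" * (len(postcode) - keep)


def deidentify(record: dict, key: bytes) -> dict:
    """Removal of the name, replacement of the e-mail with a token and
    reduction of the quasi-identifiers; the analysed attribute is kept."""
    return {
        "subject_id": pseudonym(record["email"], key),
        "birth_decade": generalise_dob(record["dob"]),
        "postcode_area": generalise_postcode(record["postcode"]),
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records: list, quasi_identifiers: tuple) -> int:
    """Smallest group size over the quasi-identifier combination (the k in
    k-anonymity). k == 1 means some record is unique and may be re-identified."""
    groups = {}
    for r in records:
        group = tuple(r[q] for q in quasi_identifiers)
        groups[group] = groups.get(group, 0) + 1
    return min(groups.values()) if groups else 0


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held in a secrets manager, not with the data
    released = [deidentify(r, key) for r in RECORDS]
    print(released)
    print("k =", k_anonymity(released, ("birth_decade", "postcode_area")))
```

With this tiny data set the birth decade plus postcode area still leaves one record unique (k = 1), which is the check that tells you the reduction is not yet strong enough to release the data.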

Software for technical security measures

Security software is a separate subject in its own right, and it is not the aim of this article to cover it. Here we list some important types of security software that you may consider looking at to improve the protection of personal data in your organisation.

Here is a list of the types of security software that may give your organisation the protection it needs:

  • anonymisation and pseudonymisation;
  • encryption software;
  • endpoint security;
  • anti-spyware;
  • anti-malware;
  • network security;
  • email security;
  • firewalls;
  • password managers;
  • log management software;
  • monitoring tools;
  • intrusion prevention software;
  • bot protection;
  • internet of things (IoT) security.

It is worth consulting with your IT department to find the best suitable security tools for your organisation.

Software for organisational security measures

There are also organisational security measures that have to be considered when talking about the security of personal data. According to the Psychology of Human Error study by Stanford University Professor Jeff Hancock and security firm Tessian, nine in ten (88%) data breach incidents are caused by employees’ mistakes.

Organisational security measures shall include:

  • audits and reviews;
  • awareness and training of employees;
  • information security policies;
  • business continuity plan;
  • risk assessments;
  • vendor assessments.

GDPR compliance software for accountability principle

Accountability as the focus of GDPR software refers to the readiness of an organisation to demonstrate, at the first request of the authorities, that it complies with GDPR requirements.

GDPR Register

GDPR Register’s GDPR compliance software solution covers most of the accountability principle requirements. It has helpful tools you can implement from the very beginning of your compliance project through to the ongoing monitoring of your organisation’s compliance.

It includes the following features:

GDPR Register’s compliance software offers a free 14-day trial with most features fully functional.
 
Learn more about GDPR Register here.
 

CNIL’s Privacy Impact Assessment tool

If you’re looking for Data Protection Impact Assessment (DPIA) software, the French regulator CNIL has made available its PIA (Privacy Impact Assessment) tool, which might be a great option for you. This privacy risk assessment tool relies on a user-friendly interface and will simplify the management of your PIAs. Despite its name, CNIL’s tool provides risk assessment and mitigation measure planning capabilities.
 
It unfolds the privacy impact assessment methodology step by step. Several visualisation tools offer ways to quickly understand the risks. It includes guidance information, multi-step approval procedures and it’s free. Learn more here
 
Of course, this list is not an extensive list of all possible GDPR software solutions. If you have any questions about which one is suitable for your business, please contact us. We will help you choose the right software which will meet your needs.