10 Great GDPR Compliance Software Tools in 2022 (Review + Pricing)

In this article, we introduce some useful GDPR software tools that can help you reach GDPR compliance and maintain it. We focus on tools that are easy to implement; most are free or have very reasonable pricing. You may already have access to some of them within your current software stack and just need to start using them. We have also included a list of best practices and tips to consider when building your own toolkit.

First things first: what is GDPR?

GDPR stands for General Data Protection Regulation, and it came into force on May 25, 2018. The goal of the GDPR is to give users more control over their personal data. The regulation aims to give individuals more transparency and awareness about how companies use their personal information and to make sure it is not misused or abused. The provisions of the GDPR apply to any company that holds data on EU citizens.

What is GDPR compliance software?

GDPR compliance software is a set of tools that helps an organisation comply with the main principles of the GDPR. These include audit tools, personal data mapping tools, consent management software, security software, assessment tools, data minimisation tools and data subject request management tools.

Principles of GDPR you should know before choosing the software

The GDPR also introduced seven data protection principles that businesses and public organisations must follow to be compliant:

  • Principle 1 – Lawfulness, fairness and transparency
  • Principle 2 – Purpose limitation
  • Principle 3 – Data minimisation
  • Principle 4 – Accuracy
  • Principle 5 – Storage limitation
  • Principle 6 – Integrity and confidentiality (security)
  • Principle 7 – Accountability

Lawfulness, fairness and transparency

This principle requires that all organisations ensure that their processing activities comply with applicable laws and regulations. In other words, if you process people’s personal data, you must follow the rules set by the legislation.

The main components of this principle are:

  • Demonstrating a lawful basis for obtaining and processing personal data. The GDPR defines six lawful bases: consent, the performance of a contract, legitimate interest, vital interests, legal requirement and public interest. You can read more on lawful bases in our article here.
  • The collection of personal data must be conducted in a fair manner. Fair means that the way in which data is collected must be transparent and fully explainable to the person who provides his/her personal data.
  • Transparency means that an individual must always be informed when he/she is being asked to provide personal data. The “right to be informed” is a core element of this principle. Examples of transparency measures include the privacy policies and notices on your website, your cookie policy and other documents that give data subjects a clear understanding of how their personal data is collected and processed.

Purpose limitation

Purpose limitation means that the organisation must limit its processing to what is necessary to fulfil the purposes for which the data were originally collected. For example, if you collect email addresses from people in order to send them offers, you cannot keep those addresses forever and use them for other marketing campaigns without the owners’ permission.

Data minimisation

Data minimisation means that the organisation must minimise the amount of personal data it processes. If you ask someone to fill out a form, you do not need to store every single detail about him/her. Keep only the minimum data needed to fulfil the purpose of the request.

Before approaching personal data minimisation, a proper analysis of the personal data you hold should be performed. A good starting point is data discovery: understanding what kind of personal data you store and in which IT systems.

Accuracy

The GDPR requires that personal data be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation

Storage limitation means that the organisation must limit the period of time for which personal data is stored. The appropriate length of time depends on the type of personal data and its sensitivity. For example, if you collect financial data, you may keep it for up to 6 years. However, if you collect health data, you should keep it for no longer than necessary.

Integrity and confidentiality (security)

“Integrity and confidentiality” means that you must have appropriate security measures in place to protect the personal data you hold. Personal data must be protected against unauthorised or unlawful processing, accidental loss, destruction or damage.

Accountability

The accountability principle requires organisations to take responsibility for what they do with personal data and for how they comply with the other principles. To comply with this principle, an organisation must have appropriate measures and records in place so that it can demonstrate compliance at the first request of the authorities. In practice, this means maintaining a set of documents.

Here is a (non-exhaustive) list of GDPR documents you may need in order to demonstrate your compliance:
  • Records of Processing Activities;
  • Personal Data Protection Policy;
  • Privacy Notices (for employees, website visitors, etc.);
  • Data Processing Agreements signed with your service providers;
  • Data Retention Policy and schedules;
  • Consent forms;
  • Data breach response and notification procedures;
  • Data Breach register;
  • Data subject request processing procedures;
  • Data Protection Impact Assessments;
  • Legitimate Interest Assessments;
  • Vendor Assessments;
  • Data Transfer Impact Assessments.

GDPR compliance software

As you may have gathered from the GDPR principles described above, complying with these requirements is not an easy task. It requires a lot of work, and you will need tools to achieve and maintain compliance with the GDPR.

There are many different types of GDPR software solutions on the market today. Some are very simple, while others are complex and require a lot of maintenance. So, before choosing one of these tools, it is important to understand the specifics of the personal data processing happening in your organisation, assess the risks related to it, and choose the solution that properly mitigates those risks.

To simplify this task, we will look at some specific examples for each of the GDPR principles described above.

GDPR audit tools

The first task in a GDPR compliance project is to understand the organisation’s current situation in terms of personal data protection and perform a gap analysis. Audit tools can be used to check whether your organisation processes personal data according to the requirements of the GDPR. They usually contain a number of checks that must be performed during an audit.

ICO data protection self-assessment

The UK Information Commissioner’s Office (ICO) has put together a set of self-assessment tools for controllers and processors. These simple questionnaires are meant for small to medium-sized organisations, and the assessments include guidance and recommendations. On completion, you will see what you need to do to ensure your personal data processing is in accordance with the GDPR. The toolkit includes the following checklists:
  • small business owners and sole traders checklist;
  • data protection assurance checklists for controllers and processors;
  • information security checklist;
  • direct marketing checklist;
  • records management checklist;
  • CCTV compliance checklist.

You can find the ICO data protection self-assessments here.

Gartner GDPR compliance audit checklist

Gartner has published a somewhat more formal but well-structured self-assessment checklist meant to prepare you for GDPR compliance audits. Each requirement is linked to the relevant GDPR article. With this tool, you can mark items as compliant or not and track your compliance progress. The checklist covers the following requirements:
  • accountability governance;
  • processing principles;
  • privacy by design and default;
  • data protection impact assessment;
  • records of processing;
  • data subject rights;
  • consent and notices;
  • breach management;
  • processors;
  • data transfers.

You can download the Gartner GDPR compliance audit checklist here.


GDPR Register

GDPR Register allows you to perform personal data mapping and maintain records of processing activities, covering the most important information about your personal data, the purposes of processing, legal bases, incident management and much more. It is suitable for small companies and also has the advanced features needed by multinational corporations. It is a GDPR compliance solution that does not require any complicated setup and saves time by providing professional templates for different kinds of activities and documents.

Check for more information here.

Consent management tools

Another important component of the transparency principle is consent. Consent should be obtained not only when collecting users’ personal data, but also whenever there is a change in the terms of service or in the conditions of personal data processing.

We have picked the two tools that are, in our opinion, the best. Both are available in free and paid versions, can block the loading of cookies until consent is collected, allow customisation of the banner appearance, and offer other useful features that make them stand out from other cookie banner GDPR compliance software tools.


Openli

Openli.com is a very easy-to-use consent management tool for all types of content. It includes an automated privacy policy generator and a data processing agreements register, as well as a customisable banner, detailed material for proof of consent and an easy-to-use interface.