The General Data Protection Regulation (GDPR) is an EU regulation that became effective on the 25th of May 2018. It imposes a number of obligations on individuals and entities collecting personal data of EU residents, including, but not limited to, (i) implementing appropriate technical and organizational measures to ensure the security of the collected personal data, (ii) processing the personal data in a lawful manner, (iii) demonstrating their compliance with the GDPR, (iv) concluding data processing agreements with data processors (if any), and (v) reporting data breaches to the competent authorities.
While sole traders and other small businesses may be able to easily comply with the GDPR by hiring qualified professionals, large organizations may, in addition to external or internal expertise in the field of GDPR, need data privacy software that facilitates the GDPR compliance and reduces the costs associated with it. The purpose of this article is to examine the state of the art of data privacy software and provide speculations about its future. (Think you don’t need to comply with the GDPR because you’re not based in Europe? Think again: GDPR: Do You Know if Your Organization Needs to Comply?)
The State of the Art of Data Privacy Software
There is an abundance of software applications that facilitate GDPR compliance. They can be categorized in six groups, namely, (i) applications for mapping data flows, (ii) applications for preparing GDPR-compliant privacy policies, (iii) applications for reporting data breaches, (iv) applications for collecting cookie consent, (v) applications for creating GDPR-compliance checklists, (vi) and other GDPR-related applications. Elaborating on each of the applications in the five groups is beyond the scope of this article. Instead, it will examine one or more applications representing each group.
Applications for Mapping Data Flows
This type of application enables organizations to track the flows of their personal data. This, in turn, allows them not only to prepare the required privacy policies and data processing agreements, but also to address any GDPR violations. For example, the application BigID allows organizations to build maps of personal information without the need to copy any data. It can also be used to analyze personal data by person, state, access and data type. Exterro is another example of an application having data mapping functionalities. It offers granular data profiling, i.e., identification of where data exists within an organization and correlation of the data to specific security and privacy regulatory requirements.
Applications for Preparing GDPR-Compliant Privacy Policies
Many organizations operate hundreds of websites and have limited budgets for ensuring GDPR compliance. Such organizations may benefit from using software applications that allow them to quickly, affordably and effectively generate privacy policies that comply with all necessary legal requirements. For example, the software application Iubenda includes a privacy and cookie policy generator that allows companies to create customized privacy policies. The generator includes more than 650 clauses available in eight languages. Iubenda is used by more than 60,000 clients in more than 100 countries.
Applications for Reporting Data Breaches
GDPR requires organizations to report certain breaches to the competent data protection authorities as soon as they become aware of them, but no later than 72 hours. Hence, it is of utmost importance that a corporate department that discovers a breach immediately reports it to the company officer responsible for informing the data protection authorities about data breaches. Cloud applications, such as VOBE GDPR, allow each corporate department to share information about data breaches with the rest of the organization. (Not complying with the GDPR can make you a target for cybercriminals. Learn more in How Cybercriminals Use GDPR as Leverage to Extort Companies.)
Applications for Collecting Cookie Consent
The EU ePrivacy Directive and the GDPR impose obligations on website operators installing cookies on users’ computers. To comply with those obligations, website operators may need to install special plugins for collecting consent to use cookies. The application Cookie Assistant allows website operators to comply with EU laws while at the same time providing the opportunity to customize their consent notifications in accordance with the needs of their website. For example, the users of Cookie Assistant may choose the colors, the styles, and the placement of the cookie consent notifications.
Applications for Creating GDPR Compliance Checklists
Although organizations can use simple spreadsheets to list the applicable GDPR requirements and their compliance status, large organizations may benefit from advanced applications for creating GDPR compliance checklists. To illustrate, the cloud-based application Standard Fusion allows companies to create with ease GDPR compliance checklists indicating the compliance status of GDPR requirements (e.g., “conformance,” “minor non-conformance,” “opportunity for improvement”) and other information regarding each of those legal requirements.
Other GDPR-Related Applications
One can find many applications that do not fall within the scope of the aforementioned five groups. For example, encryption software, such as SimpleumSafe, allows companies to protect personal data by using encryption. Thus, they will comply with their GDPR obligations to implement appropriate technical security measures. Log360 may also help with the implementation of such measures. It has a log management ability that enables organizations to defend against external and internal threats. Consentric is another software that can facilitate GDPR compliance (more specifically, compliance with consent requirements). It allows the effective management of customer permissions and preferences.
The Future of GDPR Compliance Software
Most of the current GDPR compliance software applications fall within the scope of one or a few of the six groups examined above. Thus, organizations willing to benefit from the functionalities described in each of those groups may need to rely on multiple software applications. The lack of interoperability between those applications may cause technical and administrative issues.
Therefore, in the future, we can expect the appearance of comprehensive GDPR-compliance applications that will have a large number of functions. Furthermore, since many of the current applications have complex user interfaces, we can expect that future GDPR-compliance applications will facilitate communication with humans by using intuitive user interfaces and artificial intelligence. The fact that, in 2019, the U.K.-based data privacy software startup Privitar raised USD 40 million clearly indicates that there is a strong investor interest in innovation in the field of data privacy software.