GDPR software is a designation for a wide range of software and applications that support compliance with the GDPR, improve an organization’s readiness to comply with it, or help to meet its requirements. Many applications, software products and enterprise solutions are trying to catch the GDPR wave by claiming that their product is “GDPR software”. But what does that mean, and what belongs to the category of GDPR software? What follows is an overview of the various types of GDPR software.
What types of GDPR software are out there?
With a little exaggeration, almost every business software product operating in Europe in 2018 uses the GDPR label. Almost every other company claims that its software supports the GDPR, or is GDPR ready or GDPR compliant. This is mostly true, but what does it really mean? What does it mean that a piece of software or a solution is GDPR compliant? Let’s try to categorise this very heterogeneous group of solutions and applications into several core groups:
- Software that safely stores, processes, or transmits personal data
- Software for personal data transmission
- Security software that protects computers, computer networks, other software, or other organizational assets
- Software to help evaluate an organization’s readiness for GDPR (GDPR Assessment Software)
- Software to help prove compliance with the GDPR (GDPR Compliance Software)
- Software that helps to introduce changes related to the GDPR (GDPR Change Management Software)
Each of these types of software helps to meet GDPR requirements in some way. The first two types are a de facto must-have for every organization, because every organization has to keep records of the personal details of its employees (at least), and almost all of them transmit this data to some other entity. The rest of this article gives a detailed description of each type of GDPR software.
Software that safely stores, processes, or transmits personal data
Unless an organization keeps all of its records in paper folders, it certainly uses some enterprise software or application that should meet the requirements for personal data storage. Since the personal data kept by organizations and businesses concerns mainly their employees (employee personal data), potential employees (job applicants’ personal data), customers (customers’ personal data) and suppliers (suppliers’ personal data), the majority of large enterprise software that stores, processes or transmits one of the above-mentioned categories of personal data can be counted as this type of GDPR software. A large portion of enterprise applications belongs here, such as:
- HR Software
- ERP Software and ERP systems
- CRM software and CRM systems
- Accounting software
- Payroll software
Note that the personal data could simply be kept in an Excel spreadsheet. It all depends on the size and needs of the organization.
What does such software have to comply with?
The GDPR requirements concern primarily the security of personal data storage, in terms of access to personal data (it is thus necessary to make sure that access to personal data is granted only to the entitled employees or users) and in terms of protecting the data against thieves and other attackers. Simply put, the question is about protecting data against unauthorized access from inside the company, as well as against unauthorized access and attacks from outside the company. What does this mean in practice? The GDPR requirements are relatively broad and don’t give specific answers as to what such software has to comply with. The GDPR only states that the controller and the processor must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, for example:
- pseudonymization and encryption of personal information
- ensuring the permanent confidentiality, integrity, availability, and resilience of systems and data processing services
- ensuring the capability of early restoration of personal data availability in case of physical or technical incidents
- establishing a process of routine testing, assessing and evaluating the effectiveness of the established technical and organizational measures to ensure the security of data processing.
The Regulation also states that these measures shall be carried out while taking into account the state of the technical equipment, the cost of implementation and the nature, scope, context and purpose of data processing.
In practice, this means that software does not necessarily have to encrypt or pseudonymize data in order to comply with the GDPR requirements. Moreover, the simple fact that a specific piece of software meets all the requirements is not a guarantee that the personal data stored and processed by it is safe. Any software is only as safe as the way its users use it, just like a car - even the safest car can crash if its driver is bad.
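As an added illustration (not from the original article) of what the “pseudonymization” measure in the list above amounts to for an HR-style record set: direct identifiers are replaced by keyed tokens, and the mapping back to the person is kept separately, so the working dataset on its own no longer identifies anyone. The employee records and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample records, as an HR or payroll system (or a spreadsheet) might hold them.
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Anna Novak", "email": "anna.novak@example.com", "department": "Sales", "salary": 4200},
    {"employee_id": "E1002", "name": "Jan Dvorak", "email": "jan.dvorak@example.com", "department": "IT", "salary": 5100},
    {"employee_id": "E1003", "name": "Eva Horak", "email": "eva.horak@example.com", "department": "Sales", "salary": 3900},
]

# Fields that directly identify a person; everything else stays in the working dataset.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")


def subject_token(key: bytes, employee_id: str) -> str:
    """Keyed pseudonym: the same employee and key always give the same token (so records can still
    be joined), but the token cannot be turned back into the employee_id without the key."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split each record into a pseudonymised working record and a separately stored lookup entry.
    Returns (working_records, lookup). The lookup (token -> direct identifiers) is the additional
    information that must be kept apart from the working dataset, e.g. under stricter access."""
    working, lookup = [], {}
    for rec in records:
        token = subject_token(key, rec["employee_id"])
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        working.append({"subject": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return working, lookup


def reidentify(working_record, lookup):
    """Restore the original record; only possible for whoever holds the separately kept lookup."""
    ids = lookup[working_record["subject"]]
    return {**ids, **{k: v for k, v in working_record.items() if k != "subject"}}


def contains_direct_identifiers(records) -> bool:
    """Check to run before handing a dataset to a team that only needs the statistics."""
    return any(f in rec for rec in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"constructed-demo-key-store-it-separately-from-the-data"  # constructed value
    working, lookup = pseudonymise(EMPLOYEES, key)
    print("working dataset still identifies people:", contains_direct_identifiers(working))
    print("average Sales salary:", sum(r["salary"] for r in working if r["department"] == "Sales") / 2)
    print("re-identified first record:", reidentify(working[0], lookup)["name"])
```

The working dataset can be handed to reporting or analytics without exposing names or e-mail addresses; only the holder of the key and the lookup table can link a token back to a person.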
So, if the Regulation does not specify any standards or requirements, how do we recognize software that is GDPR compliant? It always depends on the specific situation - a suitable solution for a self-employed tradesman will not be the same as for a big company. For example, a small business where personal data is processed by only one or two people can manage with a simple Excel spreadsheet or even paper. If a self-employed tradesman uses such a record-keeping method on his or her own and adheres to certain security principles, we can say that the Excel spreadsheet complies with the GDPR requirements in terms of data safety. Nevertheless, the situation is totally different for a large company where a number of people work with personal data. In that case, an Excel spreadsheet would undoubtedly be unsatisfactory.
It’s just like assessing the safety of a bicycle. Just like a bus or an airliner, a bike must also satisfy some safety requirements, e.g. requirements for materials. However, the bike is only safe if it is ridden by one person alone. When five people try to ride it, there is a great chance that something unpleasant will happen to them. Likewise, an inexperienced cyclist riding a safe bike may not fare well.
It is similar with software - what is suitable for individuals will not suit a large company. If certain security measures are put in place, even an Excel spreadsheet or paper documentation can meet the GDPR requirements. It always depends on the specific situation, conditions, and processes. Therefore, GDPR software requirements cannot be taken out of the context of how and by whom the software is used.
Software for personal data transmission
This category includes software for communication and data transmission - ranging from email, transfers of individual files and chat to phone communication and videoconferencing:
- Email server and email client
- Telephony, voice transmission
- Online communication - chat, group chat
- Videoconferencing - audio-video transmission
- FTP, file transfers
The case for securing communications is quite clear. In contrast to software for internal use, where all data stays with the company, communication almost always goes outward, or at least flows through external devices (e.g. a phone call between two people within the same company). This is why almost any communication is susceptible to interception or third-party intrusion. Protecting communications against interception and wiretapping can of course be partly a matter of choosing a good service provider. Nonetheless, the only truly secure way is to encrypt the communications, so that interception is either impossible or the captured communication is useless to any third party.
Unencrypted communication such as plain email is easy to intercept and easy to forge, and is therefore not suitable for transmitting personal data, let alone sensitive data.
But again, the principle of adequacy applies: it is not necessary to stop using unencrypted communications or to stop using email, because it is quite sufficient for day-to-day communication. However, if the content of such communications includes personal, sensitive, or otherwise confidential information, it is appropriate to use some form of protected, encrypted or otherwise secure communication, such as an in-house chat or communication tool that encrypts the transmitted data on both sides (end-to-end encryption). Another option is to avoid sending files at all and instead share them through trusted services and products (e.g. the various software tools for team collaboration).
Security software that protects computers, computer networks, or other organizational assets
Another big category of software that helps organizations and businesses meet the GDPR requirements is security software. This includes all software that protects data from being stolen, and that protects systems, software or applications from being attacked by an attacker or malware. This type of software actively ensures the security of computers, servers or the entire corporate computer network. The category covers a variety of security software that exists regardless of the GDPR (whether or not you store and process personal data); its vendors nonetheless ride the GDPR wave to reach new customers.
Security software of all kinds is certainly an integral part of protecting computers, computer networks, servers, and communications against attacks and crimes such as data theft or interception of communication. The use of security software is essential not only for the protection of personal data, but also for the protection of other confidential data. Security software protects personal data both from other users inside the company and from unauthorised persons outside it. Security software that helps protect personal information includes:
- Backup software
- Monitoring and surveillance software
- Encryption software - protects data in transit and at rest
- Communication encryption software
- Data shredding software
- Authentication software
- Identity management software
- Firmware of routers and other active networking hardware
- Software to monitor user activity
- Software for data loss prevention
- Entrance (physical access) systems
- Camera and other physical security systems, and more
Software to help evaluate an organization’s readiness for GDPR (GDPR Assessment Software)
Another type of GDPR software helps to evaluate the organization’s readiness for the GDPR. This type of software is mostly based on a questionnaire that evaluates the GDPR readiness of the individual departments within the company. Completing it helps to identify weaknesses that need improvement in order to achieve GDPR compliance. It can also include a guide with document templates (such as templates of contracts or of GDPR-related internal regulations) or offer consulting services.
- Assessment of weaknesses in readiness for GDPR
- GDPR templates
Software to help prove compliance with GDPR (GDPR Compliance Software)
This type of software helps demonstrate compliance with the GDPR. Not only is it extremely important to achieve GDPR compliance, businesses and organizations also have to be able to prove it in case of an inspection. Similarly, they have to have the appropriate documentation ready in order to be able to process data subjects’ requests and inquiries. This kind of GDPR software also offers a consent management tool. In fact, these GDPR organizers do not address personal data security directly; instead, they provide tools to prove GDPR compliance, record data processing activities, manage risks and the related countermeasures, report security breaches, and deal with data subjects’ requests.
- Record keeping - records of data processing activities
- Assessing and managing risks related to personal data processing
- Management of countermeasures to reduce the existing risks
- Handling requests from data subjects
- Consent management
- Reporting security incidents to the supervisory authority (incident management)
- Communication between data controller and data processor
Software that helps to introduce changes related to the GDPR (GDPR Change Management Software)
The last group of solutions helps to implement the measures that have to be taken in order to comply with the Regulation. As with the previous category of GDPR software, the Regulation states no requirements for this type of software. This software is only intended to help managers and processors manage the technical and organizational changes the GDPR has brought about. Depending on the size of the organization, this kind of software can take the form of various solutions addressing collaboration, task management or project management.