Your guide to buying compliance software
The GDPR is not something you can just wade through in an afternoon or manage in an Excel spreadsheet. The law contains almost 300 pages, 11 chapters, and 91 provisions. And it doesn't really end there. In many ways, the GDPR is (quite deliberately) formulated in broad and general terms, leaving it up to the authorities and the courts to interpret and administer the law.
This places demands on you as a company, and since very few organisations have a dedicated employee to handle GDPR compliance, many choose to implement and use a GDPR system.
In this article, we dive into GDPR systems, including the what, why, and how. Our goal is to equip you to assess which platform (if any) is right for you and what to look out for when it comes to compliance software.
What is a GDPR system?
Let's start with a basic answer to the question in the title.
A GDPR system is a platform that helps you ensure compliance with the GDPR through templates, frameworks for ongoing compliance audits, infrastructure for security measures, etc.
In the same way that you use an accounting system to comply with the rules for ongoing bookkeeping and the Annual Accounts Act, a GDPR system acts as a centralised infrastructure for everything related to GDPR compliance.
Of course, which specific tasks you can fully or partially handle via the platform depends very much on the individual GDPR system. Some of the features and tasks worth highlighting include:
- Infrastructure: Building an internal structure and organisation for the work on Compliance & Privacy.
- Planning of activities: Mapping of activities throughout the year to be initiated or finalised.
- Record of processing activities: Ongoing documentation of the work processes in which you process personal data (also called processing activities).
- Consents: Review and random checks of collected consents in relation to validity.
- Data processors: Ongoing control and supervision of data processors and their compliance with data processing agreements.
- Transfers: Overview of and insight into the legal basis for processing in relation to transfers to third countries.
- IT security: Testing and control of internal procedures and log of security-related incidents.
- Awareness: Planning of awareness training for employees.
- Deadlines: Checking internal processes regarding deletion of personal data and compliance with deadlines.
- Risk assessment: Continuous review of risk assessments across the organisation.
Why should you consider investing in a GDPR system?
You need to comply with GDPR. There's not much to quibble about here. But how you ensure you're on the right side of the law is your decision.
A GDPR system can help you stay on top of your compliance activities, and in many cases, it will be a better solution than saving a few thousand dollars a month by using Excel - or doing nothing at all.
Let's take a closer look at the main benefits of implementing GDPR software in your organisation.
Everything in one place - independent of internal stakeholders
One of the things that often causes grey hairs when it comes to GDPR compliance is organisational and structural clutter that can lead to data loss. It could be a folder infrastructure that is impossible to understand or unclear procedures for where specific personal data should be stored.
This may be fine if there are one or two people who have the overview and can take responsibility for the way you do things today, but what if those stakeholders leave at some point or fall ill? Compliance never takes a holiday.
With a GDPR system, everything is in one place and there are clear guidelines for the use of the different functions. This provides a more structured approach to compliance work, which also minimises the risk of errors or vulnerability to organisational change.
Efficient workflows and processes
The vast majority of GDPR systems offer some degree of automation or templates to make your work easier. Out with manual processes that suck the life force out of most people, and which in themselves don't add any value, but just have to be done.
If you choose a solution that provides you with worksheets, templates, and other support tools, you will not only save time on the actual preparation of relevant documents. You may also be able to streamline other parts of your compliance processes by setting up automated workflows, including reminders and notifications for deletions, activities, and controls, for example.
Keeping up with technology and legal developments
Technology and law never stand still, which means that what was legal yesterday is not necessarily legal tomorrow. Especially when it comes to personal data and data security, things are moving fast, which requires you to keep yourself and your processes up to date.
With a GDPR system, you are not alone with this task. The platforms obviously have an interest in adapting to changes in relevant legislation, so that many of the changes affecting you and your business are either handled directly in your software solution or flagged so that you can act on them yourself.
Easy and quick to implement
Depending on whether you choose to buy or build your own solution (read our article on the subject here), you can get started relatively quickly with implementing the vast majority of platforms. So if you're working with a home-built setup today, you don't have to worry that you'll have to start from scratch and won't be up and running for another six months. For most systems, you can be up and running within a few days.
Support and counselling
You only realise the importance of good support and advice when you need it - a bit like insurance. If you have a large internal IT department in your company today, this point may be less important, although if nothing else, you can use your system supplier for sparring. If you work in a smaller company without major IT competencies, support and advice can be worth their weight in gold.
How to find the right GDPR system?
As you will find out in the following section, there are many options and platforms to choose from.
Some are well suited to specific industries and niches; others are more general and cover businesses across sectors.
Some focus on small and medium-sized businesses; others on large corporate and enterprise solutions.
And then there are platforms that work exclusively with a small branch of compliance, while others try to be as broad as possible.
Unfortunately, there is no formula for what the right choice is in your particular context. It depends on a lot of things that differ from organisation to organisation. Nevertheless, we have tried to summarise the factors that have the greatest influence on your choice of solution below:
- Buy or build: Do you prefer a solution that is quick and easy to implement and builds on best practice across many organisations, or would you like to own and manage the system yourself?
- Needs: What personal data do you process? The more sensitive the personal data you process, the stricter the requirements for the processing itself and thus your choice of system.
- Integrations: Do you have other systems or technologies that the system needs to be able to interact with? Do you need to develop an integration from scratch?
- Support: How great is your need for support and ongoing counselling in the use of the system?
- External access to the system (e.g. DPO or advisor): Should your external DPO or legal advisor be able to access the platform in order to quality assure all or parts of the set-up or assist with e.g. risk assessment or other tasks?
- Need for specialised functionality: Do you need special functionality in relation to the type of personal data you process or the way in which you collect/store/process them?
- Workflows and user management: Is everything related to GDPR managed by one person, or is it important to be able to delegate tasks to the departments and employees who in practice use the systems (data processors) and personal data, such as HR, Marketing, etc.?
- Time horizon: When should the system be implemented in the organisation?
- Documentation: What need do you have for reporting and documentation to internal or external stakeholders?
- References: How important are references from similar companies/industries?
- Budget: What is the value for your company of being able to demonstrate compliance, and what cost could a ban or fine impose on you? This amount, minus the cost of internal time, gives you an idea of how much you can invest.
Ask yourself the above questions - then you will be well prepared to go out into the market based on what is important for your particular decision and choice of supplier.
10 things to ask potential suppliers
So far, so good. You now have an idea of what the GDPR software market has to offer. You might even have made a small list of the options that are interesting and that you need to talk to. But what do you need to remember to ask to get a full overview of the pros and cons?
Here are our suggestions for the 10 most important questions to bring to the meeting with a potential supplier of your GDPR system:
- Where does the supplier store your data? If the company is located outside the EU, there must be a valid legal basis to transfer personal data to them.
- Does the provider have any external legal auditors to quality assure their solutions and keep the existing functionalities up to date with developments in relevant legislation? Be aware that the experience and competences of the legal auditors can vary greatly.
- Which parts of your compliance work can be fully or partially handled by the system today?
- What does the supplier's product roadmap look like? It is of course most important which functions you get today, but the product's historical development, its launches of new functionality, and its future plans should also weigh in your choice.
- What options do you have to bundle features in the system? Many people want to bundle everything in one system (GDPR, awareness, whistleblower functions, InfoSec, etc.), which can be tempting but can also create unnecessary complexity.
- How does their onboarding in the system work? Does the supplier help with migration from your current solution/system, or do you have to handle this part yourself?
- What kind of support is included in your licence? Is it exclusively help with the product, or is there the possibility of sparring regarding the setup more generally?
- Which integrations does the supplier offer as standard, and which ones have to be developed from scratch?
- How easy is it to create documentation and reports in the system so that you can document your compliance work?
- What opportunities do you have to try out the system before committing to it?
With the above questions in your backpack, you now have a basic foundation on which, together with the more specific questions for your organisation, you can base your decision.
At .legal, we help companies on a daily basis to clarify their needs regarding the choice of privacy platform, and can also help answer your questions. Book a demo here or send your questions by email.
If you want to try a platform on your own, you can test the .legal Privacy Platform free of charge and without obligation for 30 days.