Johan De Keulenaer is a software entrepreneur and investor who, along with a team of colleagues, developed “The GDPR Checklist”. It’s a basic list of questions that, based on your answers, provides additional resources to help you develop your GDPR compliance.
We asked Johan some questions about the checklist, who should use it, and how it can help. Here’s what he had to say.
What is “The GDPR Checklist” and how did you come up with the idea for it?
We initially got inspired by the CTO security checklist from our friends at Sqreen.io. When we started working on the GDPR compliance of our own companies, we saw the need for an easy-to-use checklist. It’s an easy way to get started with your plan to get compliant with GDPR.
We noticed a lot of legal and consulting firms were making a lot of noise around GDPR. It turns out most of that is FUD intended to sell services at higher prices. The reality is that the new laws are not that shocking and basically boil down to one principle: don't do anything with people's data that they would not expect you to do.
Most other resources don’t try to explain what each specific article in the new law would actually mean on the ground for your average SaaS company. We think the checklist fills a void there.
Which types of organizations should be using The GDPR Checklist?
All of us have a background in running SaaS companies, so the checklist is written with those types of startup companies in mind. In theory, it should also be applicable to any type of company, but your mileage may vary. For example, companies that do profiling, like insurers, will have to dig quite a bit deeper.
How would an organization use the “The GDPR Checklist”?
Get your team to go over the list, and then try to map out all the places your company stores personal data and why. If you are in doubt about some of the items, try reading the actual laws behind them (they are linked from within the list). They are, surprisingly, somewhat readable. If that does not bring clarity, it's time to look for professional advice.
What topics are addressed in the checklist?
The checklist goes into depth about the kinds of documentation you need to produce (boring), but we also provide some pointers about the social aspects: making sure everyone on your team is aware of the issues and tradeoffs around personal data processing in your company. Your tech team has a role to play in this aspect, too.
We also provide 2 free, open-source tools that come with the checklist. One is a handy, free-forever form that lets your data subjects claim their rights in a structured way (www.gdprform.io - full disclosure: we have just released a paid version of this tool for companies that expect higher volumes and need to automate this process with their existing systems).
The second is a directory list for SaaS vendors to report and track their GDPR compliance status: www.gdprtracker.io. GDPR Tracker also demonstrates which companies go above and beyond and have an active bug bounty program.
Once an organization completes the checklist, then what?
GDPR is a continuous process and doesn't stop on the 25th of May. We provide pointers on where to go next. You might have to look into laws for the specific countries you do business with. For example, Germany has some amendments to GDPR that go even further than the baseline law. Ideally, you would have a point person to follow up on this (a DPO) and have that person advise your management on these issues.
The GDPR Checklist is open to contributions on GitHub. What are you hoping others will do with it or contribute to it?
Contributions could include fixing omissions or adding clarifications for parts that might not have been clear to everyone. They could even include translations into other languages. We encourage everyone to make a new PR here: https://github.com/privacyradius/gdpr-checklist.