https://gdprtracker.io

Announcing GDPR Tracker — Track the compliance of your SaaS vendors

Gertjan De Wilde
Privacy Radius

--

Over the past months we launched gdprchecklist.io (the name says what it does) and gdprform.io (Product Hunt 😸 calls it “Google Forms — but for GDPR”: an easy-to-configure form for managing and simplifying data subject access requests). Today we’re proud to announce a new community project called GDPR Tracker, a crowdsourced directory that helps companies, and all of us, track the GDPR readiness, compliance efforts and data handling practices of the cloud services they use.

GDPR is not a one-time thing. The regulation was adopted in April 2016 and entered into force in May 2016, with a two-year transition period to let governments, institutions and companies become compliant; it applies from 25 May 2018. The reality is that many companies are still in the early phase of reaching compliance, or even of learning about GDPR. We believe that SaaS companies should lead by example by transparently sharing their readiness and compliance status and by demonstrating best practices.

Staying GDPR compliant will be a moving target 🎯

The homepage shows all currently tracked cloud services. Make sure to add yours!

So why did we build all these GDPR tools?

Implementing GDPR as an EU-based SaaS company has been an interesting journey for us. Inside one of our ventures called Apideck, we’re bullish on data portability and promote an open and integrated SaaS ecosystem.

Soon after starting our own compliance process we found we needed clear, understandable tools, both to work through all the relevant GDPR articles and to decide how we would handle the “right of access by the data subject” (Article 15) and the “right to erasure”, better known as the “right to be forgotten” (Article 17).

Hence we built the GDPR Checklist and GDPR Form, as we believe these tools help other companies overcome the struggle of GDPR compliance.

Due to the unbundling of SaaS, many more data processors are part of a company’s technology stack. As a truly cloud-native company, we use over 100 cloud services; by our estimate, the average European company uses 50 or more cloud apps.

In a GDPR era, this poses an extra layer of complexity.

One of the challenges of staying compliant is keeping track of your (sub)processors.

Role of data processors, controllers & sub-processors

Controller: The entity that determines the purposes and means of the processing of personal data (GDPR Article 4(7)). Outsourcing the processing does not outsource this responsibility.

Processor: The entity that processes personal data on behalf of the controller (Article 4(8)). “Processing” is broad: collecting, recording, organising, storing, adapting, retrieving, using, disclosing or erasing personal data all count (Article 4(2)).

Sub-processor: A processor engaged by another processor, typically the cloud service’s infrastructure partners or subsidiaries. Under Article 28(2) a processor may only engage a sub-processor with the controller’s prior written authorisation, and the same data-protection obligations must flow down to the sub-processor by contract (Article 28(4)).

(Illustration source: https://blog.questionmark.com/tag/data-controller)

Real-time data breach tracking

The visual above shows that a data breach at an infrastructure provider cascades to every processor and controller running on top of it: if a sub-processor is breached, so is the personal data of every service that routes data through it. This redefines supplier risk, raises the importance of audits, and calls for real-time monitoring of cloud and SaaS providers.

Community-driven (powered by Github)

One of the challenges we identified was the intense and laborious process of contacting every SaaS vendor holding our personally identifiable information (PII) to verify how they would handle GDPR. That is when we decided to open-source our research so that other vendors could benefit from it. Most of the data was found by researching vendors’ security pages, GDPR statements, DPAs, sub-processor lists and privacy policies. In recent weeks we received contributions from big SaaS vendors like Intercom, Sendgrid & Github.

We experimented with Github to power our governance model and to manage the crowdsourcing of privacy, data-protection and security data about cloud services in one repository. Every change to the dataset is a commit, so the repository history doubles as a full audit log that helps maintain data integrity (provided the main branch is protected, so that history cannot be rewritten or force-pushed). We believe that keeping the conversations public pushes for more transparency around compliance discussions.

Open-call

So this post is not only to tell the world that we’ve launched GDPR Tracker and why it’s relevant to you, but also a friendly shout-out to all the cloud services out there: use Github or the Google Form to add your service to the tracker.

Supported data points

Service, GDPR compliance, DPA, bug bounty programs, infrastructure partners, datacenter locations, sub-processors, certifications, data transfers, privacy policy, data subject access requests (DSARs) & contacts (DPO / privacy officer).
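As an added example (not code from GDPR Tracker or Privacy Radius), the script below models a tracker dataset using the data points listed above and computes which tracked services a breach at one provider cascades to through the sub-processor chain, the effect described under “Real-time data breach tracking”. The record layout, field names and all four services are assumptions and constructed sample data; the real repository’s format is not shown on this page.

```python
"""Transitive sub-processor exposure over a crowdsourced tracker dataset.

Added example, not GDPR Tracker's own code. The record layout is an
assumption modelled on the data points listed in the post (the real
repository schema is not shown there), and every service below is
constructed sample data, not a statement about any real vendor.
"""
from collections import deque

# Constructed sample dataset: one record per tracked cloud service.
# Field names follow the post's "supported data points"; values are made up.
SERVICES = {
    "chat-app": {
        "gdpr_compliance": "in progress",
        "dpa": False,
        "datacenter_locations": ["eu-west"],
        "sub_processors": ["cloud-iaas", "mail-api"],
        "dpo_contact": "privacy@chat-app.example",
    },
    "mail-api": {
        "gdpr_compliance": "compliant",
        "dpa": True,
        "datacenter_locations": ["us-east"],
        "sub_processors": ["cloud-iaas"],
        "dpo_contact": "dpo@mail-api.example",
    },
    "cloud-iaas": {
        "gdpr_compliance": "compliant",
        "dpa": True,
        "datacenter_locations": ["eu-west", "us-east"],
        "sub_processors": [],
        "dpo_contact": "privacy@cloud-iaas.example",
    },
    "crm": {
        "gdpr_compliance": "unknown",
        "dpa": False,
        "datacenter_locations": ["us-east"],
        "sub_processors": ["analytics-saas"],  # not tracked: a blind spot
        "dpo_contact": None,
    },
}

REQUIRED_FIELDS = ("gdpr_compliance", "dpa", "datacenter_locations", "sub_processors")


def validate(services):
    """Problems a maintainer would bounce a contribution for.

    Missing required fields are flagged, and so is any sub-processor that is
    not itself a tracked service: an untracked sub-processor is a hole in the
    supply-chain graph, so the blast radius below would under-report.
    """
    problems = []
    for name, rec in services.items():
        for field in REQUIRED_FIELDS:
            if field not in rec:
                problems.append(f"{name}: missing field {field!r}")
        for sub in rec.get("sub_processors", []):
            if sub not in services:
                problems.append(f"{name}: sub-processor {sub!r} is not tracked")
    return problems


def dependents(services):
    """Invert the sub-processor edges: provider -> set of services built on it."""
    rev = {name: set() for name in services}
    for name, rec in services.items():
        for sub in rec.get("sub_processors", []):
            rev.setdefault(sub, set()).add(name)
    return rev


def breach_blast_radius(services, breached):
    """All tracked services that transitively run on the breached provider.

    Breadth-first walk up the inverted graph. The breached provider itself is
    excluded from the result, and each node is visited once, so a cycle
    (two vendors that are each other's sub-processor) terminates.
    """
    rev = dependents(services)
    seen, queue = {breached}, deque([breached])
    while queue:
        for svc in rev.get(queue.popleft(), ()):
            if svc not in seen:
                seen.add(svc)
                queue.append(svc)
    return sorted(seen - {breached})


def affected_without_dpa(services, breached):
    """Affected services with no DPA on record: the first ones to chase."""
    return [s for s in breach_blast_radius(services, breached)
            if not services[s].get("dpa")]


if __name__ == "__main__":
    print("validation:", validate(SERVICES))
    print("cloud-iaas breach hits:", breach_blast_radius(SERVICES, "cloud-iaas"))
    print("no DPA among those:", affected_without_dpa(SERVICES, "cloud-iaas"))
```

Run against the sample data, a breach at the infrastructure provider reaches both the mail API and the chat app that sits on top of it, even though the chat app never listed that provider as a direct dependency of its own. The validator’s complaint about the untracked analytics vendor is the same reason the post asks every cloud service to add itself: any sub-processor missing from the dataset silently shrinks the computed blast radius.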

Roadmap

  • Tracking (sub)processors
  • Public API
  • Data breach alerts + real-time threat analysis
  • Explore blockchain as an alternative for Github
  • More security monitoring in partnership with sqreen.io
  • Consumer SaaS support — Browser extensions
  • Market data visualization

Tech stack

Some great Thai food and an occasional Magma beer.

What’s next?

Due to the success of the GDPR Form & Checklist we recently decided to incorporate our GDPR projects under a new company called Privacy Radius.

We’re looking for like-minded people interested in building data and privacy solutions to join our team.

Stay tuned and we’re looking forward to your feedback & contributions.
