GDPR Compliance Tools

A critical review of GDPR compliance tools.

Let us review the features that are necessary for GDPR compliance of a small company. The GDPR compliance needs of a small company are not that big.

Overview of the compliance areas and how each is handled:

  • PrivacyDocs: records of processes, assessments, breach investigations, risk management; compliance evidence.
  • Cookies: small and standard feature.
  • Website Policy: policies from templates.
  • Internal and Client Policies: policies from templates.
  • Requests by Individuals: email exchange.
  • DPA for vendors (you act as ‘controller’): stored elsewhere, linked from PrivacyDocs.
  • DPA for clients (you act as ‘processor’): stored elsewhere, linked from PrivacyDocs.

Let us review them.

Website Cookies

The ubiquitous cookie dialogs are a feature of many GDPR tools. Paying for such a tool is often not necessary. The cookie dialogs are easy to implement (they need just a few lines of JavaScript code) and they have already become a standard feature of website creation and management tools.

Website Privacy Policy

The website privacy policy is important for compliance; it is visible to and may be reviewed by your website visitors, clients, and authorities. These policies are very similar to each other because websites often involve similar personal data processing. You can get a template website policy and adapt it. There are plenty of templates available on the web.

The lists of vendors may be lengthy and change over time. It often makes sense to generate (part of) the policy from your privacy records, and that is supported by PrivacyDocs.

Read here how PrivacyDocs supports generating your policies and keeping them in sync with the rest of your documentation.

Internal and Client Policies

Internal privacy policies that you create for your employees and for your clients are less visible than the website policies but no less important. They instruct your employees on how to handle the data and how long to keep it, set their responsibility for mishandling, and cover other aspects. Small companies often need to disclose these policies to their large clients to support the GDPR compliance of those clients.

The policies are compliant with the GDPR only if they are understandable to the individuals concerned, you included. It often makes sense to get a template and adjust it yourself. That is more compliant than getting a complex legal text that would be rendered non-compliant by its very complexity. There are plenty of templates and GDPR policy generation tools available on the web.

Parts of these policies are best generated from PrivacyDocs to keep them in sync with the rest of your privacy documentation.

Data Subject Requests

Many GDPR tools feature workflows and ticketing systems for handling Data Subject Access Requests (DSARs). That is often needed in large companies if they do not have their own workflow engines to which they can simply add DSARs as yet another workflow. Small companies usually do not need that.

In small companies, the requests are usually received by email and are first reviewed by a legal or privacy specialist. They are then either denied or forwarded to the appropriate colleagues to fulfill. This manual processing, common in small companies, makes an investment in automation not worth it.

The history of the email exchange regarding the requests is usually sufficient to demonstrate compliance, and additional systems are not needed. Many small companies have not received their first request yet, or receive no more than a few per year.

Data Processing Agreements for Clients

When a company is acting as a processor working on behalf of its clients, it needs to have a Data Processing Agreement (DPA) in place. These DPAs form part of the legal contract and are usually stored in the cloud on Microsoft 365 or Google Workspace, together with other documents. They are linked to from the corresponding records of processing activities maintained in PrivacyDocs. Investing in a separate storage system for these contracts is not necessary.

Data Processing Agreements for Vendors

Companies that have vendors are acting as controllers (or joint controllers) and also need to have a Data Processing Agreement (DPA) in place. As above, these DPAs are stored elsewhere and linked to from the corresponding records of processing activities maintained in PrivacyDocs. Investing in a separate storage system for these contracts is not necessary.

PrivacyDocs: What Really Needs To Be Managed

PrivacyDocs is a toolkit focused on the GDPR compliance data that companies really need to manage. These are the records of processing activities and various assessments, together with supporting data.

Summary: What To Pay For

Small and medium businesses (SMEs) may wish to pay for:

  • Templates for records of processing activities, assessments (data protection impact assessments, legitimate interest assessments, transfer impact assessments), breach register, and breach assessments.
  • Templates for risk management.
  • Automatic checks of the entered records and assessments.
  • Generation of reports to automatically create the dynamic parts of privacy policies.
  • Sharing records with colleagues and external consultants.
  • Historical reports.

Yes, we made PrivacyDocs with the features that we believe are worth paying for.

Summary: What Not To Pay For

Small businesses should be cautious when paying for:

  • Storage for contracts and documents (better to use cloud office tools such as Microsoft 365 and Google Workspace).
  • Workflow engines or ticketing systems. Email exchange is often sufficient for small companies.
  • Support for 60/80/100 languages. Most small companies use one or two.

These features are not supported by PrivacyDocs.