Cyrus Wadia

GDPR Project Management with Pivotal Tracker

Productivity Updates Community

GDPR compliance is a beast. 99 articles, 173 recitals, 160 pages of text, and countless service providers vying to help you make sense of it all. If you’re a startup with limited resources, where and how can you even begin to make sense of it all? Treat it like a software development project and organize it with Pivotal Tracker.

Pivotal Tracker

Pivotal Tracker is the agile project management tool of choice for developers around the world for real-time collaboration around a shared, prioritized backlog. As the attorney for Pivotal Labs and Pivotal Software from 2011-2018, I worked closely with the Tracker team as it went from an internal tool for our own client projects to one of the most widely-used software project management tools in the world. I watched how the product evolved to enable collaboration and agile software development in a sensible, powerful way.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the gold standard for privacy and data protection. Even though it is based in the European Union, it applies to organizations worldwide that target or collect data on EU citizens. It is made up of 99 articles setting out legal requirements companies must meet to demonstrate compliance, and 173 recitals that provide more detailed information and support regarding how to comply with GDPR. When beginning a project as massive as GDPR compliance it quickly becomes evident that a project management tool is one of the only ways to handle (and track - a GDPR requirement) compliance efforts without the help of outside vendors or bespoke tools.

Applying Tracker to GDPR Compliance

Although Tracker was designed for software development, it’s also a strangely good fit for both building a legal compliance program for broad privacy frameworks like GDPR and tracking towards completion. Everyone shares the same view of what’s going on, everyone knows where you are at any given point and time, you know what to focus on, and you can build faster towards delivery of the final goal - GDPR compliance.

To demonstrate this, I built a GDPR Compliance Tracker Project and made it publicly available here. I’m assuming for purposes of this exercise that an organization (1) has already made the determination that the GDPR applies to their organization (i.e., the organization processes personal data of EU citizens), and (2) will, as part of this process, perform a data audit that identifies things such as what data the organization has, where it has, where it goes, who has access, how long it’s retained for, and how it’s secured, etc.

Before getting into the details, a brief outline of some basic Tracker terminology:

  • Projects: the top level name of the Project.
  • Epics: large features or themes, at a level higher than individual stories.
  • Stories: usually describes a feature of an Epic, which you can both prioritize and decide on the level of effort it’ll take to finish. You can track when you start, finish, and “deliver” a story for review/final approval by the project owner. Finish enough stories and you’ll start to get an idea of Project Velocity (how fast you’re going and an estimate to completion).
  • Icebox: this is where you start storing features and ideas for the Project. Stories are prioritized by moving them from the icebox to the backlog.
  • Backlog: this is where the active stories are worked on and prioritized. The higher a story is in the backlog, the sooner they need to be started.
  • Labels: general categories that tie stories to an epic or multiple epics.

The first step in creating the GDPR compliance program in Tracker are “Epics”. Each of the Epics in my Project tie to a GDPR Article. Each of my Epics/Articles includes the text of the Article in the “Description” box and includes the Article number as a linked Label so that I can tie certain stories to multiple Articles/Epics. I’ve included all 99 Articles as Epics, even though some of them don’t directly tie to an organization’s compliance obligations, just for context.

Each Article (Epic) is then broken down into multiple tasks (Stories), i.e. specific requirements set out in each Article (Epic). The number of Stories is reflected in the length of the blue bars above (the longer the bar, the greater the number of Stories). The Stories can be given multiple Labels, so that you can track when a single Story affects compliance with many Articles (Epics). Each of those Stories starts in the Icebox, and can be moved into the backlog in whatever order or priority is important to the organization and appropriate for the number of resources the organization is throwing at the Project.

So, for example, GDPR Articles 3 (Territorial Scope) and 27 (Representatives of controllers or processors not established in the Union) provide that the GDPR applies to any organization that controls or processes data of EU citizens, regardless of whether the organization’s in the EU or not. So, I’ve included a single story for the organization to “Identify whether you are (1) controller or processor in EU, or (2) non-EU company that monitors, tracks or targets EU data subjects. That’s the baseline for whether an organization needs to comply with GDPR or not. The Story addresses compliance with two Articles (3, 27), so I’ve labeled both with Article 27 and Article 3. Finishing this story kills 2 birds (Articles 3, 27) with one stone.

The power of the tool really becomes evident quickly. Tracker:

  • Allows thorough organization of a project with hundreds of both major and minor tasks that have to be performed by multiple individuals in different functions.
  • Enables a detailed audit trail, probably even more than is contemplated or required by the Commission.
  • Allows cross-labeling of compliance issues, so multiple Stories can be completed at once instead with careful labeling.
  • The approval mechanism for Stories allows a project manager final review of every task required by GDPR.
  • After an organization has completed enough Stories, an organization can begin determining Project Trends (velocity and points accepted, stories accepted, story cycle time, rejection rate) and reporting those up to chain.
  • Some stories are never “done” in that they’re an ongoing obligation (e.g., carrying out Data Protection Impact Assessments), but with Tracker you can track which of those obligations remain and which are one-time-only tasks. It becomes a living, breathing record of what work has been done, and can adapt into a tool that can be used for ongoing compliance.

Obviously, there’s no one-size fits all approach to legal compliance. The GDPR Compliance Tracker is based on factors required for legal compliance (vs. how an organization can adapt its practices to achieve compliance). The GDPR Compliance Tracker also doesn’t include anything specific to industries or explain the laws/extent of obligations, all of which should be run by your privacy attorney.

Hope this is helpful - it’s an ongoing project and as with all Tracker projects, any comments are welcome. Please email to get in touch.