GDPR compliance is a beast. 99 articles, 173 recitals, 160 pages of text, and countless service providers vying to help you make sense of it all. If you’re a startup with limited resources, where and how can you even begin to make sense of it all? Treat it like a software development project and organize it with Pivotal Tracker.
Pivotal Tracker is the agile project management tool of choice for developers around the world for real-time collaboration around a shared, prioritized backlog. As the attorney for Pivotal Labs and Pivotal Software from 2011-2018, I worked closely with the Tracker team as it went from an internal tool for our own client projects to one of the most widely-used software project management tools in the world. I watched how the product evolved to enable collaboration and agile software development in a sensible, powerful way.
The General Data Protection Regulation (GDPR) is the gold standard for privacy and data protection. Even though it is based in the European Union, it applies to organizations worldwide that target or collect data on EU citizens. It is made up of 99 articles setting out the legal requirements companies must meet to demonstrate compliance, and 173 recitals that provide more detailed information and support regarding how to comply with GDPR. When beginning a project as massive as GDPR compliance, it quickly becomes evident that a project management tool is one of the only ways to handle (and track - itself a GDPR requirement) compliance efforts without the help of outside vendors or bespoke tools.
Although Tracker was designed for software development, it’s also a strangely good fit for both building a legal compliance program for broad privacy frameworks like GDPR and tracking it through to completion. Everyone shares the same view of what’s going on, everyone knows where you are at any given point in time, you know what to focus on, and you can build faster towards delivery of the final goal - GDPR compliance.
To demonstrate this, I built a GDPR Compliance Tracker Project and made it publicly available here. I’m assuming for purposes of this exercise that an organization (1) has already made the determination that the GDPR applies to it (i.e., the organization processes personal data of EU citizens), and (2) will, as part of this process, perform a data audit that identifies what data the organization has, where it is held, where it goes, who has access to it, how long it’s retained for, how it’s secured, and so on.
Before getting into the details, a brief outline of some basic Tracker terminology:
The first step in creating the GDPR compliance program in Tracker is “Epics”. Each of the Epics in my Project ties to a GDPR Article. Each of my Epics/Articles includes the text of the Article in the “Description” box and includes the Article number as a linked Label so that I can tie certain Stories to multiple Articles/Epics. I’ve included all 99 Articles as Epics, just for context, even though some of them don’t directly tie to an organization’s compliance obligations.
Each Article (Epic) is then broken down into multiple tasks (Stories), i.e. the specific requirements set out in each Article (Epic). The number of Stories is reflected in the length of the blue bars above (the longer the bar, the greater the number of Stories). A Story can be given multiple Labels, so that you can track when a single Story affects compliance with many Articles (Epics). Each of those Stories starts in the Icebox, and can be moved into the Backlog in whatever order or priority is important to the organization and appropriate for the resources the organization is devoting to the Project.
So, for example, GDPR Articles 3 (Territorial Scope) and 27 (Representatives of controllers or processors not established in the Union) provide that the GDPR applies to any organization that controls or processes data of EU citizens, regardless of whether the organization is in the EU or not. So, I’ve included a single Story for the organization to “Identify whether you are (1) a controller or processor in the EU, or (2) a non-EU company that monitors, tracks or targets EU data subjects.” That’s the baseline for whether an organization needs to comply with GDPR or not. The Story addresses compliance with two Articles (3, 27), so I’ve labeled it with both Article 3 and Article 27. Finishing this Story kills two birds (Articles 3, 27) with one stone.
The power of the tool really becomes evident quickly. Tracker:
Obviously, there’s no one-size-fits-all approach to legal compliance. The GDPR Compliance Tracker is based on the factors required for legal compliance (as opposed to how an organization can adapt its practices to achieve compliance). The GDPR Compliance Tracker also doesn’t include anything specific to particular industries or explain the laws or the extent of your obligations, all of which should be run by your privacy attorney.
Hope this is helpful - it’s an ongoing project and, as with all Tracker projects, any comments are welcome. Please email firstname.lastname@example.org to get in touch.