[mehdim]

We are building one such service and I agree (to name a few services doing GDPRaaS : soveren.io, ethyca.com, securiti.ai, datagrail.com, alias.dev) .this is so much needed as there is almost no legally valid answer on the whole comment section! I started to write an article on all the points above… should get back in 2 hours and post it here

[mehdim]

In bullet points : - GDPR is a risk management policy about personal data protection more than a privacy regulation

- for any personal data (PII) all companies must declare the following :

  - purpose of the collection and the treatment of the specific data

  — legal base of the treatment (6 available, they are the field card in Magic the gathering, they define a context of what is possible to do)

  - data category (what type of data you are collecting i.e if you declare collecting delivery shipping information for a purpose, you limit yourself to data that correspond to that category )

  - data retention duration (how long you declare storing the data in production and then in archive)

  - list of recipients (all the 3rd party companies who will access the data)

  - security measures (what is the level of security for keeping that data safe from breaches)

  - some infos about the company, the data controller (who is responsible) etc…

So all companies must do a internal data mapping to know and declare where is the data and where it flows in production and write for every PII a ROPA (record of processing activity) You can find an open source specification UROPA here)

https://github.com/uropa-project/uropa

- consent is just one of the 6 legal bases to collect and treat data. The comment above that everything is possible with consent is wrong.

- below 250 employees you don’t need officially a DPO