Software repository

When you create new software it is added to the software repository, where it is available for linking to the processing activities of your entity.


Overview

The software repository should contain all software involved in any of your processing activities.

Adding software to the repository allows you to:

  • easily link the software to processing activities

  • ensure GDPR Article 30 compliance of processing activities linked to the software

  • link persons, actions and documents to the software

  • determine whether the software in question is appropriate for a given processing activity

  • prepare for audits.

You can add software to the repository via the processing creation screens. However, it’s simpler and more efficient to build a more or less complete repository first.

To add software to the software repository, you can:

  • add individual software programs

  • bulk-import software repositories.

The Manage software permission is required to perform the actions described in this article.

Article 30 compliance

To add software to the repository, the only required field is the name. However, to be GDPR Article 30-compliant, each software program linked to a processing activity MUST have at least 1 SECURITY MEASURE. If you are short on time, we recommend that you begin by completing the Security section. You can complete the other sections at a later time.

How to add individual software programs to the repository

There are five tabs to be completed when adding an individual software program:

  • Identification

  • Content

  • Confidentiality

  • Security

  • Link

To add an individual software program to the repository:

  1. In the sidebar, click Repositories Software.

2. Click the Add software button.

3. In the New software dialog box, complete the fields.

FIELD | EXPLANATION
Name (required) | Enter the name used by the entity to identify the software. It can be the commercial name (this is the only field required in order to add software).
Internal reference | Reference used by the entity to identify the software (used by the search engine to find linked processing activities).
Type | Click Add Value and enter the type of software, e.g. CRM, SaaS, spreadsheet, etc.
Commercial name | Name used by the publisher.
Publisher | Name of the publisher (used by the search engine to find linked processing activities).

4. Click Save. The software is added to the repository. It appears in the list on the left. You can click the software at any time to complete more fields.

Once the software has been added to the repository, there is no Save button. The information entered is saved automatically (except for the items in the Link tab).

 

5. Click the Security tab to select the security measures that apply to the software.

For software linked to a processing activity, at least 1 security measure is required to achieve GDPR Article 30 compliance. That’s why we’re starting with this tab!

FIELD | EXPLANATION
Add value | To add a security measure, click an Add value button and either select an item from the dropdown menu or type in your own security measure. You can add multiple security measures but only 1 is required for Article 30 compliance.
Possibility to check the application log | Does the software have logs that are accessible to administrators or other qualified users? Does not count toward Article 30 compliance!
Manage access rights | Does the software allow you to manage access rights? Does not count toward Article 30 compliance!
Comment | Add any additional comments.

6. Click the Identification tab and complete the fields that haven’t already been completed.

FIELD | EXPLANATION
Date of release | Date software was used for the first time in the entity.
Date of update | Date of most recent software update.
Integrator | Name of company that integrated, configured or set up the software in your company.
Version | Software version.
Host type | If the software is hosted by the entity, select the type of host from the dropdown menu or enter a different type of host.
Webhost | If the software is hosted by an external provider, enter the name of the company.
Contact | Name of person in charge of the software in the entity.
Country hosting the data | Country where data is hosted.
Comment | Allows you to provide additional information.

7. Click the Content tab and complete the fields.

FIELD | EXPLANATION
Identified sensitive data | Click Add value and select a sensitive data category from the dropdown menu, or enter your own category. You can select several categories.
Identified intermediate data | Click Add value and select an intermediate data category from the dropdown menu, or enter your own category. You can select several categories.
Delete | Does the software allow you to delete personal data?
Deletion methods | If you answered Yes to the question above, select the deletion method(s) from the dropdown menu.
Support for audit metadata | Does the software include an event log that allows tracing of actions performed with the software (user logon, operation validation, etc.)? If Yes, in the field below, specify the types of events logged.
Customisation flexibility (fields, control) | Can the software be customized by a non-computer expert (e.g. field names, running controls, etc.)?
Master data synchronisation | Is the software automatically updated with master data? Example: API to company.com
Integration or interoperability with a campaigning tool | Is the software connected or integrated in a marketing tool, mailing tool, etc.? Example: HubSpot with Sendinblue.
Does the software include text entry fields? | Are fields provided for text comments?
Did you plan an audit to ensure the data entered is compliant? | If you answered Yes to the question above, did you plan an external audit? If Yes, add the appropriate document(s).
Information regarding the text entry fields | You can provide additional information on the text entry fields.

8. Click the Confidentiality tab and complete the fields.

FIELD | EXPLANATION
Web page dedicated to the management of personal or third-party data | Does the software include an interface that allows users or administrators to edit personal data?
Transparency in data deletion | Does the software documentation clearly describe the data deletion feature: deletion delays, back-up retention times, anonymization, etc.?
Possibility to extract personal data | Can the software generate an extract of the personal data it processes?
Manage consent | Does the software have data subject consent management functionality?
Existence of a portal or customer space | Is there a portal or user space containing information specific to each user?

9. Click the Link tab.

ACTION

EXPLANATION

Add processing

If the software is involved in one or more processing activities:

  1. Click Add processing.

  2. Click Filter by area if you wish to filter processing activities by area.

  3. Click the Assign processing field and select a processing activity from the dropdown menu. You can select multiple processing activities. When you have finished, click outside the menu to close it.

  4. Click Attach.

Remember: if software is linked to a processing activity, the software must have at least 1 security measure to achieve Article 30 compliance.

Software can also be linked from within a processing activity. See Creating Article 30-compliant processing.

Add manager

To assign a manager to the software:

  1. Click Add manager.

  2. Click the Attach manager field and select a manager from the dropdown menu. You can select multiple managers. When you have finished, click outside the menu to close it.

  3. Click Confirm.

Add action

To create an action for the software:

  1. Click Add action.

  2. Complete the Add action dialog box.

  3. Click Save.

Add document

Click this link to:

  • link a document already in the document database to the software

  • add a new document (in this case it is added to the document database)

  • add an external link.

 

10. Linked items are listed in the Link tab. You can unlink an item at any time by clicking the unlink icon.

11. Set the Compliance and Risk ratings. These ratings are based entirely on your own assessment of the software. They help to provide a global view of all your software on the Analytics page. Drag the sliders to the ratings of your choice. You can update the ratings if the situation changes.

RATING

FACTORS FOR ASSESSING RATING

Compliance rating

Examples:

  • Is the software license up to date?

  • Are data transfers outside the EU covered by contracts?

Risk rating

Examples:

  • What is the sensitivity level of the data processed?

  • What is the software security level?

  • Is personal data sent to the USA?

  • Is personal data hosted in the USA?

Bulk-importing

You can use bulk-importing to create a new software repository, or to update an existing repository.

How to create a software repository via bulk importing

This feature allows you to import information for multiple software programs.

Here’s the basic procedure: 1) Download the Excel import template from the GDPR software; 2) Enter your software programs in the template file; 3) Import the file to create your repository.

You can enter complete software information in the file, or import a partially completed file and complete the remaining information later in the GDPR software.

For information on completing all the fields, see How to add individual software programs to the repository above.

 

ARTICLE 30 COMPLIANCE: If you link software to a processing activity, the software MUST have at least 1 security measure in order for the processing activity to be GDPR Article 30-compliant (see the Security tab above).

 

To create a software repository via bulk importing:

  1. In the sidebar, click Repositories Software.

2. Click the Import repository button. A window opens.

3. Click the import template link to download the Excel software import template.

4. Open the template, complete the information for all software and save the file.

If you enter multiple items in a column, separate them with a semicolon “;”

5. Click the Select file button and select the file.

6. Click the Check content button. The check results are displayed with the number of successfully imported lines (green) and lines with errors (red). Each error is explained.

The blue “Ignored” icon only concerns re-imports. See “How to update a software repository via bulk importing” below.

 

7. If there are errors, open the Excel file, correct the errors, and repeat steps 5 and 6. If errors still remain, correct them and repeat steps 5 and 6 again. You cannot import a file until all errors have been corrected.

8. Click the Import button. The file is imported and the import results are displayed.

To add processing activities, managers, actions or documents to a software program using the Link tab, see above.

How to update a software repository via bulk importing

To update a software repository that already exists in the GDPR software using bulk-importing, the basic process is 1) Download the existing repository from the GDPR software; 2) Make the changes to the Excel file; 3) Re-import the file.

The repository cannot be updated by modifying an existing software template and then importing it. You must download the repository from the GDPR software and modify the downloaded file.

 

To update a software repository via bulk importing:

  1. In the sidebar, click Repositories Software.

  2. Click the “More” button and select Download.

3. Open the downloaded file, update it with your changes and save the file.

You may notice that downloaded files contain a new column called “Technical identifier”. This is used to match the software in the repository against any re-imported changes. Do not modify this column.

 

4. Click the Import repository button. A window opens.

5. Click the Select file button and select the updated file.

6. Click the Check content button.

7. If there are errors, open the Excel file, correct the errors, and repeat steps 5 and 6. If errors still remain, correct them and repeat steps 5 and 6 again. You cannot import a file until all errors have been corrected.

 

About ignored software

Once there are no more errors, a list of “ignored” software, i.e. software that was not re-imported, may be displayed. There are two possible reasons for this:

  1. The software was shared by your parent company (this concerns subsidiaries whose parent organization set up an entity tree with a Data Legal Drive administrator). This software cannot be modified by your entity, and any updates will be ignored. The list is provided for information only. No action is required.

  2. The technical identifier column of the software was modified. This column must not be edited.

 

8. Click the Import button. The file is imported and the import results are displayed.
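A pre-import check for the re-import rules described above, as an added example that is not part of the original article or of the vendor's software. It assumes the downloaded and edited files were each saved as CSV, and every column header except "Technical identifier" is a hypothetical name chosen for illustration.

```python
import csv
import io

ID_COL = "Technical identifier"        # column name given in the article
NAME_COL = "Name"                      # assumed header
MEASURES_COL = "Security measures"     # assumed header
PROCESSING_COL = "Linked processing"   # assumed header

# Constructed sample data: the downloaded repository and an edited copy.
DOWNLOADED = """Technical identifier,Name,Security measures,Linked processing
sw-001,CRM,Encryption;Access control,Customer management
sw-002,Payroll,,Payroll processing
sw-003,Wiki,,
"""
EDITED = """Technical identifier,Name,Security measures,Linked processing
sw-001,CRM (renamed),Encryption;Access control,Customer management
sw-002,Payroll,,Payroll processing
sw-03,Wiki,Backups,
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def split_multi(cell):
    """Split a cell holding several items separated by ';'."""
    return [item.strip() for item in (cell or "").split(";") if item.strip()]

def check_reimport(downloaded, edited):
    """Return (line number, problem) pairs for the edited file."""
    known_ids = {row[ID_COL].strip() for row in downloaded}
    seen, findings = set(), []
    for line_no, row in enumerate(edited, start=2):  # line 1 is the header
        tech_id = (row.get(ID_COL) or "").strip()
        if tech_id:  # rows without an identifier are not checked here
            if tech_id not in known_ids:
                findings.append((line_no, "technical identifier modified"))
            elif tech_id in seen:
                findings.append((line_no, "technical identifier duplicated"))
            seen.add(tech_id)
        if not (row.get(NAME_COL) or "").strip():
            findings.append((line_no, "name missing"))
        linked = split_multi(row.get(PROCESSING_COL))
        if linked and not split_multi(row.get(MEASURES_COL)):
            findings.append((line_no, "linked to processing, no security measure"))
    return findings

if __name__ == "__main__":
    for line_no, problem in check_reimport(load(DOWNLOADED), load(EDITED)):
        print(f"line {line_no}: {problem}")
```

Running the check before clicking Check content catches an edited technical identifier, which would otherwise surface only as "ignored" software after the error pass.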