When you create new software it is added to the software repository, where it is available for linking to the processing activities of your entity.
Overview
The software repository should contain all software involved in any of your processing activities.
Adding software to the repository allows you to:
- easily link the software to processing activities
- ensure GDPR Article 30 compliance of processing activities linked to the software
- link persons, actions and documents to the software
- determine whether the software in question is appropriate for a given processing activity
- prepare for audits.
You can add software to the repository via the processing creation screens. However, it’s simpler and more efficient to build a more or less complete repository first.
To add software to the software repository, you can:
- add individual software programs
- bulk-import software repositories.
The Manage software permission is required to perform the actions described in this article.
Article 30 compliance
To add software to the repository, the only field required is the name. However, to be GDPR Article 30-compliant, each software linked to a processing activity MUST have at least 1 SECURITY MEASURE. If you are short on time, we recommend that you begin by completing the Security section. You can complete the other sections at a later time.
How to add individual software programs to the repository
There are five tabs to be completed when adding an individual software program:
- Identification
- Content
- Confidentiality
- Security
- Link
To add an individual software program to the repository:
1. In the sidebar, click Repositories > Software.
2. Click the Add software button.
3. In the New software dialog box, complete the fields.
| FIELD | EXPLANATION |
| --- | --- |
| Name (required) | Enter the name used by the entity to identify the software. It can be the commercial name (this is the only field required in order to add software). |
| Internal reference | Reference used by the entity to identify the software (used by search engine to find linked processing activities). |
| Type | Click Add Value and enter the type of software, e.g. CRM, SaaS, spreadsheet, etc. |
| Commercial name | Name used by the publisher. |
| Publisher | Name of the publisher (used by search engine to find linked processing activities). |
4. Click Save. The software is added to the repository. It appears in the list on the left. You can click the software at any time to complete more fields.
Once the software has been added to the repository, there is no Save button. The information entered is saved automatically (except for the items in the Link tab).
5. Click the Security tab to select the security measures that apply to the software.
For software linked to a processing activity, at least 1 security measure is required to achieve GDPR Article 30 compliance. That’s why we’re starting with this tab!
| FIELD | EXPLANATION |
| --- | --- |
| Add value | To add a security measure, click an Add value button and either select an item from the dropdown menu or type in your own security measure. You can add multiple security measures but only 1 is required for Article 30 compliance. |
| Possibility to check the application log | Does the software have logs that are accessible to administrators or other qualified users? Does not count toward Article 30 compliance! |
| Manage access rights | Does the software allow you to manage access rights? Does not count toward Article 30 compliance! |
| Comment | Add any additional comments. |
6. Click the Identification tab and complete the fields that haven’t already been completed.
| FIELD | EXPLANATION |
| --- | --- |
| Date of release | Date software was used for the first time in the entity. |
| Date of update | Date of most recent software update. |
| Integrator | Name of company that integrated, configured or set up the software in your company. |
| Version | Software version. |
| Host type | If the software is hosted by the entity, select the type of host from the dropdown menu or enter a different type of host. |
| Webhost | If the software is hosted by an external provider, enter the name of the company. |
| Contact | Name of person in charge of the software in the entity. |
| Country hosting the data | Country where data is hosted. |
| Comment | Allows you to provide additional information. |
7. Click the Content tab and complete the fields.
| FIELD | EXPLANATION |
| --- | --- |
| Identified sensitive data | Click Add value and select a sensitive data category from the dropdown menu, or enter your own category. You can select several categories. |
| Identified intermediate data | Click Add value and select an intermediate data category from the dropdown menu, or enter your own category. You can select several categories. |
| Delete | Does the software allow you to delete personal data? |
| Deletion methods | If you answered Yes to the question above, select the deletion method(s) from the dropdown menu. |
| Support for audit metadata | Does the software include an event log that allows tracing of actions performed with the software (user logon, operation validation, etc.)? If Yes, in the field below, specify the types of events logged. |
| Customisation flexibility (fields, control) | Can the software be customized by a non-computer expert (e.g. field names, running controls, etc.)? |
| Master data synchronisation | Is the software automatically updated with master data? Example: API to company.com |
| Integration or interoperability with a campaigning tool | Is the software connected or integrated in a marketing tool, mailing tool, etc.? Example: HubSpot with Sendinblue. |
| Does the software include text entry fields? | Are fields provided for text comments? |
| Did you plan an audit to ensure the data entered is compliant? | If you answered Yes to the question above, did you plan an external audit? If Yes, add the appropriate document(s). |
| Information regarding the text entry fields | You can provide additional information on the text entry fields. |
8. Click the Confidentiality tab and complete the fields.
| FIELD | EXPLANATION |
| --- | --- |
| Web page dedicated to the management of personal or third-party data | Does the software include an interface that allows users or administrators to edit personal data? |
| Transparency in data deletion | Does the software documentation clearly describe the data deletion feature: deletion delays, back-up retention times, anonymization, etc.? |
| Possibility to extract personal data | Can the software generate an extract of the personal data it processes? |
| Manage consent | Does the software have data subject consent management functionality? |
| Existence of a portal or customer space | Is there a portal or user space containing information specific to each user? |
9. Click the Link tab.
| ACTION | EXPLANATION |
| --- | --- |
| Add processing | If the software is involved in one or more processing activities: Remember: if software is linked to a processing activity, the software must have at least 1 security measure to achieve Article 30 compliance. Software can also be linked from within a processing activity. See Creating Article 30-compliant processing. |
| Add manager | To assign a manager to the software: |
| Add action | To create an action for the software: |
| Add document | Click this link to: |
10. Linked items are listed in the Link tab. You can unlink an item at any time by clicking the unlink icon.
11. Set the Compliance and Risk ratings. These ratings are based entirely on your own assessment of the software. They help to provide a global view of all your software on the Analytics page. Drag the sliders to the ratings of your choice. You can update the ratings if the situation changes.
| RATING | FACTORS FOR ASSESSING RATING |
| --- | --- |
| Compliance rating | Examples: |
| Risk rating | Examples: |
Bulk-importing
You can use bulk-importing to create a new software repository, or to update an existing repository.
How to create a software repository via bulk importing
This feature allows you to import information for multiple software programs.
Here’s the basic procedure: 1) Download the Excel import template from the GDPR software; 2) Enter your software programs in the template file; 3) Import the file to create your repository.
You can enter complete software information in the file, or import a partially completed file and complete the remaining information at a later time on the software.
For information on completing all the fields, see How to add individual software programs to the repository above.
ARTICLE 30 COMPLIANCE: If you link software to a processing activity, the software MUST have at least 1 security measure in order for the processing activity to be GDPR Article 30-compliant (see the Security tab above).
To create a software repository via bulk importing:
1. In the sidebar, click Repositories > Software.
2. Click the Import repository button. A window opens.
3. Click the import template link to download the Excel software import template.
4. Open the template, complete the information for all software and save the file.
If you enter multiple items in a column, separate them with a semicolon “;”
5. Click the Select file button and select the file.
6. Click the Check content button. The check results are displayed with the number of successfully imported lines (green) and lines with errors (red). Each error is explained.
The blue “Ignored” icon only concerns re-imports. See “How to update a software repository via bulk importing” below.
7. If there are errors, open the Excel file, correct the errors, and repeat steps 5 and 6. If errors still remain, correct them and repeat steps 5 and 6 again. You cannot import a file until all errors have been corrected.
8. Click the Import button. The file is imported and the import results are displayed.
To add processing activities, managers, actions or documents to a software program using the Link tab, see above.
How to update a software repository via bulk importing
To update a software repository that already exists in the GDPR software using bulk-importing, the basic process is 1) Download the existing repository from the GDPR software; 2) Make the changes to the Excel file; 3) Re-import the file.
The repository cannot be updated by modifying an existing software template and then importing it. You must download the repository from the GDPR software and modify the downloaded file.
To update a software repository via bulk importing:
1. In the sidebar, click Repositories > Software.
2. Click the “More” button and select Download.
3. Open the downloaded file, update it with your changes and save the file.
You may notice that downloaded files contain a new column called “Technical identifier”. This is used to match the software in the repository against any re-imported changes. Do not modify this column.
4. Click the Import repository button. A window opens.
5. Click the Select file button and select the updated file.
6. Click the Check content button.
7. If there are errors, open the Excel file, correct the errors, and repeat steps 5 and 6. If errors still remain, correct them and repeat steps 5 and 6 again. You cannot import a file until all errors have been corrected.
About ignored software
Once there are no more errors, a list of “ignored” software, i.e. software that was not re-imported, may be displayed. There are two possible reasons for this:
- The software was shared by your parent company (this concerns subsidiaries whose parent organization set up an entity tree with a Data Legal Drive administrator). This software cannot be modified by your entity, and any updates will be ignored. The list is provided for information only. No action is required.
- The technical identifier column of the software was modified. This column must not be edited.
8. Click the Import button. The file is imported and the import results are displayed.
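A local pre-check for the re-import procedure above, as an added example that is not part of the product or its documentation. It assumes the downloaded and edited workbooks were both saved as CSV and that the columns are headed `Name`, `Security measures` and `Technical identifier`; only the last header is named on this page, the other two and all sample rows are constructed.

```python
import csv
import io

# Assumed column headers; only "Technical identifier" is named on the page.
ID_COL, NAME_COL, SEC_COL = "Technical identifier", "Name", "Security measures"

def load(csv_text):
    """Parse CSV text into row dicts with surrounding whitespace trimmed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [{k: (v or "").strip() for k, v in r.items() if k is not None}
            for r in rows]

def split_multi(cell):
    """Multiple items in one column are separated with a semicolon."""
    return [item.strip() for item in cell.split(";") if item.strip()]

def precheck(downloaded_csv, edited_csv):
    """Return (problem, software name) pairs to fix before re-importing."""
    original = {r.get(ID_COL, ""): r for r in load(downloaded_csv)}
    findings, seen = [], set()
    for row in load(edited_csv):
        tid, name = row.get(ID_COL, ""), row.get(NAME_COL, "")
        if tid not in original:
            # An edited identifier no longer matches the repository entry.
            findings.append(("identifier not in download", name))
        elif tid in seen:
            findings.append(("identifier duplicated", name))
        seen.add(tid)
        if not name:
            findings.append(("name missing", tid))
        # Needed for Article 30 compliance once linked to a processing activity.
        if not split_multi(row.get(SEC_COL, "")):
            findings.append(("no security measure", name))
    for tid, row in original.items():
        if tid not in seen:
            findings.append(("downloaded row missing", row.get(NAME_COL, "")))
    return findings

# Constructed sample data: one identifier mistyped, one software with no measure.
DOWNLOADED = ("Name,Security measures,Technical identifier\n"
              "CRM Suite,Encryption at rest;Access control,sw-001\n"
              "Payroll,Access control,sw-002\n"
              "Mailing tool,,sw-003\n")
EDITED = ("Name,Security measures,Technical identifier\n"
          "CRM Suite,Encryption at rest; Access control ;,sw-001\n"
          "Payroll,Access control,sw-0O2\n"
          "Mailing tool, ; ,sw-003\n")

if __name__ == "__main__":
    for problem, name in precheck(DOWNLOADED, EDITED):
        print(f"{problem}: {name}")
```

This check complements the Check content step in the import window; it does not replace it.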