The technology behind an online service created to help citizens facing lawsuits in Utah has now been adapted to power EU General Data Protection Regulation–compliance initiatives. The developers behind GDPR IQ say they use automation to generate all the compliance documents organizations will need to adhere to the impending rules.

In a phone interview with Privacy Tech, Parsons Behle Lab President Kimball D. Parker said development started after his team saw the software used for SoloSuit, the tool that helps those Utah citizens who are being sued for debt. He said it could be altered to handle generating GDPR-compliance documents in a faster, more cost-effective manner.

As director of LawX, the legal design lab at BYU Law School that created SoloSuit, Parker found the software could help solve a problem his practice — Parsons Behle & Latimer — was seeing with the rules coming out of Europe. Generating GDPR documents can take months, and Parker’s practice was concerned many of its clients would not be able to create them before the May deadline.

While it was a slight challenge to adapt the software to handle the more complicated GDPR-compliance documents, Parker and his team finished within two months. Professionals created the legal documents and templates, and a European Union law firm in Scotland specializing in the GDPR offered its feedback to ensure GDPR IQ was on the right track.

When clients begin using GDPR IQ, they will first see a screen asking if the GDPR will be applicable to their organization. The screen has five prompts, and if a user clicks any of these choices, they will be advised to continue.

From there, they will be taken to the GDPR IQ dashboard. Users will see all the required documents they need to comply with the GDPR, such as policies and procedures, notice and consent forms, and records of processing for both internal and external activities. There is also a list of situational documents, such as data protection impact assessments and request records for erasure and blocking.

Users start with GDPR procedures, where they are asked to provide the name of the organization and the contact information of the individual handling personal data. Once the six questions are completed, a document is generated, containing the procedures, and eventually the policies once they are filled out. 

For the record of processing for internal procedures, GDPR IQ warns users they may have to answer as many as 100 questions. The tool asks how many locations will be handling personal data, what types of data each location holds, and from whom the data is collected. The questions will be repeated for each location and data type the user enters.

“It gets very granular because that is what’s required for this document to comply with the GDPR. You have to catalog how every location is using every piece of information,” Parker said.

Users will be able to answer all the questions, but to get the documents, they will need to pay. Parker believes GDPR IQ offers users an efficient, cheaper tool, something he has not seen in the market.

“There are so many people doing technical things, like helping organizations scan data so they can find it easily and securing firewalls, but we didn’t see anyone doing a full sweep of legal documents,” Parker said. “We thought that it was a glaring gap in the market, and, basically, the only way you can get these documents is to download free versions off the internet, and you don’t know where they came from, or hire a lawyer and spend $150,000.”

Parker said it could take a week just to arrange a visit from a lawyer to come in and ask all the questions found within GDPR IQ; on top of that, it could then take an additional month to create the documents. Parker asserts GDPR IQ can finish it in hours. One competitor allegedly charges $50,000 for just one record-of-processing document, whereas Parker said GDPR IQ will allow users to access all the documents for $10,000.

GDPR IQ was created with audits in mind. If users update their procedures several times, GDPR IQ will log and store each version. If a company faces an audit, it will have timestamped documents stating it has the proper documentation in place before the GDPR deadline if regulators were, for instance, to assess per diem fines for every day an organization is out of compliance with the GDPR after the May 25 deadline.

The service also informs users about the GDPR tasks it does not cover. Checklists are placed within GDPR IQ to tell users that, while it may generate a privacy notice, the organization still needs to make sure it is placed on the website.

Parker and his team want to make sure everyone has the opportunity to use GDPR IQ. Nonprofit organizations will be able to get it for half-price, while refugee and adoption agencies will get it for free. He said they wanted to make sure the latter groups, which work primarily in Europe and would be decimated by enforcement actions, have the opportunity to use the service.

While the world waits to see what happens after May 25, Parker's team will be paying close attention to see how regulators handle enforcement and adjust their product accordingly.

“We are going to monitor how organizations are complying with the GDPR. If there are any indications from regulators before the implementation date that changes the way we think about it, we will update our templates and then we will notify people who have accounts to re-download their templates. We will constantly be pinging them for the first year,” Parker said.