We are building one such service and I agree (to name a few services doing GDPRaaS: soveren.io, ethyca.com, securiti.ai, datagrail.com, alias.dev). This is so much needed, as there is almost no legally valid answer in the whole comment section!
I started to write an article on all the points above… should get back in 2 hours and post it here
In bullet points:
- GDPR is a risk management policy about personal data protection more than a privacy regulation
- for any personal data (PII) all companies must declare the following:
  - purpose of the collection and the treatment of the specific data
  - legal base of the treatment (6 available; they are the field card in Magic: The Gathering, they define a context of what is possible to do)
  - data category (what type of data you are collecting, i.e. if you declare collecting delivery shipping information for a purpose, you limit yourself to data that corresponds to that category)
  - data retention duration (how long you declare storing the data in production and then in archive)
  - list of recipients (all the 3rd party companies who will access the data)
  - security measures (what is the level of security for keeping that data safe from breaches)
  - some info about the company, the data controller (who is responsible) etc.
So all companies must do an internal data mapping to know and declare where the data is and where it flows in production, and write for every PII a ROPA (record of processing activity).
You can find an open source specification, UROPA, here.
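The ROPA fields and the data-mapping step described in the comment above, as an added example that is not part of the original post and does not follow the UROPA specification's own format: a small Python registry checker that models one ROPA record per processing activity, validates the declared fields (the six Article 6 legal bases are real; everything else, including the `Ropa`/`Flow` classes, the registry contents and the flow map, is constructed for illustration) and then cross-checks a data map of where PII actually lives against the registry, flagging categories with no ROPA, undeclared recipients and data kept past the declared retention.

```python
"""Added example (not from the comment above and not the UROPA format): a ROPA
registry checker plus a data-map cross-check. All records and flows are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# GDPR Article 6(1) lists exactly six legal bases for processing.
LEGAL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class Ropa:
    """One record of processing activity, with the fields listed in the comment."""
    purpose: str
    legal_basis: str
    data_category: str
    retention_days: int           # declared retention in production
    archive_days: int             # additional declared retention in archive
    recipients: set[str]          # third parties who will access the data
    security_measures: list[str]
    controller: str


def validate_ropa(r: Ropa) -> list[str]:
    """Return human-readable problems; an empty list means the record is complete."""
    problems = []
    for name in ("purpose", "data_category", "controller"):
        if not getattr(r, name).strip():
            problems.append(f"missing {name}")
    if r.legal_basis not in LEGAL_BASES:
        problems.append(f"unknown legal basis {r.legal_basis!r}")
    if r.retention_days <= 0:
        problems.append("retention must be a positive number of days")
    if not r.security_measures:
        problems.append("no security measures declared")
    return problems


@dataclass
class Flow:
    """One place a PII category was found during data mapping (constructed)."""
    data_category: str
    system: str
    shared_with: set[str] = field(default_factory=set)
    oldest_record: date | None = None


def check_flows(registry: dict[str, Ropa], flows: list[Flow], today: date) -> list[str]:
    """Cross-check the data map against the ROPA registry and return findings."""
    findings = []
    by_category = {r.data_category: r for r in registry.values()}
    for f in flows:
        r = by_category.get(f.data_category)
        if r is None:
            findings.append(f"{f.system}: category {f.data_category!r} has no ROPA")
            continue
        undeclared = f.shared_with - r.recipients
        if undeclared:
            findings.append(f"{f.system}: undeclared recipients {sorted(undeclared)}")
        if f.oldest_record is not None:
            limit = r.retention_days + r.archive_days
            if (today - f.oldest_record).days > limit:
                findings.append(
                    f"{f.system}: data older than declared retention ({limit} days)"
                )
    return findings


# Constructed registry: one complete record and one with several defects.
REGISTRY = {
    "shipping": Ropa("deliver orders", "contract", "delivery_address", 365, 365,
                     {"carrier-co"}, ["encryption at rest", "access control"],
                     "Example Shop Ltd"),
    "marketing": Ropa("newsletter", "opt-in", "email", 0, 0, set(), [],
                      "Example Shop Ltd"),
}

# Constructed data map: where each PII category was found and who it is shared with.
FLOWS = [
    Flow("delivery_address", "orders-db", {"carrier-co", "analytics-vendor"}, date(2020, 1, 1)),
    Flow("email", "crm"),
    Flow("phone_number", "support-tool"),
]


def run_checks(today: date = date(2024, 6, 1)) -> dict[str, list[str]]:
    """Validate every ROPA and cross-check the data map; returns all findings by key."""
    report = {name: validate_ropa(r) for name, r in REGISTRY.items()}
    report["flows"] = check_flows(REGISTRY, FLOWS, today)
    return report


if __name__ == "__main__":
    for key, items in run_checks().items():
        print(key, items)
```

The point of the cross-check is the comment's data-mapping step: a ROPA that is internally valid is still wrong if the production data map shows a recipient, a category or a retention period it does not declare, so the two need to be reconciled against each other, not reviewed separately.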