Verifiable and Practical Compliance for Data Privacy Laws

2022 IEEE 29th International Conference on High Performance Computing, Data and Analytics Workshop (HiPCW) (2022)

Abstract
A number of governments have legislated privacy laws in recent years. The most prominent international one covering multiple nations is the General Data Protection Regulation (GDPR) of the European Union. Many national and local governments are in the process of tabling similar legislation. To be compliant with privacy laws, software companies providing Software as a Service (SaaS) have changed internal practices to develop applications with a “privacy first” ethos. In addition, these companies (data controllers) have put mechanisms in place for ensuring the privacy and security preparedness of their service providers (data processors), which is currently being done manually using questionnaires. Questionnaires designed to collect compliance information from processors aren't the best instruments. This is due to many reasons including lack of clarity on information to be collected, humans in the information collection loop, and badly designed questionnaires, among others. In this paper, we analyse a few reasons making compliance determination a herculean task for both parties and propose a simple mechanism to automate compliance information gathering.
Keywords
privacy-laws, compliance, data-privacy, data-processor, data-controller