How to choose the right GDPR software for your organisation?
Most organisations start with Excel: the record of processing activities in a spreadsheet, authorisations in a separate file, retention deadlines somewhere in a calendar. It works at first. The problem appears after a few months, when the number of processes grows and documentation starts living its own life: multiple versions, multiple folders, no single owner. That is when dedicated GDPR software becomes a necessity, not a luxury.
That is when the question arises: do I need dedicated GDPR software? And if so — how do I choose?
Three Approaches to GDPR Management
Spreadsheets and Documents
The simplest approach: spreadsheets, Word files, shared drives. Zero cost, minimal barrier to entry. The problem: no relationships between documents, no version control, no deadline notifications, no access control. With 10 processing activities and 3 people it still works. With 50 activities and 15 people — it does not.
Outsourcing to a DPO or Law Firm
A DPO or law firm takes operational responsibility for documentation. Advantage: professional expertise, experience with supervisory authority audits. Disadvantage: the organisation lacks full visibility into its own data, dependency on a single person, documentation often exists “outside the company” — in the DPO’s files, on their drive, in their templates. When the DPO leaves — the company is left with a gap.
Dedicated GDPR System
Software designed for GDPR management: record of processing, risk assessment, authorisations, retention, data subject requests, breaches — in one place, with relationships between elements. Advantage: consistency, timeliness, access control, change history. Disadvantage: requires initial effort for configuration and data migration.
What to Look For
Module Completeness
The system should cover the full GDPR management cycle: record of processing activities, risk assessment (Pre-PIA, DPIA, LIA), authorisations with workflow, retention with deadlines, data subject requests, breaches with notifications, data processing agreements, privacy notices. If the system only covers the record — everything else still ends up in Excel.
Relationships Between Elements
The record of processing should be linked to authorisations, agreements, resources and retention. A change in one place should be visible elsewhere. This is the key difference between a spreadsheet and a system: a spreadsheet has no notion of relationships.
Deadlines and Notifications
Retention periods, authorisation reviews, agreement deadlines, response deadlines for data subject requests — the system should track dates and send reminders. In Excel, no one gets a notification that the deadline for responding to a data deletion request expires in 3 days.
Access and Roles
The system should support roles and permissions — the DPO sees everything, the business owner sees their processing activities, the HR employee sees their authorisations. In Excel, either everyone has access to everything or no one has access to anything.
Reports and Export
The system should generate reports for management, supervisory authorities and auditors, and export them to PDF. Without this, the controller must manually compile information from multiple files during an audit.
Security and Hosting
Where is data stored — public cloud, private cloud, on-premise? What security certifications does the provider hold? Is data encrypted? Has the system undergone a security audit?
Licensing Model
Is the fee per user, per controller, or flat rate? Is there a trial period? Can you test the system with your own data?
Checklist — 10 Questions Before Buying
- Does the system support a full record of processing activities compliant with Article 30 GDPR?
- Can I conduct DPIA and Pre-PIA within the system?
- Do authorisations have workflow (request → approval → confirmation)?
- Does the system track retention deadlines and send notifications?
- Can I handle data subject requests with deadline monitoring?
- Is the record linked to agreements, resources and authorisations?
- Can I generate reports and export data to PDF?
- Has the system undergone an external security audit?
- Can I test the system with my own data before purchasing?
- Is the system available in SaaS and on-premise models?
FAQ
Initially — yes. For small-scale processing, a spreadsheet can meet the requirements. The problem appears as the number of processes, people and deadlines grows — Excel does not track dates, manage relationships or control access.
Prices range from a few hundred to several thousand euros per month, depending on the scale and functionality. The key is to compare not the price but what you get: does the system cover the full GDPR cycle or just the record?
Yes — most systems support importing data from CSV or XLSX files. Important: the system should support importing not just the record, but also authorisations, agreements and resources.
No — the system is a tool, the DPO is a person with expertise. The system supports the DPO’s daily work: automates deadlines, ensures documentation completeness and simplifies reporting. But decisions are made by the DPO.
From a few days to a few weeks, depending on the scale. For a small company with 10-15 processing activities — a few days. For a large organisation with 50+ activities, multiple controllers and a complex structure — 2-4 weeks.
Check if iGDPR meets your requirements
Record of processing, DPIA, authorisations with workflow, retention with deadlines, data subject requests — the full GDPR cycle in one system. Test with your own data for 21 days.