Joining a growing number of law firms looking to help clients comply with the EU's upcoming General Data Protection Regulation (GDPR), Parsons Behle & Latimer has announced the release of GDPR IQ, a web-based tool that automatically drafts necessary GDPR documents.

While GDPR compliance technology is nothing new, Parsons' tool, which was developed by the firm's tech design subsidiary Parsons Behle Lab, stands out in focusing on small and medium companies and nonprofits as clients. This market has been underserved by current GDPR tools, most of which focus on large, well-resourced organizations.

GDPR IQ is the brainchild of Kimball Parker, president of Parsons Behle Lab and professor and director of legal design lab LawX at the Brigham Young University Law School. Parker developed the tool out of a similar one he and his students created to help people being sued for debt collection draft necessary court paperwork.

Through writing answers to specific sequential questions, GPDR IQ allows users to generate various GDPR documents, which Parker explained fall into two categories. The first contains documents where you plug in the company name, address and a few little bits of information into a template. Such documents include things like a “GDPR Training Acknowledgement Form.”

The other category, however, contains more “dynamic documents, because it varies based on the specific circumstances of the company,” Parker added.

Such documents, including “Record of Processing” forms that document how third-party vendors handle data, can require 100 questions to be generated. These questions can change depending on certain variables, such as how many vendors one has.

Though document generators are nothing new to the legal tech space, GDPR IQ is one of the few geared toward small- and medium-sized clients and nonprofits. While Parsons has some big “multimillion dollar clients, we are based in Utah, and a lot of our clients are just middle-sized and small clients,” Parker said.

One such client “is a company that manufactures bowling balls and sends them around the world,” he said. “That bowling ball company can't spend $200,000 on a lawyer to help them comply with the GDPR, but that bowling ball company needs to comply because they offer goods and services in Europe.”

To help such clients, Parson priced its solution at $10,000, which “is something small- to medium-sized companies can stomach.” What's more, for “nonprofits, we're selling it for $5,000. We're essentially selling it for cost,” he added. And for nonprofits that work with refugees, the law firm is offering it for free.

To be sure, though most tech companies and law firms focus their GDPR solutions on large clients, some also offer products for nonprofits and small to medium-sized businesses.

Data privacy compliance research company Nymity, for example, offers a free GDPR Compliance Toolkit, while U.K.-based computer software provider The Access Group offers downloadable guides for nonprofits as well. Meanwhile, OneTrust also offers a free edition of its platform, which features privacy assessment tools and data workflow management functionality.

Article 30 of the GDPR exempts any enterprise with less than 250 employees from the requirement to maintain certain records, meaning that small to medium companies and nonprofits have fewer obligations under the GDPR than their larger counterparts. And even if such nonprofits and companies run afoul of their GDPR obligations, they may be less at risk from EU regulators than large businesses.

Regulators are “going to go after people they could make an example of, those who could afford to pay a sizable penalty,” Dimitri Sirota, CEO of BigID, said. “In any kind of civil action, you typically see that directed in larger entities. Nobody is interested in bankrupting someone and collecting nothing.”

But Blake Brannon, vice president of products at OneTrust, noted that many also may not know the GDPR will apply to them as well. “A lot of it is lack of awareness,” he said, adding that the “market situation hasn't quite got there for all those kinds of services to be as robust and extensible” for smaller organizations.