Local-First GDPR Governance with Obsidian
This is a nerdy one.
As someone who spends a lot of time reading compliance documents and thinking about GDPR, I decided to see what would happen if I treated governance like a knowledge management problem.
Is a more flexible, lightweight world outside of spreadsheets even possible?
There are plenty of governance solutions out there. Big players like Vanta and Drata are great and all, but a) they cost a lot of money, b) they're mostly focused on automation and broader frameworks, and c) they're not really GDPR-specific. They're also US-based, which means adding yet another processor outside the EU. And who knows what happens to the Data Privacy Framework in the future.
At the same time, local files are back in fashion. After thinking a lot about Obsidian following my last two posts, I had an idea: what if you could maintain your GDPR compliance documentation entirely in local .md files?
It sounds like the dream of a very particular kind of nerd (me). But could it actually survive real compliance challenges - and the inevitable clash with legal teams who live in Microsoft files? I don’t know, but that didn’t stop me.
So I built a proof-of-concept vault in Obsidian with that goal in mind. This is an exploration of what's possible there right now, and for security reasons I used Restricted mode (which disables community plugins) and core plugins only.
Vault template
- Download the compliance vault or clone it from the Github repo.
- Unzip the .zip file to a folder of your choosing.
- In Obsidian, open the folder as a vault.
It's not as deep as the enterprise solutions mentioned above: there are no mapped controls, no automations, no pie charts or completion dashboards. But local, interconnected files with backlinks, together with the new Obsidian Bases, work surprisingly well for this particular case. Take the RoPA base, for example, which pulls the properties from the individual Business Function files into one table. Bases can also be exported to .CSV files for audit purposes when needed.
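To make the RoPA mechanism concrete, here is an added example (my own code, not part of the vault or of Obsidian) that does outside Obsidian what the RoPA base does inside it: it reads the frontmatter properties of Business Function notes, checks that the Art. 30 fields an auditor will ask for are present, and writes the register to CSV. The note contents and the property names (purpose, data_subjects, retention, legal_basis and so on) are constructed for illustration and are assumptions; the vault template may use different ones.

```python
"""Aggregate Obsidian Business Function notes into a RoPA CSV (added example, not vault code)."""
import csv
import io
import re

# Art. 30 GDPR fields expected on every Business Function note (assumed property names).
REQUIRED = ("purpose", "data_subjects", "data_categories", "recipients", "retention", "legal_basis")

# Constructed sample notes standing in for .md files in the vault; not real vault content.
NOTES = {
    "Payroll.md": """---
type: business-function
purpose: Pay employees
data_subjects: [employees]
data_categories: [identity, bank details, salary]
recipients: [payroll provider, tax authority]
retention: 7 years
legal_basis: Art. 6(1)(c)
---
# Payroll
Links to [[Payroll Provider DPA]].
""",
    "Newsletter.md": """---
type: business-function
purpose: Send marketing emails
data_subjects: [subscribers]
data_categories: [email address]
recipients: [email service provider]
---
# Newsletter
""",
    "Meeting Notes.md": """---
type: note
---
Not a business function, so it must not appear in the register.
""",
}

# Frontmatter is the block between the opening and closing '---' lines at the top of a note.
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)


def parse_frontmatter(text):
    """Parse flat `key: value` and `key: [a, b]` properties into a dict (no nested YAML)."""
    m = FRONTMATTER.match(text)
    if not m:
        return {}
    props = {}
    for line in m.group(1).splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        props[key.strip()] = value
    return props


def build_ropa(notes):
    """Return (rows, problems): one register row per business-function note,
    plus a dict of note -> missing required fields for the compliance owner to fix."""
    rows, problems = [], {}
    for name, text in notes.items():
        props = parse_frontmatter(text)
        if props.get("type") != "business-function":
            continue  # only notes tagged as business functions belong in the RoPA
        missing = [f for f in REQUIRED if f not in props]
        if missing:
            problems[name] = missing
        row = {"function": name.removesuffix(".md")}
        for f in REQUIRED:
            v = props.get(f, "")
            row[f] = "; ".join(v) if isinstance(v, list) else v
        rows.append(row)
    return rows, problems


def to_csv(rows):
    """Render the register as CSV text, the format an auditor can open in a spreadsheet."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["function", *REQUIRED])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, problems = build_ropa(NOTES)
    print(to_csv(rows))
    for name, missing in problems.items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run against a real vault you would replace NOTES with the files read from the Business Functions folder; the missing-field report is the check I would want before handing the CSV to an auditor, because a Base will happily render a row with empty cells.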
There’s also a lot more that can be done: local evidence files with structured properties, AI agents with access to local files, and probably a few other things I haven’t even explored yet.
This is a cool little project, and I think it might actually work - if you have enough background in governance and GDPR.
Compliance ≠ complicated tooling.