The European General Data Protection Regulation (GDPR) was adopted by the European Parliament in May 2016. The transition period is two years, which means that the regulation enters into force at the end of May 2018. It regulates the processing of personal data by private companies and public bodies uniformly throughout the European Union and applies directly in all member states without having to be transposed into national law.
Although some points of detail have not yet been fully resolved, the following major changes to the existing legal rules have already been decided:
Because of these and similar changes, companies are required to take measures to ensure compliance with the GDPR before it enters into force.
For this reason, we have developed ways to meet, and to demonstrate compliance with, various aspects of the GDPR using ADONIS or ADOIT.
In this article, we look at the requirements in detail and present implementation proposals using our process management and enterprise architecture management tools.
From the point of view of electronic data processing, the following aspects of data and their processing are central to the EU GDPR:
In the course of processing the different data types, the following actors are also distinguished:
Essential tasks facing companies that process data include, for example, the following:
By means of existing functions and evaluations (such as the basic contextualization of information, measure monitoring or risk evaluations), together with a simple method and an intuitive tool, the BOC Group can support you and your company effectively.
The main focus of the present work is on the compulsory record of processing activities. The documentation obligation applies to both the controller and the processor. The content of this record is the essential information on data processing activities, in particular the purpose of the processing, a description of the categories of personal data, a description of the data subjects, and the recipients. This record must include the following details:
For both our Business Process Management suite ADONIS and our Enterprise Architecture Management tool ADOIT, we have developed product extensions for the EU GDPR. This allows existing customers to extend their documentation and evaluations in a simple way, while new prospective customers can address the requirements of the GDPR from the start.
To enable these two approaches, we extend our products with a new artefact, the processing activity. The following figure shows how the artefact is embedded into the meta model of ADOIT. The extension in ADONIS is done in the same way.
The extension of your documentation is supplemented by a suitable, lean procedure model. The focus is on the corresponding processing activity (e.g. creation of a new customer in the course of processing an insurance application). In the following, the procedure is sketched as an example of the IT-driven approach in ADOIT:
By means of business objects or entities, the relevant data is categorized (personal and sensitive data) and documented. The predefined schemas in the ADOIT and ADONIS repositories can be reused for this.
In the next step, the applications that process the data are recorded or updated. In many cases, this is done from an existing application landscape.
Next, processes are identified and assigned. These usually represent the purpose of the processing.
The relevant data recipients are catalogued as organizational units or external actors (e.g. a cloud provider), and the affected persons (data subjects) are identified and described in the ADONIS or ADOIT repository.
Lastly, the relevant risks can be entered and assigned to the processing activity. This initial assessment and assignment serves as the basis for the risk assessment.
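The five steps above link a processing activity to data categories, applications, purpose, recipients, data subjects and risks. The following Python snippet is an added illustration of that structure and of the kind of evaluation it enables; it is not code from ADONIS or ADOIT, and the class names, the sample register entries and the two evaluation queries are constructed for this example.

```python
"""Toy register of processing activities in the spirit of the procedure above.

Hypothetical example: the data classes mirror the documentation steps
(data categories, applications, purpose/process, data subjects, recipients,
risks); the evaluations are examples of reports one would want from such a
register. None of this is the ADOIT/ADONIS meta model.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataCategory:
    name: str
    personal: bool = True       # personal data under the GDPR
    sensitive: bool = False     # special category, e.g. health data


@dataclass(frozen=True)
class Recipient:
    name: str
    external: bool              # True for actors outside the company, e.g. a cloud provider


@dataclass
class ProcessingActivity:
    name: str
    purpose: str                            # the business process the activity serves
    applications: list[str]
    data: list[DataCategory]
    data_subjects: list[str]
    recipients: list[Recipient]
    risks: list[str] = field(default_factory=list)


# Constructed sample register (not real customer data).
CONTACT = DataCategory("contact data")
HEALTH = DataCategory("health data", sensitive=True)
BANK = DataCategory("bank details")

REGISTER = [
    ProcessingActivity(
        name="Create customer",
        purpose="Insurance application processing",
        applications=["CRM"],
        data=[CONTACT, HEALTH],
        data_subjects=["applicants"],
        recipients=[Recipient("Sales", external=False),
                    Recipient("Cloud provider", external=True)],
        risks=["unauthorized disclosure of health data"],
    ),
    ProcessingActivity(
        name="Newsletter dispatch",
        purpose="Marketing",
        applications=["Marketing tool"],
        data=[CONTACT],
        data_subjects=["customers"],
        recipients=[Recipient("E-mail service provider", external=True)],
    ),
    ProcessingActivity(
        name="Payroll",
        purpose="Salary payment",
        applications=["HR system"],
        data=[CONTACT, BANK],
        data_subjects=["employees"],
        recipients=[Recipient("HR", external=False)],
        risks=["loss of bank details"],
    ),
]


def sensitive_to_external(register):
    """Activities that pass special-category data to an external recipient."""
    return [a.name for a in register
            if any(d.sensitive for d in a.data)
            and any(r.external for r in a.recipients)]


def without_risk_assessment(register):
    """Activities for which no risk has been entered yet (step 5 incomplete)."""
    return [a.name for a in register if not a.risks]


def applications_with_sensitive_data(register):
    """Applications that process special-category data, sorted by name."""
    return sorted({app for a in register for app in a.applications
                   if any(d.sensitive for d in a.data)})


def record_entry(activity):
    """One entry of the record of processing activities as a plain dict."""
    return {
        "activity": activity.name,
        "purpose": activity.purpose,
        "data categories": [d.name for d in activity.data],
        "data subjects": list(activity.data_subjects),
        "recipients": [r.name for r in activity.recipients],
        "applications": list(activity.applications),
        "risks": list(activity.risks),
    }


if __name__ == "__main__":
    print("Sensitive data to external recipients:", sensitive_to_external(REGISTER))
    print("No risk assigned yet:", without_risk_assessment(REGISTER))
    for entry in map(record_entry, REGISTER):
        print(entry)
```

The two list-based evaluations are the kind of check a data protection officer would run regularly: the first finds transfers that typically need a contractual and technical review, the second finds documentation that is not yet complete.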
This structured information acquisition makes it possible to generate the necessary reports and evaluations. For this purpose, the BOC Group provides specific sample reports and evaluations in the extension module. The following figure shows a few examples of the reports and evaluations contained in the add-on module for ADOIT for the EU GDPR: