Organizations around the world now face a new challenge in processing and using the personal data of people in Europe. The European General Data Protection Regulation (GDPR) was adopted by the European Parliament in 2016 with a transition period of two years, so it becomes applicable in May 2018. It regulates the processing of personal data by private companies and public bodies uniformly throughout the European Union and applies directly in every member state, without national implementing legislation.
The aim of the GDPR is to strengthen the rights of individuals in the European Union (EU) and the European Economic Area (EEA) with regard to how organizations use and protect their personal data. It applies to any organization inside or outside the EU that offers products or services to people in the EU and EEA, and/or that tracks the online behavior of people in the EU and EEA. In short: if you do business with Europeans and that business involves processing their personal data, the GDPR applies to you, regardless of where you are established.
Although some detailed questions have not yet been fully answered by the new regulation, the following major changes to existing legal regulations have already been decided upon:
Because of these and similar changes, companies around the world need to take measures to ensure compliance with the GDPR before it becomes applicable.
For this reason, we have developed an add-on that makes it easy to meet, and to demonstrate, compliance with the various requirements of the GDPR using ADONIS or ADOIT.
In this article, we look at the details of the requirements and at the current implementation proposals for our process management and enterprise architecture management tools.
From the point of view of electronic data processing, the following aspects of data and their processing are at the forefront of the EU GDPR:
In the course of the processing of different data types, the following actors are also distinguished:
Essential tasks that companies processing personal data must address include, for example, the following:
With existing functions and evaluations (such as the basic contextualization of information, measures monitoring or risk evaluations), a simple method and an intuitive tool, the BOC Group can support you and your company in addressing these tasks.
The main focus of this article is the mandatory record of processing activities (Article 30 GDPR). The documentation obligation applies to both the controller and the processor. The record contains the essential information about data processing activities, in particular the purpose of the processing, a description of the categories of personal data, a description of the categories of data subjects, and the recipients. The record must include the following details:
For both our Business Process Management suite ADONIS and our Enterprise Architecture Management tool ADOIT, we have developed product extensions for the EU GDPR. Existing customers can thus extend their documentation and evaluations with little effort, while new prospective customers can address the requirements of the GDPR from the start.
To support these two approaches, we extend our products with a new artefact, the processing activity. The following figure shows how the artefact is embedded into the meta model of ADOIT. The extension of ADONIS is done in the same way.
The extended documentation is accompanied by a suitable, lean procedure model. Its focus is the individual processing activity (e.g. creating a new customer in the course of processing an insurance application). In the following, the procedure is sketched using the IT-driven approach in ADOIT as an example:
ADOIT and ADONIS categorize and document the relevant data as business objects/entities.
For each business object or entity, both BOC solutions can identify the categories of data subjects affected, by data category, and describe the roles of the persons or external actors involved.
In the next step, the applications that process the data are recorded or updated. In many cases, this step builds on an already documented application landscape.
The processing activity is the pivotal point to which all relevant information is linked. ADONIS or ADOIT record processing activities linked to the business objects/entities. Processing activities should be assigned not only to the affected data subjects according to their roles, but also to the processing applications and to the processes (at a high level or in detail).
ADONIS or ADOIT catalog the relevant data recipients as organizational units or external actors (e.g. cloud providers) and assign the recipients to the processing activities.
After the master data for the processing activities has been analyzed, the relevant risks can be assigned to the activities, together with an initial risk assessment of the likelihood of occurrence and the extent of damage should a risk materialize. ADONIS and ADOIT also document the necessary controls in an integrated manner. This initial assessment and assignment serve as the baseline for the ongoing risk assessment; the allocation and evaluation of risks must be reviewed and updated at regular intervals.
This structured information acquisition makes it possible to generate the necessary reports and evaluations. For this purpose, the BOC Group provides specific sample reports and evaluations as part of the extension module. The following figure shows a few examples of the reports and evaluations contained in the EU GDPR add-on module for ADOIT: