It’s D-Day for the European General Data Protection Regulation on the 25th of May, 2018

We are just a few days away from the General Data Protection Regulation (GDPR) – from this point on, both, the requirements of this EU Regulation, as well as the national adaptation and implementation laws will be valid.

Thus, the status quo should be assessed by means of a state analysis, or at least the necessary need for adjustment should be roughly derived.


The following questions should already be clarified:

  • Which personal data is available?
  • Is sensitive data being processed and are services being offered to children?
  • Which IT applications exist and which personal data is processed there?
  • What are the purposes of data processing?
  • How is privacy implemented by design and by default?
  • Are the relevant documentation criteria and requirements (list of processing activities, documentation of the security measures taken, documentation of the risk assessment) met?
  • ...

The list of processing activities is at the very heart of GDPR. Therefore, this list must be kept in writing, regardless of the fact that it can naturally also be documented electronically.


Last year, together with the Kreditschutzverband 1870  (Credit Protection Association), BOC Group has developed an extension for its tools – ADONIS and ADOIT, and has successfully used it at the KSV1870, as well as in other pilot projects.


The add-on module integrated into ADONIS and ADOIT allows for the processing activities to be documented. Hence, if you are already an existing ADONIS or ADOIT user, we are sparing you the hassle of having to start from scratch. Rather, you can simply continue to use the pre-existing documentation, from the process management (ADONIS) or enterprise architecture (ADOIT) perspective:


  • The purpose of the processing activity can be documented within the context of relevant processes, along with a link to the company map or further description fields.
  • The personal data can be described centrally in the repository, by using the existing data model type in ADONIS and ADOIT and linking it to the processing activities.
  • The affected persons, processors are described and linked with the common objects roles, organizational units and external partners. Hence, here too, you can access and reuse your existing organizational documentation.
  • The processing activity can be linked with the actual IT application via a link to the IT model.
  • Last but not least, the proven ICS extensions can be used for the risk assessment, as well as the technical and organizational measures.





A detailed procedural model for the collection, preparation and evaluation of processing activities has already been covered in greater detail on our landing page Comply with the requirements of the European General Data Protection Regulation (GDPR) with the help of ADONIS and ADOIT.


As you can see, integrating your GDPR documentation into your existing BPM system in ADONIS or EA system in ADOIT will save you time, effort and nerves. Out-of-the-box reporting mechanisms and evaluations also make it possible to process the results according to the target group.


Since the list of processing activities is not "static" but has to be maintained continuously, the following enhancements are currently planned for the add-on module, in order to unceasingly meet these criteria in the future:

  • Release mechanisms for the documentation of processing activities:
    Via a release workflow, the versioning of the directory can be supported automatically.
  • Re-submissions:
    Set up re-submission dates for the update of your documentation, which will then inform the responsible persons in good time, before expiration.
  • Dashboards:
    Use the personalized dashboards for those responsible for processing activities – the right information at the right time!


Click here for more details about our offer.