As of May 25, 2018, every organization that does business in the EU will have to meet new data protection rules or pay a steep fine. Many companies are struggling with their compliance projects to meet the deadline. The Software AG General Data Protection Regulation (GDPR) framework can help. Part of this framework are ARIS accelerators for GDPR, including some improvements for ARIS Connect and ARIS Risk & Compliance Manager, to help you speed up your GDPR projects.
|Issue 4, 2017||Download PDF|
When you get started with GDPR compliance, it makes sense to get familiar with the new legislation and integrate the requirements into your ARIS repository. This helps to define compliance risks, controls, and responsibilities. An out-of-the-box technical term model with detailed GDPR content helps you here. You can directly map the legal requirements to the business context and make it available to the affected people.
Figure 1 : Technical term model for GDPR
Article 30 of the legislation requires maintaining a Record Of Processing Activities (ROPA) from each data controller and each data processor. New fact sheets for ARIS Connect help subject matter experts do this in an easy table-based way. The ROPA diagram gets automatically created based on the information and assignments entered in the fact sheet view. A ROPA report creates an overview of all PAs to prove compliance with Article 30 to the supervisory authority on request.
In some cases Processing Activities (PA) are equivalent to business processes. In this case, you can reuse the business process data from the ARIS repository and add more processing activity details.
Other PAs might only cover specific parts of business processes or might not (yet) be part of the company’s process landscape. In this case, you can add them as new information to the ROPA. New filters with conventions to document processing activities and GDPR-relevant qualification of application systems, processes and data help you with this task. Data objects can be classified with new data privacy attributes. The method extensions also include risk assignment.
Figure 2 : ARIS Connect fact sheet for record of processing activities
In a first step, the business experts describe the PAs including processed data, used IT systems, responsible processors and controllers in the ROPA. In a second step, the Data Protection Officer (DPO) can add more detailed GDPR criteria to the PAs.
Figure 3 : Detailed description of processing activities with risk and questionnaire assignment
The DPO can assign questionnaire templates for PA Documentation (PAD) to the processing activities. These templates contain relevant questions about GDPR criteria that is still missing. The PAD surveys can be performed with ARIS Risk & Compliance Manager and help to collect and evaluate answers from the respective stakeholders.
A new survey intelligence report can be used to evaluate a score that helps the DPO define further measures. For critical PAs with a high score, we recommend performing more detailed surveys for PA Qualification (PAQ) and risk assessments.
Figure 4 : GDPR PAQ survey for critical PAs
The PAQs help to detect the need for data protection impact assessments (DPIA) and are used to evaluate all PAs according the criteria listed in Art 35 of the regulation, like evaluation or scoring, including profiling and predicting or processing on a large scale or systematic monitoring of a publicly accessible area on a large scale or sensitive data.
The ARIS accelerators for GDPR provide out-of-the-box example questionnaire templates for documentation and qualification. ARIS Risk & Compliance Manager provides a GDPR-specific impact type for risk assessment.
Risk assessments also help to detect the need for DPIA for PA risks with high probability and/or high occurrence frequency.
DPIA should be run for those PAs which are likely to result in a high risk according to the PAQ and/or risk assessment result. DPIA should usually be performed as workshops to evaluate the necessity and proportionality in relation to the purpose and to document existing mechanisms for data protection. The workshop results are analyzed to define data protection gaps and the need for additional measures to close these gaps.
For the DPO it is very important to always be up-to-date about the current situation and to react fast in case of any issues or incidents. GDPR-tailored dashboards with direct access to the affected elements ease this requirement.
Figure 5 : GDPR dashboard for the DPO
Finally, after all the work is done, the DPO needs a reliable tool to easily prove compliance with the GDPR by a click on a button. New management reports for GDPR make this an easy exercise. The extended management report shows the current status per PA including risks and measures.
The ARIS accelerators for GDPR are part of Software AG’s GDPR framework. For more information, please visit gdpr.softwareag.comand download the new e-bookto make sure you’re on track to meet the 2018 deadline. For a demo of the GDPR framework with ARIS and Alfabet, please watch this recording: GDPR – How ARIS and Alfabet will prepare you for the General Data Protection Regulation.