Create your GDPR registers with BiZZdesign Enterprise Studio


Posted by Joost Niehof on Dec 19, 2017

Governance, Risk & Compliance

Enterprises need to create and maintain registers of why, where and how they process personal data of EU citizens. Creating and maintaining these registers in BiZZdesign Enterprise Studio helps ensure that they are consistent and coherent and that they conform to your baseline enterprise design. In this blog I would like to show you how you can use Enterprise Studio to support this specific GDPR use case: creating and maintaining the registers of all personal data processing.

GDPR

The General Data Protection Regulation (GDPR) is a stringent EU regulation on privacy protection, which will go into effect in May 2018. In a blog post, Marc Lankhorst pointed out the following seven GDPR highlights:

  1. GDPR applies to all companies that process data on EU residents
  2. GDPR is about demonstrating compliance
  3. GDPR expects you to record the purpose of collecting personal data
  4. GDPR demands an integrated approach to security-by-design
  5. GDPR requires Data Protection Impact Assessments
  6. GDPR forces you to report data breaches within 72 hours
  7. Non-compliance with GDPR results in big penalties

Some of these issues will primarily impact your (design) processes (bullets 4, 5 and 6), while others will have more impact on what personal data you register and how, and on where and how you process this data (bullets 1, 2 and 3).

As a lot of enterprises are still struggling to implement and conform to GDPR, BiZZdesign presents a hands-on solution to address some of the issues mentioned above.

Registers

A practical way to implement some of the GDPR requirements is to create a register of all the personal data processing within your enterprise. Such a register could be as simple as a spreadsheet containing all the necessary data, for example the following items:

  1. Name of the processing activity
  2. Why you are processing this data
  3. Legal basis for the processing
  4. Explanation
  5. Who is (internally) involved
  6. Who is internally responsible
  7. Who is accountable
  8. What data is processed
  9. Special categories of data
  10. Where the data is coming from
  11. Categories of receiving parties
  12. Other third parties receiving data
  13. Retention period
  14. Processing contract
  15. Type of processing
  16. Involved applications
  17. Whether a privacy impact assessment is needed

You could choose to keep this register internal and create a separate, publicly available register containing fewer items.

How to create such a register with BiZZdesign Enterprise Studio

To create and maintain such a register, we strongly advise not to build a separate register, but to integrate the necessary information into your baseline architecture models in Enterprise Studio.

In general, you must take the following steps in Enterprise Studio:

Figure: Steps to build a register in Enterprise Studio

Create metamodel extension

Use Enterprise Studio’s metamodeller to extend your current metamodel with the attributes mentioned above. We chose to add a special profile with the necessary attributes to the ArchiMate® application process concept. In addition, we created stereotypes for data objects and business actors to distinguish data categories, special data and third parties. After applying the metamodel extension, the profile can look like this:

Figure: Create metamodel extension

Model and add data

Gathering all the data on the personal data processing in your enterprise is the hardest part. You may be able to leverage assessments that have already been done. The next picture shows an example of a modeled data processing scenario.

Figure: Modeled data processing scenario

Create export

Use Enterprise Studio’s powerful export functionality to export the data to a spreadsheet such as Excel. The principles for creating an import (see this blog) can also be used to create an export. You can choose to develop two types of export: one with the full register and one with only the publicly available information.

Figure: Export data with Enterprise Studio

Publish register

Now you can publish your register(s). Part of the resulting spreadsheet is shown below. If you have implemented a proper change process, you only have to update your model and publish a refreshed register every now and then.

Figure: Publish register
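As an added illustration of the export and publish steps (my own code, not Enterprise Studio's export or BiZZdesign's), a Python stand-in that holds register entries with a subset of the attributes listed above, renders the full internal view and the slimmer public view as CSV, and runs the consistency checks worth doing before a register is published. The Activity structure, the two column sets and the sample entries are assumptions.

```python
import csv
import io
from dataclasses import dataclass, field
# Constructed stand-in for the modelled register (assumed structure, not the
# Enterprise Studio export); special_data and third_parties mirror the post's stereotypes.
@dataclass
class Activity:
    name: str
    purpose: str
    legal_basis: str
    responsible: str            # internal owner, kept out of the public register
    data: list                  # data objects processed
    special_data: list = field(default_factory=list)
    third_parties: list = field(default_factory=list)
    retention: str = ""
    processing_contract: bool = False
    dpia_done: bool = False

# Two views: the full internal register and the slimmer public one.
FULL_COLUMNS = ["name", "purpose", "legal_basis", "responsible", "data", "special_data",
                "third_parties", "retention", "processing_contract", "dpia_done"]
PUBLIC_COLUMNS = ["name", "purpose", "legal_basis", "data", "retention"]

def export_csv(activities, columns):
    """Render one register view as CSV text; list attributes are flattened."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    for a in activities:
        writer.writerow({k: "; ".join(v) if isinstance(v, list) else v for k, v in vars(a).items()})
    return buf.getvalue()

def findings(activities):
    """Consistency checks worth running before a register is published."""
    out = []
    for a in activities:
        if not a.legal_basis:
            out.append(f"{a.name}: no legal basis recorded")
        if a.special_data and not a.dpia_done:
            out.append(f"{a.name}: special-category data without a DPIA")
        if a.third_parties and not a.processing_contract:
            out.append(f"{a.name}: third-party recipients without a processing contract")
    return out

SAMPLE = [  # constructed entries
    Activity("Newsletter mailing", "Inform subscribers", "consent", "Marketing", ["e-mail address"],
             third_parties=["Mail provider"], retention="until unsubscribe", processing_contract=True),
    Activity("Health check booking", "Occupational health", "legal obligation", "HR",
             ["employee name", "health data"], special_data=["health data"], retention="5 years"),
]
```

Running `findings(SAMPLE)` flags the health check activity for missing a DPIA, while `export_csv(SAMPLE, PUBLIC_COLUMNS)` omits the responsible owner and contract columns from the public register.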

See it in action

Hopefully I have inspired you to leverage your existing models and add GDPR data to them to create the necessary GDPR registers of personal data processing. Whether you already use Enterprise Studio or not, please get in touch if you’d like to see it in action!
