GDPR with BlueDolphin
Securing GDPR Compliance by Recording Relationships with Operational Processes and IT
Organizations are under pressure to meet the requirements of the General Data Protection Regulation (GDPR), and many are racing to comply. In most cases, the documentation is kept in specialized, separate tools or in Excel. At first glance this seems a logical approach that should keep you out of trouble after 25 May 2018.
But how will you keep all this information correct in the future? How do you adequately inform everyone involved in processing personal data about what they may and may not do? Besides general personal data such as contact details, there are special categories of personal data, such as religious belief and health data, to which the European legislator gives a higher level of protection. And how do you actively manage continued compliance with the 'mitigating' measures you have proposed, so that privacy remains safeguarded where there is a risk of a data breach?
GDPR, Operational Processes and IT
The GDPR has everything to do with the operational processes of an organization that records, edits or uses personal data, in combination with the applications and databases that process this data. It also concerns the infrastructure that supports all of this and that is itself a source of security risk. In this complex interplay, changes occur almost daily. Operational processes change because of business dynamics, changing regulations and technical developments, and IT changes accordingly. The (privacy-sensitive) data that flows through these processes and IT systems changes in the same way. That is why it is important to have insight into how all of this fits together, and to keep that insight current. Moreover, this insight benefits not only your GDPR compliance but the management of your organization as a whole.
GDPR Compliant with BlueDolphin
As soon as you link the GDPR register of processing activities to processes, process diagrams and the underlying IT resources, ongoing compliance with the European regulation becomes manageable. Relevant changes then become a trigger to inspect and, where necessary, adjust the register of processing activities. You then determine whether additional mitigating measures are required and, if so, which ones. This allows you to present current and correct records at any time and to meet the legal requirements. Recording these relationships also yields a dynamic visualization of the connections between data, processes and IT, which is essential for quickly spotting security risks and remedying them. The GDPR requires organizations to be able to demonstrate their compliance, which means that all processing activities must be documented and the measures protecting them must be verified.
How will you record and secure GDPR compliance?
Concrete elements that the GDPR requires you to arrange:
- Registration of processing activities of personal data in relation to processes and applications;
- Data Protection Impact Assessment (DPIA, often still called PIA) for (new) processing activities;
- Implementing data protection;
- Demonstrable compliance.
When you connect the data relevant to the GDPR to the applications and processes, and specifically to the process steps in which the data is used, you obtain an exact and traceable picture of the actual situation. Changes in the IT landscape can then be detected automatically. When a change concerns an IT component that is related to personal data, that is an immediate trigger to check whether it has GDPR consequences. In this way the GDPR register of processing activities is anchored to reality. To achieve this, you record the mutual relationships between the components 'Business Objects', 'Operational Processes and Process Steps', 'Actors' (departments, external actors), 'Data Objects' and 'Applications'.
Opt for one central system in which this information is recorded, one that is accessible and understandable for everyone involved. All relevant information must be recorded in this system. Examples of relevant information:
- The results of the GDPR assessments (PIA);
- Ownership of processes and applications;
- Register of processing activities;
- Processing agreements;
- Detected risks and measures;
- Status and progress of the realization of the measures.
The central system also describes which processing activities exist, what the retention period for the data is, and whether or not the data is transferred to third countries. The system must record all mutual relationships and dependencies, such as the controller, the processor, the applications, the legal basis, the security measures, the categories of personal data, the purpose limitation, the data subjects involved and transfers to recipients. It must be possible to visualize this information dynamically: in complex situations, only visualization makes the coherence visible in a simple way (a picture says more than a thousand words).
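The two passages above (the component relationships to record, and the register attributes such as legal basis, special categories and third-country transfer) describe a data model and a change-triggered check. The following is an added, constructed example, not BlueDolphin's data model or code: it models the register as a small graph of data objects, applications, process steps and processing activities, and answers the question "this application changed, which register entries must be re-inspected, and why?". The entity names, the sample register and the set of special categories used are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Special categories of personal data (GDPR Article 9). Shortened list, assumed for this example.
SPECIAL_CATEGORIES = frozenset({"health", "religion", "ethnic origin", "biometric", "genetic"})


@dataclass(frozen=True)
class DataObject:
    name: str
    categories: FrozenSet[str]          # categories of personal data this object carries


@dataclass
class Application:
    name: str
    owner: str                          # application manager (ownership is itself a register item)
    data_objects: Set[str] = field(default_factory=set)


@dataclass
class ProcessStep:
    name: str
    process: str
    actor: str                          # department or external actor performing the step
    applications: Set[str] = field(default_factory=set)


@dataclass
class ProcessingActivity:
    name: str
    controller: str
    processor: str
    legal_basis: str
    purpose: str
    retention_days: int
    third_country_transfer: bool
    pia_done: bool                      # DPIA recorded for this activity
    process_steps: Set[str] = field(default_factory=set)


class Register:
    """Register of processing activities anchored to process steps, applications and data objects."""

    def __init__(self) -> None:
        self.data_objects: Dict[str, DataObject] = {}
        self.applications: Dict[str, Application] = {}
        self.steps: Dict[str, ProcessStep] = {}
        self.activities: Dict[str, ProcessingActivity] = {}

    def categories_in_application(self, app_name: str) -> FrozenSet[str]:
        """Union of personal-data categories held by all data objects of one application."""
        cats: Set[str] = set()
        for do_name in self.applications[app_name].data_objects:
            cats |= self.data_objects[do_name].categories
        return frozenset(cats)

    def activities_using_application(self, app_name: str) -> List[ProcessingActivity]:
        """Walk application -> process steps -> processing activities."""
        steps = {s.name for s in self.steps.values() if app_name in s.applications}
        return sorted((a for a in self.activities.values() if a.process_steps & steps),
                      key=lambda a: a.name)

    def impact_of_change(self, app_name: str) -> List[dict]:
        """A changed IT component: list the register entries to re-inspect and the reasons."""
        cats = self.categories_in_application(app_name)
        findings = []
        for act in self.activities_using_application(app_name):
            reasons = []
            if cats & SPECIAL_CATEGORIES:
                reasons.append("special-category data (Art. 9) in changed component")
                if not act.pia_done:
                    reasons.append("no DPIA recorded")
            if act.third_country_transfer:
                reasons.append("transfer to third country")
            if not act.legal_basis:
                reasons.append("legal basis missing")
            findings.append({"activity": act.name, "owner": self.applications[app_name].owner,
                             "reasons": reasons})
        return findings


def build_sample_register() -> Register:
    """Constructed sample data for the example (not a real organization)."""
    r = Register()
    for do in (DataObject("Employee record", frozenset({"contact", "salary"})),
               DataObject("Sick-leave record", frozenset({"health"})),
               DataObject("Subscriber", frozenset({"contact"}))):
        r.data_objects[do.name] = do
    r.applications["HRIS"] = Application("HRIS", "hr-apps@example.test",
                                         {"Employee record", "Sick-leave record"})
    r.applications["MailTool"] = Application("MailTool", "marketing-apps@example.test", {"Subscriber"})
    r.steps["Register sick leave"] = ProcessStep("Register sick leave", "Absence management", "HR", {"HRIS"})
    r.steps["Pay salary"] = ProcessStep("Pay salary", "Payroll", "Finance", {"HRIS"})
    r.steps["Send newsletter"] = ProcessStep("Send newsletter", "Marketing", "Marketing", {"MailTool"})
    r.activities["Absence administration"] = ProcessingActivity(
        "Absence administration", "Example Ltd", "", "legal obligation", "absence registration",
        365 * 2, False, False, {"Register sick leave"})
    r.activities["Payroll"] = ProcessingActivity(
        "Payroll", "Example Ltd", "Payroll provider", "contract", "salary payment",
        365 * 7, False, True, {"Pay salary"})
    r.activities["Newsletter"] = ProcessingActivity(
        "Newsletter", "Example Ltd", "Mail provider", "consent", "marketing",
        365, True, False, {"Send newsletter"})
    return r


if __name__ == "__main__":
    reg = build_sample_register()
    for finding in reg.impact_of_change("HRIS"):
        print(finding)
```

A change to HRIS flags both activities that run through it, because the application as a whole holds health data; the absence activity additionally shows up as lacking a DPIA, which is exactly the "immediate reason to check" the text describes. Refining the check to the data objects used by each process step, rather than by the application as a whole, is a matter of adding that relationship to the model.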
Finally: once you make the new system accessible to everyone involved, the work of collecting information and carrying out tasks can be distributed to the knowledgeable people who are responsible, such as application managers and process owners. If the system offers predefined questionnaires that suggest answers, these domain owners can enter information themselves while consistency is retained, which lightens the load considerably. Do make sure that someone in a management role always has insight into the status and can easily assess progress and changes.