Next week, the period of transition before the implementation of the new General Data Protection Regulation ends. In the last blog post, we discussed which changes are to come with the new regulations. Now it's time for a look at these changes from a practical perspective!
Why a process-based approach is best for GDPR implementation
The General Data Protection Regulation includes extended documentation and accountability obligations for companies. From May 25, the reversal of the burden of proof applies: This means that the authorities are no longer required to provide evidence in the case of infringements, but companies and public bodies have the responsibility to prove they have been acting in compliance with data protection laws. A watertight data protection management system that maps all business processes with a data protection component thus becomes an important prerequisite for GDPR compliance. But how can such a system be set up? Our process expert Tobias Przybylla will show you how, in four steps.
About Tobias Przybylla
Tobias is the Pre Sales Team Lead at Signavio. He has many years of experience in process modeling and optimization, as well as business process management. Tobias supports our customers and prospects in the implementation of their process initiatives and passes on his knowledge regularly.
Four steps to GDPR implementation
ACME AG is a (fictitious) international company with numerous locations in different EU member states. ACME AG currently faces the challenge of implementing the new data protection requirements before May 25.
For this purpose, all data protection-relevant processes are reviewed throughout the company. Is the current data protection management GDPR compliant, or should concrete optimization measures be initiated?
Through a data protection management system, ACME AG also wants to ensure that all GDPR-relevant processes are continuously monitored and improved. Going forward, process deviations should be identified, optimized and future process changes initiated in line with the requirements of the GDPR.
Corporate boards and compliance officers are wondering how they can systematically implement the requirements of the GDPR—including ACME AG. The goal is a comprehensive data protection management system for monitoring GDPR-relevant processes.
To achieve this goal and become GDPR compliant, the ACME AG relies on a four-step approach with Signavio:
Plan: To classify personal data, an IT system is implemented that allows GDPR-relevant data to be collected. Identify: To identify which personal data is concealed, and where, management should examine the respective company processes. Assign: The personal data is then assigned to GDPR-relevant process information. Monitor: The fourth step is a continuous task. As processes and IT systems change, personal information needs to be monitored on a regular basis. Therefore it is important to continuously check what personal data is being processed, and in which processes or IT systems this is happening.
Step 1: Planning well
All personal data should be collected from company processes and recorded, alongside its legal basis for processing. This documentation process should be carried out throughout the company.
- Set up privacy management system
- Maintain a central directory of processing activities
- Check the legality of the processing of personal data
In the first step, ACME AG is setting up a data protection management system throughout the company to record and map the processing of all available personal data. The system contains information about responsibilities, a processing directory, technical/organizational measures, and a risk management system.
To meet these requirements, ACME AG uses SAP Signavio Process Manager as part of the Process Transformation Suite. The cloud-based SaaS solution provides a customizable glossary that allows you to collect personal information.
The glossary serves as a central object dictionary and is used as a register for existing business processes. It allows you to define business objects (for example, organizational units or IT systems), store them centrally within processes, and link them to objects from business processes. This information can be defined as categories according to the GDPR requirements and used as attributes for the elements of the stored business processes.
However, in order to set up a reliable data protection management system, AMCE AG must also check the legality of the processing of personal data in each individual GDPR-relevant process step. This step can also be implemented using the glossary.
The process owners define a category for the legal basis of processing and assign it to an attribute for process diagram elements. This category contains all individual conditions defined according to the GDPR, such as consent of the data subject and fulfillment of a contract. With this new category, a new field appears in all relevant business processes every time personal data is processed. This new field must be filled out by the respective processors.
This ensures that the GDPR-relevant information defined in this step is stored directly in the process.
Step 2: Identify personal information
ACME AG is faced with the task of identifying which personal data is hidden—and where it is hidden—as well as which responsibilities are available.
- Set up the GDPR release workflow
- Review of process diagrams for GDPR compliance by decision makers
- Process approval by decision makers
The second step is to identify personal data. All company processes are checked for their GDPR relevance. For this purpose ACME AG configures a release workflow. The technological foundation is provided by Signavio's cloud-based SaaS solution.
A release workflow enables ACME AG to systematically review process diagrams across the enterprise. This workflow is automated, and based on the individual process steps that were previously defined. With this workflow, decision makers can quickly evaluate the quality and accuracy of the process diagrams and check whether personal data is processed in accordance with GDPR guidelines.
To implement the release workflow, process participants are assigned to the individual attributes. Then all compliance officers responsible for the GDPR implementation have the task of critically examining their respective processes. Any processes they now consider irrelevant will be released and published, while the other GDPR-critical processes will be overhauled. Every activity within this release workflow is documented carefully. Through the release workflow, ACME AG can successfully identify personal data.
Step 3: Assign personal data to the individual processes
All identified personal data should be assigned to the respective processes.
- Record personal data
- Define responsibilities
- Visualize attributes
- Data protection impact assessment according to Art. 35
ACME AG has set up a data protection management system and critically examined GDPR-relevant processes. Now, the third step is to link all GDPR-relevant objects with the corresponding processes.
For this purpose, ACME AG process managers create a framework of GDPR attributes and link it to the glossary, then categorize the attributes according to GDPR guidelines, before finally linking them to the individual process diagrams.
In this context, responsibilities can also be defined and documented in the process models, for example for data protection officers or other decision-makers. This is possible by attribution on the process diagram or element level.
In this way, ACME AG has assigned their personal data to the processes. Now the company faces another challenge: The GDPR requires data protection impact assessment to be implemented wherever there is a high risk in the processing of personal data. This can be the case with sensitive data or if there is a very large amount of data to be processed.
All conditions defined by the GDPR for the implementation of this Privacy Impact Assessment can be deposited into ACME AG’s the data protection management system using Signavio. Like all risks and controls, these conditions can also be stored in Signavio’s Process Manager directly at the individual process steps. For this purpose, an attribute type "risk management" is created at the process diagram and element level, the purpose of which is to record all GDPR-specific risks and controls. The additional glossary categories "GDPR risks" and "GDPR controls" define individual attributes for the corresponding glossary terms.
In this way, ACME AG specifically records risks and controls as part of the GDPR implementation.
Step 4: Continuous process monitoring
Permanent GDPR compliance in a changing process landscape.
- GDPR release workflow for continuous monitoring of GDPR compliance
- Process manual
The fourth step is a continuous task: ACME AG must regularly and constantly monitor its processes to ensure that it complies with all GDPR requirements at all times. ACME AG uses the GDPR release workflow, which it set up in step two for the initial analysis. This workflow allows for regular monitoring of business processes and can be triggered in the event of any process changes or variations. In addition, Signavio offers comprehensive evaluation options that allow you to create and export individual reports. ACME AG generates an automatic risk management report to continuously monitor all GDPR risks and all control steps. Continuous process monitoring is important not least because of the reversal of the burden of proof, where companies themselves have the duty to prove compliance with the GDPR. In order to comply with this documentation obligation, ACME AG process managers design a process manual template using Signavio.
This results in an overview of all GDPR-relevant metadata that you can use for audits, and which can also be configured individually. Under a process graphic, all GDPR attributes can be displayed at chart level, and all information can also be broken down to diagram and element level for a better overview.
After such a template has been defined for the first time, it can be used to generate printable and archivable documentation in various formats. Based on these documentations, ACME AG can prove its compliance with the GDPR.
By following these four steps, ACME AG has successfully prepared for the 25th of May 2018. If you’re keen to see for yourself how Signavio can help your organization prepare for the GDPR, sign up for a free 30-day trial today.
Note: This content is non-binding information and does not replace legal counsel.