Enterprises need to create and maintain registers of why, where and how they are processing personal data from EU citizens. Creating and maintaining these registers in Enterprise Studio helps to ensure you create consistent and coherent registers that conform to your baseline enterprise design. In this blog I would like to show you how you can use Enterprise Studio to support this specific GDPR use case: the creation and maintenance of the registers of all personal data.
The General Data Protection Regulation (GDPR) is a stringent EU Regulation on privacy protection, which will go into effect in May 2018. In this blog by Marc Lankhorst, he pointed out the following seven GDPR highlights:
- GDPR applies for all companies that process data on EU residents
- GDPR is about demonstrating compliance
- GDPR expects you to record the purpose of collecting personal data
- GDPR demands an integrated approach to security-by-design
- GDPR requires Data Protection Impact Assessments
- GDPR forces you to report data breaches within 72 hours
- Non-compliance to GDPR results in big penalties
Some of these issues will primarily impact your (design) processes (bullet 4, 5, 6), while others will have more of an impact on what and how you register personal data, and the where and how you process this data (bullet 1, 2, 3).
As a lot of enterprises are still struggling to implement and conform to GDPR, BiZZdesign presents a hands-on solution to address some of the issues mentioned above.
A practical way to implement some of the GDPR requirements is to create a register of all the personal data processing within your enterprise. Such a register could be as easy as a spreadsheet file containing all the necessary data. Such a register can contain the following items e.g.:
- Name of the processing activities
- Why are you processing this data
- Legal basis for the processing
- Who is (internally) involved
- Who is internally responsible
- Who is accountable
- What data is processed
- Special categories of data
- Where is the data coming from
- Categories of receiving parties
- Other third parties receiving data
- Retention period
- Processing contract
- Type of processing
- Involved applications
- Privacy impact assessment needed
One could choose to have this register only available internally and create a publicly available register containing less items.
How to create such a register with Enterprise Studio
In order to create and maintain such a register, we strongly advise not to create a separate register, but to integrate the necessary information into your baseline architectural models in Enterprise Studio.
In general, you must take the following steps in Enterprise Studio:
Create metamodel extension
Use Enterprise Studio’s metamodeller to extend your current metamodel with the attributes mentioned above. We have chosen to add a special profile with the necessary attributes to the ArchiMate® application process concept. Next to that we have created stereotypes for Data objects and Business Actors to distinguish data categories, special data and third parties. After applying the metamodel the profile can look like this:
Model and add data
The gathering of all the data on the personal data processing in your enterprise is the hardest part. Maybe you can leverage assessments that have already been done. In the next picture you see an example of a modeled data processing scenario.
Use Enterprise Studio’s powerful export functionality to create an export of the data to a spreadsheet like Excel. The principles to create an import (see this blog) can also be used to create an export. You can choose to develop two types of exports, one with the full register and one with the publicly available information.
Now you can publish your register(s). Part of the resulting spreadsheet is shown below. If you have implemented a proper change process you only have to update your model and publish a refreshed register every now and then.
See it in action
Hopefully I have inspired you on how you can leverage existing models and add GPDR data to these models to create the necessary GDPR registers of personal data processing. Whether you already use Enterprise Studio or not, please get in touch if you’d like to see it in action!