The GDPR, Regulation (EU) 2016/679 (the Regulation), has applied since 25 May 2018 and systematizes the rules for the processing of personal data. It replaces the previously applicable Directive 95/46/EC and, consequently, the national Law on Personal Data Protection of 1997. It imposes a number of obligations on entities that process personal data and grants data subjects a number of rights. Being in line with the Regulation means understanding, inter alia, which personal data are processed, for what purpose, whether the scope of the data is adequate to that purpose, where and whether the personal data are processed in a secure manner, what the formal and legal basis is, whether we are able to fulfill the information obligations, whether we are able to handle the requests of the people whose data we process, how to prepare the relevant registers, etc.
In order to answer the above questions and assess the risks associated with the processing of personal data, a multidimensional analysis is often necessary. Such an analysis is very difficult or even impossible without an inventory of the current state. The eGDPRBay portal allows you to inventory, in a systematic way:
- purposes of processing personal data
- legal basis
- IT systems in which personal data are processed
- technical and organizational security measures
- organizational and procedural issues related to the management of personal data
The inventory data support multidimensional risk analysis, management of issues/tasks, preparation of reports and obligatory registers, management of notification types and metadata, management of incidents/breaches related to personal data, as well as handling of data subjects' requests/inquiries.
In order to systematize the above-mentioned issues, three perspectives have been introduced:
- the perspective of context (for processing of personal data),
- a conformity management perspective,
- operational perspective.
The high-level concept of the eGDPRBay system is illustrated in Figure 1.
The perspective of context for the processing of personal data:
- Personal Data Types and Retention Management Context,
- Personal Data Purposes Management Context,
- Lawful Basis Management Context,
- IT Systems Context,
- Data Subjects Categories (GDPR Actors) Context,
- Technological & Organisational Security Measures,
- Personal Data Governance Context.
Areas of conformity management perspective:
- Risk Management,
- Issues/Tasks Management,
- Reports Management,
- Mandatory Registers,
- Optional Registers,
- Notifications Types and Metadata Management,
- Personal Data Breaches/Incident Management,
- Data Subjects Request Types Management.
Areas of operational perspective:
- Activities and Activities Categories Management,
- Breaches Management,
- Data Subjects Requests Management,
- Operational Reports Management,
- Data Subjects Register/Evidence,
- Products/Services Categories Management,
- Products/Services Management,
- Operational Notifications Management.
THE PERSPECTIVE OF CONTEXTS
The perspective of contexts is the core of the solution. The data and relationships collected in it are used in all perspectives. To keep the scope of input data adequate to the needs and costs, most fields are optional: it is the client who decides what data they want, or are able, to enter into the system.
Together with a flexible data model, this allows the system to be adapted to a company of almost any size. The scope of the data entered determines what multidimensional analysis of personal data processing and related risks is possible later. The initial, minimum scope should enable a reliable risk analysis and the generation/preparation of the obligatory registers, among others:
- Register of processing activities (if the company is a controller of personal data),
- Register of categories of processing activities (if the company is a processor of personal data).
The above-mentioned registers are located in the CONFORMITY MANAGEMENT perspective, in the Mandatory Registers area. They can be generated automatically if the customer enters the relevant data in the perspective of CONTEXTS.
In many industries the management or support processes have a similar scope and similar processing purposes. The Operator therefore aims for the client to adapt the predefined data prepared by the Operator as part of the system implementation, rather than having to enter the data for such purposes/processes from scratch. The goal is to optimize the client's effort and cost of implementing the system. HR processes are an example.
An important context is the Personal Data Governance context (management, organizational and procedural issues), which is necessary for effective supervision of compliance with the legal acts applicable to personal data management.
The contexts that make up the PERSPECTIVE OF CONTEXTS are illustrated in Figure 1. A description of each context can be found in the section Contexts of the Perspective of Contexts below. All contexts marked in blue are included in the "Basic" subscription.
THE CONFORMITY MANAGEMENT PERSPECTIVE
Based on the data collected in the perspective of CONTEXTS, it is possible to manage compliance with the legal acts identified in the Lawful Basis Management context and to prepare the obligatory registers. In the CONFORMITY MANAGEMENT perspective the system enables, among others:
- Risk Management
- Keeping/generating registers (e.g. the register of processing activities or of categories of processing activities, the authorization register, the training register)
- Management of Issues and Tasks (if the current state requires activities that should be supervised and accounted for)
- Management of Notification Types in the context of the Data Subject Category
- Management of Data Subject Request Types in the context of the Data Subject Category
- Management of entry types and templates of documents/forms/processes
- Generation of reports, based on the data collected in the perspective of CONTEXTS, that support other areas, in particular risk analysis.
The OPERATIONAL perspective enables, based on the data defined in the other perspectives, operational management of areas such as:
- Management of Categories of Processing Activities (e.g. processing of personal data in the open recruitment process)
- Management of the categories of Products/Services produced as part of business processes and containing specific personal data (e.g. the CV as a category/type of document in the recruitment process)
- Operational Product/Service Management (e.g. a record of specific CVs and specific Data Subjects/Candidates, with information on the retention time)
- Operational management of breaches related to the processing of personal data, including notifications to the supervisory authority and to Data Subjects
- Operational Management of Data Subject Requests (support for the requests of specific Data Subjects, in both the process/procedural and substantive areas, based on the contexts/areas of the CONTEXTS and CONFORMITY MANAGEMENT perspectives)
- Data Subjects Register/Evidence, containing the data of specific Data Subjects needed, for example, for reports and breach handling *
- Operational Management of Notifications sent to Data Subjects, which forms the basis for effective fulfillment of the information obligation
- Management of Operational Reports of the OPERATIONAL perspective.
* In each case this requires analysis on the part of the controller and confirmation of the formal and legal basis.
Scope of subscription:
The availability of individual contexts and/or areas depends on the selected subscription. The colors in Figure 1 reflect the assignment to a given subscription version:
- “Basic” – blue
- “Premium” – orange
- “Premium Plus” – green**
** The API is available in the "Premium Plus" subscription.
Contexts of the Perspective of Contexts
- Personal Data Types and Retention Management Context (PDTRMC)
This context has been introduced in order to systematize, and establish a shared understanding of, the types and categories of personal data (in particular ordinary and special categories) managed by the organization, and to manage the retention of these data. All types and categories of personal data to which the other contexts and areas refer are catalogued here. An important element of this context is the mechanism of retention schemes, which (where possible) allows the calculation of processing periods and, consequently, of when personal data should be deleted.
- Lawful Basis Management Context (LBMC)
The LBMC context enables the inventory of the legal bases on which personal data are processed, together with their relations: the scope of personal data processing permitted by each formal and legal basis and the applicable retention schemes. The scopes and schemes introduced in this context are inherited, directly or indirectly, by other contexts and areas of the system, in particular by the Personal Data Purposes Management context. These mechanisms aim to eliminate situations in which personal data would be processed without a formal and legal basis, and therefore unlawfully.
- Personal Data Purposes Management Context (PDPMC)
Processing personal data without a purpose and legal basis defined in the reality of the enterprise's activity is unlawful. The purposes of processing personal data are usually related to the company's (business) processes. The PDPMC context enables, among others, an inventory of the purposes of processing in relation to these processes, to the roles that process personal data within the process, and to the legal bases. The inheritance mechanism described in the LBMC makes it impossible to assign to a purpose a wider range of types/categories of personal data than that permitted by its formal and legal basis. Introducing roles in relation to the purposes of processing enables, among others, the implementation of the principle of minimizing access to data. In a subscription with the OPERATIONAL perspective, the system allows, for example, identification of who, in which role, has or had access to which types/categories of personal data.
Examples of use cases:
- Analysis of the risks of personal data processing in the context of the purpose of processing
- Verification of legal grounds and adequacy of the scope of personal data processed for the purpose of processing
- Verification of the adequacy of technical and organizational measures per the purpose of processing
- Supporting the analysis of causes and impacts in the case of violations per the purpose of processing in the context of the process(es) and the role in the process
- Supporting effective management of Data Subject Requests
- Supporting the fulfillment of the information obligation (for which purpose, in which role, which information obligation applies)
Once the purposes of processing have been defined, the system enables the creation of multidimensional relations with the data entered in the other contexts, including the legal basis on which personal data are processed.
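To make the three mechanisms described above concrete (retention schemes from the PDTRMC, the lawful basis scope inherited from the LBMC, and roles per purpose from the PDPMC), here is an added toy inventory model in Python. It is a constructed illustration written for this page and is not eGDPRBay's own code or data model; the data categories, the consent basis, the 182-day retention period and the recruitment roles are assumptions made for the example. It shows the two checks the text relies on (a purpose cannot exceed its basis, a role cannot exceed its purpose), the "who, in which role, sees which category" query, and the deletion date derived from a retention scheme.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class DataCategory:
    """A type/category of personal data (PDTRMC). `special` marks Art. 9 data."""
    name: str
    special: bool = False


@dataclass(frozen=True)
class RetentionScheme:
    """Retention scheme (PDTRMC): data may be kept `period` after the trigger date."""
    name: str
    period: timedelta

    def expiry(self, trigger: date) -> date:
        return trigger + self.period


@dataclass(frozen=True)
class LawfulBasis:
    """Lawful basis (LBMC): the categories it permits and its retention scheme."""
    name: str
    permitted: FrozenSet[DataCategory]
    retention: RetentionScheme


class ScopeError(ValueError):
    """A purpose or role would process data outside what its basis permits."""


@dataclass
class Purpose:
    """Processing purpose (PDPMC). Scope is inherited from the lawful basis:
    the purpose may use only categories the basis permits, and each role may
    see only a subset of the purpose's categories (data minimisation)."""
    name: str
    basis: LawfulBasis
    categories: FrozenSet[DataCategory]
    roles: Dict[str, FrozenSet[DataCategory]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        excess = self.categories - self.basis.permitted
        if excess:
            names = sorted(c.name for c in excess)
            raise ScopeError(f"purpose {self.name!r}: {names} not permitted by {self.basis.name!r}")

    def grant(self, role: str, cats: Iterable[DataCategory]) -> None:
        cats = frozenset(cats)
        excess = cats - self.categories
        if excess:
            names = sorted(c.name for c in excess)
            raise ScopeError(f"role {role!r}: {names} outside scope of purpose {self.name!r}")
        self.roles[role] = cats

    def retention_expiry(self, trigger: date) -> date:
        """Date after which data processed for this purpose should be deleted."""
        return self.basis.retention.expiry(trigger)


def who_can_access(purposes: Iterable[Purpose], category: DataCategory) -> List[Tuple[str, str]]:
    """Answer 'who, in which role, has access to this category?' as sorted (purpose, role) pairs."""
    hits = [(p.name, role) for p in purposes for role, cats in p.roles.items() if category in cats]
    return sorted(hits)


def deletion_date(purpose: Purpose, trigger_iso: str) -> str:
    """ISO date by which data for `purpose` should be deleted, given the trigger date."""
    return purpose.retention_expiry(date.fromisoformat(trigger_iso)).isoformat()


# --- constructed sample inventory for an HR recruitment process (assumed, not real data) ---
NAME = DataCategory("name")
EMAIL = DataCategory("email")
CV = DataCategory("cv")
HEALTH = DataCategory("health", special=True)

CANDIDATE_CONSENT = LawfulBasis(
    name="Art. 6(1)(a) consent of candidate",
    permitted=frozenset({NAME, EMAIL, CV}),
    retention=RetentionScheme("6 months after recruitment closes", timedelta(days=182)),
)


def build_recruitment_purpose() -> Purpose:
    p = Purpose("open recruitment", CANDIDATE_CONSENT, frozenset({NAME, EMAIL, CV}))
    p.grant("recruiter", {NAME, EMAIL, CV})
    p.grant("hiring manager", {NAME, CV})  # no need for the candidate's contact details
    return p


def out_of_scope_is_rejected() -> bool:
    """Health data is not covered by the consent basis, so the assignment must fail."""
    try:
        Purpose("open recruitment", CANDIDATE_CONSENT, frozenset({NAME, HEALTH}))
    except ScopeError:
        return True
    return False


if __name__ == "__main__":
    purpose = build_recruitment_purpose()
    print(who_can_access([purpose], EMAIL))        # [('open recruitment', 'recruiter')]
    print(deletion_date(purpose, "2024-01-31"))    # 2024-07-31
    print(out_of_scope_is_rejected())              # True
```

The point of the model is that scope only narrows as it is inherited: basis, then purpose, then role. A real inventory would add the IT system and the data subject category as further dimensions, but the containment checks stay the same.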
- IT Systems Context (ITSC)
Nowadays, personal data is in most cases stored and processed in IT systems. This context allows the inventory of IT systems, responsible persons, applied technical and organizational measures, data exchange channels, and the range of types/categories of personal data processed in the context of the Data Subject Category.
Examples of use cases:
- Analysis of the risks of personal data processing in the context of specific IT systems in which personal data are processed
- Verification of the legal grounds and of the adequacy of the scope of personal data processed, based on the formal and legal basis, the purpose of processing and the IT systems (e.g. in the context of systems located outside the European Economic Area or within a capital group)
- Verification of the adequacy of technical and organizational measures per the purpose of processing and types/categories of personal data
- Supporting the analysis of causes and impacts in case of a breach, or of changes, per IT system in the context of the process(es) and roles in the process
- Supporting the effective management of Data Subject Requests in the context of the right to data portability ***
*** The system allows you to generate a report. The preparation of the specific data package is carried out outside the eGDPRBay system. The release of the package will be possible within the Data Subjects Requests Management area of the OPERATIONAL PERSPECTIVE.
- Data Subjects Categories (GDPR Actors) Context
The GDPR introduces the term Data Subject (referred to in the system as a GDPR Actor). In order to be able to handle issues relating to Data Subject Categories, a dedicated context has been introduced. This context is closely related to the Personal Data Purposes Management context and to roles, because Data Subject Categories are usually important stakeholders of the processes implemented by the Company (e.g. the Customer of services/products).
Examples of use cases:
- Analysis of the risks of personal data processing in the context of specific Data Subject Categories
- Verification of the legal grounds and of the adequacy of the scope of personal data being processed, based on the formal and legal basis, the purpose of processing, the IT systems (e.g. in the context of systems located outside the European Economic Area or within a capital group) and the Data Subject Category
- Verification of the adequacy of technical and organizational measures per the purpose of processing, types/categories of personal data and Data Subject Categories
- Supporting the analysis of causes and impacts in case of a breach, or of changes, per IT system in the context of the process(es) and roles in the process, for individual Data Subject Categories
- Supporting effective management of Data Subject Requests by preparing appropriate processes/procedures per Data Subject Category
- Technical and Organizational Security Measures (TOSM)
Article 32 of the Regulation reads: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk ...". The TOSM context contains an open catalogue of such measures, and the possibility of analysing them in relation to the other contexts allows, for example, assessing the risks associated with the processing and whether the level of security is adequate.
Examples of use cases:
- Supporting the analysis of personal data processing risks, or of the impact of changes in the organization, in the context of technical and organizational measures in relation to the other contexts of the PERSPECTIVE OF CONTEXTS, e.g. specific categories of personal data, or data processed outside the European Economic Area,
- Supporting risk and impact analysis in the case of breaches, which is particularly important given the time requirement in Article 33 of the Regulation: "the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."
- Personal Data Governance Context
This context records the roles defined within the organization that are responsible for the protection of personal data, together with the policies and procedures related to personal data protection. An appropriate governance framework makes it possible to introduce responsibility and accountability mechanisms for the processing of personal data, and the corresponding roles/contacts.
Examples of use cases:
- Analysis of the risks of personal data processing in the context of responsibility and accountability for compliance with the legal acts applicable to the personal data processed,
- Supporting the analysis of causes and impacts in the case of breaches, or of changes in the organization, in the context of the process(es) and roles in the process, against the existing policies and the persons responsible for personal data protection and decision making,
- Supporting effective management of Data Subject Requests by preparing appropriate processes/procedures per Data Subject Category.
Areas of the CONFORMITY MANAGEMENT Perspective
- Risk Management (RM)
The Regulation introduces a data protection and management model based on a risk-based approach. Awareness of the risks associated with the processing of personal data, both on the part of the organization and on the part of the data subjects, is crucial for the controller and the processor. The RM area makes it possible to record and manage identified risks, from identification (taking the context into account), through assessment (identification, analysis, evaluation), to treatment and monitoring. An important element of risk management are the reports from the Reports Management area, generated on the basis of the data and relations from the PERSPECTIVE OF CONTEXTS. Risk management follows the ISO 31000 methodology.
- Issues/Tasks Management (IM)
This area allows the management of issues and tasks, including multidimensional relations between areas and contexts, priorities and accountability mechanisms.
- Mandatory Registers (MR)
Based on the data collected in the PERSPECTIVE OF CONTEXTS, it is possible to generate the register of processing activities and the register of categories of processing activities, which are obligatory for the controller and the processor respectively.
- Optional Registers (OR)
This area contains the optional registers that the controller or the processor may keep. At the moment these are:
- Register/records of authorizations to process personal data
- Register of training related to the protection of personal data
- Notifications Types and Metadata Management (NTMM)
This area allows the registration of notification types and the preparation of notification templates/types in the context of individual Data Subject Categories. The templates are prepared based on the data collected in the PERSPECTIVE OF CONTEXTS.
- Personal Data Breaches/Incident Management (PDIM)
This area allows the recording of breach types in the context of the processing purposes and of the process being carried out, the types/categories of personal data, the IT systems and the individual Data Subject Categories. The data for the initial analysis is prepared based on the data collected in the PERSPECTIVE OF CONTEXTS. If necessary, auxiliary reports can be generated from the Reports area.
- Data Subjects Request Types Management (DSRTM)
This area enables the registration of request types and the preparation of response templates/types in the context of individual Data Subject Categories. The templates are prepared based on the data collected in the PERSPECTIVE OF CONTEXTS.