Are You able to Demonstrate Compliance with GDPR?
Use Dragon1 for creating GDPR Registers, Assessments and Compliance Reporting
General Data Protection Regulation is a new EU regulation. It aims to unify how personal data is protected, imported, and exported.
Companies must be able to show how they treat and protect the personal data of customers or members, susceptible data, in business processes and software applications.
Sensitive personal data include social security number, birthday, religion, and union membership. These data must be protected in your databases at all times. For instance, to prevent identity theft and other abuse of data.
Using Dragon1 for GDPR
Dragon1 is a platform for creating and generating visualizations and management reports on how you, as an organization, treat, protect, and use personal data in business processes and software applications.
Part of Dragon1 is a modeling language for business processes and information systems. The Dragon1 modeling language is fit for modeling and analyzing all data in your organization compliant with GDPR. It contains all kinds of entity classes and the ability to model where data is treated and protected in processes and applications. This enables you to visually check all of your processes and applications for compliance with GDRP business rules:
- Model and analyze your processes - And see how they treat and protect sensitive customer data.
- Model and analyze your applications - And see how they treat and protect sensitive customer data.
Creating GDPR Registers
GDPR makes it an obligation for every company to carry out the following tasks:
- Setup and maintain a register of data processing activities (DPA)
- To do data protection impact assessment (DPIA)
- Setup and maintain a register of data leaks (DL)
- To show proof that the person concerned has permitted data processing when you need permission for processing.
- To appoint a person as Data Protection Officer or, if not, explain why
Two of the tasks are about setting up and maintaining a register for data processing activities and data leaks.
Both of these registers can be done on Dragon1.
Below, we sketch how such a register can be set up and maintained on Dragon1.
The data attributes to registers
The following data attributes could be registered:
- Data Processing activities
- The reason for processing
- Legal basis for processing
- Documenting what is done
- Involvements
- Responsibilities
- Accountabilities
- Processed data
- Data categories
- Data Sources
- Data Receiving Parties
- 3rd Parties
- Period of Data Retention
- Data Processing Contracts
- Data Processing Types
- Information Systems and Software Applications that do the data processing
- Necessity of Privacy Impact Assessment
It just takes six easy steps to set up and maintain a GDPR register on the Dragon1 platform
- 1: Edit the GDPR Data Template to your situation
- 2: Enter the Data in the register
- 3: Publish the Register to make it available for stakeholder
- 4: Design the GDPR Register update and maintenance process
- 5: Approve the process and appoint concerned persons
- 6: Setup GDPR Update and Maintenance Alerts.
Here is a screenshot of a GDPR Register set up and maintained on the Dragon1 platform.
Process Framework for GDPR
Below is a process framework that guides you as an organization to become GDPR compliant.
It defines four areas of attention that should be addressed to successfully comply at one point in time with GDPR:
- Quick Check
- Conceptual Design
- Implementation
- Program Management
Dragon1 supports teams in their collaboration to perform this work:
GDPR Assessments and Overviews
Dragon1 supports generating overviews for GDPR. With this GDPR overview, you can easily assess your current state situation, you can report progress, and can improve compliance in your organization.
Using Dragon1, you can demonstrate your compliance or report progress on becoming more compliant.
GDPR Process Landscape Example
Below is an example of a GDRP Process landscape. The landscape shows GDPR requirements and processes; per process, the ownership attribute is highlighted, and the attribute's value is shown. The color red shows where, in this case, ownership is missing for a process.
In this way, you can quickly assess your current situation about GDPR legislation.
Click on the visualization to go to the Viewer. Next, click on a process and then on an attribute (in the list at the left bottom of the menubar) and view a live example of a GDPR report.
GDPR Reporting Example
Below is an example of a detailed GDPR Excel report on the compliance of rules.
Based on this report, you can project the current state and its progress on your process and application landscapes.
Completeness of Reports
A General Data Protection Regulation (GDPR) overview, to be effective, should provide at least the following:
- A common vocabulary
- A list of business rules used
- A set of systems and databases
- Data objects and their sources
- Process owners and data owners
- Breaches of GDPR rules
- Actions and measures to solve the breaches
By creating and generating GDPR landscapes and overviews, you are ensured that your reports will be complete.
Four Best Practices
Four best practices we want to mention here for implementing GDPR are:
- Prove that your data is always stored encrypted if possible (even if there is minimal performance loss).
- Demonstrate the location where your data (and backups) are stored (somewhere in a data center) is always known, for example, only in Europe.
- Demonstrate that nobody (from outside the EU) can access your data without your explicit permission. Not even the administrators of the data center or the consultants.
- Prove that you have a master key for decrypting your data in a database and that no one can know this master key that should not have.
Got Interested?
Are you interested in using Dragon1 for GDPR at your company?
Please get in touch with us via info@dragon1.com or call +31 317 411 341 (during business working hours in The Netherlands).
We are happy to discuss your needs and arrange a demo, proof of concept, or pilot. With this, you will get acquainted with and become confident in using Dragon1 for GDPR.
Read Also
You may also be interested to read about this: