General Data Protection Regulation - GDPR Compliance

Are You able to Demonstrate Compliance with GDPR?
Use Dragon1 for creating GDPR Registers, Assessments and Compliance Reporting

General Data Protection Regulation is a new EU regulation. It is aimed at unifying the way personal data is protected, imported and exported.

Companies have to be able to show how they treat and protect the personal data of customers or members, especially sensitive data, in business processes and software applications.

Sensitive personal data include data such as social security number, birthday, religion and union membership. Such data must be protected in your databases at all times, for instance to prevent identity theft and other abuse of the data.

Using Dragon1 for GDPR

Dragon1 is a platform for creating and generating visualizations and management reports on how you as an organization treat, protect and make use of personal data in business processes and software applications.

Part of Dragon1 is a modeling language for business processes and information systems. The Dragon1 modeling language is fit for the purpose of modeling and analyzing all data in your organization in compliance with GDPR. It contains all kinds of entity classes and the ability to model where data is treated and protected in processes and applications. This enables you to visually check all of your processes and applications for compliance with GDPR business rules:

  • Model and analyze your processes - And see how they treat and protect sensitive customer data.
  • Model and analyze your applications - And see how they treat and protect sensitive customer data.

Creating GDPR Registers

GDPR makes it an obligation for every company to carry out the following tasks:

  • Set up and maintain a register of data processing activities (DPA)
  • Carry out a data protection impact assessment (DPIA)
  • Set up and maintain a register of data leaks (DL)
  • Be able to show proof that the person concerned has actually given permission for data processing, where permission for processing is required
  • Appoint a person as Data Protection Officer or, if not, explain why

Two of the tasks are about setting up and maintaining a register for data processing activities and data leaks.

Both of these registers can be set up and maintained on Dragon1.

Below we sketch how such a register can be set up and maintained on Dragon1.

The data attributes to register

The following data attributes could be registered:

  • Data Processing activities
  • The reason for processing
  • Legal basis for processing
  • Documenting what is done
  • Involvements
  • Responsibilities
  • Accountabilities
  • Processed data
  • Data categories
  • Data Sources
  • Data Receiving Parties
  • 3rd Parties
  • Period of Data Retention
  • Data Processing Contracts
  • Data Processing Types
  • Information Systems and Software Applications that do the data processing
  • Necessity of Privacy Impact Assessment

It takes just six easy steps to set up and maintain a GDPR register on the Dragon1 platform:

  • 1: Edit the GDPR Data Template to your situation
  • 2: Enter the data in the register
  • 3: Publish the register to make it available to stakeholders
  • 4: Design the GDPR register update and maintenance process
  • 5: Approve the process and appoint the persons concerned
  • 6: Set up GDPR update and maintenance alerts

Here you see a screenshot of a GDPR Register that is set up and maintained on the Dragon1 platform.

Process Framework for GDPR

Below is a process framework that guides you as an organization to become GDPR compliant.

It defines four areas of attention that should be addressed in order to successfully comply with GDPR at a given point in time:

  • Quick Check
  • Conceptual Design
  • Implementation
  • Program Management

Dragon1 supports teams in their collaboration to perform this work.

GDPR Assessments and Overviews

Dragon1 supports generating overviews for GDPR. With such a GDPR overview, you can easily assess your current situation, report progress and improve compliance in your organization.

Using Dragon1 you will be able to either demonstrate your compliance or report progress on becoming more compliant.

GDPR Process Landscape Example

Below is an example of a GDPR process landscape. The landscape shows GDPR requirements and processes; for each process, the ownership attribute is highlighted and the value of the attribute is shown. The color red shows where, in this case, ownership is missing for a process.

In this way, you can quickly assess your own current situation with regard to GDPR legislation.


Click on the visualization to go to the Viewer. Next, click on a process and then on an attribute (in the list at the bottom left of the menu bar) to view a live example of a GDPR report.

GDPR Reporting Example

Below is an example of a detailed GDPR Excel report on the compliance of rules.

Based on this report you can project the current state and its progress on your process landscape and your application landscape.

Completeness of Reports

A General Data Protection Regulation (GDPR) overview, to be effective, should provide at least the following:

  • A common vocabulary
  • A list of business rules used
  • A set of systems and databases
  • Data objects and their sources
  • Process owners and data owners
  • Breaches of GDPR rules
  • Actions and measures to solve the breaches

By creating and generating GDPR landscapes and overviews, you ensure that your reports are complete.

Four Best Practices

Four best practices we want to mention here for implementing GDPR are:

  • Prove that your data is always stored encrypted where possible (even if this means a small performance loss).
  • Demonstrate that the location where your data (and backups) are stored (somewhere in a data center) is always known, for example only in Europe.
  • Demonstrate that nobody (from outside the EU) can access your data without your explicit permission, not even the administrators of the data center or the consultants.
  • Prove that you have a master key for decrypting your data in a database and that no one who should not have knowledge of this master key can obtain it.

Got Interested?

Are you interested in using Dragon1 for GDPR at your company?

Please contact us via info@dragon1.com or call +31 317 411 341 (during business working hours in The Netherlands).

We are happy to discuss your needs and arrange a demo, proof of concept or pilot. With this, you will get acquainted with and become confident in using Dragon1 for GDPR.
