
BPMN, a support tool in setting up GDPR


Article originally published on MEGA's blog

GDPR (General Data Protection Regulation), a topical issue for organizations

The General Data Protection Regulation (GDPR) is the regulation by which the EU strengthens and harmonizes data protection across all its member states, and which also controls transfers of personal data outside the Union. Its main objectives are to give citizens control over their personal data and to give multinationals a single regulatory framework.

GDPR applies to all organizations, inside or outside the EU, that hold personal data of individuals located in the EU. For a company outside the EU this includes, for example, the contact details of the people it deals with at its EU customers.

As the date on which GDPR becomes applicable approaches (May 25, 2018), companies must establish which personal data they keep, which rules apply to that data and who is responsible for it. In particular, they need to set up business processes that let them comply with the regulation.

DPO (Data Protection Officer)

The DPO is responsible for GDPR compliance within the organization. Appointing one is mandatory in some cases and optional in others. Examples of cases where appointment is compulsory:

  • any public authority or body that processes personal data
  • any private company whose core activities involve large-scale processing of sensitive data (for example health data) or regular and systematic monitoring of individuals on a large scale (telecom operators, banks)

What are the processes related to GDPR?

These are the processes that allow an organization to demonstrate, where required, to the competent national supervisory authority (in France, the CNIL, the National Commission for Informatics and Liberties) that it has actively sought to comply with GDPR.

Usual processes: the response processes to

  • the right to information: everyone has the right to know that personal data concerning them is being processed, and for what purpose.
  • the right of access: the right of any data subject to obtain from the data controller confirmation that data concerning them is being processed, and access to that data.
  • the right to rectification: the right to obtain from the data controller, without undue delay, the correction of inaccurate or incomplete personal data.
  • the right to object: the right of any individual to object to the processing of their personal data (except where a specific legal obligation requires it).
  • the right to be forgotten (right to erasure): the right of any individual to obtain from the data controller the erasure, without undue delay, of personal data concerning them, and the corresponding obligation on the controller to erase that data.
  • the design of data processing systems with data protection built in by design and by default (privacy by design).

Non-usual processes: Data Breach

In case of a personal data breach (for example an external intrusion), the controller must notify the competent supervisory authority (the CNIL in France) without undue delay and, where feasible, no later than 72 hours after becoming aware of it. When the notification is not made within 72 hours, it must be accompanied by the reasons for the delay. The notification must, among other things, describe the nature of the personal data breach, its likely consequences and the measures taken or proposed to address it. Note that the clock starts at awareness of the breach, not at its occurrence, so the process must also record when the organization became aware.

GDPR processes modeling

It is therefore necessary to describe the GDPR-related processes as clearly as possible, and in a way that is fully understandable to the actors concerned: the DPO, HR, the legal department and possibly the quality department.

Since 2010 there has been a standard language, adopted across the BPM vendor landscape, for describing and modelling business processes as rigorously as possible: BPMN (Business Process Model & Notation) 2.0, maintained by the OMG.

For those less familiar with BPMN, what is specific about this standard is that, contrary to what one might think, it is not merely a graphical drawing tool but a language with its own syntax and semantics. In a drawing tool, even the most widely used on the market, the person drawing the diagram picks an element from the palette that looks appropriate and assigns it a meaning: for example, they decide that a given shape will represent a server. In BPMN, it is not the designer who gives meaning to the chosen element but the language itself. As a result, a diagram (a model, in the jargon) that may look accurate from the business point of view can still be wrong with respect to the standard, and tools that apply the standard's rules will reject it.
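To make both points concrete, here is an added example that is not part of the original article and not code from MEGA or HOPEX: a minimal BPMN 2.0 XML model of the data-breach notification process described above (detect, assess, notify the authority, with an interrupting 72 hour timer that forces the "document reasons for the delay" branch), together with a small checker that applies a few structural rules of the BPMN 2.0 standard to it. The element ids, task names and target namespace are hypothetical; the checker implements only a handful of the standard's rules, chosen to show how a diagram that "looks right" to a business user (a free-text duration, a timer hung on the start event) is still invalid BPMN.

```python
# Added example, not code from the original article nor from MEGA/HOPEX:
# a minimal BPMN 2.0 model of the data-breach notification process and a
# checker that applies a few rules of the BPMN 2.0 standard to it.
# Element ids, task names and the target namespace are hypothetical.
import re
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
NS = {"bpmn": BPMN_NS}

# Constructed sample model. The 72 h timer attached to the assessment task is
# interrupting (the BPMN default), so when the deadline passes the assessment is
# abandoned, the reasons for the delay are documented, and the authority is
# notified anyway.
BREACH_MODEL = f"""<definitions xmlns="{BPMN_NS}" id="gdprDefs"
             targetNamespace="http://example.org/gdpr">
  <process id="breachNotification" isExecutable="false">
    <startEvent id="breachDetected" name="Personal data breach detected"/>
    <userTask id="assess" name="Assess nature, consequences and remedial measures"/>
    <boundaryEvent id="deadline" name="72 h since awareness" attachedToRef="assess">
      <timerEventDefinition><timeDuration>PT72H</timeDuration></timerEventDefinition>
    </boundaryEvent>
    <userTask id="documentDelay" name="Document reasons for the delay"/>
    <sendTask id="notify" name="Notify supervisory authority (CNIL)"/>
    <endEvent id="notified" name="Authority notified"/>
    <sequenceFlow id="f1" sourceRef="breachDetected" targetRef="assess"/>
    <sequenceFlow id="f2" sourceRef="assess" targetRef="notify"/>
    <sequenceFlow id="f3" sourceRef="deadline" targetRef="documentDelay"/>
    <sequenceFlow id="f4" sourceRef="documentDelay" targetRef="notify"/>
    <sequenceFlow id="f5" sourceRef="notify" targetRef="notified"/>
  </process>
</definitions>"""

# A diagram a business user might draw that "looks right" but breaks the
# standard: a free-text duration and a timer hung on the start event.
BAD_MODEL = (BREACH_MODEL.replace("PT72H", "72 hours")
             .replace('attachedToRef="assess"', 'attachedToRef="breachDetected"'))

FLOW_NODES = {"startEvent", "endEvent", "boundaryEvent", "intermediateCatchEvent",
              "task", "userTask", "sendTask", "serviceTask", "manualTask",
              "exclusiveGateway", "parallelGateway", "subProcess"}
ACTIVITIES = {"task", "userTask", "sendTask", "serviceTask", "manualTask", "subProcess"}
# ISO 8601 duration, the only form BPMN 2.0 allows in timeDuration.
ISO_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def _kind(el):
    """Local element name without the BPMN namespace."""
    return el.tag.rsplit("}", 1)[-1]


def check_model(xml_text):
    """Return a list of violations of basic BPMN 2.0 rules (empty = OK)."""
    problems = []
    for proc in ET.fromstring(xml_text).findall("bpmn:process", NS):
        nodes = {el.get("id"): el for el in proc if _kind(el) in FLOW_NODES}
        incoming = dict.fromkeys(nodes, 0)
        outgoing = dict.fromkeys(nodes, 0)
        for flow in (el for el in proc if _kind(el) == "sequenceFlow"):
            src, tgt = flow.get("sourceRef"), flow.get("targetRef")
            for ref, role in ((src, "sourceRef"), (tgt, "targetRef")):
                if ref not in nodes:
                    problems.append(f"{flow.get('id')}: {role} '{ref}' is not a flow node")
            outgoing[src] = outgoing.get(src, 0) + 1
            incoming[tgt] = incoming.get(tgt, 0) + 1
        for nid, el in nodes.items():
            kind = _kind(el)
            if kind == "startEvent" and incoming[nid]:
                problems.append(f"{nid}: start event must not have incoming flows")
            if kind == "endEvent" and outgoing[nid]:
                problems.append(f"{nid}: end event must not have outgoing flows")
            if kind != "endEvent" and not outgoing[nid]:
                problems.append(f"{nid}: {kind} has no outgoing sequence flow")
            if kind not in ("startEvent", "boundaryEvent") and not incoming[nid]:
                problems.append(f"{nid}: {kind} has no incoming sequence flow")
            if kind == "boundaryEvent":
                host = nodes.get(el.get("attachedToRef"))
                if host is None or _kind(host) not in ACTIVITIES:
                    problems.append(f"{nid}: attachedToRef must name an activity")
            for dur in el.findall("bpmn:timerEventDefinition/bpmn:timeDuration", NS):
                if not ISO_DURATION.match((dur.text or "").strip()):
                    problems.append(f"{nid}: timeDuration '{dur.text}' is not ISO 8601")
    return problems


def timer_durations(xml_text):
    """Map each timer event id to its timeDuration text, e.g. {'deadline': 'PT72H'}."""
    root = ET.fromstring(xml_text)
    return {ev.get("id"): (d.text or "").strip()
            for ev in root.iter()
            for d in ev.findall("bpmn:timerEventDefinition/bpmn:timeDuration", NS)}


if __name__ == "__main__":
    print("valid model:", check_model(BREACH_MODEL) or "no violations")
    for p in check_model(BAD_MODEL):
        print("bad model:", p)
```

Running the block reports no violations for the first model and two for the second. The second model is exactly the kind of diagram the previous paragraph warns about: a reader sees "72 hours" on a clock symbol next to the start of the process and understands the business intent, but BPMN 2.0 requires an ISO 8601 duration (PT72H) and only allows a boundary event to be attached to an activity, so a standard-conforming tool (or an execution engine) would refuse the model.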

For business users who are new to process modelling, which may well be the case for a DPO, the HOPEX Business Process Analysis software has an Easy Diagramming feature that lets users express their problem in business terms, in the form of a table, which the tool automatically translates into a BPMN model. That model will then usually need to be refined using the complete palette of BPMN elements.

As a MEGA partner, we offer the training course « Modéliser efficacement des processus liés à GDPR » ("Modelling GDPR-related processes effectively") with HOPEX Business Process Analysis.

Bruno van Dam - CEO BPM CYT