A Process Manager's Adventures in GDPR Land
An article by Theresa Zwotzl, FireStart Community Manager
The GDPR is the EU General Data Protection Regulation, which applies from 25 May 2018. Unlike the previous Data Protection Directive, which set out data protection goals that each member state then implemented through its own national laws, the GDPR is directly applicable and binding throughout the EU. It applies not only to companies established in the EU, but also to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the data are stored or processed.
This new regulation has long been the source of much disquiet in many companies, no matter what sector, and has been the subject of many discussions, white papers and workshops. We would like to take this opportunity to provide you with an overview of the most important points for your company. At the same time, we would like to dispel any concerns you may have by showing you how you can meet these new challenges with the aid of well-conceived and implemented processes.
The new guidelines of the GDPR
The current data protection directive essentially already includes important guidelines concerning personal data. These guidelines state that personal data:
- must be lawfully collected and processed.
- may only be collected and stored for one or more specified and legitimate purposes.
- may only be processed for the purposes for which they were originally collected.
- must be stored in a secure, protected environment.
- must be correct and up-to-date.
For the most part, the new guidelines also refer to how personal data are collected, stored and processed. In addition, however, they also give individuals more control over their own data. The new guidelines can be summarised as follows:
- Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous; for special categories of data (such as health data) it must be explicit. Consent is one of several lawful bases, not the only one.
- Individuals may object to the processing of their personal data – including after the fact.
- The right of access (called the right of information in the rest of this article) allows a person to obtain confirmation of whether their data are being processed, information about that processing, and a copy of the personal data held.
- Individuals may obtain rectification of incorrect or incomplete data.
- The frequently discussed “right to be forgotten” allows people to obtain erasure of their personal data from all systems in which they are held, unless another lawful basis or a legal retention obligation requires keeping them.
- Data portability must be provided on request: the data must be handed over in a structured, commonly used and machine-readable format, and transmitted directly to another organisation where that is technically feasible.
Checklist for your GDPR compliance
One of the greatest challenges presented by the new regulation is keeping track of which personal data has been processed when, where, how, why, by whom and for what purpose. This means that, in the digital age, organisations are required to put organisational and technical measures in place that enable them to answer these questions and, in the event of an audit, provide verification. To help you navigate all this red tape and ensure transparency for your clients in how you handle their data, we have devised a checklist for you.
The checklist starts with a focus on evaluating current processes and data processing operations in order to help you create a new, unified process. The objective is to create standardised processes for all kinds of use cases and client requests. This saves time, which is often very important, for example when providing information to a client within the one-month deadline. It also creates the basis for documenting data processing operations and the assignment of roles for potential audits and inspections. Once the GDPR has come into effect, companies will be required to document, implement and provide evidence of their data protection processes. They must be prepared to be audited by the national data protection supervisory authority at any time.
Gaining an overview: current processes and data processing operations
- Evaluate the current processes relating to client data and current methods of handling and processing client data
- Review the purposes for which the data is processed, and the type of consent provided by the clients
- Verify whether a record of processing activities is already being kept or whether one must be kept: it is mandatory for organisations with 250 or more employees and, below that threshold, whenever the processing is not occasional, is likely to result in a risk to individuals or involves special categories of data (profiling is a typical trigger)
- Analyse any potential risks of the current processes and data processing operations on a technical and organisational level
- Analyse the exact purposes of a collection of data, as consent is restricted to these purposes
Complying with data protection: defining new data management processes and strategies
- Define the new or missing purposes of data processing and formulate the declaration of consent
- Create unified, automated processes for consent (double opt-in)
- Create unified, automated processes for managing customer inquiries (right to information, erasure, data portability, rectification and right to object to processing)
- Assign a data protection officer (mandatory for public bodies and for organisations whose core activities involve large-scale regular monitoring or special categories of data; advisable in other cases) and a named owner for each data protection process
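As an added example (not code from the original article or from FireStart), here is how the double opt-in consent step and the purpose-bound consent check from the list above could be implemented. The in-memory store, the 24-hour token lifetime, the sample addresses and the `T0` timestamp are all assumptions made for the example; in a real system the store would be a database and the token would travel in a confirmation e-mail. The point the code makes is that consent is only recorded once the second step has been completed, that it is bound to the purposes the person actually saw, and that every change leaves an audit event behind.

```python
"""Double opt-in consent with purpose-bound checks and an audit trail.

Constructed example: the in-memory store stands in for a database and the
confirmation e-mail is represented by the token handed back to the caller.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)                      # assumed: requests lapse after a day
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)      # constructed reference time for demos


def _hash(token: str) -> str:
    # Only the hash is stored: a leaked store does not yield usable confirmation links,
    # and looking up the hash of a random token avoids timing leaks on the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass(frozen=True)
class Consent:
    email: str
    purposes: frozenset        # consent covers exactly these purposes
    source: str                # the form or text the person saw when consenting
    requested_at: datetime
    confirmed_at: datetime


class ConsentStore:
    def __init__(self):
        self._pending = {}     # token hash -> (email, purposes, source, requested_at)
        self._consents = {}    # email -> Consent
        self.audit = []        # append-only event log kept for later audits

    def _log(self, event, email, now, **details):
        self.audit.append({"event": event, "email": email,
                           "at": now.isoformat(), **details})

    def request(self, email, purposes, source, now):
        """Step 1 of double opt-in: record the request, return the link token."""
        token = secrets.token_urlsafe(32)
        self._pending[_hash(token)] = (email, frozenset(purposes), source, now)
        self._log("consent_requested", email, now, purposes=sorted(purposes))
        return token           # goes into the confirmation e-mail, is never stored

    def confirm(self, token, now):
        """Step 2: the link is clicked. Single use, time limited, looked up by hash."""
        pending = self._pending.pop(_hash(token), None)
        if pending is None:
            return False       # unknown, already used, or tampered token
        email, purposes, source, requested_at = pending
        if now - requested_at > TOKEN_TTL:
            self._log("consent_expired", email, now)
            return False
        self._consents[email] = Consent(email, purposes, source, requested_at, now)
        self._log("consent_confirmed", email, now, purposes=sorted(purposes))
        return True

    def withdraw(self, email, purposes, now):
        """Right to object: drop the named purposes, keep any others."""
        current = self._consents.get(email)
        if current is None:
            return False
        remaining = current.purposes - frozenset(purposes)
        if remaining:
            self._consents[email] = Consent(email, remaining, current.source,
                                            current.requested_at, current.confirmed_at)
        else:
            del self._consents[email]
        self._log("consent_withdrawn", email, now, purposes=sorted(purposes))
        return True

    def allowed(self, email, purpose):
        """The check every processing step runs: is there confirmed consent for this purpose?"""
        current = self._consents.get(email)
        return current is not None and purpose in current.purposes


if __name__ == "__main__":
    store = ConsentStore()
    token = store.request("anna@example.com", {"newsletter"}, "web-form v3", T0)
    store.confirm(token, T0 + timedelta(hours=1))
    print("newsletter allowed:", store.allowed("anna@example.com", "newsletter"))
    print("profiling allowed: ", store.allowed("anna@example.com", "profiling"))
    for event in store.audit:
        print(event)
```

Note that `allowed()` is the only method the rest of the application needs to call; every mailing, export or analytics job checks it for the specific purpose at hand, so a consent given for a newsletter can never silently cover profiling.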
At the process level, attention must be paid to three components when defining and creating new processes. First, the data must be kept in a consistent format, both within the process itself and in the exchange with other systems, and the security level of the data must be maintained throughout. Second, the interfaces and systems involved in the process, which communicate with each other, must be compatible. Besides ensuring security and compatibility, it is also important to document the activity at each interface. Third, as in every process, responsibilities must be clearly assigned; these may also be subject to restriction and must be documented for any subsequent audit. It is advisable to take an end-to-end view at business process level when devising the processes, as this is the only way to ensure standardised management of data, interfaces and roles. BPM tools for modelling processes and integrating third-party systems and role models can be extremely helpful here.
Use case: a client’s right of information
In principle, all these requirements can be addressed at the process level by using unified process management. Standardised processes keep data collection under central control and so provide an overview of all the data and of the systems they are stored in. Each standard type of request can be translated into a process which is then automated. For example, a person requesting access to their data can be given information on their personal data by means of an automated process. A link to the third-party systems on which the data are stored allows these to be read, transmitted or erased. This means that organisations can respond largely automatically to client requests for information, data portability or erasure. Two checks belong in every such process: the identity of the requester must be verified before any data are disclosed or deleted, as an unverified request is a ready-made channel for leaking one person's data to another; and an erasure process must consult retention obligations and other lawful bases before deleting, so that the automation does not destroy records the organisation is required to keep.
In principle, organisations need not be afraid of the switch to data protection compliance. As with any other change, the best approach is to tackle the new requirements step by step. This is why risks should be assessed beforehand. Existing processes must be analysed and, ideally, adjusted or improved. The next step involves new, unified processes that help ensure future security and compliance. Automating these processes reduces the workload for staff and saves time. A unified BPM platform such as FireStart can not only plan and automate new business processes, it also helps implement the required GDPR workflows, such as requests for information or erasure, precisely and documents them in a revision-proof manner.
This article does not constitute legal advice, but merely reflects what we have found in our own research on this topic. We assume no liability for the accuracy, timeliness and completeness of our statements and no liability for possible legal consequences.