General Data Protection Regulation - GDPR Compliance

Are You able to Demonstrate Compliance with GDPR?
Use Dragon1 for creating GDPR Registers, Assessments and Compliance Reporting

General Data Protection Regulation is a new EU regulation. It is aimed at unifying the way personal data is protected, imported and exported.

Companies have to be able to show how they treat and protect personal data of customers or members, especially sensitive data, in business processes and software applications.

Sensitive personal data are data like social security number, birthday, religion and union membership. These data must be protected in your databases at all times. For instance to prevent identity theft and other abuse of data.

Using Dragon1 for GDPR

Dragon1 is a platform for creating and generating visualizations and management reports on how you as organization treat, protect and make use of personal data in business processes and software applications.

Part of Dragon1 is a modeling language for business processes and information systems. The Dragon1 modeling language is fit for purpose to model and analyze all data in your organization compliant to GDPR. It contains all kinds of entity classes and the ability to model where what data is treated and protected in processes and applications. This enables you to visually check all of your processes and application for compliancy on GDRP business rules:

  • Model and analyze your processes on Dragon1 - And see how they treat and protect sensitive customer data.
  • Model and analyze your applications on Dragon1 - And see how they treat and protect sensitive customer data.

Creating GDPR Registers on Dragon1

GDPR makes it an obligation for every company to carry out the following tasks:

  • Setup and maintain a register of data processing activities (DPA)
  • To do data protection impact assessment (DPIA)
  • Setup and maintain a register of data leaks (DL)
  • To be able show proof that the person concerned has actually given permission for data processing when you need permission for a processing.
  • To appoint a person as Data Protection Officer or if not, explain why

Two of the tasks are about setting up and maintaining a register for data processing activities and data leaks.

Both of these registers can be done on Dragon1.

Below we sketch how such a register can be setup and maintained on Dragon1.

The data attributes to registers

The following data attributes could be registered:

  • Data Processing activities
  • The reason for processing
  • Legal basis for processing
  • Documenting what is done
  • Involvements
  • Responsibilities
  • Accountabilities
  • Processed data
  • Data categories
  • Data Sources
  • Data Receiving Parties
  • 3rd Parties
  • Period of Data Retention
  • Data Processing Contracts
  • Data Processing Types
  • Information Systems and Software Applications that do the data processing
  • Necessity of Privacy impact Assessment

It just takes six easy steps in order to setup and maintain a GDPR register on the Dragon1 platform

  • 1: Edit the GDPR Data Template to your situation
  • 2: Enter the Data in the register
  • 3: Publish the Register to make it available for stakeholder
  • 4: Design the GDPR Register update and maintenance process
  • 5: Approve the process and appoint concerned persons
  • 6: Setup GDPR Update and Maintenance alerts.

Here you see a screenshot of a GDPR Register that is setup and maintained on Dragon1.

Process Framework for GDPR

Below is a process framework that guides you as organization to become GDPR compliant.

It defines four areas of attention that should be addressed in order to successfully comply at one point in time to GDPR:

  • Quick Check
  • Conceptual Design
  • Implementation
  • Program Management

Dragon1 supports teams in their collaboration to perform this work:

General Data Protection Regulation (GDPR)

GDPR Assessments and Overviews

Dragon1 supports generating overviews for GDPR. With this GDPR overview, you can easily assess your current state situation, you can report progress and you can improve the compliance in your organization.

Using Dragon1 you will be able to either demonstrate your compliance or report progress on becoming more compliant.

GDPR Process Landscape Example

Below is an example of a GDRP Process landscape. The landscape shows GDPR requirements and processes and per process, the ownership attribute is highlighted and the value of the attribute is shown. The color red shows where in this case ownership is missing for a process.

In this way you can quickly assess your own current situation with regards to GDPR legislation.

Click on the visualization to go to the Content Viewer. Next, click on a process and then on an attribute (in the list at the left bottom of the menubar) and view a live example of a GDPR report.

GDPR Reporting Example

Below is an example of a detailed GDPR excel report on compliancy of rules.

Based on this report you can project the current state and its progress on your process landscape and your application landscape.

Completeness of Reports

An General Data Protection Regulation (GDPR) overview, to be effective, should provide at least the following:

  • A common vocabulary
  • A list of business rules used
  • A set of systems and databases
  • Data objects and their sources
  • Process owners and data owners
  • Breaches of GDPR rules
  • Actions and measures to solve the breaches

By creating and generating GDPR landscapes and overviews on Dragon1, you are ensured that your reports will be complete.

Four Best Practices

Four best practices we want to mention here for implementing GDPR are:

  • Prove that your data is always stored encrypted if possible (even if there is minimal performance loss).
  • Demonstrate the location where your data (and backups) are stored (somewhere in a data center) is always known, for example, only in Europe.
  • Demonstrate that nobody (from outside the EU) can access your data without your explicit permission. Not even the administrators of the data center or the consultants.
  • Prove that you have a master key for decrypting your data in a database and that no one can have knowledge of this master key that should not have it.

Read Also

You may also be interested to read about this:

Got Interested?

Are you interested in using Dragon1 for GDPR at your company?

Please contact us via info@dragon1.com or call +31 317 411 341 (during business working hours in The Netherlands).

We are happy to discuss your needs and arrange a demo, proof of concept or pilot. With this, you will get acquainted with and become confident in using Dragon1 for GDPR.