This blogpost explains how to implement the EU General Data Protection Regulation (GDPR) by design and by default via Business Process Management (BPM). This blogpost describes only a reference solution architecture without much implementation details. It focuses, primarily, on the artefacts such as capabilities, rules, roles, data-structures, documents, explicit coordination and audit trails.
1 Terminology in the GDPR
Although the information security domain is developed well, the GDPR document (see article 3) uses rather exotic terminology (sources are not provided). For example, many concepts, available from the standard privacy framework (ISO/IEC 29100) have different designations (terms). Another example is that the concepts “data” and “information” do not follow the DIKW “pyramid”.
Although a mapping between 16 terms of the GDPR and existing terminology is not difficult, it would be better to avoid such a mapping.
2 The main element
The main element of the GDPR is a data-structure object “Personally Identifiable Information” (PII) in the ISO/IEC 29100 terminology or “personal data” in the GDPR terminology. It must be explicitly and carefully protected:
- for its confidentiality, integrity and availability
- in rest, in transit and in use
- throughout its life cycle
Usually, the life cycle of PII objects is very simple and covered by 4 actions which are known as the CRUD pattern (although each update may create a new version of the PII object).
3 The core processes
Those actions, namely, Create, Read, Update and Delete, must be presented as small processes (or workflows) to provide the design and execution traceability. Considering that any PII is owned by the “PII principal” (or a natural person to whom a set of personally identifiable information relates), he/she must approve some actions on his/her PII object.
For example, an PII principal must provide his/her consent to process his/her PII object and such a consent must be kept as a record by the “PII processor” (privacy stakeholder that processes personally identifiable information on behalf of and in accordance with the instructions of a “PII controller”).
4 Some supporting capabilities
The core (or life cycle) processes use several capabilities (services or processes) such as:
- identity management
- access management
- anonymization
- encryption
- etc.
Also, some error- and exception-handling processes are necessary to properly handle privacy incidents.
5 Related roles
The essential roles are the following:
- “PII principal” in the ISO/IEC 29100 terminology or “data subject” in the GDPR terminology – the owner of the PII,
- “PII processor” – persons or organisations who/which execute the GDPR processes,
- “PII controller” – authority which, alone or jointly with others, determines the purposes and means of the processing of personal data, and
- “Data Protection Officer (DPO)” – person who is the owner of the GDPR processes.
6 Rules
The execution of the GDPR processes is guided by numerous rules which are; actually, the majority of the GDPR documents. For example, if a PPI principal is a citizen of an EU countries then “PII processes” must follow the GDPR.
Unfortunately, it is unknown if these rules comply to the MECE principle (no overlaps and no holes).
7 Complex scenarios
There are a few scenarios which involve more than one PII object. For example, split, merge, export, transportation, correlation, etc.
8 Conclusion
Use of BPM to implement the GDPR addresses all the GDPR concerns. Explicit and machine-executable processes are mandatory to achieve by design and by default the listed below key points.
- Compliance – all privacy-related activities and coordination between them can be easy analysed.
- Accountability – generated audit trails provide factual and objective information about why did what.
- Data protection officers (DPOs) – as a role which owns all the GDPR processes.
- Consent – is achieved by the design of the GDPR processes and records management.
- Enhanced rights for individuals – is achieved by the design of the GDPR processes.
- Privacy policies – all PII controllers and PII processors must analyse their privacy policies via the logic of explicit processes.
- International transfers – also become processes.
- Breach notification – as an integral part of the privacy incident GDPR processes.
Thanks,
AS