BPM GDPR
Personal data protection has been an important issue in the EU for over 20 years, but only the General Data Protection Regulation (hereinafter GDPR, or RODO in Polish), adopted in April 2016 and applicable since 25 May 2018, regulated the area of personal data protection comprehensively and took it to a completely new level.
Why is BPM GDPR an effective answer to problems faced by organizations in the area of personal data protection?
The platform has been designed by a team of specialists who help dozens of customers maintain GDPR compliance on a daily basis. Acting as Data Protection Officers, Plenipotentiaries for Information Security Management Systems or Auditors, we were able to identify the causes of problems in the area of personal data protection and ensure that our system effectively solved them.
When designing the system, we kept in mind that it must allow the organization to demonstrate compliance with the GDPR (the accountability requirement of Article 5(2) of the GDPR) and automate the processes required by the Regulation so as to relieve the DPO and the employees who support them.
The system enables the construction of registers of processing activities and categories of processing activities (Article 30 of the GDPR), taking into account all the requirements of the GDPR, the guidelines of the Office for Personal Data Protection and additional information that helps the DPO manage the registers. Thanks to the possibility of linking a given activity with the indicated people, positions or specific resources, i.e. rooms or IT systems in which a given activity is carried out, we build a real map of the flow of personal data through the organization. The system also allows you to create dictionaries, thanks to which it is very easy to supplement the register even with unusual types of personal data. Filtering data by any column and intuitive search further improve the work. In addition, every change is recorded in an audit trail and the registers are versioned.
The register of entrustment agreements (data processing agreements under Article 28 of the GDPR) not only allows the agreements themselves to be recorded, but ensures compliance with the requirements of the Regulation regarding the supervision of entities to which the organization has entrusted personal data for processing, including in particular whether they provide sufficient guarantees of meeting the requirements of the GDPR. In addition, the register allows the DPO to easily check to whom, for how long and why personal data has been entrusted. The system can also generate reminders, e.g. about the expiry date of an agreement, so that the DPO can request the return or deletion of the data entrusted for processing.
The GDPR module has functionality supporting the performance of a data protection impact assessment (DPIA) and ensures that an assessment of whether a DPIA is required (Article 35 of the GDPR) is carried out for each processing activity. When it turns out that a DPIA is necessary, the methodology implemented by Blue Energy specialists lets you carry out this process quickly and comprehensively. The module has been designed to ensure maximum automation, e.g. by pulling the information needed for the DPIA from the register of processing activities, the register of incidents or the risk cards of the resources involved.
The risk analysis functionality is built on the requirements of international standards such as ISO/IEC 27005 and ISO 31000. It allows the assessment of risks related to information processing in the specific resources used by the organization. The risk value of a resource is reused when performing a data protection impact assessment (DPIA), handling personal data breaches, or selecting security measures for the resource. The Risk Analysis module is supported by additional functionality for supervising improvement activities, i.e. the tasks resulting from the risk treatment plan.
The system allows employees to report events that may constitute a personal data breach. Such a report is sent to the DPO or another designated employee to assess whether the event actually constitutes a personal data breach. Regardless of the outcome, the very fact of reporting is automatically entered in the register, together with the necessary information. If the incident is classified as a personal data breach, the Platform lets you assess its severity using the ENISA (European Union Agency for Cybersecurity) methodology and decide whether it must be notified to the supervisory authority within 72 hours of becoming aware of it (Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects) and whether, because it involves a high risk to those rights and freedoms, the data subjects themselves must also be informed (Article 34 of the GDPR). In addition, the system allows you to assign and supervise the improvement actions taken as a result of the incident.
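To make the breach-triage step concrete, the following is an added example (not BPM GDPR product code) that scores a breach with the formula from ENISA's 2013 "Recommendations for a methodology of the assessment of severity of personal data breaches" (SE = DPC × EI + CB) and derives the Article 33/34 decisions and the 72-hour deadline from it. The scale values and severity bands are transcribed from that document; the mapping of the "low" band to "unlikely to result in a risk" and of "high"/"very high" to Article 34 is an assumption, as is the sample breach, which is constructed.

```python
"""Illustrative personal-data-breach triage (added example, not product code).

Severity per ENISA 2013: SE = DPC * EI + CB, where
  DPC  = data processing context (1..4 by data type, adjusted by context),
  EI   = ease of identification of the data subjects (0.25..1.0),
  CB   = circumstances of the breach (loss of C/I/A, malicious intent).
Bands: SE < 2 low, 2 <= SE < 3 medium, 3 <= SE < 4 high, SE >= 4 very high.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class DataType(Enum):
    SIMPLE = 1       # basic identifying data (name, address)
    BEHAVIOURAL = 2  # location, habits, preferences
    FINANCIAL = 3    # bank, payment, income data
    SENSITIVE = 4    # Art. 9 special categories (health, etc.)


EI_SCALE = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
CB_SCALE = {"none": 0.0, "partial": 0.25, "full": 0.5}  # per C/I/A dimension
MALICIOUS_INTENT_CB = 0.5


@dataclass
class Breach:
    became_aware_at: datetime
    data_type: DataType
    dpc_adjustment: int = 0  # +/- from ENISA's contextual DPC factors (volume, vulnerability of subjects, ...)
    ease_of_identification: str = "limited"
    confidentiality_loss: str = "full"
    integrity_loss: str = "none"
    availability_loss: str = "none"
    malicious_intent: bool = False


def severity(b: Breach) -> float:
    """SE = DPC * EI + CB, with DPC clamped to the 1..4 range ENISA uses."""
    dpc = min(4, max(1, b.data_type.value + b.dpc_adjustment))
    ei = EI_SCALE[b.ease_of_identification]
    cb = (CB_SCALE[b.confidentiality_loss]
          + CB_SCALE[b.integrity_loss]
          + CB_SCALE[b.availability_loss])
    if b.malicious_intent:
        cb += MALICIOUS_INTENT_CB
    return dpc * ei + cb


def severity_band(se: float) -> str:
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


def decide(b: Breach) -> dict:
    """Derive the Art. 33/34 obligations from the severity band.

    Assumption (not part of ENISA or the GDPR text): a 'low' band is treated as
    'unlikely to result in a risk' (no Art. 33 notification), while 'high' and
    'very high' are treated as 'high risk' requiring Art. 34 communication.
    """
    se = severity(b)
    band = severity_band(se)
    notify_sa = band != "low"
    return {
        "severity": se,
        "band": band,
        "notify_supervisory_authority": notify_sa,
        # Art. 33(1): without undue delay and not later than 72 hours after becoming aware
        "notification_deadline": b.became_aware_at + timedelta(hours=72) if notify_sa else None,
        "communicate_to_data_subjects": band in ("high", "very high"),
    }


# Constructed sample: payment data leaked by an attacker, subjects easy to identify.
SAMPLE = Breach(
    became_aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    data_type=DataType.FINANCIAL,
    ease_of_identification="significant",
    confidentiality_loss="full",
    malicious_intent=True,
)

if __name__ == "__main__":
    for k, v in decide(SAMPLE).items():
        print(f"{k}: {v}")
```

The point of keeping the band-to-obligation mapping in one small function is that it is the part a DPO will want to tune and be able to justify to the supervisory authority; the severity arithmetic itself should stay a faithful transcription of the published methodology.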
The functionality for handling data subjects' rights allows the DPO to effectively supervise all requests received by the organization concerning the exercise of those rights (Articles 15 to 22 of the GDPR). After a request is received, the combination of the Platform's individual functionalities lets us quickly find the resources in which the requester's data is processed, the processing activities in which that data is involved, and the people who can support the DPO in fulfilling the request (the resource owners). The system also allows you to supervise and report on the completion of tasks and has a built-in mechanism that reminds you to take specific actions before the deadlines set by the Regulation (as a rule, one month from receipt of the request under Article 12(3)).
Thanks to linking processing activities with their owners, the BPM GDPR module makes it possible to run a periodic review of the register of processing activities (RCP). This functionality lets you ensure that the RCP is up to date at all times and, in turn, that the principles of purpose limitation, data minimisation and storage limitation (Article 5(1) of the GDPR) are actually applied.
– BPM Information Security
- Supports the involvement of the whole organization in implementing the GDPR requirements
- Automation of the processes required by the Regulation
- Provides evidence of the organization's compliance with the GDPR
- Flexible licensing methods, including subscription
- Access from a web browser and on mobile devices
- Built-in dictionaries based on our many years of experience
- Alerts and reminders
- Active Directory (AD) integration
- No limit on the number of users
How do requests for the exercise of the rights of data subjects "disappear in the organization"?
How did the BPM Platform reduce the time necessary to exercise the rights of the data subject from 12 days to 1 day?
It turns out that subcontractors are the main source of infringements ...