Elke Bastian's picture

The upcoming EU General Data Protection Regulation (GDPR) is still a hot topic, and many companies are struggling with their compliance projects to meet the deadline in May 2018. The Software AG GDPR framework can help. Part of this framework is the ARIS accelerators for GDPR, including some improvements for ARIS Connect and ARIS Risk & Compliance Manager, to help you speed up your GDPR projects.

When you get started with GDPR compliance, it makes sense to get familiar with the new legislation and integrate the requirements into your ARIS repository. This helps to define compliance risks, controls and responsibilities. An out-of-the-box technical term model with detailed GDPR content helps you here.

Technical term model for GDPR

Article 30 of the legislation requires each data controller and each data processor to maintain a Record of Processing Activities (ROPA). New fact sheets for ARIS Connect help subject matter experts do this in an easy table-based way. In some cases Processing Activities (PAs) are equivalent to business processes. In these cases, you can reuse the business process data from the ARIS repository and add more processing activity details. Other PAs might only cover specific parts of business processes or might not (yet) be part of the company’s process landscape. You can add these as new information to the ROPA. New filters with conventions to document processing activities and GDPR-relevant qualification of application systems, processes and data help you with this task. Data objects can be classified with new data privacy attributes. The method extensions include risk assignment.

ARIS Connect fact sheet for record of processing activities

Detailed description of processing activities with risk and questionnaire assignment

The Data Protection Officer (DPO) can describe the PAs in more detail and assign questionnaire templates for PA Documentation (PAD). The PAD surveys can be performed with ARIS Risk & Compliance Manager. A new survey intelligence report can be used to evaluate a score that helps the DPO define further measures. For critical PAs with a high score, we recommend performing more detailed surveys for PA Qualification (PAQ) and risk assessments.

The ARIS accelerators for GDPR provide out-of-the-box example questionnaire templates for documentation and qualification. ARIS Risk & Compliance Manager provides a GDPR-specific impact type for risk assessment.

Survey intelligence report for PAD score evaluation

GDPR PAQ survey for critical PAs

GDPR-relevant risk assessments for impact analyses

For the DPO it is very important to always be up to date on the current situation and to react quickly to any issues or incidents. GDPR-tailored dashboards with direct access to the affected elements make this easier.

GDPR dashboard for the DPO

Finally, after all the work is done, the DPO needs a reliable tool to easily prove compliance with the GDPR at the click of a button. New management reports for GDPR make this an easy exercise.

Extended GDPR Management Report

The ARIS accelerators for GDPR are part of Software AG’s GDPR framework. For more information, please visit gdpr.softwareag.com and download the new e-book to make sure you’re on track to meet the 2018 deadline. For a demo of the GDPR framework with ARIS and Alfabet, please watch this recording: GDPR – How ARIS and Alfabet will prepare you for the General Data Protection Regulation

Tags: ARIS, ARIS Aware, ARIS Connect, Business Process Management, GRC