Business process modeling for GDPR compliance
Unless you’ve been living in a cave for the last few months, you have surely heard of the GDPR (General Data Protection Regulation), which came into force on the 25th of May.
Whether from journalists, consultants or businesses looking to reassure their clients, plenty of information, tips and advice about the new EU regulation is flooding our legal newsfeeds.
Often noise or empty words, sometimes valuable advice.
In this paper, which I hope belongs to the latter category, we will look at the different opportunities that business process modeling (BPM) offers for organizing GDPR compliance within your organisation.
Definition of BPM
Business process modeling, in business process management, can be defined as the activity of representing the processes of an organisation so that they can be analysed, improved and automated. (Wikipedia)
Contributions to GDPR compliance
Within the organisation, BPM makes it possible to set up the appropriate workflows to process the different requests arising from the new rights granted to data subjects.
Here is a diagram depicting one possible representation of a process for handling a right-to-be-forgotten request.
It is important to keep in mind that the representation of the process can and should differ, and be more or less detailed, depending on the purpose of the diagram and on the target audience.
Indeed, the example diagram is well suited to giving internal staff an overall understanding of the process and to documenting compliance (documentation that supervisory authorities pay attention to). In this case it is unnecessary and counterproductive to confuse the audience with more detail.
However, from the perspective of one of the stakeholders involved in the process, it could be useful to detail one of its steps.
Let’s place ourselves in the DPO lane and take the example of the « study the request’s admissibility » step. This step actually includes several tasks, detailed in a subprocess.
Note that these tasks can differ depending on the nature of the request. Once all the possible scenarios are considered, the model becomes a helpful quality management tool: the modus operandi depicted in the diagram ensures that any data subject request is processed as required (in accordance with the regulation).
BPM can also facilitate and automate the management of data retention. As you may know, independently of the right to be forgotten, data controllers are obliged to remove (or anonymize) personal data at the end of the planned and announced retention period (or to inform the data subject of the new processing). Here, good modeling combined with a process engine enables the automation of all the processes needed to fulfil the data controller’s obligations (notification processes, database and backup updates, etc.).
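As an added illustration, not taken from the original article, here is a small Python model of the two processes described above: the erasure request with its admissibility subprocess in the DPO lane, and the scheduled retention sweep that anonymizes expired records and lists the subjects to notify. The record fields, the admissibility checks and the sample data are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

@dataclass
class Record:
    """One personal-data record held for a stated purpose (assumed schema)."""
    subject_id: str
    purpose: str
    collected_on: date
    retention_days: int          # announced retention period
    status: str = "active"       # active | erased | anonymized
    log: list = field(default_factory=list)   # audit trail: doubles as compliance documentation

@dataclass
class ErasureRequest:
    subject_id: str
    identity_verified: bool      # result of the identity-check task in the DPO subprocess
    legal_hold: bool = False     # a legal obligation to keep the data blocks erasure

def study_admissibility(req: ErasureRequest) -> Tuple[bool, str]:
    """DPO-lane subprocess 'study the request's admissibility': one task per check."""
    if not req.identity_verified:
        return False, "identity not verified"
    if req.legal_hold:
        return False, "data must be kept under a legal obligation"
    return True, "admissible"

def handle_erasure_request(req: ErasureRequest, records: List[Record]) -> Tuple[bool, str]:
    """Main process: admissibility gate, then erasure of the subject's active records."""
    admissible, reason = study_admissibility(req)
    for r in records:
        if r.subject_id == req.subject_id and r.status == "active":
            if admissible:
                r.status = "erased"
            r.log.append(("erasure_request", reason))   # both outcomes are documented
    return admissible, reason

def retention_sweep(records: List[Record], today: date) -> List[Tuple[str, str]]:
    """Scheduled process: anonymize records whose announced retention period has ended
    and return the (subject, purpose) pairs for which a notification is still due."""
    to_notify = []
    for r in records:
        if r.status != "active":
            continue
        if today > r.collected_on + timedelta(days=r.retention_days):
            r.status = "anonymized"
            r.log.append(("retention_expired", today.isoformat()))
            to_notify.append((r.subject_id, r.purpose))
    return to_notify
```

The returned notification list is what a process engine would hand to the notification subprocess; the per-record log is the trace a supervisory authority could ask for.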
So here is a quick summary of BPM’s major benefits for GDPR compliance:
>> Understanding the use and flows of personal data within the organisation (data mapping)
>> Design, improvement and automation of all the useful processes involving internal staff, partners and data processors (management of data subjects’ requests, identification of cross-border flows, management of security breaches, management of retention periods…)
>> Documentation of compliance by showing the existence of organized and quality-controlled processes