Prototype Tool to analyse Information System (IS) compliancy towards GDPR
This tool was developed as proof of concept for University of Tartu Master's Thesis
"Analysis of GDPR Compliance in Information Systems" by Eduard Sing and supervised
by Raimundas Matulevičius (2018).
What is GDPR? GDPR problems.
GDPR (Genetal Data Protection Regulation) is new regulation
In the April 2016, the European Parliament and Council approved the new personal data
protection regulation - GDPR (General Data Protection Regulation), which will take effect
in the end of the May 2018.The GDPR is addressing common problems of the protection and the
usage of the personal data of EU citizens.
According to the new regulation, all organizations that use personal data of EU citizens in
their day-to-day activities - have to reevaluate their business processes and information
systems to comply with the new rules and constraints. The punishment for misuse of personal
data can be very costly to company - up to 20 million euros or 4% of the annual global
Nevertheless, there is no technical guidance or clear approach that would help to evaluate
business processes of information system to comply with GDPR.
This thesis will address mentioned issue by researching the GDPR legislation text and
proposing actual methodology for analysing business processes of information systems and
aligning them with the GDPR. The proposed methodology will also help to map the flow of the
personal data between different parties and highlight the problematic places in the
business processes suggesting measures to reduce the misuse of personal data.
Taken from abstract
Method to analyse Information System compliancy towards GDPR
IS as-is compliancy model is compared against proposed
GDPR meta-model (defined in UML class
diagram notation [2.3 GDPR meta-model]). The information for as-is compliancy model is
collected from business processes (defined with BPMN 2.0 notation) using extraction
rules (3.3 Extraction Rules).
What does this tool do?
This tool is capable of analysing business processes of IS:
- Parse business process models defined in BPMN 2.0 notation (XML files with .bpmn extension).
- Automatically apply extraction rules (3.3 Extraction Rules)
- Ask user for additional inputs for extraction rules (3.3 Extraction Rules)
- Compare and analyse GDPR meta-model
and as-is compliancy model
- Depict as-is compliancy model using PlantUML tool