Prototype Tool to analyse Information System (IS) compliancy towards GDPR

This tool was developed as proof of concept for University of Tartu Master's Thesis "Analysis of GDPR Compliance in Information Systems" by Eduard Sing and supervised by Raimundas Matulevičius (2018).

What is GDPR? GDPR problems.

GDPR (Genetal Data Protection Regulation) is new regulation

In the April 2016, the European Parliament and Council approved the new personal data protection regulation - GDPR (General Data Protection Regulation), which will take effect in the end of the May 2018.The GDPR is addressing common problems of the protection and the usage of the personal data of EU citizens.

According to the new regulation, all organizations that use personal data of EU citizens in their day-to-day activities - have to reevaluate their business processes and information systems to comply with the new rules and constraints. The punishment for misuse of personal data can be very costly to company - up to 20 million euros or 4% of the annual global turnover. Nevertheless, there is no technical guidance or clear approach that would help to evaluate business processes of information system to comply with GDPR.

This thesis will address mentioned issue by researching the GDPR legislation text and proposing actual methodology for analysing business processes of information systems and aligning them with the GDPR. The proposed methodology will also help to map the flow of the personal data between different parties and highlight the problematic places in the business processes suggesting measures to reduce the misuse of personal data.

Taken from abstract

Method to analyse Information System compliancy towards GDPR

IS as-is compliancy model is compared against proposed GDPR meta-model (defined in UML class diagram notation [2.3 GDPR meta-model]). The information for as-is compliancy model is collected from business processes (defined with BPMN 2.0 notation) using extraction rules (3.3 Extraction Rules).

A method proposed in Thesis
Method to analyse Information System compliancy towards GDPR

What does this tool do?

This tool is capable of analysing business processes of IS:

  • Parse business process models defined in BPMN 2.0 notation (XML files with .bpmn extension).
  • Automatically apply extraction rules (3.3 Extraction Rules)
  • Ask user for additional inputs for extraction rules (3.3 Extraction Rules)
  • Compare and analyse GDPR meta-model and as-is compliancy model
  • Depict as-is compliancy model using PlantUML tool
Tool concept
Main concept of this tool

This form creates new model. Model represents analysis of one information system and can contain several business processes. Note that we are asking some additional information for each model to determine Controller, Processor and Third Party authorities.

Art. 4 GDPR
  1. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  2. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  1. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Pick a name for model so later this model could be easily found in list below
Previously saved models

There are no models created yet. You can create new model with form above (Create new model to analyse).