Organization

The initial point of the GDPR Automation System is Organization module. The organization represents the company that has agreed to do the compliance regulation with us. In this case, the product Detail View corresponds to the form of submitting a shipment.The information stored for each company is:

• Organization name

• PIVA

• Address

• ZIP Code

• City

• GDPR Human Resources Block

• Checklist GDPR Commerciale Block

 

GDPR Human Resource Block

 

The GDPR Human Resource fields block is the section that gives the basic information about the responsibilities of the company related to the new regulation of GDPR like the name of the DPO, Legal Adviser, administrator of the system and the name of the person responsible for the backup. This are defined as text fields where the data entry clerk enters the information based on the security checklist.

 

Checklist GDPR Commerciale

 

As shown above, in the Figure the Checklist GDPR Commerciale block saves information about the DPO in cases that the client has appointed an external or internal data protection officer, if he transfers data out of the EU or other countries. In terms of business logic, every field that is created in this section is in function to the recommended practices and principles of the GDPR Regulation legal framework. Every field inserted by the data entry clerk is mapped inside the template documents and will represent a piece of information in compliance with the regulation and the guidelines that every SME should apply.

Processing Activities

The set of data that they process and store into their organization are recorded in the module processing activities that will be only a record which will contain all the databases or data treated. All the data sets are represented as checkboxes inside the module. Every data entry clerk of the back office team will select the correct checkboxes and also the name of the responsible data processor for that particular database. All the databases have their standard numbers codes defined in order to distinguish them.

 

Processing Activities databases

 

Personal Data Categories

The personal data categories module will contain all the data categories that one company process. Based on the regulation of GDPR this module will store for one organization all the personal data categories classified representing different departments or responsibilities into their organization and also through this module each personal data categories will store all the database that each of these categories is allowed to see, modify, store, process or delete. It is important to properly define them because it gives a framework not only about the classification of data categories but also through them we define the access control for each employee that is included in one of these classes.

It is composed of three basic sections:

• Related Organization is a UIT10 Corebos field that connects this personal data category with the related organization.

• Related Processing Activities is a UIT10 Corebos field that connects these personal data categories with the related processing activities.

• Lista Dati is all the databases related to one personal data category. Databases are checkboxes field that each of the data clerks will have to compile.

All these fields are mandatory, which means the visitor cannot proceed without filling them. Filling the record with the respective organization and processing activities will help the data retrieval process and eventually the merging of the GDPR templates to the correct record.

Employee

The module Employee represents all the employees of the organizations that have agreed to do the compliance regulations with us. In this case, employees are the dependents connected with the organization account. For each employee the user is required to put the following information:

• Name and Surname

• Related Organization is a UIT10 Corebos field that connects this employee with the related organization.

• GDPR Information Block

The GDPR Information block is designed to save information about the roles and responsibilities of the employee in compliance with the GDPR Regulation. It is mandatory that each employee is connected with only one personal data category that represents the access control of databases that these employees are supposed to see, store, process or modify. These block also stores information about particular roles defined by article 37, 24, 32 of the regulation. If one of the following roles ( System Administrator, Data Protection Officer, IT Manager, etc) is applicable to one of the employees the user fills the corresponding checkboxes.

Inserting the checkboxes into module employee means several actions in the Back Office System:

• In real-time, the parent entity will match with the child record and through Gendoc we can merge the field into the documents.

• On save, a workflow is triggered, and in the background will save the name of the personal data categories for this employee.

• Filling the checkboxes correctly is mandatory because through actions and Gendoc Syntax dynamic parts and sections into the document template are generated.

 

Employee GDPR Information Block

 

In Figure 5 above is shown the GDPR Information Block. The user based on the information he gets from the security checklist fills the information as described. If the employee is DPO, legal representative, system administrator or a privacy referent the user is required to check the appropriate checkbox field. The field Classe Incarico receives the value from the Personal Data Categories module.

Third Parties

The third-party module is used to store the external data processors subjects who do a specific activity in the organization as an outsourcer, for example, a company that offers service to the client as a financial advisor or information technology consulting services. It is also fundamental to define the databases that this third party has access to the process, see, modify or delete.

For each third party the user is required to put the following information:

• Name of the company who is an outsourcer for the organization

• Related Organization is a UIT10 Corebos field that connects this third party with the related organization.

• Third-Party type represents the activity type of the outsourcer, for example, External Consulenze in IT, ERP, etc..

• Lista Dati are all the databases related to the third party related. Databases are checkboxes field that the user is required to fill.

In the CRM systems, there are two different views, listview where modules are listed and detail view where details of the record are displayed. The users can create custom list views based on filters in order to minimize the exhausting search of the record for specific fields or third parties related to one organization.

Modules Threats and Threats Measures

Threats Measure module contains information regarding the security measures undertaken by the organization. The module is divided into two information blocks. In the main information block, the user is required to fill the general information: Threats Measures Name and the UIT10 field that connects the threats measure record with the related Organization.

The other blocks of the module are multi-selector fields that contain information about physical measures at the office, the protection measures of information systems, personal working station threats measures and threats measures on data accessing.

Physical Measures inside the organization

• Physical Measures inside the organization include measures on the reception and office, shatterproof glass, office guardian, armored doors, video surveillance, locked doors, gates, shutters, bars on the windows, etc.

• In cases of fire, the measures the organization might have are fire system, firefighters, hydrants, smoke detectors, emergency exit, etc.

• Other measures in case of electrical system failure, air conditioning system failure or data loss & destruction consist of electricity

• generator, periodical audit, filter maintenance, service agreement, Disaster Recovery Procedures, Pianificazione Backup, Daily Backup, Automated Backup

Threats measures on data accessing

• Physical Measures on data accessing include measures applied to the organization in order to protect the information system from hacking, data breaches or other threats like a Web application or DDoS attacks.

 

Threats Measures multi-selector fields

 

On save of a threat measure record, a record in the module threats is “Autocreated”, which means all the measures selected are divided through the automatic processing flow in the background into specific threats categories as applied measures of protection. Every threat categories that are in the interface are filled automatically with the corresponding measures applied. All these validations are provided by the AngularJS framework and all of them are triggered in real-time. All the threats measures are divided as measures to different categories of threats, and them a concatenation of all the measures selected is mapped to the corresponding threat. These data are saved in text area fields in the module Threats.

 

Concatenated Measures in Threats Module

 

The module Threats are used for doing an evaluation of impact assessment for each measure applied to one organization. So based on the information that is autocompleted from the Threats Measures is done the calculation of the level of the impact which can take values: Low, Medium or High. These evaluations serve as entity fields to the DPIA ( Data Protection Impact Assessment) Gendoc Template that GDPR adheres. The evaluation of the impact assessment is done through an internal function written in PHP that was developed by the programming team. This function is triggered on a workflow in the background on creating.

Module Cities

Cities Module is a new module developed that will store all the headquarters of the main organization. For each headquarters of the organization, the user is required to put a description into a text area field. This description section is mainly related to information of physical access to the sede. An example of the description is shown in the figure below:

Generate Documents

We use this module to generate different types of documents for a specific organization. The generation of documents it is based on GDPR automated templates and each document has his unique template. In order to generate a document is mandatory to specify the module related, the name of the template and the organization for which we want to generate the document as in the following picture.

 

 Generate Documents Module

Choosing the right module is very important because if we select the wrong module it will eventually cause a wrong generation of the document and the entity fields will not be merged correctly. We can export the merged document in ODT format and also in PDF through button action that coreBOS provides to save the generated documents in OpenOffice.