Editing Templates

In the navigation menu select the “Processing Activities” menu item (Article 30 GDPR).

As described in section regarding Master Data, NiōBase will supply a series of templates for processing activities. These can be used for the implementation of the GDPR requirements within your organization, however they must be examined in detail. It is very important to pay special attention to the processors, systems, data subject categories, and technical and organizational safety measures and adapt them if necessary. Please also check a potential risk and a data protection impact assessment that may be required, if you use special categories in accordance with Article 9 GDPR.

Before you start examining and adjusting the templates, we recommend you to familiarize yourself with the system by creating a new processing activity.

In the following steps, we will show you how to create a processing activity based on the example of “Travel Management”.

1. Create a Processing Activity
In the overview of processing activities, click on 'New' in the top right, as displayed in the previous screen. You will then be shown the following screen (extract) and can start with the entry of a new processing activity.

The screens are displayed in two columns. If you have a screen with a lower resolution, then all the fields in sequence may be displayed in one column. If you are not yet familiar with the system and the definition of processing activities within the framework of the GDPR, we recommend to start with the left column and fill in all the necessary information scrolling down. Afterwards you should continue with the TOMs on the right side.

2. Adjust Status

In the 'Status' drop-down menu you can now select the desired setting. In this example, “In Examination” is the best option.

Akarion NiōBase – Select the status using the drop-down menu
3. Select a Name

In the next step, provide a descriptive name and describe the intended use as accurately as possible. Bear in mind that this is used during the generation or printing of the record for the purpose of providing data protection authorities with information.

Akarion NiōBase – Entry of the name and intended purpose
4. Assign a Department and Process Controller

In the next step, select the department you would like to assign the processing task to by clicking on “Department” in the drop-down menu.

Akarion NiōBase – Entry of the name and intended purpose

Select the 'Department' and 'Controller' responsible for this processing activity.

5. Select Data Subject Categories

Now, in the “Data Subjects” section (Data Subject Categories) add the data subjects (employees, customers, etc.) as well as their data categories (name, address, birth data, etc.). First select the relevant Storage Period1 that is legally required for this purpose2. List all categories individually (in the future you will be able to state the storage period collectively). Missing storage periods can be subsequently entered under “Storage period” in the “Categories” navigation section3.

1 If you have any questions, please contact your legal adviser, data protection coordinator or officer or your Chamber of Trade or Commerce.

2 For this purpose contact your data protection controller or officer or your legal counsel, if necessary.

3 Unfortunately, your storage periods are not collectively available in all countries. Those from Austria can be found using the following link:
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html, accessed on 26/05/2018. If necessary, please contact your legal adviser, data protection coordinator or officer or your Chamber of Trade or Commerce.

Akarion NiōBase – Adding Data Subject and Data Categories
6. Record Data Collection Sources

Then, record the data collection sources. For this example, select “Other Processing Activities”. This is because there is definitely an upstream processing activity, e.g. ‘Personnel file management’.

Akarion NiōBase – Selecting Data Collection Sources
7. Specify a Target System

With the integrated logic, the system is able to automatically recognize the next step and requests you to select the previous processing activity “Personnel file management”. In the next step, select the “System” and choose the appropriate HR software - in this example 'Salesforce'.

Now the following entries should be available to you:

Akarion NiōBase – Data processing overview
8. Add Data Processing

Now using the '+ Add data processing' function add the data transfer to hotels because you will be forwarding personal data for the hotel booking for the purposes of Travel Management.

Akarion NiōBase – Adding a Data Transfer

Now using the “+ Add data processing” function add the other data transfers to railways, airlines, car rentals, embassies, immigration authorities or the like or those that you require for your business activities. In doing so, always keep the data subject categories in mind that you will be recording in the next step.

Previously, you should have had a screen with entries that looked similar to the one below:

Akarion NiōBase – Data Processings of a Processing Activity
10. Set Access Permissions

Now specify who in your organization has access to this data in the company. The selected roles are typical but can differ in each organization. Please examine this very closely and select the appropriate roles. If roles are missing, you can add them right here using the '+ Add Job Title' function without having to leave this screen. The roles will then be immediately available for other processing activities.

Akarion NiōBase – Set Access Permissions
11. Create a Risk Analysis

In the next step, you must create a risk analysis. If necessary, this must be compared with a data protection impact assessment and with the technical and organizational safety measures (TOMs) that have already been taken. A Data Breach Notification process is necessary where appropriate.

For this purpose NiōBase offers a template with a typical process for a possible data breach.

Caution
The template must be examined and possibly adapted in your organization for the application.

Refer to the GDPR legal text relevant to these issues in NiōBase under the “GDPR” navigation section. The appropriate notes can be found in Articles 32, 33, 34, 35 and 36. Furthermore, if necessary, please refer to your legal adviser, data protection coordinator or officer or your Chamber of Trade or Commerce.

Akarion NiōBase – Risk analysis

1. Make an assessment for the risk analysis. This must be carried out manually.

2. Describe the assessment made for the risk analysis. Important: 
You must also describe your risk assessment, even if you classed the risk as low.

3. The controller will be set to active depending on your assessment.

12. Privacy by Design & Default

“Privacy by Design” and “Privacy by Default”. Now describe which technical and organizational safety measures you must take in good time.

Akarion NiōBase – Privacy by Design & Default
13. Take additional measures

Depending on the processing activities and the technical and organizational measures taken within the framework of the risk analysis, data deletion as well as data correction processes and data minimization measures could be necessary. The necessary processes can be linked directly provided they are saved in the system. Furthermore, it is possible to link documents that contain the appropriate measures and those that you previously uploaded via the document management function (“Operative“ - “Documents” navigation section) or linked externally.

Akarion NiōBase – Privacy by Design & Default - Additional measures

Regularly save your entries and finalize the entry by clicking on 'Update'.

Set Processing Activity as active

If your processing activity is completely defined, you can use the “Status” drop-down menu and set it to “Active”. A slider will appear, which you can use to specify a time frame. This makes sense if the processing activities change through the years and you copy and modify a processing activity and deactivate the old one. Thus, you have completed the History required by the GDPR.

Akarion NiōBase – Set Processing Activity as active