Speaker: Prof. Beatrix Weber (MLE)
Description
From 25 May 2018 the General Data Protection Regulation (GDPR) will apply throughout the Internal Market. The GDPR will largely replace the European Data Protection Directive (Directive 95/46/EC) and the national data protection acts such as the German Federal Data Protection Act (Bundesdatenschutzgesetz). According to the GDPR, the controller shall implement a Data Protection Compliance Management System, in particular where new technologies are used, by adopting internal policies and by taking appropriate technical and organisational measures that address the risks and possible damage related to the processing of personal data.
Evaluating risks reflects the fact that the protection of personal data is not an absolute right: it must be considered in relation to its function in society and balanced against other fundamental rights (Recital 4 GDPR). Therefore, the right to informational self-determination does not prevail unconditionally. The principle of proportionality leads to the application of the following criteria:
* the likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing,
* the state of the art,
* the cost of implementation, and
* the nature, scope, context and purposes of the processing.
Data protection compliance has to meet the requirements of both prevention and evidence. Under the GDPR, privacy by design means building the lawful, fair and transparent collection and use of personal data into the design of products and services that process personal data. The controller may classify the data according to what is adequate, relevant and limited to what is necessary in relation to the purposes, and according to the likelihood and severity of data protection infringements, e.g. in case of loss of data. Privacy by default means the obligation to limit the collection and use of personal data to what is necessary for each specific purpose, relying on measures such as anonymisation or pseudonymisation. Offering such products or services may narrow the range of product options that can be specified to meet customers' needs.
A critical success factor for implementing the requirements of privacy by design is its integration into the product development process. Business process management (BPM) tools are widely used to organise a company's activities and processes according to its business strategy and product performance. The aim of the presentation is to show how BPM can be developed into Legal Process Management (LPM), which integrates the requirements of data protection, e.g. privacy by design, into the business processes. The challenge is to bring legal codes and standards into a process pattern, that is, to analyse and break them down into individual parameters and to assign these parameters to single process steps. We will show the Legal Process Modelling of the research group "Law in Sustainability, Compliance and IT" and the experience gained in the project sd-kama.
Track: BDAHM