--> Extend data model with GDPR tracking list (Excel sheet)

Entity:
- has properties
- every property has a ToDo flag and a ToDoDescription

Process:
- has Name
- has Owner
- has Goal
- has Scope
- is part of Process
- has SubProcesses
- has DataProcessed
- has LawfulBases
- has Risks
- has Transfers
- has SubjectRightsProcedures
- has RetentionPolicy
- OrganisationActsAs (processor/controller)

If OrganisationActsAs Processor:
- has DataProcessingAgreement with Controller

If OrganisationActsAs Controller:
- has DataProcessingAgreement with Processor

Controller:
- has Name
- has DataProcessingAgreement

Processor:
- has Name
- has DataProcessingAgreement

# Processor/Controller is entity with certain type of relationship with CurrentOrganisation

Owner:
- has Name
- has Role
- has ContactData

DataProcessed:
- of DataSubjects
- has DataTypes (e.g. name, dateofbirth)
- has DataSources
- located in Assets

DataSubject:
- has RelationToProcessorOrController
- has Category (vulnerability)

DataTypes:
- has name (e.g. name, dateofbirth)
- has Category (sensitivity)

LawfulBasis:
- has type

Risk:
- has Description
- has Safeguard

Transfers:
- has TransferSource
- has TransferSourceCountry
- has TransferTarget
- has TransferTargetCountry
- has TransferMethod

Asset:
- has Category (laptop, software, service, storage, transmissionmethod, …)
- has Location
- has Identification (tag etc.)
- has RemovalProcedure
- has ThirdPartyAccess (e.g. suppliers, authorities, IT support company)
- has AccessPolicy
- has Owner/Administrator/User (needs work: think of BYOD laptop)
- has LinkedAsset (e.g. SharePoint has connectors to Dropbox, OneDrive, etc. If there’s a breach at Dropbox it could impact SharePoint)

If Asset:Category is Service:
- has Processor

SubjectRightsProcedures:
- has Type (access, removal, portability, …)
- has Notes
- has Steps

RetentionPolicy:
- has RemovalProcedure (per Asset where DataProcessed is located)

AccessPolicy:
- has description
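
One way to exercise the Asset/Process part of this model, as an added example that is not part of the original notes: it follows LinkedAsset relations to find which Processes are touched by a breach in one Asset, and reports the two conditional rules (DataProcessingAgreement per OrganisationActsAs, Processor for a Service) as ToDo findings. The Python field names, the direction in which impact propagates, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    name: str
    category: str  # e.g. "service", "laptop", "storage"
    linked_assets: list = field(default_factory=list)  # names of LinkedAsset entries
    processor: Optional[str] = None  # expected when category is "service"

@dataclass
class Process:
    name: str
    acts_as: str  # OrganisationActsAs: "controller" or "processor"
    located_in: list = field(default_factory=list)  # Assets holding DataProcessed
    dpa_with: Optional[str] = None  # counterparty of the DataProcessingAgreement

def impacted_assets(assets, breached):
    """Assumption: impact flows from a breached asset to every asset linking to it."""
    hit, queue = {breached}, [breached]
    while queue:
        current = queue.pop()
        for a in assets:
            if current in a.linked_assets and a.name not in hit:
                hit.add(a.name)
                queue.append(a.name)
    return hit

def impacted_processes(processes, assets, breached):
    hit = impacted_assets(assets, breached)
    return sorted(p.name for p in processes if hit & set(p.located_in))

def model_gaps(processes, assets):  # ToDo findings for the two conditional rules
    gaps = []
    for p in processes:
        if p.dpa_with is None:
            other = "Controller" if p.acts_as == "processor" else "Processor"
            gaps.append(f"Process {p.name}: no DataProcessingAgreement with {other}")
    for a in assets:
        if a.category == "service" and a.processor is None:
            gaps.append(f"Asset {a.name}: Service without Processor")
    return gaps

# Constructed sample data (all names are placeholders).
ASSETS = [Asset("SharePoint", "service", ["Dropbox", "OneDrive"], "ExampleHost"),
          Asset("Dropbox", "service"), Asset("HR laptop", "laptop")]
PROCESSES = [Process("Payroll", "controller", ["SharePoint"], "ExamplePayroll BV"),
             Process("Recruitment", "controller", ["HR laptop"]),
             Process("Newsletter", "processor", ["Dropbox"], "Example Client")]
```
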