—> Extend the data model with the GDPR tracking list ("Volglijst GDPR", Excel sheet)
Entity:
- has properties
- every property has a ToDo flag and a ToDoDescription
Process:
- has Name
- has Owner
- has Goal
- has Scope
- is part of Process
- has SubProcesses
- has DataProcessed
- has LawfulBases
- has Risks
- has Transfers
- has SubjectRightsProcedures
- has RetentionPolicy
- OrganisationActsAs (processor/controller)
If OrganisationActsAs Processor:
- has DataProcessingAgreement with Controller
If OrganisationActsAs Controller:
- has DataProcessingAgreement with Processor
Controller:
- has Name
- has DataProcessingAgreement
Processor:
- has Name
- has DataProcessingAgreement
Processor/Controller is entity with certain type of relationship with CurrentOrganisation
Owner:
- has Name
- has Role
- has ContactData
DataProcessed:
- of DataSubjects
- has DataTypes (e.g. name, dateofbirth)
- has DataSources
- located in Assets
DataSubject:
- has RelationToProcessorOrController
- has Category (vulnerability)
DataTypes:
- has name (e.g. name, dateofbirth)
- has Category (sensitivity)
LawfulBasis:
- has type
Risk:
- has Description
- has Safeguard
Transfers:
- has TransferSource
- has TransferSourceCountry
- has TransferTarget
- has TransferTargetCountry
- has TransferMethod
Asset:
- has Category (laptop, software, service, storage, transmissionmethod, …)
- has Location
- has Identification (tag etc.)
- has RemovalProcedure
- has ThirdPartyAccess (e.g. suppliers, authorities, IT support company)
- has AccessPolicy
- has Owner/Administrator/User (needs work: think of BYOD laptop)
- has LinkedAsset (e.g. SharePoint has connectors to Dropbox, OneDrive, etc. If there’s a breach at Dropbox it could impact SharePoint)
If Asset:Category is Service:
- has Processor
SubjectRightsProcedures:
- has Type (access, removal, portability, …)
- has Notes
- has Steps
RetentionPolicy:
- has RemovalProcedure (per Asset where DataProcessed is located)
AccessPolicy:
- has description