Anchoring the EU General Data Protection Regulation (GDPR) in Process Management Systems

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into force. The regulations defined in the GDPR establish the basis for the collection, processing, and use of all personal data. Companies would be well-advised to become thoroughly informed about the contents of the GDPR and to institute appropriate measures.

What is the EU General Data Protection Regulation? A Brief Overview

Bochum, March 29, 2018 – Violations of the GDPR can carry penalties of up to 20 million euros or 4% of annual revenue, representing an enormous risk to any company. These regulations are not restricted to merely the protection of employee or customer data. Many companies store and process personal data, e.g., for lead generation, long before a customer relationship exists.

The newly-expanded data protection requirements will have an impact on corporate organization and governance as well as on processes and resources. In particular, the issue of documentation requirements will need to be reviewed to ensure that the company's IT and process landscapes meet with GDPR requirements and that appropriate processes and system adaptations for ensuring compliance are implemented.


Important Tips for GDPR Implementation

There is not much before the GDPR takes force, and the resources available for implementing necessary measures are often limited. The following tips will help you determine which steps need to be taken.


1. Current Situation and Planning

Review all business processes relevant to data protection legislation. Which processes involve the collection or processing of personal data? For instance, does your company send out a regular newsletter? Where and by whom is the data collected? As a final step, review the extent to which the company already complies with GDRP regulations and identify any new measures that will need to be taken.

2. Establish an Activities /Task Index

Create a record of processing activities as required by Article 30. This comprises documentation of all processes that involve the processing of personal data.

3. Assess Data Protection Impact

Should a high risk to the protection of personal data be identified within a process, an impact assessment will then be required. The impact assessment must include a description of the planned procedures as well as an evaluation of the inherent risks and planned counter-measures.

4. Review Legal Regulations

The collection and processing of personal data is permitted solely with express consent of the individuals affected. Gather all participants on board (data protection officers, attorneys, performance-level management) and assess whether consent forms, data protection declarations, and contractual clauses all conform to GDPR requirements.

5. Securely Implement Modifications

The GDPR requires a number of new procedures, such as those that result from customer inquiries related to information about or the deletion of personal data. These will also need to be processed, documented, and verifiably distributed to all employees.


BIC Enables Rapid and Efficient GDPR Implementation

The BIC BPM Suite enables GDPR requirements to be implemented quickly and in compliance with legal requirements. By integrating data-protection-relevant content into existing process management systems, companies can ensure compliance with the legal requirements for a data protection management system.


1. Assess Process Information

With BIC, business processes and IT systems can be more easily documented and existing processes can be assessed to identify where personal data is being used.

2. Add Data Protection Information

Process owners can add data protection information to the central process documentation process, clearly defining responsibilities. The report of processing activities required by Article 30 can then be automatically generated, without requiring additional resources or effort for its documentation. In addition, the BIC Process Portal ensures that employees always have access to all data protection information.

3. Data Protection Risks and Controls

BIC enables easy identification and documentation of the high level of legal risk associated with data protection. Workflows help to support risk assessment, while also reducing the time and effort required. In addition, risk control measures can also be documented in BIC.

4. Legal Documents

Legally-relevant documents (e.g., consent forms) are stored directly in the business process model. Areas of scope can be defined so that at a later date the term of validity for a particular legal document can be verified, along with the processes by which it has been used.

5. Compliance

New procedures, e.g., related to information from or deletion of data, can be directly created as process models. BIC BPM Suite will notify all participants of the release and/or modification of processes and documents, ensuring workflow control and compliance. This guarantees that all participants are aware of the new regulations and are informed as to which of their processes are considered high risk. Older process models will be archived and remain available for subsequent review. In addition, when changes are made to processes or documents, the data protection officer can also be informed via workflows, facilitating any necessary interventions.


When it comes to implementing GDPR regulations in your company, GBTEC will provide you with not only expert consulting, but also with effective technical solutions based on the BIC BPM Suite. For more information, please contact Mr. Benedikt Siebrecht, tel. +49-234-97645-110, or at

Questions about our public relations?

We look forward to your request and would be happy to help you.
Your personal contact person is: