catworkx-Lösung für DSGVO: Datenschutz-Management-System mit Jira & Confluence

Since the introduction of the new General Data Protection Regulation (GDPR) in May 2018, uncertainty still prevails in many companies. On the one hand, this is due to the fact that case law on the GDPR is often still lacking – keyword landmark rulings – and on the other hand, it is due to the scope and form of the documentation that the GDPR demands – mostly in a rather unspecific way – from companies.

catworkx has decided to take a collaborative approach to implementation in-house, using Jira and Confluence, which also views data protection as a living process. The data protection management system (DSMS) developed in this way not only maps the required documentation structures of the GDPR, it also enables the greatest possible transparency of responsibilities for data protection in a company.

One of the key requirements of the GDPR is accountability as per Art. 5 (2). The controllers in companies must be able to demonstrate compliance with data protection. Further documentation requirements can also be found, for example, in Art. 30 (record of processing activities) and 35 (data protection impact assessment) of the GDPR. This results in three essential areas for the structure of a data protection management system (DPMS):

Furthermore, the DSMS must meet the following requirements:

• Documentation of the technical and organisational measures (TOM)
• Documentation of data protection impact assessments (DSFA)

It quickly became clear that the usual forms of documentation could not be used to implement the GDPR at catworkx. For example, it is common practice to create and update the necessary documentation for the GDPR using Office programs. The catworkx approach of understanding data protection as a living process is difficult to reconcile with such an approach.

It was obvious to approach the implementation of process documentation at catworkx with the tools that we use every day – in other words, with the Atlassian tools Jira and Confluence, enhanced with a few additional modules from the Atlassian ecosystem. The special thing about the approach is the maintenance of the relevant procedures, the technical and organisational measures (TOM) and the data protection impact assessment (DSFA) are mapped in Jira via processes. The accompanying documentation for this is automatically sorted and stored in Confluence. The use of processes with their easy-to-design individual workflows enables sustainable documentation based on the division of labour, which includes release by the data protection officer (DPO) as needed and promotes annual review and adjustment of procedures and measures.

In detail, the DSMS at catworkx consists of the following Jira process types:

The respective processes in Jira are dynamically and automatically transferred to a previously defined process directory in Confluence and documented. This is where the Teamworx Issue Publisher for Jira from catworkx comes into play. This is how a dynamic process directory is created in Confluence, in which all the individual processes are documented with their respective measures. catworkx's collaborative approach to data protection also becomes clear, because individual measures are assigned to the respective managers, for example in the human resources department, sales or internal IT. Data protection officer Stefan Winkel notes: ‘For departments with different areas of focus, such as in the operational and administrative areas, there are also different areas of focus in terms of data protection. It is therefore definitely advantageous to assign internal responsibilities accordingly and to build up relevant expertise in the departments. At the same time, it must be possible to keep an eye on the big picture in order to prevent the formation of islands. This can be done well with a process management tool, such as the one used at catworkx, for example.’
Another special feature of the catworkx approach is the versioning of the individual processes and the measures derived from them. Because one thing is clear: for the area of technical and organisational measures, Art. 32 para. 1 lit. d of the DSGVO requires a regular review. But the directory of processing activities or other mandatory documentation must also be kept up to date. ‘Consistent management of existing documentation using a process management tool can greatly simplify the management of existing measures,’ explains Stefan Winkel.

The individual procedures are regularly reviewed to ensure that data protection always remains up to date. In view of the still uncertain legal interpretation of the GDPR, this is an advantage should, for example, changes in the law occur. Another advantage of the catworkx solution is the ability to create dashboards in Jira that can be used to access reports on the status of data protection at any time, possibly with a necessary escalation level.
Implementing the DSMS with Jira and Confluence also adds value to the information system, because requests for information about the processing of personal data or deletion can be made via a Jira service management. The process for providing information is different from the process for reporting a data protection violation. In the latter case, a report must be made to the supervisory authority within 72 hours of becoming aware of the data protection violation, in accordance with Art. 33 of the GDPR. Therefore, the configured workflow in this process ensures escalation automation.

Stefan Winkel draws a positive balance for the implementation of the GDPR at catworkx: ‘As with most other companies, the implementation of the necessary measures at catworkx was initially carried out by a few people. However, the ongoing operation of data protection concepts is handled differently from company to company. At catworkx, the decision was made to involve employees extensively in maintaining the data protection concept. In this way, the necessary tasks were distributed across as many shoulders as possible. A positive side effect of this arrangement is that employees also come into contact with the topic from time to time, beyond the obligatory data protection training. I think this is basically a very good approach for catworkx.’
This is because the advantage of the data protection management system (DSMS) developed by catworkx lies, on the one hand, in the ready-made structure with which the measures for data protection in companies and authorities are recorded in a clear and comprehensible manner. On the other hand, catworkx DSMS impresses with its collaborative approach, which takes into account the respective responsibilities. And it understands data protection not as a one-time process, but as an ongoing, changeable process that can be well controlled by the versioning function.

We advise you on the entire Atlassian ecosystem and are happy to support you in optimising licence models and costs.