Maintaining a central register with “Records of processing activities” (art. 30) is crucial for the GDPR, and it is a legal obligation. However, without appropriate automation, creating and maintaining this register is very time-consuming and virtually impossible. Would chasing people with Excel spreadsheets, as easy as it seems, actually work in practice? And when would you be finished? With our advanced spiral inventory & classification, mapping of data flows, API integrations and a central repository, Qixium SDT provides a holistic view of your sensitive data landscape. Based on its central repository, SDT supports, among other functionality: the “Records of processing activities”, processing agreements, status of mandates, DPIAs, anonymization of data, the data subject’s “Right to be forgotten” (art. 17) and “Information to be provided” (art. 13).
Qixium SDT supports you in becoming and staying GDPR compliant, saves substantial time, improves quality and reduces the risk of fines. The benefits are described in the Values section of the website; this section covers the tool’s features and functions. On request we will be happy to provide more detailed information and to support you in the challenge of becoming and remaining GDPR compliant and, no less important, in your ISO certification initiatives.
Integrated features and functions based on the Qixium SDT Central Repository:
- Sensitive Data Landscape Dashboard
- Automatic Spiral Inventory & Classification
- Processing activities
- Data-flow map
- Central “Records of processing activities”
- Processing agreements
- Data anonymization
- Audit of the Data subject “Right to be forgotten”
- Support of the Data subject “Information to be provided”
- Support of “Privacy by design”
- API integrations
- Detailed logging and audit functionality
- Role-based, with native, Active Directory and SSO authentication
Sensitive Data Landscape Dashboard
The SDT Dashboard provides a holistic view of your sensitive data landscape and supports GDPR compliance. Even with many hundreds of thousands of sensitive data items, sets and sources, numerous data-flows and an organisation-wide “Records of processing activities”, you will know what needs attention. Which data sources and data sets still need to be classified? Which data items are still unassigned? What changes have been detected? Which sensitive data classes are involved in which processing activities, and what is their nature? Which data subjects should still be removed, taking retention times into account? Last but not least, the sensitivity index and trend of the whole landscape are provided, with the ability to drill down by domain, data source and data set. The SDT Dashboard will help your organisation to become and stay compliant with the GDPR and in control of your sensitive data landscape!
Automatic Spiral Inventory & Classification
Whether you want to define records of processing activities, anonymize sensitive data without missing a single field, audit the data subject’s right to be forgotten or use many other important functions, the spiral inventory & classification is the basis of all this and of all other Qixium functionality. Simply select data sources and add them to the Qixium central repository, perform automatic high-level classification, use the result to populate fingerprinting reference tables, and then use those tables to perform granular and precise classification of sensitive data. With each data source added, classification takes less and less effort and becomes more precise and effective. Additionally, changes are detected automatically. This makes organisation-wide classification of all data sources possible with the least possible effort. Once sensitive data classes are defined, either automatically or manually, the classification process itself is automated. Classification is provided at the level of data items as well as data sets. Data item classification makes it possible to map processing activities and data-flows with precise information on which sensitive data classes of which data subject groups are processed and exchanged. Data set classification provides top-down insight into the nature of the sensitive data being processed and exchanged, such as PII, PCI, PHI, etc.
No matter how classification takes place, the Sensitivity Index, or SI for short, is automatically determined. The SI is an important parameter for identifying the data sources for which protective or preventive measures should be applied and prioritized. The SI is provided for the whole landscape and supports drill-down per domain and data source, down to the level of data sets. Both SI changes and trends are presented, providing insight into where action should be taken. ENISA provides an academic level of SI calculation. For Qixium, an effective and applicable algorithm based on the general ENISA principles has been defined to operationalize the calculations. More information may be obtained on request.
Processing activities
“Processing activities” within SDT are based on the information gathered in the central Qixium repository. Each “Processing activity” contains detailed classification information down to data item level. The Sensitivity Index is automatically calculated. Additional information such as owner, controller, processor, country, applicable legislation, retention time, purpose of processing, security measures, etc. can be registered, either by enrichment using API integrations or manually via the SDT Workbench Interface, but always in a structured and controlled way. Using SDT Flag management you will know which Processing activities need attention and which are complete.
Data-flow map
An important aspect of the GDPR is the exchange of privacy-sensitive data. The process flow of privacy-sensitive data needs to be clear. The privacy data exchanged, as well as the parties and countries involved, must be registered. When controller and processor are different legal entities, this must be governed by a contract. Within SDT the “Processing activities” already contain information such as parties, countries, purpose of processing and SDCs (Sensitive Data Classes). When mapping the Data-flow, the explicit SDCs involved can simply be selected and mapped. All other relevant information is automatically taken over from the “Processing activities”, which avoids inconsistency and reduces the time required for the mapping process. Data-flows can be configured per process. The resulting Data-flow maps can be visualized. Data-flows are automatically linked via the Processing activities to the “Records of processing activities” (article 30). In addition, SDT Flag management will show whether a contract, generally referred to as a “Processing agreement” (article 29), between the parties involved in the Data-flow is required and present. This keeps supporting GDPR compliance.
Records of processing activities
According to article 30 of the GDPR, each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility. Based on the “Processing activities” and the Data-flow, nearly all required information is already present in SDT, so within SDT we provide the “Records of processing activities”. It contains legally required information such as (joint) Controller(s), Processor and their Countries and Representatives, Purpose, Retention time, Security Measures, etc. Using SDT Flag management you will know what still needs attention to support becoming GDPR compliant.
Processing agreements
SDT holds nearly all the information required for a “Processing agreement” between controllers and processors. We have therefore added a “Processing agreement” module to SDT that allows you to export and maintain such an agreement. Using SDT Flag management you will know when an agreement needs to be updated. This supports GDPR compliance and improves efficiency.
Integrations / APIs
Although Qixium already offers a wide range of functionality itself, other applications may be able to provide valuable data for Qixium SDT or consume data from it. As we have been the publisher of Data Manager and Connect, top technology integration software, since 2004, it speaks for itself that integrations can be made with service management, incident management, CMDB, DPIA, IAM and many other applications. Standard and bespoke import and export functionality is supported, based on APIs (REST & SOAP), files such as Excel, XML and csv, email, command line interface, etc.