Relevant GDPR attributes

The GDPR method extension filter enhances the standard ARIS Method with a generic set of new models, objects, and attributes. You can use the following GDPR object attributes in addition to the standard ARIS object attributes. All of these object attributes are rarely used at the same time. Where an attribute is available at several objects, for example, Data privacy score, you use it at only one of these objects, depending on your GDPR approach, method, and configuration.

Function

| Attribute | Use |
|---|---|
| GDPR processing activity | Specifies whether the function is a (GDPR) processing activity. |
| Description | Specifies the purpose of the processing activity. |
| Data privacy score | Specifies a score on a predefined scale in order to qualify the data privacy of the element. Example: The score derived from the Processing Activity Qualification questionnaire. |
| Data sensitivity | Indicates whether the data used by this object requires special handling. Options (default values): Public, Sensitive, Very sensitive, Highly sensitive, Extremely sensitive. |

Data/Cluster

| Attribute | Use |
|---|---|
| Restriction level | Specifies the level of legal usage of the data. Options (default values): Unrestricted data, Personal data, Sensitive personal data, Confidential data. |
| Data privacy score | Specifies a score on a predefined scale in order to qualify the data privacy of the element. Example: A score derived from a data qualification questionnaire or from any external enterprise architecture system. |

Application system type

| Attribute | Use |
|---|---|
| Data sensitivity | Indicates whether the data used by this object requires special handling. Options (default values): Public, Sensitive, Very sensitive, Highly sensitive, Extremely sensitive. |
| GDPR qualification score | Indicates a score on a predefined scale in order to qualify the GDPR-relevant assessment of the object. Example: A score derived from any external enterprise architecture system. |
| GDPR risk relevance score | Indicates a score on a predefined scale in order to qualify the GDPR risk relevance of the object. Example: A score derived from any external enterprise architecture system. |
| Data privacy score | Specifies a score on a predefined scale in order to qualify the data privacy of the element. Example: The score derived from the Application System Qualification questionnaire. |

Organizational unit

| Attribute | Use |
|---|---|
| Data protection officer | Displays the name and address of the data protection officer. Must be included in the record of processing activities. |
| Data protection representative | Displays the name and address of the data protection representative. Must be included in the record of processing activities. |

| Connection | Use |
|---|---|
| is technically responsible for | Organizational unit acting as controller. (Connection between organizational unit and function.) |
| carries out | Organizational unit acting as processor. (Connection between organizational unit and function.) |

For detailed information on GDPR modeling conventions, refer to the GDPR Conventions for ARIS Accelerators guide.