Use ARIS to create a processing activity risk assessment.
Prerequisites
You have the ARIS Connect Viewer > Contribution license privilege.
The relevant objects are available in a Record of processing activities model and assigned to the respective legal entity.
The ARIS GDPR method enhancement filter is imported. For detailed information, refer to the ARIS Accelerators for GDPR Installation Guide.
The GDPR impact type is created in ARIS Risk and Compliance. For detailed information, refer to ARIS Accelerators for GDPR Installation Guide > Create a GDPR impact type in ARIS Risk and Compliance.
Procedure
Start ARIS.
Enter the name of the relevant Record of processing activities model in the Search field.
Click the relevant model in the list of results. The fact sheet is displayed.
Click Edit > Contribute if the edit mode is not activated yet.
In the Processing activities table, click the Processing activity details attribute of the relevant processing activity. The fact sheet is displayed.
The link is only available if the elements are already assigned to the processing activity.
Click the edit box of the Risks attribute to add a new element.
Enter a name according to the respective processing activity and the risk type, for example, Salary payment GDPR risk, click to transfer your input, then click OK to confirm your input.
Click the Risks attribute. The fact sheet is displayed.
Specify the relevant risk details. To do so, click the edit box of the respective attribute, enter the relevant information, click to transfer your input, and click OK to confirm your input (only for some attributes).
Responsible: Any user responsible for this risk.
Description: Short description of the risk assessment.
Compliance: Enable true for GDPR risks.
Assessment activities: Description of the activities to be performed during risk assessment.
Groups*): The risk owner group and the risk reviewer group in charge.
Transfer data to ARIS Risk and Compliance*): Enable Yes.
Risk management-relevant*): Enable Yes.
Assessment frequency*): The interval at which risk assessments are automatically generated.
Event-driven assessment allowed: Indicates whether risk assessments can be generated not only automatically, but also manually.
Execution time in days*): The number of days available to the risk owner to assess the risk.
Start date of risk assessment*): The date the first risk assessment is generated.
End date of risk assessment: The date when the risk assessment is completed.
*) = Mandatory
The risk assessment schedule is created.
For detailed information, refer to the ARCM - Modeling Conventions manual and the ARIS Risk and Compliance online help.
Example