Impact of GDPR on Personal Data Management - A Case Study

Publisher

Tartu Ülikool

Abstract

The aim of this thesis was to analyze the impact of the new European General Data Protection Regulation (GDPR), which sets new requirements for personal data management, on a real-life case study. The analysis was conducted using case study methodology on two business processes of Töötukassa: working ability assessment and working ability allowance. The existing processes were mapped using BPMN, the use of sensitive data was highlighted, and GDPR compliance was then evaluated. Based on the results of the evaluation, possible solutions were proposed to fix the compliance issues. The solutions were presented as TO-BE models and system requirements, together with an assessment of their impact on the current system architecture. The results of the analysis were positive: the two use cases in this study were compliant with most of the articles of the GDPR. Some non-compliance issues were found as well. The current logging of personal data should be encrypted, and some logging should be disabled completely to support compliance with the data minimization principle. Töötukassa also needed to support requests from data subjects (such as personal data access requests, consent withdrawal, and data erasure) and to update its consent forms with the necessary information. The scope of the current thesis could be extended by increasing the number of cases covered in the case study and examining all the processes within the organization. Each process should be analyzed carefully and the whole flow of activities should be considered (on both the controller and the processor side). Including all the processes within Töötukassa would give a much clearer overview of all the aspects of data management compliance with the GDPR, for example the processes for handling data breaches and the cooperation between the supervisory authority and the organization.
Additionally, the feedback received from Töötukassa raised further points to re-evaluate in order to improve the current analysis: the need for consent when requesting medical personal data for working ability assessment, and the possibility of partial erasure of personal data when it is no longer needed for the purpose for which it was initially gathered.
