GDPR - introduction

Ewida Standard supports record-keeping related to GDPR, meaning the personal data protection rules that apply in an organization. In practice, this means organizing information about data sets, the people who have access to them, permissions to process data, and the places where that data is used.

The Ewida Standard program allows you to link this information with the existing records of hardware, software, and users. This means the GDPR register does not operate alongside the system, but becomes part of the company’s overall data structure. If you prefer a web-based solution for managing assets and data in your organization instead of a Windows desktop application, also take a look at Codenica ITSM + ITAM.


GDPR as part of record-keeping in Ewida Standard

Ewida Standard is not a simple register based only on tables. The program works with relationally linked objects such as Set, User, Device, Software, License, and Consumable. GDPR mechanisms have been built directly into that structure.

This makes it possible to keep records not only of personal data sets themselves, but also of their technical and organizational context. The most important GDPR elements in the program are:

  • personal data sets,
  • access rights to personal data,
  • permissions to process personal data.

Linking GDPR with record objects

GDPR handling mainly extends the Software object. You can indicate which programs contain personal data sets and what kind of data sets they are. As a result, personal data is not registered separately from the work environment, but in connection with specific applications.

The links also work more broadly. Software can be assigned to a Computer Set, and a set can be assigned to a User. This structure makes it possible to determine where data is used, on which computer it is located, and who is responsible for the given workstation or uses the linked software.

In practice, this makes it easier to locate personal data sets and organize information about access to them.


Personal data set register step by step

Ewida Standard includes a single wizard that lets you go through the whole registration process in an organized way. In one run, you can:

  • indicate software that contains personal data sets,
  • create and describe any number of personal data sets,
  • add users who have access to those sets,
  • create and assign access rights,
  • indicate users whose data is included in the sets,
  • create and assign permissions to process personal data.

Access rights and processing permissions can be created both individually and in bulk. This matters because in many organizations some rights apply to individual people, while others apply to entire teams or departments.


Selecting software that contains data sets

In the first step, you select from the records the applications that contain personal data sets. They are added to the process using the + button next to the software list.

Keep in mind that all applications selected in one run of the wizard will share the personal data sets created there. If different programs should have separate data sets, the wizard needs to be run separately for each such group.


Creating personal data sets

In the next step, you create the personal data sets themselves. For the software selected earlier, you can create any number of sets. Each of them can be described using properties such as:

  • Name,
  • Type,
  • Category,
  • Scope,
  • Technical protection,
  • Organizational protection,
  • Tag,
  • Detailed description.

If different data sets are created for one program, users, their rights, and permissions will be recorded separately for each of those sets. This makes it possible to keep the right level of detail without mixing different areas of data processing.


Users who have access to personal data

After creating the data sets, you can indicate the users who have access to them. Some people may be identified automatically based on existing relationships in the records. This applies, for example, to:

  • a user assigned to a set that contains the given software,
  • a user to whom the software has been assigned directly,
  • users linked with the set or software through usage relationships.

In addition, you can also add other people who have access to the selected data set. This matters because real access to data cannot always be fully determined only from hardware or software relationships.


Access rights to personal data

The next stage is registering access rights to personal data sets. Rights can be:

  • individual,
  • group.

If one employee is selected, an individual right is created. If at least two employees are selected, the wizard will recognize it as a group right. A new right is added with the + button.

The properties describing an access right may include, among other things:

  • the name of the right,
  • the type and category of the right,
  • the agreement related to the right,
  • the scope and purpose of personal data processing,
  • the date of the access request,
  • approval of the request,
  • the access start date,
  • the planned end date of access,
  • the Personal Data Controller,
  • information about transferring data outside the organization,
  • an external contractor as the data recipient,
  • notes.

In the same place, there is also a printout of the Personal Data Access Rights Report and an option to delete the right.


Users whose data is included in the sets

The wizard allows you to record not only the people who have access to the data, but also the users whose personal data is included in the sets. This is the second important area of the register, because it makes it possible to separate the people processing the data from the people whose data is being processed.

In the same place, you can also create permissions to process personal data. They work in a similar way to access rights and can also be individual or group-based. The program can indicate that a selected user already belongs to a group covered by a given permission, which makes it easier later to keep the data consistent.


GDPR tabs in object properties

GDPR handling in Ewida Standard does not end with the wizard itself. The program also extends object property windows with additional GDPR tabs for:

  • Software,
  • Computer Set,
  • User.

Thanks to this, personal data information is available directly where you work with a specific object.

The GDPR Software tab shows, among other things:

  • personal data sets,
  • the linked computer set,
  • a list of employees whose data is being processed with and without permission,
  • a list of employees who have access to the set with and without the required rights.

The GDPR Computer Set tab works in a similar way, but the reference point is a specific set.

The GDPR User tab shows in which sets a given person’s data appears and to which sets that person has access, with a distinction between situations that are properly documented and those that still need to be completed.
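The relationships described earlier (Computer Set to User, Software to Set, direct Software assignment) imply who can reach a data set, and the GDPR tabs compare that with the documented rights. The following is an added example, not Ewida Standard's own code or schema: the table names, column names, and sample rows are constructed assumptions. It derives implied access and flags users with no recorded right or with a right that is not valid on the review date.

```python
import sqlite3
from datetime import date

# Hypothetical schema for illustration; not Ewida Standard's actual database.
SCHEMA = """
CREATE TABLE set_user(set_id TEXT, user TEXT);          -- Computer Set -> User
CREATE TABLE set_software(set_id TEXT, software TEXT);  -- Software on a Set
CREATE TABLE software_user(software TEXT, user TEXT);   -- direct assignment
CREATE TABLE dataset(name TEXT, software TEXT);         -- data set in Software
CREATE TABLE access_right(dataset TEXT, user TEXT, start_date TEXT, end_date TEXT);
"""
# Constructed sample records.
ROWS = {
    "set_user": [("PC-01", "anna"), ("PC-02", "piotr")],
    "set_software": [("PC-01", "HR-App"), ("PC-02", "HR-App")],
    "software_user": [("HR-App", "ewa")],
    "dataset": [("Employees", "HR-App")],
    "access_right": [("Employees", "anna", "2024-01-01", None),
                     ("Employees", "ewa", "2023-01-01", "2024-06-30")],
}
# Access implied by relationships: through a Set, or by direct assignment.
DERIVED = """
SELECT d.name, su.user FROM dataset d
  JOIN set_software ss ON ss.software = d.software
  JOIN set_user su ON su.set_id = ss.set_id
UNION
SELECT d.name, sw.user FROM dataset d
  JOIN software_user sw ON sw.software = d.software
"""

def review(today):
    """Return (dataset, user, finding) for implied access lacking a valid right."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in ROWS.items():  # table names are fixed constants above
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    t, findings = today.isoformat(), []
    for dataset, user in sorted(db.execute(DERIVED)):
        rights = db.execute(
            "SELECT start_date, end_date FROM access_right "
            "WHERE dataset = ? AND user = ?", (dataset, user)).fetchall()
        if not rights:
            findings.append((dataset, user, "no access right recorded"))
        elif not any(s <= t and (e is None or t <= e) for s, e in rights):
            findings.append((dataset, user, "right not valid on review date"))
    return findings

if __name__ == "__main__":
    print(review(date(2025, 1, 15)))
```

A missing end date is treated here as an open-ended right; an organization that requires a planned end date for every right would report that case as a finding instead.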


GDPR summaries, reports, and custom analysis

Ewida Standard also provides extensive GDPR-related summaries. They include, among other things:

  • personal data sets,
  • data access rights,
  • permissions to process data,
  • summaries of users, software, and sets linked with personal data sets,
  • users who are missing required rights or permissions.

GDPR has also been built into the detailed reports for users, software, and sets. Each such report can include information about data sets, rights, and permissions linked to the given object.

In addition, the My Summaries mechanism makes it possible to build your own analyses based on available columns. This matters in practice because different companies need different data views and different reporting formats.

Related summaries are another useful feature. Thanks to the relational data model, you can quickly move from a selected object to the summaries related to it, including summaries dedicated to GDPR.


Summary

Ewida Standard makes it possible to maintain a personal data set register in a way that is integrated with the company’s overall records of software, computers, and users. You can not only record the data set itself, but also control where the data is located, who has access to it, who is covered by processing, and whether all required rights and permissions have been properly completed.

In practice, the solution includes:

  • a wizard for registering personal data sets,
  • records of access rights and processing permissions,
  • GDPR tabs in object property windows,
  • reports and summaries dedicated to GDPR,
  • custom analysis based on the summaries mechanism,
  • control of dates related to rights and permissions.

As a result, the GDPR register is not a separate, disconnected tool, but part of the overall records maintained in the Ewida Standard Windows desktop application.