Using Enterprise Architecture Models for Creating the Record of Processing Activities (Art. 30 GDPR)

The record of processing activities (RPA) is a central document in demonstrating compliance with the General Data Protection Regulation (GDPR). Article 30 of the GDPR specifies the information that has to be made available to the supervisory authority upon request. Currently, data protection management experts conduct their own data collection and maintain isolated RPAs. We show how existing Enterprise Architecture models can be augmented with the necessary information to maintain and generate an RPA. We evaluate the completeness and usefulness of the approach together with data protection management experts.