
Master's Thesis Ahmet Tanakol

Last modified Apr 23, 2019

The GDPR is the replacement for the Data Protection Directive, which is outdated and does not cover state-of-the-art data collection, usage and transfer techniques. Recent data breaches and processing activities raise privacy concerns over the personal data of individuals and make data protection highly important. To address the increasing privacy-related concerns, the General Data Protection Regulation came into effect to create consistent rules that enforce privacy and protection of personal data within the EU and allow EU citizens to control their personal data. The GDPR consists of seven key principles that organizations have to adopt within their data-related operations in order to be compliant with the GDPR. One of these principles is accountability. It requires organizations to have suitable processes and documents in place to be compliant with the GDPR and to demonstrate that compliance to supervisory authorities on request. The record of processing activities is one of these privacy-related documents, and providing this document is stated as an obligation in the regulation. The main contact person for a request for the record of processing activities is the data protection officer. Creating such documentation can be a challenging task for large organizations, which may have hundreds of applications. This complicates the retrieval of the data that is necessary for creating a record of processing activities. A promising approach for creating and maintaining the record of processing activities in an automated process is to use Enterprise Architecture (EA). EA helps organizations to maintain and control IT-related processes by providing an overall view of their businesses, organizations, applications, information, infrastructures, and data.
Only little research has been conducted on using EA for GDPR-related issues. This thesis fills this gap by using Enterprise Architecture models as the primary source of information. We present a way to model the requirements of the record of processing activities in Enterprise Architecture models. The machine-readable format of the models is used in two different ways to automate the creation of a record of processing activities. The first approach describes how the XML format of the models can be parsed to extract the required information. The second approach uses the capabilities of graph databases. By importing the EA models into a graph database, one can analyze the EA models and retrieve the data necessary for a record of processing activities.

Files and Subpages

Name Type Size Last Modification Last Editor
Ahmet_Tanakol_Master_Thesis.pdf 4,22 MB 18.04.2019
Ahmet_Tanakol_Thesis_Final_Presentation.pdf 2,36 MB 09.04.2019
Ahmet_Tanakol_Thesis_Kickoff_Presentation.pdf 1,68 MB 09.04.2019