GDPR-BPMN Analyzer

Welcome!

Upload a GDPR-BPMN annotated model to begin evaluating how well your business process complies with the GDPR. The output will help refine the process model and identify potential violations of the GDPR that could expose your organization to administrative fines as outlined by the regulation.

The output is intended to serve as a basis for rectification of the process model and may require further consultation with the process stakeholders to correct.



GDPR-BPMN Modeling Syntax

The GDPR-BPMN modeling syntax is based on the GDPR Compliance Model and captures all the classes and their corresponding attributes using BPMN annotations attached to the appropriate BPMN elements. The annotations are written in square brackets (e.g. [Controller]).

The process diagram below describes how to depict the core elements of the compliance model to run a successful analysis.

  1. Actors such as the controller are described using Company [Controller].
  2. Artifacts are described using [Artifact] Consent or [Artifact] PrivacyPolicy.
  3. Attributes of artifacts are described by annotating the appropriate artifact with labels corresponding to the attributes. Multiple attributes are separated by a space - [clear_purpose] [unambiguous] in this case.
  4. Personal data is assigned by prefixing the appropriate data object label with the prefix [personal_data].
  5. Data category is assigned by annotating the personal data object with the appropriate label - [general] in this case.
  6. Technical measures and processing tasks are described by prefixing the task label with the technical measure and the label [processing_task], in that order - [PKEncryption] [processing_task] in this case.
  7. Attributes of the processing system, filing system and miscellaneous attributes are annotated on the controller's pool - [confidentiality] [integrity] in this case.
  8. Legal ground is described by annotating the controller's pool - [consent] in this case.
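
The sketch below is an added example, not the analyzer's own code: it shows how the bracketed labels listed above could be pulled out of a BPMN 2.0 XML file before any compliance check runs. The sample model, its element ids, the task and data object names, and the assumption that an association points from the element to its text annotation are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

BPMN = "{http://www.omg.org/spec/BPMN/20100524/MODEL}"
TAG = re.compile(r"\[([^\[\]]+)\]")

# Constructed sample model; ids and names are assumptions, labels follow the list above.
SAMPLE = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <collaboration id="c1">
    <participant id="p1" name="Company [Controller]" processRef="proc1"/>
    <textAnnotation id="a1"><text>[confidentiality] [integrity] [consent]</text></textAnnotation>
    <association id="as1" sourceRef="p1" targetRef="a1"/>
  </collaboration>
  <process id="proc1">
    <task id="t1" name="[PKEncryption] [processing_task] Store order"/>
    <dataObjectReference id="d1" name="[personal_data] Address"/>
    <textAnnotation id="a2"><text>[general]</text></textAnnotation>
    <association id="as2" sourceRef="d1" targetRef="a2"/>
  </process>
</definitions>"""

def split_label(label):
    """Return (tags in written order, remaining plain text) for one label."""
    tags = TAG.findall(label or "")
    return tags, " ".join(TAG.sub(" ", label or "").split())

def extract(bpmn_xml):
    """Map element id -> {'name', 'tags'}, merging attached text annotations."""
    # Uploaded models are untrusted input: use a hardened parser such as
    # defusedxml there; the stdlib parser is used here only for the inline sample.
    root = ET.fromstring(bpmn_xml)
    notes = {n.get("id"): n.findtext(BPMN + "text", "")
             for n in root.iter(BPMN + "textAnnotation")}
    model = {}
    for el in root.iter():
        if el.get("name") is not None and el.get("id"):
            tags, name = split_label(el.get("name"))
            model[el.get("id")] = {"name": name, "tags": tags}
    for assoc in root.iter(BPMN + "association"):
        src, dst = assoc.get("sourceRef"), assoc.get("targetRef")
        if src in model and dst in notes:  # assumed direction: element -> annotation
            model[src]["tags"] += split_label(notes[dst])[0]
    return model

def technical_measures(tags):
    """Tags written before [processing_task] are its technical measures."""
    return tags[:tags.index("processing_task")] if "processing_task" in tags else []

if __name__ == "__main__":
    for elem_id, info in extract(SAMPLE).items():
        print(elem_id, info["name"], info["tags"], technical_measures(info["tags"]))
```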