Three, two, one, now – accellerate your way to GDPR with content management and BPMN

The General Data Protection Regulation (GDPR) brings one of the most far-reaching changes in the domain of data privacy, to the citizens of the European Union.


The General Data Protection Regulation (GDPR) brings one of the most far-reaching changes in the domain of data privacy, offering the citizens of the European Union higher degree of control over their own personal data that are used by different organizations and companies. What we have here is a new law on privacy that applies to government organizations, companies, and non-profit organizations which provide different services to the citizens or collect and process their personal data. The regulation calls for higher degree of control and safety over data.

It was approved and adopted in April 2016, and its implementation is scheduled to begin May 25, 2018.

Data protection regulations, along with the civil rights introduced by the European Union, proved to be a model for majority of the countries around the world. Therefore, it is logical to expect that other similar laws to be passed and implemented outside the European Union, particularly in the candidate countries, in future will be based on the GDPR.


The GDPR defines this term as any data that relates to or can be connected with an identifiable person. Therefore, personal data include the following: all personal identification data (name, address, phone numbers, business and private email addresses, ID numbers), medical and healthcare documentation, information on ethnic and religious identity, information on company that employs a specific person, online identifiers (IP addresses, social media posts, GPS or location data, cookies), information on employees, sellable databases, user databases, biometric data, CCTV video recordings. Personal data may even include the data that, at first glance, do not seem that personal at all, like landscape photo containing an identification code that can potentially be connected with a person or even pseudonyms that can be connected with a specific person.


Having in mind all the above, it is clear that the GDPR harmonization requires advanced software solutions that provide storage, protection and control mechanisms, all in one.

By nature of their intended purpose, vendor content management solutions are built to achieve this goal. The already built-in functionalities create the preconditions to fully meet the GDPR.

To prove the above, we will analyze the manner in which serious vendor solutions deal with the six basic data protection principles a company or organization has to meet.

1.    Transparency, fairness and lawfulness

User must be clearly informed about the purpose of data use and identity of data collectors. Legal rules and individual consent are used by organizations to obtain legal grounds for such use of data.

Through document storing, organizing and linking mechanisms, platforms provide a clear insight into documentation collected for the purpose and informed consent documents signed by users.

Platform functionality audit enables logging information on all activities involving documents and data. Functionality audit can be set to record every activity involving data and documents in a specific platform database. The logged information invariably includes activity date and time, information on identity of persons performing the activity as well as information on type of performed activity. Audit is placed at platform level, which makes it independent from apps used to perform the specific activity. Access to and activity performed on data/document is being recorded regardless of whether it was accessed through an internal app, external app or web/rest service. Information on access is stored at platform level and it can be viewed only through platform functionality. As a result, user can at any given time be informed about the manner of use of his/her personal data/documents.

2.   Purpose of data processing

The so-called Access Control List (ACL), which clearly defines user groups and individuals who are granted access to a specific object as well as operations that can be performed on it, is attached to each respective data/document stored in a content management system. A set of permissions assigned to an object through ACL varies depending on the specific platform, but in general it can be broken into the following groups:

  • None – user has no permissions
  • Read – user is permitted only to view object. It is important to note that, depending on the platform, this type of permission is additionally granulated, allowing users to, for example, view only object metadata (attributes), and preventing them from viewing the actual content of a document attached to a specific object. To view the actual content of a document, users need an additional permission level.
  • Write – user is permitted to alter object. Similar to Read, certain platforms may additionally granulate this permission as well, allowing specific users to alter only object metadata (attributes), while preventing them from doing the same with the actual content. Alteration of document content would require an additional permission level.
  • Delete – user is permitted to delete object.

If none of the above permission levels is specified in connection with a user, it is implied that he/she has no permissions with regard to a specific object. For him/her the object is virtually non-existent.

The ACL mechanisms establish full control over object access for platform users. Just like any other mechanism, access control is provided at basic, platform level. Regardless of the type of communication channel, permissions are platform-controlled and cannot be prevailed over at application level.

Control over data processing flow is established by adding the BPMN functionality. Clearly defined business process converted into application workflow provides mechanisms which are used for assigning a minimum set of object handling permissions to clearly specified users, at precisely defined points of a business process. The result is establishment of control, meaning that an individual taking part in a business process is allowed to perform only the type of activity that is demanded from him/her in a specific situation, and only when it is demanded by the process. For example, data alteration cannot happen unless it is performed through a process that covers data update.

Centralized management of permissions and business process design using the BPMN tools helps establish a single control point which regulates object access and management of its lifespan.

3.   Purpose of data storage

Content management system represents a single, centralized data storage location. It allows storing all user data in one place. Minimum set of data/documents stored within a system is defined by business rules and legal regulations. However, if a set of data/documents needs to be expanded, as required by certain other business processes, the only proper thing to do is expand it at the above mentioned central place. Storing data/documents connected with a single user in several places due to mere data supplementation requirement can result in duplicating identical pieces of information in several places, which makes administration and control additionally complicated. New requirements can be met, without any loss of control or data duplication, by supplementing data, potentially supplementing the ACLs or redesigning business process through the use of the BPMN.

4.   Data accuracy and deletion/correction capability

Content management system places user data/documents in a single centralized location, without data duplication or redundancy. Therefore, all user-demanded alterations happen in one place. Altered information can immediately be viewed through all other apps or systems. The BPMN functionality may also be involved in data alteration process. For example, data supplementation/alteration requested by user and registered at input automatically initializes an implemented workflow, demanding from authorized persons to make requested alterations. After alterations are made, a well-designed workflow may request from other persons to verify and confirm such alterations. This ensures that altered piece of information is double-checked (four-eyes principle). The entire process creates an additional value of logging and memorizing all the above mentioned alteration activities at platform level. User can be informed about this, which makes the GDPR transparency and validity requirement easy to meet.

5.   Data storage time period

As stipulated by the GDPR, personal data are retained only throughout the time period required to reach the goals that were the purpose of data gathering. The use of Retention Service provides data removal mechanism at platform level. Record deletion rules are defined by retention policies. When defining the rules which are to govern record deletion process, almost all data regarding a specific object that exist within a specific system are being used.

6.   Safety, integrity and confidentiality

Providing safety, integrity and confidentiality, which is the last GDPR principle that has to be met, actually lays in the core of existence and functionality of content management solutions. With the mechanisms involving management of access permissions, workflow implementation, retention policies, and audit mechanism, the entire platform is built to help reach this goal. Platform detects every single breach of this requirement. Relative data are forwarded to responsible persons, whereas user can be immediately informed about the occurrence, in line with the GDPR requirement.


Combined with the BPMN tools, advanced vendor content management solutions are built and intended to provide mechanisms needed to meet the GDPR requirements. Through appropriate use of their functionalities, organizations and companies can quickly, easily and economically harmonize with the new regulations and significantly improve doing business, as, apart from accelerating their way to the GDPR, such platforms bring other different business advantages.

Do you want to learn more about applying content management and the BPMN solutions? Do you have any questions? Let us know by posting your comment below or by contacting me directly.


Your email address will not be published. Required fields are marked *