The General Data Protection Regulation of the EU requires organisations to document "Records of Processing Activities" - a job that can easily be done by SMW

1. www.kdz.or.atwww.kdz.or.at
October 5th, 2017
SMWCon Fall 2017
Bernhard Krabina
Data
Management
with SMW:
fulfilling GDPR
requirements

2. www.kdz.or.at
Introduction
 KDZ – Centre for Public
Administration Research
 Open Knowledge –
Austrian Chapter
 Semantic MediaWiki
 https://www.meetup.com/de-
DE/Semantic-MediaWiki-Austria/
05. Oktober 2017 · Seite 2

3. www.kdz.or.at
„Data centric“ management
 Smart City/Big Data:
Data that are/soon will be available
 Open (Government) Data:
First datasets are easy to publish. How to move on?
 Public Sector Information (PSI) directive:
Remove barriers that hinder the re-use of public
sector information.
 Freedom of Information vs. Official secrecy:
„Register of data“ – what is available?
 General Data Protection Regulation (GDPR):
from May 2018: Records of processing activities
05. Oktober 2017 · Seite 3

4. www.kdz.or.at
Need for Professional
Internal Data Monitoring
4. Oktober 2012 · Seite 4
http://www.kdz.eu/en/open-government-implementation-model

5. www.kdz.or.at
Internal data inventory vs.
published data catalogue
05. Oktober 2017 · Seite 5

6. www.kdz.or.at
Ratings based on 8 criteria, why or
why not a dataset can be published
05. Oktober 2017 · Seite 6
Non-disclosure/legal restrictions
Personal references
Copyright
Value
Effort
Content-related data quality
Technical availability
Synergy
Rating sum:
Rating by:
RateCapture Publish

7. www.kdz.or.at
GDPR: General Data Protection
Regulation
05. Oktober 2017 · Seite 7
 Effective from May 25, 2018
 No need for legal implementation in Member states
 Article 30 Records of Processing Activities
 Processing Register, Data Flow Chart, Data Mapping, Data Inventory, Data
Index
 Privacy Impact Assessments

8. www.kdz.or.at
Article 30
Records of Processing Activities
 companies with < 250 employees are exempt
 records shall be in writing, including in
electronic form
 shall make the record available to the
supervisory authority on request
05. Oktober 2017 · Seite 8

9. www.kdz.or.at
Article 30
Records of Processing Activities
 Record includes
 name and contact details of the controller (joint controller,
controller's representative and the data protection officer);
 purposes of the processing;
 description of the categories of data subjects and of the
categories of personal data;
 categories of recipients to whom the personal data have been or
will be disclosed;
 transfers of personal data to a third country or an international
organisation,
 where possible, the envisaged time limits for erasure of the
different categories of data;
 where possible, a general description of the technical and
organisational security measures referred to in Article 32(1).
05. Oktober 2017 · Seite 9

10. www.kdz.or.at
Your options?
 Create tons of
documents
and throw a
DMS at them
 Use a smart SMW
installation
05. Oktober 2017 · Seite 10

11. www.kdz.or.at
Contact
4. Oktober 2012 · Seite 11
Bernhard Krabina
 krabina@kdz.or.at
 www.kdz.or.at
 @krabina