Automating your Assessment Process with BeyData Librarian

BeyData Librarian ships with many templates but you may need to create a company specific Assessment.  This may seem like a daunting task but it is quite simple. This blog post is designed to take you through the steps to automating a manual or spread sheet process that you currently use.  For this example, we will use the Cloud Accountability Projects, Data Protection Impact Assessment.  You can view the PDF here: Assessment PDF  and more information regarding the cloud accountability project can be found here: http://www.a4cloud.eu/ . This assessment is provided under creative Commons with an Attribution and ShareAlike requirement (https://creativecommons.org/share-your-work/licensing-types-examples/).

What we want to do is replicate the “Cloud DPIA Questionnaire” from this document so that instances of the assessment can be run and rerun in an automated process. Here are the steps:

 

  1. Create a new Assessment: We will call the project CDPIA by Selecting the [ Add] button and then renaming the default new name of “Assessment Definition 1” to “CDPIA”

Assessment Manager

 

  1. Now let’s go ahead and Edit the New Assessment by Selecting the [Edit] button which brings up the assessment editor.Assessment Editor
  2. From here we can start adding blocks. To save time we have completed this assessment before writing the blog post.  For your information, this is a simple process of dropping blocks and connecting them.  Let us talk about block types used.

 

The Task Block is simple and can be identified by its shape of a rectangle. The first         one we have is EU Activities and more importantly it corresponds with the first         question in the assessmentQuestion and rules

So, in this first line there are some questions regarding the type of project and defining territory

First, “Is the establishment of your activities in European territory?”

Then there is an Explanation section for the Privacy Pro completing the Assessment: “Whether the processing of personal information of your undertaking takes place in the European Union or not is not relevant. If you are not established in European Union territory, but you offer goods or services to individuals in the EU or monitor them, then you should answer Y to this question.”

 

The type of question is a Yes/No and for our purposes we will turn this into a checkbox and Checked\Unchecked (Yes/No or True/False) as we will need to test this answer.

Here is what the Task block pages look like with descriptions:

The first page defines the task, you can have one or many.  There is the Task Subject /Question and then the description. There is of course the assignment and whether you want to send an email alert. The “Assessment Team” as shown here is a user group, you could also just send it to an individual.  Some people prefer not to use email updates as part of the workflow, this is not required.

Task Subject

The Assessment comes with Guidance related to the Response, in Column one the Response Yes is: You have to comply with European Union laws, and Response No is blank. The Actions for each item are important.

The status of this task can be an Open/Done value or the approval type.

Task Status

Some Privacy Pros will want to attach or review attachments for any instance of the assessment. This tab is where you define those items.

attachments

The Answers Page is where we define the items for which we want answers. It can be one to many items and how the answer is provided is up to you. In this case we want a check box but you can also use text, date time, memo, drop down choices.   In many cases in this assessment we will use both Check boxes and drop downs.

Answers

 

Finally, there is the task expiration page, and this can be set to whatever you require. The assessment that ships with BeyData Librarian by default ships with no expiration.

Expiration Page

 

Actions

The Actions are important and step one has the following actions:

If Yes: Go to the next question

If No: This Questionnaire is addressed to businesses and/or organisations which are established in the European Union. Since you are not established in the EU, this Questionnaire does not apply to you. (So Exit the Assessment)

You can see this clearly in the flowchart:

Flowchart Showing Flow to end

 

A “Yes” answer continues to the next step and a “No” answer ends the assessment.

 

Risk

The Score, Weight and Indicators need to be set on this first task block:

And for this first block it is: N/A – This answer is not counted in the overall score with a weight of zero and no risk indicators in this assessment they describe risk indicators as follows.

There are seven privacy indicators:

Sensitivity (SEN): Risks related to a sensitive market (i.e. elderly, children, etc.) and/or sensitive data (i.e. health or medical conditions, finance, sexual behavior)

 

Compliance (C): Risks related to compliance with external standards, policies, laws, etc.

 

Trans-border data flow (TB): Risks related to transfer of information across national borders

 

Transparency (T): Risks related to transparency in the areas of notice/user messaging and choice/consent

 

Data control (DC): Risks related to control of the data lifecycle (i.e., collection, usage, quality, and/or retention)

 

Security (SEC): Risks related to security of data and data flows

 

Data sharing (DS): Risks related to sharing data with third parties

 

  1. Now we have to decide programmatically what to do next, and we therefor put a decision block on the flowchart.Decision Block

And here we ask if we are collecting European data  and as required the answer “NO” ends the assessment and the answer “Yes” goes to the next step.

 

  1. Now we go on to line number two and question number two defines a checkbox question, “Do you handle information that can identify other people through one or more of the following activities?” With guidance, “Think for instance, if you use names, identification numbers or location data. The collection of information related to individuals can be potentially intrusive to the information privacy rights of these individuals. In some types of projects information provided is more sensitive than in other ones e.g. Financial data”. Regardless of the answer when complete we go to the next question.

 

  • Web Browsing
  • Account and/or Subscription Management
  • Authentication and Authorization
  • Customization
  • etc

We can handle both line two and three in this task block

Line Two

Line two and three description

Variables

What is different here is there are risk indicators that we must deal with

If “health, employment, social security and law enforcement” then 1, else if “historical, scientific statistical or research purposes” then 1/4, else if “exercise of the right to freedom of expression or information” then 3/4, else 0.  With a weight of 1 and code SEN, here is an example:

 

So, to set risk for this task we would select the [ Set Risk] button

Demo Risk

And under Risk to Individual set values as required.

PLEASE NOTE: You could also set these in the flowchart programmatically, please see the help file for more information on programmatic options.

 

  1. You repeat these steps as much as required, this assessment has 50 steps and branching based on conditions. And in the end the assessment looks like this in the assessment editor.Full Assessment in Editor

 

  1. Once created you need to test the Assessment and you do that by opening the assessment manager and selecting the [Run New] button and giving the test assessment a name and select [OK]BlogDemo Instance

 

 

Remember even if you are setting the risk programmatically you must create the risk table for the instance as this is where risk values are stored for the assessment. After selecting [OK] you will get a message that the assessment instance and risk table are created – Once the instance is created the assessment is running.

Comfirmation

 

 

Summary

 

To create the BeyData Librarian Assessment took three (3) hours and to run a complete test of the assessment and branching took 17 minutes.   So in under 3.5 hours the assessment was created and new instances could be created at will.  If we had the original spreadsheet it would have been quicker because when copying and pasting from a PDF many formatting updates are needed. It would have been under two hours if we had the original content.

Running our Example

You can Update your software to the latest build, or request that your account representative send you the new assessment template and import the template via the share functionality

Share

If you do not have the software and want to see this in operation simply request a demo.  https://www.beydata.com/RequestTrial.htm

Example Output

Example Output