HOPEX Privacy Management

Achieve and demonstrate Data Protection Compliance

Data Protection Summary

  • EU GDPR has increased data protection for individuals and given regulatory authorities greater powers to take action against businesses that breach the new laws.
  • Following the European example, all countries around the globe (e.g. California with CCPA, South America, Asia) are updating their privacy regulations.
  • These laws have several points in common, including:
    • powerful rights for data subjects,
    • large sanctions in case of non-compliance.

Software + Experience = Solution

  • Founded in 1991
  • Software Solutions
  • Global Services
  • Help Drive Digital Transformation
  • Present in 40 Countries
  • 9 Subsidiaries & 100 partners worldwide
  • Founded in 1997
  • Consulting Services and Data Protection Experts
  • Drive Business Corporate Governance
  • Quality Certified ISO 9001: 2008

HOPEX Privacy Management Benefits

  • Manage compliance efforts from a collaborative workspace and centralized repository
  • Inform and accelerate remediation activities with up-to-date regulatory details and legal templates
  • Document and demonstrate compliance with a full range of reports designed for the Supervisory Authority
  • Maintain control over protection with Data Protection Impact Assessments
  • Influence data protection by design efforts and know when to assess new and evolving processing activities

HOPEX Privacy Management – Main Features

HOPEX Privacy Management – Assign Responsibilities

HOPEX Privacy Management Benefits

HOPEX Privacy Management gives you the tools necessary to manage your stakeholders:

  • Create and manage your own Privacy team using 7 different roles
  • Document your company organizational model
  • Scale your team to your organization’s legal structure and departments
  • Delegate Processing Activities to the relevant deputy DPOs
  • Identify the different data protection roles such as Data Controllers, Processors and National Representatives
  • For each Processing Activity, assign the right Activity Owner and Application Owner who are expected to describe processing activities and their relevant Applications.

Assign Responsibilities Features

Chief Privacy Officers can build their organization with Legal Entities, Sites & Departments.

  • Legal Entities are located on specific Sites
  • Departments are part of a Legal Entity

Assign Responsibilities Features

  • The Chief Privacy Officer can detail the organization chart to build a complex hierarchy, with several nested levels of legal entities and departments
  • The organization will be able to create its own roles and functions to describe the different responsibilities
  • Based on the organization chart, the user can define the visibility rights of the different roles with the desired level of granularity, e.g. a member of the data protection team may have access only to the processing activities of a specific legal entity or department/sub-department

Assign Responsibilities Features

  • Chief Privacy Officers can assign a DPO to a Legal Entity and a deputy DPO for each Department.
  • A department can also have an IT correspondent for privacy related requests.

HOPEX Privacy Management – Record of Processing Activities

HOPEX Privacy Management enables DPOs and Data Controllers to quickly build and maintain an accurate record of processing activities:

  • Create processing activities
  • Identify already existing processes & applications handling personal data categories and convert them into processing activities*
  • Add Data Protection relevant information to your processing activity (purpose, legitimacy, assignments…)

Processing Activities Features

DPOs can manually create Processing Activities and specify which Department they are performed by.

New Processing Activities will be assigned to the relevant DPO and DPO deputy as specified in Assign Responsibilities.

Processing Activities Features

DPOs can export the record of processing, choosing which legal entity they are interested in and whether the record applies to the data controller or the data processor.

Processing Activities Features

DPOs can identify already existing processes* handling personal data categories and convert them into processing activities with a single drag and drop action.

Diagrams describing processes can be consulted prior to converting a process into a processing activity.

Processing Activities Features

DPOs can identify already existing applications* handling personal data categories and convert them into processing activities with a single drag and drop action.

Processing Activities Features

  • DPOs can follow the validation of newly created activities, through pre-defined workflows
  • Automatically notify activity owners to get them to complete the description of a processing activity
  • Validate the provided information and carry out a pre-evaluation and DPIA

Processing Activities Features

  • DPOs can specify the level of responsibility of the Legal Entity (Data Controller, Processor or Joint Controller) regarding the processing activity.
  • The processing activity owner can indicate the legal basis for the processing.
  • Data Controllers can also rate the Legal Basis Compliance level.

Processing Activities Features

  • Data Controllers are able to specify which security measures are put in place to ensure processing activities are carried out safely.
  • Data Controllers can also rate Compliance of Data Transfers & Security Measures at this stage.

Processing Activities Features

  • Data Controllers are able to specify which Data Subject Rights apply to their processing activities, along with the type of notice and consent requirement.
  • Data Controllers can also rate the Data Subject Rights & Notice Management Compliance Level.

Processing Activities Features

Data Controllers are able to rate the degree of minimization of specific data handled by processing activities.

HOPEX Privacy Management – Manage Processing Activities

Data Controllers can further describe processing activities with:

  • coverage by national representatives
  • third parties performing the processing and set contractual agreements with them
  • comparison of countries (where the processing takes place vs where the data was collected) and implementation of the necessary measures (data protection, DPIA, risk evaluation).

National Representatives Features

  • DPOs can specify National Representatives for each Legal Entity. Countries covered by National Representatives are defined.
  • A National Representative coverage is then given to the Processing Activities performed by the Legal Entity (Null, Partial, Full).

Third-Parties Management Features

DPOs can not only create but also manage Third Parties.

  • Third Party Sites, along with Transfer Safeguards, can be defined.
  • DPOs can be assigned to Third Parties
  • National Representatives can also be assigned
  • Contractual Agreements can be uploaded

Third-Parties Management Features

  • DPOs and Data Controllers can specify, for each Processing Activity, which Third Party is taking part in the form of sub-processing.

A Third Parties Report provides an overview of the Processing Activities that Third Parties are participating in, along with the Risks they present and their Compliance Level.

Data Transfer Management Features

DPOs and Data Controllers can capture Data Transfers performed by a processing activity. These data transfers can then be represented on a Data Transfer Map.

HOPEX Privacy Management – Manage Data Breaches

Record all potential data breaches by allowing internal staff to report incidents through an ad hoc web form. Data Controllers can:

  • Collect all the information required by the regulation and build a detailed record of data breaches
  • Assess the seriousness of every breach and take action within 72 hours:
    • implementing remediation measures
    • identifying impacted people and potentially notifying supervisory authorities and data subjects.

Data Breaches Management Features

  • Stakeholders can report Data Breaches, without needing to log into HOPEX Privacy Management.
  • DPOs can then assess Data Breaches and keep track of notifications sent to Data Subjects and supervisory authorities.

HOPEX Privacy Management – Manage Data Subject Requests

HOPEX Privacy Management helps Data Controllers with Data Subject Requests management. Within a dedicated section, Controllers can:

  • Collect requests
  • Categorize them by type and monitor their status
  • Assign every request to impacted legal entities, departments and processing activities
  • Receive reminders when a deadline approaches

Data Subject Requests Management Features

Data Controllers can keep a log of all Data Subject Requests and monitor their progress.

HOPEX Privacy Management – Pre-assessment of Processing Activities

HOPEX Privacy Management enables DPOs to:

  • Assess risk and compliance level of every processing activity
  • Review and Comment on latest DPIA in progress

Pre-Assessment Features

  • DPOs are able to assess overall level of risk and compliance of processing activities. Reminders of previous compliance ratings given by the Data Controller responsible for the processing activity are provided at this stage.
  • This is where the DPO determines if a DPIA is required or not.
  • Pre-assessments can be recorded for future analysis of the evolution of the processing activity’s compliance and risk levels.

Advise on DPIA Features

DPOs can review and add comments to DPIAs. They can also finalize or discard each DPIA.

HOPEX Privacy Management – Data Protection Impact Assessments

HOPEX Privacy Management enables Data Controllers to carry out a Data Protection Impact Assessment:

  • Identify processing activities requiring a DPIA
  • Launch a DPIA, identify data protection risks and provide recommendations
  • Produce detailed reports to prove accountability to the supervisory authority

DPOs also get the opportunity to:

  • Review the Risks identified during DPIAs
  • Validate Recommendations
  • Receive Notifications of DPIA awaiting validation (available in Update 4)

DPIA Features

Data Controllers can identify at a glance the processing activities requiring a DPIA.

DPIA Features

  • Data Controllers can start a new DPIA or clone a previous one.
  • Previous DPIAs can also be consulted.
  • Data Controllers are reminded of the pre-assessment measures given to the processing activity by the DPO.

DPIA Features

Data Controllers can create Data Protection risks represented by the processing activity. There are 5 types of Data Protection Risks:

  • Illegitimate Access
  • Data Loss
  • Data Corruption
  • Data Unavailability
  • Unlawful Processing

Each Risk is assessed in terms of Impact and Likelihood. Once Risks are assessed, Data Controllers can issue Recommendations with the aim of reducing the level of a specific data protection Risk.

DPIA Features

Controllers can attach external files as evidence supporting their DPIA.

DPIA Features

Data Controllers then pass a final judgement on the Processing Activity by setting a Final Compliance Level and a Final Risk Level, and by deciding on the Subsequent Actions to be taken.

DPIA Features

Data Controllers can generate a DPIA document containing the regulatory texts, background information on the Processing Activity and results of the DPIA. This document can then be modified if necessary before it is submitted to the authority.

DPIA Features

DPOs can review the Risks identified during DPIAs.

DPIA Features

Company Policies can also be attached to a DPIA for future reference. Enterprise Architects can use both Recommendations and policy documents to transform the assessed processing activity.

DPIA Features

  • DPOs can review Recommendations made to mitigate a particular Data Protection Risk identified during the DPIA.
  • Recommendations are validated alongside their DPIA.

HOPEX Privacy Management – Inform & Advise Data Controller

DPOs can use HOPEX Privacy Management to support Data Controllers in an overseeing capacity with the following reports:

  • Data Risk Reports
  • Data Protection Risk
  • Consistency Reports

Inform & advise Features

Data Risk Reports provide an overview of levels of Risk and Compliance of each processing activity, organized by Data Category or by Data Subject Categories.

Inform & advise Features

Data Protection Risk Report provides an overview of the evolution of a Processing Activity’s Data Protection risk rating throughout its many DPIAs.

HOPEX Privacy Management – Carry Out Audit

DPOs can use HOPEX Privacy Management to audit progress of Compliance efforts as well as potential gaps with the following reports:

  • Processing Activity Status
  • Record of Notices

Monitor Compliance Features

DPOs have the opportunity to create their own reports in one click to respond to their monitoring needs.

The bubble chart below shows a distribution of processing activities by level of compliance and risk rating whilst the bubble size is based on the time elapsed since last assessment. The heatmap presents a distribution by risk rating and compliance level.

Monitor Compliance Features

The pie chart below allows DPOs to monitor the number of processing activities already assessed against those yet to be assessed.

DPOs can have a closer look at the processing activities by clicking on the corresponding section of the pie chart. The list of relevant processing activities is displayed.

Monitor Compliance Features

  • Processing Activity Owners can capture the notice requirements for a specific Processing Activity.
  • The notice actually sent to the concerned Data Subject can be attached to the processing activity for future reference.
  • Processing Activities without notices can be monitored with the relevant reports.

HOPEX Privacy Management – Liaise with Regulatory Authority

DPOs can generate and provide the following reports to the authority:

  • Record of processing activities
  • DPIA documents

Liaise with Regulatory Authority Features

DPOs can generate a Record of Processing report in MS Word format from a list of processing activities.

The report contains information from HOPEX Privacy Management and is enriched with content based on the GDPR regulation. Information is organized by section according to the regulation, and DPOs can modify the report according to their stakeholders’ expectations.

Liaise with Regulatory Authority Features

Organizations and their DPOs can now export the record of processing directly in the format suggested by the French authority (CNIL).

Liaise with Regulatory Authority Features

DPOs can generate a DPIA document in MS Word format for a given DPIA.

The document contains information from HOPEX Privacy Management and is enriched with content based on the GDPR regulation. Information is pre-organized and DPOs can add further information before it is submitted to the supervisory authority.

Business Transformation & Data Protection

  • Data protection legislation worldwide stipulates that Data Controllers should implement appropriate technical and organizational measures to ensure that processing is compliant and follows the principle of data protection by design and by default.
  • Compliance with data protection legislation involves changes to how Organizations conduct their business.
  • Decisions regarding such changes can be neither taken nor implemented without clear visibility of said organizations.
  • By describing how an organization conducts its business, Enterprise Architecture not only helps identify processing activities but also enables privacy teams to drive business transformation.

Compliance & Business Transformation

HOPEX EA + HOPEX Privacy Management

Reusing Business Process & Applications

Re-use IT Applications

Users can now document which IT applications are used within a processing activity, directly linking existing ITPM/ITA applications and accessing all their properties.

Re-use Org-Units

The user can now reuse existing EA org-units and convert them into: Legal Entities, Departments and Third Parties. The conversion creates a link between the two objects allowing continuous synchronization.

Enterprise Architecture
IT Architecture
Information Architecture