1 X-GDPR - BPEng

Automate privacy management

X-GDPR is an innovative privacy solution designed and built to meet the requirements of the new European regulation GDPR (General Data Protection Regulation - Regolamento UE 2016/679). X-GDPR offers a proactive and multidisciplinary approach as imposed by the law allowing to manage organizational models starting from the design of privacy processes in he company according to the data protection by design and by default principle.

The change required by the new legislation is radical as it moves from a “bureaucratic“ type of privacy based on policies / documents to a procedural and process (substantive) privacy.
The GDPR based on our XBPR platform is a natural and intuitive implementation of the requirements imposed by the newer regulation and is able to adapt to any changes / additions as occurred for the Legislative Decree 101/2018 of harmonization of national legislation at the Regolamento UE n. 679 del 2016.

What the GDPR requires

The points that distinguish this brand new regulation:

  • Risk assessment according to a recognized international methodology: we go from a prescriptive privacy to a privacy based on the risk that oresees the creation of a “map“ with the references to the Data Processors external and internal to the company, to the data, and to the security measures necessary to ensure data security.
  • mplement a privacy by design: once the risk has been assessed, we proceed with the design of the privacy processes (art.25 of the Reg.): always taking into account IT, risks, costs, environment, we will have to draw the consistent processes of the regulation. All the actors involved in the processes must be involved from the beginning.
  • Creation of organizational models aimed at demonstrating good diligence in organizing processes to make them compatible with the regulation by minimizing the risk of incorrect management of privacy.
  • The maintenance of databases must be considered as a processing of personal data and must be analyzed and governed as such. It is necessary to map where necessario mappare dove sono archiviati i dati personali, su quali personal data is stored, on which applications are created / maintained / displayed and why they are managed in the way they are managed.
  • Right to be forgotten: connected to data retention, customers have the right to exercise this right and the company must respond promptly proving to know the ways in which personal / sensitive data are maintained and managed in the internal and external information system.

Il regolamento suggerisce caldamente l’adozione di sistemi software che siano in grado di mappare i flussi dei dati in ingresso/uscita dall’azienda e i flussi già presenti nei propri applicativi (processi di lavoro interni) in un’ottica estesa adottando metodologie riconosciute. X-GDPR a questo scopo utilizza la metodologia Event Driven Process Chain (EPC).

Features and functionality


  • Individualisation of the internal subjects responsible for data processing
  • Identification of external subjects responsible for data processing
  • Treatment register management
  • Data Protection Impact Analysis (DPIA).
  • mplement Report on Protection Measures (RIMP)


With XBPR, it is possible to automate the business processes required by the GDPR and enerate, in both automatic and manual mode, the documents necessary for regulatory compliance:

  • Appointment of Data Processing Holder (DPH).
  • Appointment of the Data Protection Officer (at the discretion of the DPO, manual only).
  • Appointment of External Data Processors (suppliers who process the data of the Data Controller).
  • Appointment of the subjects designated for data processing (referred to internal staff).
  • Self-appointment of Data Controller (if necessary, manual only).
  • Creation of the data processing register of the Data Controller and the Data Processor.
  • Data Protection Impact Analysis (DPIA) generation, adaptable version according to the customer.
  • Generating the Implementing Report on Protection Measures (RIMP) in compliance with the risks analyzed in the DPIA.


Both, automatic and manual authorization of documents necessary for GDPR regulatory compliance.
For each document generated and archived, it is also available the relative process instance that generated it with the details of the times and of all the entities involved (data, activities, organizational structures, application systems).
To simplify and reduce the duration of any checks by the guarantor or by the PO, X-GDPR provides a dedicated perspective with the aim of guiding the inspectors in the verification process through an autonomous pathway reducing to the minimum necessary the intervention by the owner


The main feature of X-GDPR is to implement a privacy consistent with the processes and organizational structures:

  • The adaptability to the GDPR legislation passes through the mapping of processes nd organizational structures, guaranteeing an implementation of privacy right from the design of computer systems (privacy by design).
  • The application of the GDPR legislation takes place by default through the automation of processes (privacy by default).
Return to web site