MEGA Community

New products features:

• HOPEX Integrated Risk Management
• HOPEX Privacy Management (previously “HOPEX GDPR”)
• HOPEX Information Architecture

---

1. HOPEX Integrated Risk Management

1.1.New Desktop

A new desktop for Integrated Risk Management is available encompassing Enterprise Risk Management (ERM), Internal Control (IC) and Incident Management. Therefore, a user who combines the roles of Internal Control Director, Risk Manager and Incidents & Losses Administrator, will get a desktop with all possible menus, functionalities and lists relevant to all 3 functional roles.

 

Additionally, a reduced version of the desktop is available to users with one or more profiles but without all three. For example, a Risk Manager will not have access to the Test menu item as this is an Internal Control Director (HOPEX IC) only functionality.

1.2.New Risk Assessment Templates (ERM)

Risks can now be assessed in all their possible contexts with new assessment templates:

• Risks per Business Process
• Risks per Organizational Process
• Risks per Applications
• Risks per Business Lines
• Risks per Entities

   

These templates are based on the original Risks per Entities template. The Assessed Characteristics and their aggregation are still the same (Likelihood, Impact, Control Level).

They are all available whether the Risk is assessed directly, via campaigns or through a multiple assessment table.

1.3.New Multiple Assessment Table (ERM and Internal Control)

Multiple Assessment Tables have been updated to present Assessment Templates of both ERM and Internal Control. This type of assessments enables users to quickly assess multiple risks or controls in a single list, improving productivity.

A more intuitive wizard guides the user through the steps to follow when using this functionality.

 

It is also available for assessing Controls.

 

 

1.4.New Direct Assessment Properties Page (ERM and Internal Control)

The Assessment tabs for both Risk and Control properties have been updated to accommodate the new Risk Assessment templates and provide a better user experience with an assessment wizard.

 

Results from past assessments can also be filtered by the method/context utilized. Instant reports are also available to analyze the evolution/distribution of past assessment results.

 

1.5.New Widgets (ERM)

The following new widgets are available from the new dashboard:

• Risk Mitigation
• Risks per Status
• Risk Heatmap Report (Aggregated)
• Risk Assessment

   

1.6.New ‘My Tasks’ Section

To support Integrated Risk Managers during their daily activities, a specific menu dedicated to their tasks has been designed.

Risk Managers will be reminded of the following:

• Questionnaires to Answer
• Questionnaires to Review
• Assessment Sessions due to Close
• Risks to Review

 

Incidents and Losses Administrators will be reminded of the following:

• Incidents to Review

   

Internal Control Directors will be reminded of the following:

• Questionnaires to Answer
• Questionnaires to Review
• Assessment Sessions due to Close
• Checklists to Complete
• Checklists to Reassign
• Activities to Review
• Test Activities to Perform
• Tests Due to Close
• My Vacation Requests
• Vacation Requests to Review
• My Timesheets
• Expenses to Review
• My Expenses

   

  

   

Other profiles including Action Owners, Action Plan Owners and/or Recommendation Owners (issued from Internal Audit) will be reminded of the following:

• Action Plans to Implement
• Actions to Implement
• Recommendations to Implement

 

1.7.New Cross-Concept Lists

The new desktop allows users a seamless view of several concepts:

• Risks by Materialization

Presents a list of Risks that have at least one or more Open Incidents.

 

 

• Controls by Deficiencies

Presents a list of the Controls that have Open Issues recorded during their Testing or a list of Controls where the Mitigated Risks have materialized.

 

 

• Requirements by Non-Compliance

Presents only Requirements that have had either

• A Risk materialized by an Incident against one of its constrained elements, or
• an implementing Control with recorded Issues, or
• an Implementing Control not executed satisfactorily, or
• A Non-Compliance Risk.
• Incidents by Impact

Presents Incidents that could potentially trigger other Risks’ materialization or Incidents potentially threatening compliance to certain Requirements.

 

• Action Plans by Scope

View Action Plans by type of benefit: “manage Incidents”, “remediate Issues”, “implement Control” or “mitigate Risks”.

 

• Remediating Action Plans (Testing)

Presents Action Plans that specifically address Issues identified during the Control testing phase.

 

 

1.8.New List of Controls by Execution and Assessment Results (Internal Control)

Internal Control Directors now have the possibility to view either detailed or aggregated results of their Control Execution from each Control’s properties page.

 

Aggregated Execution Rates and Aggregated Control Pass Levels are also available from the ‘All Controls’ list.

 

Quantitative Instant Reports allow for quick analysis of Control’s efficiency and performance.

2. HOPEX Privacy Management (previously “HOPEX GDPR”)

1. EA Integration

This release further enhances the integration of HOPEX Privacy Management with the EA suite. The main topics that are addressed in this version are:

• Possibility to re-use EA org-units
• Automatically populate GDPR processing activities with properties of ITPM applications
• Solve an issue preventing the conversion of BPA processes of level 2 into GDPR processing activities

1.1. Org-Units

A new section has been added to the “Import” menu. This section displays all existing org-units objects that are inherited from EA. The user can now select any number of existing org-units and convert them into:

• Legal Entities
• Departments
• Third Parties

Once the conversion is made, an object of type organization is created, with the same name of the org-unit it was created from. From now on the two objects are bound together. From within the property page of the newly created organization, a synchronization button allows to sync the name of the GDPR organization with the one of the EA org-unit, if it ever changes.

Displaying the synchronization button is an option, disabled by default, that can be enabled by going in the GDPR section in the user options and selecting the checkbox “Enable EA integration options”.

Convert org-units into organizations

 

1.2.    ITPM Integration

ITPM and IT Architecture applications have two sections in the property page that are specific to privacy management. These are:

1. "Data", showing the data categories being processed by the application, and
2. Data Subjects' Rights & Notice Management which is identical to the same section of the GDPR processing activity property page (apart from the two comment fields for notice & consent which are missing in ITPM)

When an application is linked to a Privacy Management processing activity, the property page of the processing activity related to the IT application now replicates the info of the above-mentioned sections. In particular:

• All data categories in the "Data" section are reported in the "Personal data risk" section. For every line in the Data section a line is created in the Personal data risk section with the personal data categories specified in ITPM. Since ITPM also uses a concept of “Data” which doesn’t exist in HOPEX Privacy Management, this info is reported in the “comment” column
• The section data subjects' rights & notice is a filled exactly like the ITPM one

From within the HOPEX Privacy Management module users can edit everything. A button lets the user synchronize the HOPEX Privacy Management info with the ITPM one, using ITPM as master and thus discarding all changes done in HOPEX Privacy Management.

This button, as for the one to be used to synchronize org-units, is hidden by default (check previous chapter to see how to show it).

Button to synchronize processing element with ITPM application

1.3. Business Process Analysis (BPA)

Update 4 had a bug preventing users from converting BPA processes of level 2 and subsequent into HOPEX Privacy Management processing activities. This has now been fixed and therefore all BPA processes of any level can be converted into processing activities from the dedicated import section.

2. Notifications

This version of HOPEX Privacy Management introduces application notifications. Below is the list of actions that trigger a notification. The users receiving the notification are all those with visibility right over the involved object.

• If a user completes a DPIA on a PrAc
• If a user completes a pre-assessment on a PrAc.
• If a user creates a new PrAc
• If a user deletes an existing PrAc
• If a user creates a department
• If a user creates a legal entity
• If a user creates a new data breach
• If a user creates a new data subject request
• If a user assigns a PrAc to me
• If a user assigns a data breach to me
• If a user assigns a data subject request to me
• If a user modifies an object that I follow

Notifications

3. CNIL Reports – Record of Processing

Users can now export the record of processing using the CNIL Excel format. The report is hidden by default and it can be shown by selecting the option show in the image below.

CNIL Report user option

CNIL Report button

 

In order to support a few specificities of the CNIL template, the following improvements have been done to the solution:

• A new checkbox in the data category property page allows to flag the category as “sensitive”
• A new dropdown field allows to category data transfers by type

4.Data Breaches & Data Subjects’ Requests Scope Management

Up to version V2R1 Update 4, data breaches and data subjects’ requests (DSRs) were visible to every user. We have now added a scope section to the data breach, similarly to what was already done for the DSR. Data breaches and DSRs without a defined scope are visible to every user, otherwise they inherit the same permissions defined for the processing activities: a user has access to a data breach or a DSR only if he is assigned to a legal entity or department in its scope.

5. DPIA and Pre-Assessment Auto Completion Rules

To help the user during the completion of a pre-assessment and DPIA, the application now pre-computes the values of final risk and compliance level and subsequent action based on the 5 KPIs recalled in the assessment dashboard (legal basis, minimization, data subjects’ rights and notice management, data transfers and security measures).

The user can always override the pre-computed value.

Below is a detailed description of the implemented autocompletion rule.

6. Visibility Rights Enhancement

Users visibility rights have been enhanced.

Visibility rights can be defined based on three main objects:

1. Legal entities
2. Departments
3. Processing Activities

Within HOPEX Privacy Management, a legal entity is made of zero or more departments, each one of which has zero or more processing activities. Therefore, by default, the following visibility rights apply:

• A user only has access to the legal entities he is assigned to. A user who has access (i.e. visibility) over a legal entity, automatically has access to all the departments of the legal entity and all the processing activities linked to these departments.
• A user who has access over a department has automatically access to all its processing activities

HOPEX Privacy Manager has 7 user roles:

1. Chief Privacy Officer
2. DPO
3. DPO deputy
4. GDPR Team
5. Activity Owner
6. Application Owner
7. Functional Administrator

Chief Privacy Officer

No restrictions are applied to this role. The user can see everything.

DPO, DPO deputy, GDPR Team

Users with these roles can only see:

• the legal entities they are assigned to.
• the departments belonging to the legal entities they are assigned to
• the departments they are directly assigned to
• the processing activities belonging to departments and legal entities they are assigned to.

Activity Owner

Users with this role can only see:

• the processing activities they are assigned to
• no access to organization section
• no access to data subjects management section
• no access to data breaches section

Application Owner

Users with this role can only see:

• the processing activities with IT applications they are assigned to
• no access to organization section
• no access to data subjects management section
• no access to data breaches section

Functional Administrator

These users can't see the processing activities section.

7. Application Owner Profile Removed

The application owner profile has been removed and merged with the ITPM application owner. Now the user who has licenses for both ITPM and GPDR and logs into HOPEX with application owner role, will be asked to select what product to access to.

8. Minor Improvements

Following is a list of other minor improvements that have been introduced in this new release.

8.1. Making the solution less “GDPR” centric

Since the privacy market is evolving and we receive more and more requests from prospects wanting to have a more generic privacy solution, we have started to do a cleanup of the GUI, removing the term “GDPR” whenever possible. This is just a simple improvement that is part of the bigger plan to make HOPEX Privacy Management a global data privacy compliance solution.

8.2.    Physical Person Dropdowns

We have been simplifying the way fields with create and connect options work. For the time being this has only been done for physical persons fields, but we envisage to apply the same approach to all other meta-classes. The objective is to get rid of the double arrow, to either connect or create a new object, and simply use a dropdown field whose first option is to create a new object (see pt. 1 in image below), and below it lists the existing ones (see pt. 2 in image below).

 

 

Connect/Create physical person dropdown field

 

8.3. Processing Activity Assessment Status and Last Assessment Date

A new column “Last Assessment Date” has been added in the record of processing activities table to display the date of the last assessment (either Pre-Assessment or DPIA, whichever is the latest).

Also, the “Assessment Status” field has been improved. Before it was a field whose value was either “Ongoing” if a DPIA was indeed ongoing, or “Done” if either a pre-assessment or a DPIA had been completed. Now, instead, we differentiate between pre-assessment and DPIA, applying the following rules:

• If a pre-assessment has been completed and there's no finalized DPIA with a later date or DPIA in progress, the status is "Pre-Assessment Done".
• If the latest assessment being completed is a DPIA, and no DPIA is ongoing, the status is "DPIA Done".
• If there is an ongoing DPIA, the status is "Ongoing DPIA".

8.4. Other Improvements

Other minor improvements include:

• Addition of two new tiles to the user home page with counters of data breaches and data subjects’ requests
• The newly created “Functions” section now has a dedicated popup when creating a new function
• The section “Personal Data Risk Analysis” in the details tab of the processing activity property page has been renamed in “Processed Personal Data”
• Add a field “Assigned Person” to assign a user to a data breach
• Few property pages improvements in terms of fields distribution, labels alignment and help text

   

3. HOPEX Information Architecture

1. Term and Definition Import

A new Excel template is available to import business terms and business information.

1.1. Case of simple Import

Users can import a list of terms with their definition and language by using the “Term” tab provided in the template. This import will create a list of terms in HOPEX and the corresponding concepts that include the definitions.

For Example:

 

Result of the imported file in HOPEX

 

 

1.1.2.    Case of advanced Import

Users can import terms that are defined by multiple concepts, synonyms, components and states by using the corresponding tabs provided in the template (i.e. “term”, “Concept”, “Synonym”, “Component”, “State”)

Identification columns (Term_Ident, Concept_Ident, Concept_State_Ident) are used to connect objects to each other.

For Example:

List of Terms

 

List of Term Definitions

 

List of synonyms

 

2. Information Reports

2.1. Business Glossary Report with Computed Components

The Business Glossary Report has been improved to include the computed components of a concept.

Example

In the example below, for “Order Item” concept, the “Order Item Amount” property is computed by the Rule “Order Item Amount Computation” that has 2 input parameters: “Unit Price” and “Order Item Quantity”. The rule description is: “Order Item Amount” = “Unit Price” * “Order Item Quantity”

 

Corresponding Glossary Report

 

 

2.2. Realization Graph Report

The Realization Graph report is a new report available from the reporting Tab in the properties box of an information. It displays the list of realized and realizer objects (i.e. concepts and classes). Users can navigate from Information components to their realized and realizer objects. It helps data architects to clearly understand the links between the business glossary and the data dictionary. It demonstrates lineage between business data and technical data.

 

2.3. Data Usage Reports Improvement

Dendrogram reports for data usage are now improved to view realized objects (I.e. concepts), so that Data Users can view data that are used in applications and business data in the same report providing traceability from data dictionary to application usage and business concepts.

 

3. Realization Matrix

The realization matrix now manages Information Area and Information Map and their corresponding items in the logical and physical layers. Three additional matrices have been added:

• Business information map realization matrix,
• Business information area realization matrix,
• Logical data area realization matrix

Existing matrices were: Conceptual to Conceptual matrix, Logical to Conceptual Matrix (or Logical to Logical Matrix), Physical to Conceptual Matrix:

 

Once the matrix is selected, rows (list of realizer objects) and columns (list of realized objects) of the matrix are defined by the user.

UI Matrix Improvement

• Object icons are now displayed in the rows and columns of the matrix.
• By clicking on an object in the Matrix row or Column, it automatically opens the corresponding Properties tab in a pane located on the right side.

   

 

Example of Information Map Realization

 

---

Read the second part of our release note to get information on new products features for:

• HOPEX Enterprise Architecture Products
• UX Improvements
• Reports