Compliance Simulator · Case 2 of 3

NordChem Faces the Data Audit

Build a GDPR-compliant data register from scratch — under a real audit deadline.

🏭 Finnish Chemical Industry
🎭 You play the DPO
🇪🇺 GDPR · Tiedonhallintalaki
~75 min · 5 Tasks · 700 XP
Maria Lindqvist, CEO

"Do we actually have a proper data register? Six weeks. I need you to lead this."

Jarkko Virtanen, IT Manager

"I can tell you what systems we have — ERP, the HR system, a CMS, a chat system, and a payroll system. But what personal data each one processes or who's responsible under GDPR? That's never been formally documented."

How do you respond to the CEO?
"Let's hand this to our lawyer — it's a legal matter."
The DPO owns this process. A lawyer can advise on legal bases, but the register must reflect operational reality. Without DPO and IT input grounded in the actual systems and processing, any document produced will fail a real audit.
"I'll make a spreadsheet of our systems and send it to the Ombudsman."
A one-off spreadsheet doesn't demonstrate ongoing compliance. The Ombudsman expects a living register — updated as systems and processing change — not a document created for the audit alone.
How this works: Run Cyberday in split-screen alongside this simulator. Complete each task in Cyberday, then answer the questions here to earn XP. You need 450 / 700 XP to pass.
Reference

Data Hierarchy & Key Terms

Keep this page open in a separate tab. You'll refer back to it during tasks.

The Three Levels

DATA STORE
The broad category — "Employee register", "B2B customer register." Found in All documentation → Asset documentation lists. Each store = one section of your GDPR Article 30 register.
↓ contains
DATA SET
A specific subset — "Employment contracts", "Customer billing info." Found in All documentation → Asset documentation lists. Describes exactly what is processed and for which purpose.
↓ processed in
DATA SYSTEM
The technical system — ERP, HR system, CMS. Found in All documentation → Asset documentation lists. Systems become visible in a data store only once data sets link to them.
Data stores → data sets → data systems. Systems never link directly to stores — the data set is always the bridge.

Key Terms

Term: Meaning
RoPA: Records of Processing Activities, the Article 30 register
Data controller: Decides why and how data is processed (NordChem for its own data)
Data processor: Processes data on behalf of the controller (e.g., a payroll SaaS)
DPA: Data Processing Agreement, contractually required with every processor (Art. 28)
DPIA: Data Protection Impact Assessment, required before high-risk processing (Art. 35)
Special category data: Sensitive data under Art. 9 (health, biometric, racial origin, etc.). Requires one of the Art. 9(2) conditions in addition to a standard Art. 6 legal basis
Tiedonhallintalaki: Finnish Information Management Act. Affects how data stores appear in public administration reports; private companies like NordChem answer "No" to the case management questions
Assurance value: How much documented evidence backs a compliance claim, not just whether a task is marked done
Quick check
Which Cyberday element acts as the bridge connecting a data store to its data systems?
The system interface
The data set
The task in the System management theme
The external data store entry
Quick check
NordChem uses a cloud payroll service that stores employee salary data on NordChem's behalf. Under GDPR, what is the payroll provider's role?
Data controller — they decide what salary data to hold
Data processor — they handle NordChem's employee data under NordChem's instructions
Joint controller with NordChem
Neither — GDPR doesn't apply to payroll data
Quick check
Order these elements from broadest (1) to most specific (3):
  • Data system (e.g., ERP-System)
  • Data store (e.g., B2B customer register)
  • Data set (e.g., Order information)
Task 1 · 15 min

Build the Privacy Register — Create NordChem's Data Stores

Jarkko Virtanen, IT Manager

"The main data categories I see: customer and order information, employee records, and a marketing contact list."

1 · Create NordChem's data stores and configure B2B customer register · ⏱ 15 min
  1. In Cyberday: All documentation → Asset documentation lists → Data stores. Click + Add data store.
  2. Create three data stores by selecting from the general library:
    • B2B customer register — covers customer and order data
    • Employee register — covers HR and personnel data
    • Marketing register — covers the marketing contact list
  3. Open B2B customer register. Each data store has five sections — work through them in order:
    • 01 — Who's responsible for the data? Set the Controller field. Confirm personal data is processed (Yes). Add the DPO as the Unit responsible for the data store.
    • 02 — From which datasets does the data store consist of? Skip adding datasets for now (Task 2). Answer the case management question (No for NordChem).
    • 03 — How is personal data on the data store utilized? Click + Add new processing purpose and add "Marketing". Answer the automated decision-making question.
    • 04 — Is the data regularly disclosed to other parties for other uses? Answer Yes/No and add any regular disclosures.
    • 05 — Have data subjects been informed of the processing? Confirm a privacy notice has been published and how.
    Section 02 asks "Does the data store include data about case management or provided services?" Answering Yes affects how the store appears in Finnish public administration reports (Tiedonhallintalaki). For NordChem as a private company, the answer is No.
Platform check
Where in Cyberday do you create data stores?
All documentation → Asset documentation lists → Data stores
Privacy theme → Tasks → Add data store
System management → Additional information
Risk management and leadership → Registers
Knowledge check
Section 03 of the data store card ("How is personal data on the data store utilized?") maps directly to which Article 30(1) requirement?
Categories of recipients
Purposes of processing
Technical security measures
Contact details of the DPO
Scenario
NordChem's maintenance team keeps a paper visitor signature log at the factory gate. Does this need to be documented as a data store?
No — GDPR only covers digital systems
Yes — GDPR covers any structured personal data, including paper filing systems
Only if the log contains sensitive data categories
Only if more than 50 visitors are logged per month
Key Takeaways
  • Data stores are the top level of GDPR documentation — each one maps to an Article 30 record of processing
  • GDPR also covers non-automated processing when the personal data forms part of a filing system (Art. 2(1)), so paper records like visitor logs belong in the register
  • Creating stores from library templates saves time, but each must be customised to your actual processing activities
Task 2 · 12 min

Add Data Sets in Data Stores — Specifying What NordChem Processes

Jarkko Virtanen, IT Manager

"For customers we hold survey responses, order data, and payment records. For employees: HR has staff lists and health records from occupational services. These all live in different systems and serve different purposes."

2 · Create data sets inside NordChem's data stores · ⏱ 12 min
  1. On the Data stores page, open B2B customer register → Section 02 (From which datasets does the data store consist of?) → + Add data set. Add:
    • Customer surveys (marketing)
    • Order information (customer management)
    • Payment information (financial management)
  2. Click on the Data stores link at the top of the page and open Employee register → Section 02 → + Add new data set. Add:
    • Customer lists (Customer management)
    • Employee lists (human resources management)
    • Occupational health information (human resources management)
    Health data is "special category" under Article 9 — it needs an explicit legal basis beyond the standard ones and must be clearly flagged in the register. Retention periods are a common audit gap: for each data set, ask yourself What data? For what purpose? How long is it held?
Platform check
To navigate back to the data stores list after opening a data set, what do you click?
The browser back button
The Data stores link at the top of the page
All documentation → Asset documentation lists
The sidebar navigation → Privacy
Scenario
NordChem wants to start using employee working-time data to generate performance scores for promotion decisions. Under GDPR's purpose limitation principle (Art. 5(1)(b)), what is required?
Nothing — NordChem already holds the data, so any new use is fine
The new purpose must be compatible with the original, or a new legal basis is needed — and the register should be updated to reflect the new purpose
Employees must be re-hired under new contracts that mention the performance scoring
Scenario
The occupational health information data set contains pre-employment medical records. What makes this different from an ordinary data set in GDPR terms?
It must be deleted after 12 months under Finnish law
Health data is "special category" (Art. 9) — it requires an explicit legal basis beyond the standard Article 6 grounds and additional protective measures
It is exempt from GDPR because employees provided it voluntarily
Key Takeaways
  • Data sets specify the exact processing activities within each store — they are the operational detail behind your register
  • The purpose limitation principle (Art. 5(1)(b)) means data collected for one purpose cannot be repurposed without legal basis
  • Special category data (health, biometrics) under Article 9 requires explicit legal basis and additional safeguards
Task 3 · 15 min

Working with Data Sets — Managing Sensitive Data

Jarkko Virtanen, IT Manager

"Occupational health data is processed in our HR system. It's sensitive — medical prescriptions, treatment history, physical characteristics. We store it only for active employees and contractors, and it's not in any external system."

3 · Configure the Occupational health information data set · ⏱ 15 min
  1. In Cyberday: Return to the Data stores page. Click Employee register. In section 02 From which datasets does the data store consist of?, click Occupational health information (human resources management) in the section for Connected data sets.
    A new card will appear. Employee register should be listed under Data stores.
  2. The first section, How is the data in the material processed? is where data systems can be added. Click Edit, and add HR-system (human resources) as the data system.
  3. Complete the remaining fields in the first section:
    • Is part of the data store stored outside your own data systems? Click Edit and answer No.
    • Does the material include information about the processing of the case? Click Edit and answer No.
    • Does the material include information about service information management? Click Edit and answer Yes.
  4. The second section, Does the data set contain confidential information? concerns confidential information:
    • Does the data set contain confidential information. Click Yes.
    • Data classification. Select Internal / Security level IV.
  5. The third section, How long will the data be retained? concerns data retention:
    • Data retention time. Select Duration of the contract.
    • Reasoning for retention time. Write "Contractual necessity and legitimate interest."
  6. The fourth section, What kind of data is included in the data set? concerns the nature of the data:
    • Does the material contain personal data? Click Yes.
    • Registrant groups. Add Contract workers, Previous employees and Trainees.
    • Personal data categories. Add Physical characteristics (height, weight, age, skin color).
    • Does the material contain special categories of personal data? Click Yes.
    • Special personal data. Add Medical care information, Medical prescriptions, Patient treatment history.
    • Other important data categories in the material. Leave blank.
  7. The fifth section, What happens after retention time? concerns data destruction and archival:
    • Is data destroyed after retention time? Click Yes.
    • Is personal data anonymized? Click No.
    • Is data archived? Click Yes.
    • Description of archiving. Write "Moved to secure drive."
Platform check
In which section of the data set card do you add a data system like HR-system?
Does the data set contain confidential information?
What kind of data is included in the data set?
How is the data in the material processed?
What happens after retention time?
Knowledge check
NordChem sets the data retention time for occupational health records as "Duration of the contract." Under GDPR's storage limitation principle (Art. 5(1)(e)), what else must be documented alongside the retention period?
A list of every employee whose data is held
The reasoning that justifies the retention period
Approval from the Finnish Data Protection Ombudsman
Scenario
The auditor asks why occupational health data is classified as "Internal / Security level IV" rather than a lower classification. What is the correct justification?
All HR data must use the highest classification by default
The data set contains special category data (health information under Art. 9), which requires stricter access controls and a higher confidentiality classification
Finnish law mandates Security level IV for all employee data
Key Takeaways
  • Occupational health data is special category data requiring the strictest controls and classification
  • The storage limitation principle requires documented retention periods with clear justification for each dataset
  • Data classification (e.g., Security Level IV) must reflect the actual sensitivity of the data, not just convenience
Task 4 · 15 min

Document Data Systems — The Technical Layer

Jarkko Virtanen, IT Manager

"Confirmed systems: an ERP for purchasing, the HR system, a chat system, a CMS, and a payroll system. The HR system is on-premises in the EU. It connects to the payroll system for worktime export, and to the CRM for employee action data."

4 · Add NordChem's data systems and fully configure the HR system · ⏱ 15 min
  1. In Cyberday: All documentation → Asset documentation lists → Data systems. Add each system and assign an owner:
    • ERP-System -Purchasing — Responsible authority: Jarkko Virtanen
    • HR-system (human resources) — Responsible authority: Henkilöstöjohtaja / Human resources director
    • Chat system — Responsible authority: Jarkko Virtanen
    • CMS-system — Responsible authority: Jarkko Virtanen
    • Payroll system — Responsible authority: Henkilöstöjohtaja / Human resources director
  2. Open the HR-system (human resources) card and complete each field. Under data sets (top of page), click Select. Add Occupational health information (human resources management), Working time records and Employment contracts.
  3. 01 - Who's responsible for the data system?
    • Provide the responsible authority.
    • Describe the purpose of the data system (for example, "Managing human resources.").
    • Add Human Resources / HR as an optional connected unit.
    • Indicate the system is relevant for the tasks of the authority (click Yes).
    • Indicate the system is not used to process cases (click No).
    • Indicate the system is used to perform data management for services (click Yes).
  4. 02 - How is the system maintained?
    • Indicate you are responsible for the development and maintenance of the system (click Yes) — note: this will trigger a new dropdown.
    • For Backups, add Internal networks general storage drive.
    • For System log information, add Log of HTTP requests and API errors.
    • For Other security measures, click Personnel security: Cyber security in contracts. Select Reviewing confidentiality agreements.
    • For Is the data system offered to customers as-a-service, click No.
  5. 03 - Where is the data system located?
    • Select On-premises as the Hosting type.
    • Select EU / EEA as the System's location.
  6. 04 - What factors can be used to retrieve information from the data system?
    Add Search criteria describing the search terms with which information can be retrieved. Examples include social security numbers, email addresses, usernames, or primary and foreign keys.
  7. 05 - How are system permissions managed?
    • For Multi-factor authentication (MFA) status, select Enforced.
    • For Connected access roles, select HR and Information management.
    • For connected authentication methods, select Biometric ID (e.g. fingerprint) and Personal ID account (e.g. google, AD).
  8. 06 - What kind of connections does this system have with other data systems?
    • For Interfaces to other systems, select Export of different customer actions to a CRM system and Export of worktime monitoring data to payroll.
    • For Direct data sources, select Company employee.
    All linked data systems now appear under Data systems in Asset documentation lists. In the sidebar, open All tasks and search for the task Data system listing and owner assignment; its linked text should read 5 data systems answered.
Platform check
When configuring the HR system, clicking "Yes" to being responsible for development and maintenance triggers what?
An automatic task is created for a security review
A new dropdown appears with additional maintenance fields
The system is flagged as high-risk in the register
The hosting type field becomes mandatory
Knowledge check
The HR system is hosted on-premises in the EU/EEA. Why does this matter for GDPR compliance?
On-premises systems are exempt from GDPR documentation requirements
Hosting within the EU/EEA means no third-country transfer safeguards (e.g., SCCs) are required for this system
The Data Protection Ombudsman must be notified of any on-premises system
Scenario
An employee submits a GDPR Article 15 data access request — they want all personal data NordChem holds about them. Using your Cyberday documentation, what is the best starting point?
Employee register → its data sets → linked systems (including HR-system) → interfaces from those systems to downstream locations
Ask the HR Manager to recall which systems they use
Search the ISO 27001 compliance report for the employee's name
Knowledge check
In Cyberday, the "Data system listing and owner assignment" task is marked as Critical priority. What does the assurance value on this task measure?
Whether the task is marked as "Done"
How complete the supporting documentation is — the more fields filled in for each system, the higher the value
The number of employees who have read the policy
Key Takeaways
  • Data systems document where and how personal data is processed — they connect your register to your actual IT infrastructure
  • EU/EEA hosting keeps that system outside the Chapter V transfer rules (SCCs, transfer impact assessments); each processor and sub-processor still has to be checked separately for its own location
  • Access management (MFA, role-based access, authentication) is both a security control and a GDPR accountability measure
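The hierarchy rule from the Reference page (systems reach a store only through a data set), the retention-gap warning in Task 2, and the Article 15 trail in the scenario above are all checks a DPO can run mechanically once the register is modelled as data. The following is an added example, not Cyberday code or an export from it: a minimal model of data stores, data sets and data systems with an audit-gap check (missing legal basis, missing retention period or reasoning, special category data without a DPIA) and a DSAR traversal that follows data sets to systems and then system interfaces downstream. All records, owners, retention values and legal-basis strings in the sample are constructed for illustration.

```python
"""Data store -> data set -> data system model with two auditor-style checks.
Added example; not Cyberday code. All sample records are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DataSystem:
    name: str
    owner: str
    interfaces: list[str] = field(default_factory=list)  # downstream systems (section 06)


@dataclass
class DataSet:
    name: str
    purpose: str
    systems: list[str]                 # systems the set is processed in
    retention: str = ""                # storage limitation, Art. 5(1)(e)
    retention_reason: str = ""
    special_category: bool = False     # Art. 9 data


@dataclass
class DataStore:
    name: str
    controller: str
    legal_basis: str = ""
    datasets: list[DataSet] = field(default_factory=list)
    dpia_done: bool = False


def systems_of(store: DataStore) -> list[str]:
    """Systems are reachable only via data sets; a store never links to a system directly."""
    return sorted({s for ds in store.datasets for s in ds.systems})


def audit_gaps(stores: list[DataStore]) -> list[tuple[str, str]]:
    """Return (where, what) pairs for the documentation gaps an auditor asks about first."""
    gaps = []
    for st in stores:
        if not st.legal_basis:
            gaps.append((st.name, "no legal basis"))
        if any(ds.special_category for ds in st.datasets) and not st.dpia_done:
            gaps.append((st.name, "special category data without DPIA (Art. 35)"))
        for ds in st.datasets:
            path = f"{st.name}/{ds.name}"
            if not ds.retention:
                gaps.append((path, "no retention period (Art. 5(1)(e))"))
            elif not ds.retention_reason:
                gaps.append((path, "retention period without reasoning"))
    return gaps


def dsar_locations(store: DataStore, systems: dict[str, DataSystem]) -> list[str]:
    """Art. 15 starting point: store -> data sets -> systems -> downstream interfaces (BFS)."""
    seen: list[str] = []
    todo = systems_of(store)
    while todo:
        name = todo.pop(0)
        if name in seen:
            continue
        seen.append(name)
        todo.extend(systems[name].interfaces)
    return seen


# Constructed sample register, modelled on the case (owners, bases and periods are placeholders)
SYSTEMS = {s.name: s for s in [
    DataSystem("HR-system", "Human resources director", ["Payroll system", "CRM system"]),
    DataSystem("Payroll system", "Human resources director"),
    DataSystem("CRM system", "Jarkko Virtanen"),
    DataSystem("ERP-System", "Jarkko Virtanen"),
]}
STORES = [
    DataStore("Employee register", "NordChem", "Art. 6(1)(b) + Art. 9(2)(b)", [
        DataSet("Occupational health information", "human resources management",
                ["HR-system"], "Duration of the contract", "Contractual necessity",
                special_category=True),
        DataSet("Employee lists", "human resources management", ["HR-system"]),  # no retention
    ], dpia_done=True),
    DataStore("B2B customer register", "NordChem", "Art. 6(1)(b)", [
        DataSet("Order information", "customer management", ["ERP-System"],
                "6 years", "statutory bookkeeping retention (placeholder)"),
    ]),
    DataStore("Marketing register", "NordChem", "", [          # no legal basis recorded
        DataSet("Marketing contacts", "marketing", ["CRM system"]),   # no retention
    ]),
]

if __name__ == "__main__":
    for where, what in audit_gaps(STORES):
        print(f"GAP  {where}: {what}")
    print("DSAR trail:", " -> ".join(dsar_locations(STORES[0], SYSTEMS)))
```

Run as a script it lists three gaps (the Employee lists set has no retention period, and the Marketing register is missing both a legal basis and a retention period) and prints the Article 15 trail HR-system -> Payroll system -> CRM system. The same checks are what the Ombudsman's auditor asks about in Task 5, so running them against your own register before the audit is cheap insurance.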
Task 5 · 13 min · Final

Audit Preparation & DPIA — Ready for the Ombudsman

Maria Lindqvist, CEO

"The auditor confirmed they want the full RoPA, evidence of DPAs, and confirmation of any DPIAs. What is a DPIA and do we need one for our health data processing?"

A DPIA is mandatory before processing likely to result in high risk to individuals' rights. Key triggers: systematic and extensive profiling; large-scale processing of special category data (e.g., health data); systematic monitoring of publicly accessible areas. If high residual risks remain after mitigation, the controller must consult the supervisory authority before proceeding (Art. 36 prior consultation).

5 · Execute and document a DPIA for sensitive health data processing · ⏱ 13 min
  1. Click All tasks in the sidebar. Search for Executing and documenting data protection impact assessments. Click Add to policy. Create a new DPIA called Processing sensitive health data.
  2. 01 Which processing does the DPIA target?
    • Associated information assets on management system. Under Data stores, select Employee register. Under Data systems, select HR-system (human resources).
    • Freely describe planned data processing. Write "Processing necessary employee health data. The controller is the Hallintopäällikkö / Administrative manager. The processor is Jarkko Virtanen."
    • Reasoning for the necessity of processing. Write "Necessary to maintain accurate health records of employees."
  3. 02 What kinds of risks does the processing cause?
    • Connected data subject's privacy risks. Add Exposure of confidentiality protected information and Profiling reveals confidential data of subjects.
  4. 03 Which actions are used to reduce risk?
    • Risk management measures. Under Privacy: Privacy by design and default, add "Ensuring and documenting the accuracy of personal data".
  5. 04 Are the risks for data subjects too high, or can the processing be continued?
    • Does the processing result in a high risk, which can't be sufficiently mitigated? Click No.
    • Reasoning. Write "Access to the data is strictly regulated and is inaccessible to the public."
Scenario
Which NordChem activity most clearly requires a DPIA under Article 35?
Maintaining a list of B2B customer contacts for account management
Processing occupational health records (special category data) shared with external health providers
Storing employee names and job titles in an HR directory
Sending opted-in marketing newsletters
Knowledge check
A completed DPIA concludes that high residual risks remain even after mitigation. What does Article 36 require?
Abandon the processing activity
Prior consultation with the supervisory authority before proceeding
Obtain individual consent from every affected data subject
Scenario
The auditor finds NordChem's Marketing store lists no retention period and no legal basis. What is the most likely outcome under Article 58?
An immediate fine of €10 million
A corrective measure — typically a formal warning and a remediation deadline
No action — the Ombudsman only acts on data breaches, not documentation gaps
Quick sort
Order these activities for sustainable ongoing compliance (most foundational first):
  • Conduct DPIA reviews when processing activities change
  • Create and document data stores in the Privacy register
  • Document data systems and verify processor agreements
  • Define data sets and configure sensitive data classifications

Case Study Complete!

NordChem's GDPR register is ready for the Ombudsman. You've mapped data stores, data sets, systems, sensitive data classifications, and conducted a full DPIA — building the accountability evidence to back it all up.

Key Takeaways
  • A DPIA is mandatory under Article 35 when processing is likely to result in high risk to individuals
  • If high residual risks remain after mitigation, Article 36 requires prior consultation with the supervisory authority
  • Sustainable compliance is built from the bottom up: registers first, then documentation, then ongoing monitoring