The General Data Protection Regulation, or GDPR EU (Regulation EU 2016/679 of the European Parliament and of Council of 27 April 2016) is a regulation of the European Union introduced to improve and unify personal data protection of individuals within the European Union. It enters into application in May 2018. Although this is a purely EU regulation, it applies NOT only to EU based companies but also to Non-EU: “rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.” (source).
Is that all serious? – Yes! Apart from written warnings and regular audits, “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year“ are subject of sanctions (Article 83). Moreover, in case of any data breaches, the information about it must be provided to the Supervisory Authority within only 72 hours (Article 33) with the notifications of the affected individuals (Article 34).
Just to be clear regarding terminology: “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life.”
After numerous discussions with our clients about this new EU regulation, LeanIX developed recommendations regarding compliance with this new regulation, which we would like to share with you in this article.
First of all, we believe that company compliance with the new regulation is a great opportunity for Enterprise Architects although Data Protection Officers (DPOs) are the center of the GDRP action (Articles 37-39 and more). Not only IT systems or processes, but all the people and the entire enterprise should demonstrate compliance with the new regulation. Article 25 requires data privacy by design and default, so that privacy must have a higher priority than before during every business service, process or product development.
Enterprise Architects have a unique role in the company. They define the overall company architecture, involve all stakeholders, and therefore have answers almost to all the questions which should be posed in order to ensure compliance with the new regulation. Of course, this is only possible if the architectural work is done properly and best enterprise architecture practices are adopted and performed on a regular basis using modern tools. For example, Article 35 requires a Data protection impact assessment (DPIA) to be conducted systematically and extensively.
GDPR compliance preparation steps:
- Get common understanding of the definition of applications with affected stakeholders (e.g. DPOs, Business, etc.)
- Assign responsible people or parties for every application.
- Align data objects and data attributes with DPOs.
- Decide how to collect more data.
Here are some important questions you need to be able to answer to address for a data protection impact assessment (DPIA) and to ensure regulation compliance:
- What is the overall level of data architecture maturity?
- Which applications use which data?
- Which data is used where and by whom (location, users)?
- What information flows and interfaces exist; how is secure data transferred?
- Which data is stored where and is it done in a secure format?
- Do we share data with suppliers? Do they adhere to data security regulations?
- Why do we collect particular data? Is it possible to reduce the amount of private data in storage?
- Is a DPIA performed regularly?
- How well does my Application Portfolio adhere to security standards? How do security standards develop over time?
- How can data consistency be improved? Can I present a consistent CRUD Matrix?
On the screenshots below you can see how the above questions are supported by LeanIX:
Automatic visualizations allow you to see which particular Data Objects are used by which Applications, which in turn can be mapped further to reveal dependent Business Capabilities.
Automatic visualizations allow you to see Data Objects, their formats and transfer protocols
You can access the full GDPR text on the EUR-Lex website.