If you've checked your email anytime during the last week, chances are you've stumbled upon many emails from companies informing you of their changes due to GDPR. Customers are now aware of their rights granted to them by the upcoming regulation, while companies scramble to get everything under control. Below is the definitive guide to solving GDPR with Enterprise Architecture.
Introduction to GDPR
After many years of work on reform, the European Commission set out a plan for data protection that is fit for the digital age.
One of the major contributors to the reform is the introduction of the General Data Protection Regulation (GDPR). This new EU regulatory framework applies to organizations in all member-states and has implications for businesses and individuals across Europe. The purpose of the GDPR is to provide a set of standardized and enforceable data protection laws across all the member countries. After GDPR, EU citizens will better understand how their data is being used, and also raise any complaints, even if they are not in the country where their data is located.
Major Changes Under GDPR:
Conditions for consent (Art. 7 GDPR)
After GDPR, companies will no longer be able to hide behind 25-page terms and conditions documents full of complicated jargon and legalese to obtain consent from their data subjects. Consent will have to be clearly obtained and demonstrated. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.
Notification of a personal data breach to the supervisory authority (Art. 33 GDPR)
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Right to access by the data subject (Art. 15 GDPR)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data will be disclosed, the period for which the personal data will be stored, and much more.
Right to erasure ‘right to be forgotten’ (Art. 17 GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have an obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; the personal data have been unlawfully processed, and many more reasons.
Right to data portability (Art. 20 GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Data protection by design and by default (Art. 25 GDPR)
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. This is to be done taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, of course.
Designation of the data protection officer (Art. 37 GDPR)
Your organization may be required to appoint a Data Protection Officer (DPO). The controller and the processor shall designate a data protection officer in any case where: the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
The GDPR also sets specific standards for organizations to uphold. If companies fail to comply, they face the highest penalties in data protection history.
The projected penalties for noncompliance are steep. Below is the penalty breakdown within the regulation:
Fine: 10,000,000 Euros or 2% of your company's Global Turnover, for offenses related to:
- Child consent;
- Data processing, security, storage, breach, breach notification;
- Transfers related to appropriate safeguards and binding corporate rules; and
- Transparency of information and communication.
Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:
- Data processing;
- Data subject rights;
- Non-compliance with GDPR order; and
- Transfer of data to a third party.
To put it simply, GDPR should be taken very seriously, and everyone in your company should be alert to the steps they can take to ensure compliance. Here's how Enterprise Architecture can help.
Steps Enterprise Architects can Take for GDPR
In most organizations, Enterprise Architects do not have the designated responsibility for ensuring regulatory compliance. That responsibility may lie elsewhere in your organization, with the Chief Risk Officer, the Chief Compliance Officer, or the above-mentioned Data Protection Officer. Together with these officials, Enterprise Architecture can provide the information needed to help ensure compliance.
Enterprise Architects may identify all data that counts as ‘personal’ according to the GDPR through the LeanIX Survey, and classify this data with respect to its privacy sensitivity. Enterprise Architects should make this research a part of their standard security processes, while assigning other information security attributes, such as confidentiality, integrity and availability, to the data.
Detail the purpose for which this data was collected, and ensure you possess or obtain the consent of the data subjects to use it in that way. Add an extra focus on personally identifiable data, which is data related to health, biometrics, politics, religion, ethnicity or trade union membership. Use of personally identifiable data is explicitly prohibited by the GDPR.
Enterprise Architects may analyze the use of personal data, leveraging your existing architecture models to provide a backbone for the analysis. Enterprise Architects may model data flows: which applications, processes, people and parties use this data, at which locations, and for which purpose?
Risks to sensitive data must be assessed, in particular concerning the rights and freedoms of data subjects:
a. Where in your landscape do you notice vulnerabilities?
b. What are the major threats that may exploit these vulnerabilities?
c. What are the potential consequences?
Define controls
Enterprise Architects can define controls and mitigating measures, using widely referenced standards such as the ISO/IEC 27001 as a basis for identifying useful controls.
Prioritize risks, allocate budgets and plan the requisite changes and improvements:
- Evaluate the cost of measures against the risks (the expected loss) to arrive at the optimal budget.
- Integrate this decision-making with your overall portfolio management and supporting roadmaps.
Implement the controls and measures you have defined in your organization, processes and systems, and test their security. Demonstrate compliance to the proper regulatory authorities, showing how you process personal data, how you deal with risks, and which mitigation measures you have implemented.
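The steps above (identify and classify personal data, record its purpose and consent, model data flows, assess risks, and prioritize controls against expected loss) can be captured in a small inventory model. The following is an added, constructed example, not LeanIX functionality or anything from the McKesson case study: the object names, flows, likelihood and loss figures, and the "net benefit" scoring rule are all assumptions made for illustration.

```python
"""Constructed example: a miniature personal-data inventory, data-flow check and
risk prioritisation of the kind an Enterprise Architect could keep beside an EA
repository. Names, figures and the scoring rule are assumptions, not LeanIX
features or GDPR-mandated formulas."""
from dataclasses import dataclass
from typing import List, Tuple

# Special categories of personal data named on the page (Art. 9)
SPECIAL_CATEGORIES = {"health", "biometrics", "politics", "religion", "ethnicity", "trade_union"}


@dataclass(frozen=True)
class DataObject:
    name: str
    categories: frozenset      # empty set means the object holds no personal data
    purpose: str               # purpose for which the data was collected
    consent_recorded: bool     # can the controller demonstrate consent? (Art. 7)


@dataclass(frozen=True)
class DataFlow:
    data: str                  # DataObject.name
    source: str                # application sending the data
    target: str                # application receiving it
    target_location: str       # "EU" or a third country
    safeguards: bool           # appropriate safeguards / binding corporate rules in place


@dataclass(frozen=True)
class Risk:
    data: str
    threat: str
    likelihood: float          # estimated annual probability of the threat materialising
    impact: float              # estimated loss in EUR if it does
    control_cost: float        # yearly cost of the mitigating control

    @property
    def expected_loss(self) -> float:
        return self.likelihood * self.impact

    @property
    def net_benefit(self) -> float:
        # Loss avoided by the control minus what the control costs (assumed scoring rule)
        return self.expected_loss - self.control_cost


def classify(obj: DataObject) -> str:
    """Privacy classification: 'special' (Art. 9), 'personal' or 'non-personal'."""
    if obj.categories & SPECIAL_CATEGORIES:
        return "special"
    return "personal" if obj.categories else "non-personal"


def find_gaps(objects: List[DataObject], flows: List[DataFlow]) -> List[str]:
    """Walk the inventory and the data flows and report compliance gaps as findings."""
    findings = []
    by_name = {o.name: o for o in objects}
    for o in objects:
        cls = classify(o)
        if cls != "non-personal" and not o.consent_recorded:
            findings.append(f"{o.name}: no demonstrable consent for purpose '{o.purpose}' (Art. 7)")
        if cls == "special":
            findings.append(f"{o.name}: special-category data, confirm an Art. 9 legal basis")
    for f in flows:
        if classify(by_name[f.data]) == "non-personal":
            continue
        if f.target_location != "EU" and not f.safeguards:
            findings.append(f"{f.data}: {f.source} -> {f.target} in {f.target_location} "
                            "without appropriate safeguards")
    return findings


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank risks by the net benefit of treating them, highest first."""
    return sorted(risks, key=lambda r: r.net_benefit, reverse=True)


def plan_budget(risks: List[Risk], budget: float) -> Tuple[List[Risk], float]:
    """Greedily fund controls with positive net benefit until the budget is spent."""
    chosen, remaining = [], budget
    for r in prioritize(risks):
        if r.net_benefit > 0 and r.control_cost <= remaining:
            chosen.append(r)
            remaining -= r.control_cost
    return chosen, remaining


# Constructed sample inventory (not real McKesson or LeanIX data)
OBJECTS = [
    DataObject("customer_contact", frozenset({"contact"}), "order fulfilment", True),
    DataObject("patient_record", frozenset({"health", "contact"}), "dispensing", True),
    DataObject("marketing_profile", frozenset({"contact", "behaviour"}), "marketing", False),
    DataObject("product_catalog", frozenset(), "sales", False),
]
FLOWS = [
    DataFlow("customer_contact", "CRM", "Analytics", "US", False),
    DataFlow("patient_record", "Pharmacy", "Archive", "EU", False),
    DataFlow("product_catalog", "ERP", "Webshop", "US", False),
]
RISKS = [
    Risk("patient_record", "insider reads records without need", 0.2, 5_000_000, 150_000),
    Risk("customer_contact", "credential stuffing on webshop", 0.5, 400_000, 50_000),
    Risk("marketing_profile", "export sent to wrong recipient", 0.1, 100_000, 80_000),
]

if __name__ == "__main__":
    for finding in find_gaps(OBJECTS, FLOWS):
        print("GAP:", finding)
    chosen, left = plan_budget(RISKS, 250_000)
    for r in chosen:
        print(f"FUND: {r.data} / {r.threat}: expected loss {r.expected_loss:,.0f} EUR, "
              f"control {r.control_cost:,.0f} EUR")
    print(f"unallocated budget: {left:,.0f} EUR")
```

Run as a script, the model reports three gaps on the sample inventory (a special-category object that needs an Article 9 basis, a marketing profile with no demonstrable consent, and a contact-data flow to a third country without safeguards) and funds the two controls whose expected loss avoided exceeds their cost, leaving the third, where the control would cost more than the expected loss, for a later budget round. In a real landscape the objects, flows and attributes would come from the architecture repository rather than being typed in by hand.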
Case study: Learn how McKesson uses Enterprise Architecture to demonstrate GDPR compliance
Andreas Bosch, Enterprise Architect at the leading health wholesale and retail company McKesson, gave an in-depth talk at EA Connect Day on how McKesson uses LeanIX to demonstrate GDPR compliance. McKesson was founded in 1835 and serves 2 million customers daily in 13 countries across Europe. With about 600 employees in IT, McKesson Corporation is #5 on the Fortune 500 and delivers one third of all prescriptions in North America. As McKesson Corporation had US $199 billion in combined revenue in the last fiscal year, they have a lot to lose - upwards of $4 billion.
Video: GDPR & LeanIX with Andreas Bosch, McKesson
Is your organization prepared to solve GDPR with Enterprise Architecture? Take the quiz below to gauge your GDPR readiness.