A strong Enterprise Architecture practice will help prepare organizations for GDPR

By: Pedro Robledo, BPM process management expert

Any private or public organization anywhere in the world could be caught by General Data Protection Regulation (GDPR, EU Regulation 2016/679) if it processes personal data relating to EU citizens, has a European presence, or has a website offering goods or services to EU citizens. And it critically affects all personal data, changing the way that entire organizations interact with personally identifiable information. It requires changes in both security and processing as well as in the comprehensive documentation they must maintain. It came into force on May 25, 2016 with a moratorium of two years, so they must be ready by May 25, 2018. Penalties for not complying with the legislation are potentially eye-watering, including fines of up to €20 million or 4% of annual global revenue.

The problem lies in how to adapt to regulations (with more than 99 different rules and stipulations around data), which is not obvious and as usual depends on interpretation. According to analyst IDC, 78% of European companies' technology managers still do not know what impact it will have on their business, and the rest only confirm that they already comply with 20%, making it an urgent task for most of European companies. It is estimated that more than 50% of organizations that have to comply with GDPR regulations will not be fully prepared by the end of 2018.

The Regulation is the most significant change in the fundamental rights of data privacy in 20 years, ensuring that personal data are protected regardless of where they are sent, processed or stored. It includes 8 fundamental rights: right to be informed, right to access, right to rectification, right to forget (to erase data when they are not necessary for the purpose with which they were collected), right to restrict processing, right to data portability, the right to object, and the right to make decisions and create automatic profiles.

Companies must take action to have Active Responsibility for these rights.  It is not enough to act against an infraction. It must be proactive and be able to demonstrate compliance with the rules and it is a process of continuous compliance that forces to think and work constantly within the legal framework of regulation. They will have to protect data from design and default, implement security measures, maintain a record of treatments, know the flow of data, manage data as they change over time, conduct impact assessments on data protection, appoint a Data Protection Officer (DPO) with legal competence and technological security infrastructure (it is estimated that 28,000 DPOs will be required in Europe), notify any security breach within 72 hours to the Spanish Data Protection Agency, and promote codes of conduct and certification schemes.

Companies will have to establish barriers in their processes, so that the sensitive information is treated according to the purpose of its use, with confidentiality and integrity. Technology plays a key role in ensuring legal compliance, and must meet privacy requirements (from collection, treatment ... to destruction) and not just security requirements.

Data has become a competitive asset. Companies are collecting as much data as possible on consumers, sometimes before knowing exactly what, how or when that data will be used, causing imbalances between what we know and what they know about us. This practice of data maximization changes with the GDPR towards the principle of data minimization, forcing companies to capture only the least amount of personal data for the shortest time possible and to eliminate it as quickly as possible after have completed their specific purpose.

Although the DPO is primarily responsible for compliance with and implementation of the GDPR, this individual will need a team of specialists to be successful. The Enterprise Architect plays a critical role on this GDPR compliance team. Enterprise architects are uniquely positioned to help their organization to demonstrate that they comply. Leveraging their architecture models for security and privacy analyses, architects can provide cross-cutting analyses on the use and protection of data across the enterprise, its processes, people and IT systems.

Gartner proposes to focus on five high priority changes to cope quickly with EU GDPR:

1. Determine your role under the GDPR.
2. Appoint your data protection officer.
3. Demonstrate accountability in all processing activities.
4. Check your cross-border data flows.
5. Prepare for data subjects exercising their rights.

As Enterprise Architecture (EA) is a key for GDPR compliance, most EA solution vendors are providing extensions to their products and specific information that helps compliance:

• Atoll Technologies explains that EAs can help answer important questions based upon an updated EA repository:

1. How is the organization collecting personal data?
2. Where do personal data reside in the organization?
3. Where does the organization intend to store personal data?
4. How is the organization implementing personal consent mechanisms like opting out?
5. How do personal data move through the organization? Where do they go?
6. How and where does the organization process personal data?
7. How is the organization dealing with the confidentiality of personal data? For example, does it have a means to pseudonymize such information?
8. Who is the DPO and how will they execute their role?
9. Who within the organization owns the processes involving personal data?

• BOC Group has developed product extensions to the EU GDPR for both its Business Process Management suite ADONIS and its Enterprise Architecture Management tool ADOIT.  This allows a simple expansion of documentation and evaluation for existing customers, while new prospective customers can also address the requirements of the GDPR. To enable GDPR, BOC Group has extended their products with a new artefact, the processing activity:

1. From the point of view of the process-driven GDPR documentation, ADONIS supports you in detailing the processing directory. The starting point is the process map and the process sequences described. From there, the processing activities are described and the relevant data categories are identified.
2. If you are following an IT-driven approach, ADOIT can help you in capturing the processing activities from the point of view of your application map, and in turn assigning the corresponding artefacts to them.

• Software AG offers its GDPR Framework to provide companies with the necessary capabilities to comply with the obligations imposed by the new regulations as processors of personal data. This includes the means for creating a detailed record of data processing activities, providing transparency in the information, processes and applications in the context of the GDPR. This is a complex process that involves important internal changes in the companies and demands an orderly planning in the coming months. The GDPR Framework allows organizations to establish a framework within the GRC model (corporate governance, risk management and regulatory compliance) for internal communications to ensure the execution of the GDPR, allowing them to continue doing business within the framework of the European Union (EU).

• BizzDesing proposes 8 steps Enterprise Architects can take to deal with GDPR:

1. In most organizations, enterprise architects do not have final responsibility for ensuring regulatory compliance. This responsibility may lie with your legal department, Chief Risk Officer, Chief Compliance Officer, Chief Information Security Officer, or with the Data Protection Officer newly required by the GDPR. Teaming up with these officials and making them aware of the potential contribution of architecture is the first step.
2. Any work in ensuring compliance will rely on a good overview of the personal data involved. Creating a ‘privacy inventory’ is crucial.
3. Analyze the use of personal data, and if possible, leverage your existing architecture models to provide a backbone for your analysis.
4. Assess risks to sensitive data, in particular concerning the rights and freedoms of data subjects.
5. Define controls and mitigating measures. Use common standards such as the ISO/IEC 27001 as a basis for identifying useful controls.
6. Prioritize risks, allocate budgets and plan the requisite changes and improvements.
7. Implement the controls and measures you have defined in your organization, processes and systems, and test their security.
8. Demonstrate compliance to the regulatory authorities, showing how you process personal data, how you deal with risks, and which mitigation measures you have implemented.

• Planview provides 5 tips to help you get started with GDPR compliance:

1. Identify key groups’ stakeholders in the company and create a committee
2. Work with those stakeholders to ensure they understand what GDPR is, how it will affect your organization, and how YOUR team will support them
3. Schedule a meeting to discuss which departments, technology, processes, and data could be impacted
4. Put a plan in place for adhering to the regulation within your organization
5. Begin documenting information assets that contain personal data and how it is used within the organization

• Avolution presents six steps you can take to gain visibility of the data flows and data provenance in your organization, ultimately helping you to comply with GDPR:

1. Form the team and understand the mission. Architects have the standards, frameworks and the modelling tools to understand exactly how to build the end-to-end picture of the business needed to ensure compliance.
2. Model your IT and personal data stores. Once you understand the data you capture, you’ll need to understand why it’s captured, how it’s processed and who does that processing, where it’s stored, and until when it can be retained.
3. Algorithms and integrations to find shadow IT so you’ll have a complete picture and an unparalleled understanding of your end-to-end capture, processing and storage of personal data.
4. Analyse compliance risks.
5. Roadmapping your route to green.
6. Monitoring and reporting.

GDPR has been designed to strengthen data protection for individuals in the EU. Companies need to review its existing data flows and systems against the GDPR requirements. They are also critical to identifying the actions they need to take to be compliant with GDPR by 2018.

Enterprise architects and risk and compliance professionals are in a strong position to assist the business, and the GDPR compliance teams who plug into existing architecture methods can move more quickly than those which start with a blank sheet. 

GDPR requires to capture the purpose for which the data is stored by the organization and understand whether it is compliant. Enterprise architects are already skilled at providing details about data security for information security audits and other regulatory requirements. However, they need in-depth knowledge of the organization’s architecture, including people, processes, system and applications. A rigorous data and systems audit, and clear documentation of processes, will pay off when showing that your business has demonstrated compliance with the GDPR principles relating to personal data.