McKesson Successfully Uses EAM Software to Demonstrate GDPR Compliance

Andreas Bosch, Enterprise Architect for leading health wholesale and retail company McKesson, gave an in-depth speech at EA Connect Day on how McKesson uses LeanIX to demonstrate GDPR compliance.

About McKesson:

McKesson was founded in 1835 and services 2 million customers daily in 13 countries across Europe. With about 600 employees in IT, McKesson Corporation is #5 on the Fortune 500 and delivers 1/3^rd of all prescriptions in North America.  

Why use an EAM tool for GDPR compliance?

McKesson initially onboarded with LeanIX just to demonstrate GDPR compliance, but in the end, the EAM software has helped to solve many other use cases.

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The main purpose of the GDPR is to provide a set of standardized data protection laws to protect the Personally Identifiable Information (PII) of EU citizens. Penalties for noncompliance are high.

The penalty breakdown within the regulation:

Fine: 10,000,000 Euros or 2% of your company's Global Turnover, for offenses related to:

• Child consent;
• Data processing, security, storage, breach, breach notification;
• Transfers related to appropriate safeguards and binding corporate rules; and
• Transparency of information and communication.

Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

• Consent;
• Data processing;
• Data subject rights;
• Non-compliance with GDPR order; and
• Transfer of data to a third party.

As McKesson Corporation has US $199 billion in combined revenue in the last fiscal year, they have a lot to lose. 2% of $199 billion is $4 billion. McKesson must take GDPR very seriously.

The two GDPR documentation approaches:

1.  Business process driven
   - this approach starts with a full process inventory
   - links PII data objects, apps, IT components, and involved providers
   - asks the question, "how well documented is your process landscape?"
   
   
2. IT/application driven
   - this approach starts with a full application inventory
   - links PII data objects, interfaces, involved providers of IT components in order to document data. 
   - asks the question, "how well documented is your application landscape?"
   

McKesson chose the application approach.

GDPR Documentation support by LeanIX:

As the best way to prepare for GDPR is to know exactly where your data is stored, who has access to it, why it was collected, and to be able to quickly manipulate it – it is important to have all of this information at hand.

• Who are the user groups accessing this application?
• Who are the application owners?
• Is this particular data stored on premise? Is it SaaS hosted?
• Who is the data controller?
• Is the information collected considered PII? (Personally Identifiable Information?)
• There is an area to describe why you collected this particular data.
• Who are the service providers used to process the data?
• Where are the service providers located? EU? The US? Asia?
• Who is the data manager for this particular application?

Bosch urged the crowd of 230 Enterprise Architects to get started on their GDPR projects as early as possible. Other key takeaways:

• Inform the application owners which rights the data objects now have
• Overcommunicate with your application owners to generate readiness and raise awareness
• Alert them of which questions will be raised in the next year
• Link your annual GDPR review with LeanIX repository
• Develop KPIs to measure GDPR documentation completeness

Bosch was also clear to point out that even with such a complex and widespread IT landscape,  they did not have to customize LeanIX to get these stellar outcomes. The out-of-box solution worked for them. Learn what LeanIX can do for you by scheduling a demo.