In previous blog posts, we’ve outlined the new EU General Data Protection Regulation that will go into full effect in May of 2018. We’ve previously discussed the proposed penalties for noncompliance, which questions to ask your chief information security officer to gauge your organization’s level of compliance, what GDPR means for organizations affected by Brexit, and many other focus topics.
This blog post will address the prominent role that Enterprise Architects can take to prepare their organization for compliance.
The EU GDPR will force companies to rethink how they handle personal data. To help ensure compliance, Enterprise Architects need a broad overview of how personal data is collected. They need to know almost everything about the data - down to which employees have access to it.
Going forward, article 35 of the GDPR requires your company to demonstrate compliance through routine data protection impact assessments (DPIA). During the DPIA, your organization must demonstrate a coherent, deliberate and connected view of everything related to personal data.
This can be a huge burden for EAs, who are also responsible for preparing the organization for digital transformation, IoT, microservices, and many other crucial topics.
Most organizations don’t know much about the inner workings of their data sets. The EU GDPR now requires organizations to know everything about their data: why it was collected, where it was used, where and how it is processed, which employees have access to it, where the data is stored, etc.
Enterprise Architects have a unique and fully integrated vantage point of their organization, which gives them the best opportunity to assess, improve, and ensure company-wide data protection.
The conditions for consent have been strengthened. Companies will no longer be able to use 25-page terms and conditions documents full of difficult jargon and legalese. The request for consent must be given in an easily accessible form, with the purpose of data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Privacy by design calls for data protection to be built in from the outset of system design, rather than added on afterwards. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), and to limit access to personal data to those who need it to carry out the processing.
Article 25 requires data privacy by design and by default, so privacy must be given a higher priority than before in the development of every business service, process or product.
As previously stated, GDPR will require a self-assessment called the DPIA. It is imperative to clearly identify all data that is considered ‘personal’ under GDPR. During the assessment, your company must show how you process personal data, how you deal with risks, and which measures you are taking to comply.
One of the main drivers behind requiring organizations to have a full view of their data is to give end users more control over it. Under GDPR, end users have the right to access their data, to request a copy of their data on record, and to receive prompt data breach notifications. This change is a dramatic shift towards data transparency and empowerment of data subjects.
Article 84 outlines the fine schedule for noncompliance. The fees are as follows:
€10 million or 2% of global revenue of the prior year, if it is determined that noncompliance was related to technical measures.
€20 million or 4% of global revenue of the prior year, applied to cases of noncompliance with key provisions of the GDPR.
Examples that fall under this category are:
Figure 1: LeanIX dashboard showing which applications are at risk.
The LeanIX dashboard can enable your organization to answer the following questions with ease:
Having clear access to the data needed to answer all of these questions will ensure that your company passes the DPIA and avoids paying steep penalties.
The LeanIX dashboard enables Enterprise Architects to lead the organization to successful GDPR compliance. Our heatmaps show you which applications are at risk, the survey feature proposes important questions that will keep your company in the compliance mindset, and many other features can be used to demonstrate continual compliance. May 2018 is closer than you think, and a lot of work may be needed, so don’t hesitate and start today!