Build and transform technology landscapes to support evolving business strategies and operationalize innovation.
Learn moreMaximize market potential through a partner program offering LeanIX solutions tailored to your business model.
Learn moreTake your capabilities to the next level and arm yourself with the knowledge you need
See all resourcesEverything about what is GDPR and what it means for your company, major changes under GDPR and Steps Enterprise Architects can take for GDPR.
► Find out how Enterprise Architecture is key for overcoming your data protection and GDPR struggles.
The General Data Protection Regulation, in short GDPR, is a regulation in EU law that is intended to strengthen and unify data protection and privacy not only in the European Union (EU) but the entire European Economic Area (EEA). It was issued by the European Commission and includes a set of standardized protection laws that are designed to protect the Personally Identifiable Information (PII) of all EU citizens. However, the GDPR also regulates the transfer of personal data outside the areas of the EU and EEA.
The GDPR was first adopted in 2016 and came into full effect two years later. Since the GDPR is a set of regulations and not a directive, it became immediately enforceable as law in all member states of the EU in May 2018. As a new regulatory framework aimed to protect personal data and to provide a regulatory environment for businesses, it had implications for all organizations, enterprises, and individuals across the EEA. Thus, it set clear rules for companies on how to process and store the personal data of individuals.
As the protection of personal data is the main focus of the GDPR, it is now easier for EU citizens to understand what companies are doing with their information. Consequently, online customers have increased awareness when it comes to their rights. This in turn means that businesses need to adapt their operations to the new regulations in order to create the required transparency. If your company processes PII and operates within the EU, you are obliged to adhere to the GDPR. However, this is easier said than done.
On the one hand, the standardization that the GDPR has introduced to the digital business world comes with numerous benefits. On the other hand, implementing the regulations can be a real challenge for companies that aren’t well-prepared or have a lack knowledge. Plus, the complexity and quality of their data can make it difficult to transition into a new modus operandi. As of now, there’s still a big number of enterprises that don’t fully meet the GDPR. This comes at a high price as non-complying business owners face heavy penalties.
In order to become fully compliant with the GDPR, businesses need to work through a set of complicated steps. This might include an overhaul of their privacy policy, cleaning up newsletter mailing lists, or adjusting how cookies and plugins are being used. It is especially in the beginning when some degree of legal uncertainty slows down the process or causes confusion. Since expert help is required more often than not, companies need to account for additional expenses and increase their data security budget.
The GDPR has brought a lot of changes to the digital business landscape, many of them involving transparency and consent when it comes to collecting personal data. Here’s a non-exhaustive list of the key changes every business doing trade with EU citizens should be aware of.
Art. 3 GDPR: Increased territorial scope
This new regulation addresses the processing of personal data done by companies operating in the EU, regardless of whether the processing takes place in the EU or not. This is how the legislator wants to ensure comprehensive protection of the data subjects’ rights and create a level playing field.
Art. 7 GDPR: Conditions for consent
Companies are not allowed to hide behind complicated terms and conditions anymore when processing personal data. Thus, they’re required to get the data subjects’ consent while presenting their request in a clear manner using accessible and plain language.
Art. 33 GDPR: Notification of a personal data breach to the supervisory authority
Despite the strictest data security measures, data breaches can occur. If the rights and freedoms of natural persons are at risk, a company has to act within 72 hours after having become aware of the data breach and notify the supervisory authority.
Art. 15 GDPR: Right to access by the data subject
The data subject is entitled to receive confirmation from the company or controller whenever personal data concerning him or her are being processed. This includes the nature of the data, the purpose of the processing, how long the data will be stored, who will obtain access to it, and more.
Art. 17 GDPR: Right to erasure “right to be forgotten”
The data subject has the right to have his or her personal data erased without undue delay. Among other circumstances, this applies when the data is no longer necessary in relation to the purpose of collection or processing or when the data has been processed in an unlawful way.
Art. 20 GDPR: Right to data portability
Whenever the data subject is sharing personal data, he or she has the right to receive this data in a well-structured and machine-readable format. The company or controller also has to make sure that the data can be transmitted to another controller if requested by the subject.
Art. 25 GDPR: Data protection by design and by default
When processing personal data, the company or controller needs to implement data-protection principles such as pseudonymization, data minimization, and other appropriate measures that are within technical and organizational reasons. This is to ensure that personal data is properly safeguarded.
Art. 37 GDPR: Designation of the data protection officer
Whenever the data processing is carried out by a public authority or if an organization is dealing with a large scale of special categories of data, a Data Protection Officer (DPO) needs to be appointed. It is the DPO's role to monitor data and make sure that data protection measures are on par with state-of-the-art technology.
The projected penalties for noncompliance are steep. Below is the penalty breakdown within the regulation:
Fine: 10,000,000 Euros or 2% of your company's Global Turnover, for offenses related to:
Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:
To put it simply, GDPR should be taken very seriously, and everyone in your company should be alert to the steps they can take to ensure compliance. Here's how Enterprise Architect can help.
In most cases, a data protection officer will need support during the beginning stages of the GDPR implementation. A study has shown that the biggest challenges when it comes to GDPR compliance are ensuring data quality (73%) and handling data complexity (67%). Enterprise Architects help the DPO achieve compliance by offering insights into all existing data, processes, and apps used by the enterprise. Furthermore, they provide vital information on data subjects and data flows, pointing out risks and potential security breaches.
EAs also identify which specific technology is needed to put the new GDPR measures in place and run a data protection impact assessment (DPIA) before rolling out new applications. This might even involve consulting technology owners. Since integrating the GDPR is challenging the existing architectural framework of a company, it’s the enterprise architect’s role to redesign the enterprise architecture by applying best practices and modern EA tools. In fact, this is the prerequisite for a smooth and successful GDPR implementation.
But the enterprise architect isn’t the only one responsible. EAs and DPOs work closely together and coordinate all necessary steps on the road to GDPR compliance. At the same time, key managers and stakeholders need to be kept in the loop, which is why the EA also acts as an interface between the DPO and the rest of the company. Thus, working with a skilled enterprise architect isn’t just a way to speed up the implementation process. It’s also the best way to avoid costly GDPR fines or readjustments in the future.
In the previous section, we outlined the importance of an enterprise architect when implementing the new GDPR into an existing architectural framework. EAs make sure that a company has the appropriate architecture including all the technological requirements and a structured approach when it comes to handling the personal information of all data subjects.
But what does that look like in practice? Below are five typical steps that help EAs create a successful GDPR architecture.
In the first step, enterprise architects identify all data that are considered “personal” under the GDPR. Since there are different degrees of privacy sensitivity, the EA may categorize the data according to various attributes including confidentiality, integrity, or availability.
The EA has to outline the purpose of the data collection and make sure the data subjects have given their consent. The GDPR prohibits the use of data that concerns identifiers like health, biometrics, or personal information about politics, ethnicity, religion, or trade union membership.
In this step, the EA analyses how the enterprise uses PII, including which applications, processes, or people handle the data and why. This helps in assessing all the security risks as the EA needs to find the biggest threats and weaknesses within the architectural landscape.
In order to mitigate the threats from the previous step, the EA needs to define useful controls and determine a budget. It’s important to evaluate the cost of data protection measures against the identified risks and their possible consequences for the company.
Once technology risks have been reviewed and controls are defined, concrete security checks and preventative measures are being implemented. At the end of this process, the EA needs to be able to demonstrate GDPR compliance and transparency to the regulatory authorities.
When it comes to achieving perfect GDPR compliance with the help of enterprise architecture, leading health wholesale and retail company McKesson serves as a prime example. With its headquarters in North America, McKesson also has over 2 million daily customers in 13 EU countries and was therefore affected by the new GDPR issued by the European Commission.
The in-house Enterprise Architect Andreas Bosch who successfully implemented the new and complex General Data Protection Regulation for the Fortune 500 company used LeanIX to overcome IT and business challenges.
Is your organization prepared to solve GDPR with Enterprise Architecture? Take the quiz below to gauge your GDPR readiness.
In a highly digitized world, most business transactions are conducted online which has created unique challenges for data protection. Therefore, the new GDPR issued by the European Commission intends to create standardization and transparency when it comes to the processing and use of personally identifiable information. Mandatory GDPR compliance for businesses operating within the EU and the European Economic Area has come into full effect in May 2018.
However, there’s still a significant number of companies who don’t meet the new data protection regulations risking fines of up to €10 million for less severe infringements and penalties of up to €20 million for more serious infringements. This failure to meet the GDPR is largely due to legal insecurities, data complexity, and gridlocked enterprise architecture. That is why every company needs to designate a data protection officer who closely works with an enterprise architect during all stages of implementation.
A skilled enterprise architect knows the ins and outs of the current enterprise architecture including its pitfalls and data security risks. With the help of state-of-the-art EA tools and software, EAs are able to handle large amounts of complex data and ensure data quality. By gaining an overview of the data and creating a proper GDPR architecture, the EA can master all data protection obstacles, so GDPR compliance is met.
Free White Paper