Most organizations are unsure about GDPR and just what the road ahead will bring.
Do they need a roadmap? Do they need a guide? Organizations need to see that GDPR is not just another roadside attraction; it is one of the most far-reaching rules to come along in years. The European Union’s General Data Protection Regulation (GDPR) has pushed the Data Protection Officer (DPO) quite suddenly into the spotlight. If this is a leading role in GDPR, then surely the enterprise architect plays a supporting role – and a critical one at that.
As DPOs are putting their teams together to assess what needs to be done to ensure compliance by May 25, 2018, astute DPOs are making sure the chief enterprise architect has a seat at the table.
Why does enterprise architecture (EA) play such an important role in GDPR compliance? To answer this, let’s first look at what GDPR requires of companies that are doing business with EU subjects.
As we have said in previous blogs, as a data controller and/or processor you need to know what data falls under the regulation’s definition of personal data; how it was obtained; what it is being used for; and whether it is for that purpose a) minimized, b) accurate and c) stored only for the time necessary for fulfillment.
So what are the consequences of this for you as the controller/processor? First of all, in order to know what data you have, where it is located and how it is processed you need a type of map of all your data stores and applications so you can see what you have and where it is. Then you can set about analyzing and classifying them according to various GDPR-relevant attributes in a record of processing activities.
This is like a guidebook to accompany the map that tells you what you’re going to find at each location. It will describe the data sets as to whether they are ascribable to a person and what kind of information they hold; e.g. location information, invoicing information, purchases, legal fines, community or forum information, device identification, credit ratings or user activity tracking.
To the applications it will ascribe properties such as the purpose of the application (e.g. billing, marketing analysis, direct marketing, monitoring, incident management, recruiting or customer scoring), whether there is a security concept for the application, what kind of security concept it is, whether there is a separate test system and whether test system data is anonymized.
Finally, it will provide information on how the data sets are handled (e.g. retention policy, deletion method, processing geography, processor, origin of the data, who has access, whether accesses are logged, who or what system is a recipient of the data and stakeholder types such as private or enterprise customers, employees, or applicants).
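As an added illustration (not part of the original post or of any product), here is a hypothetical Python schema for one entry in such a record, with a gap check run over a constructed sample register; the field names and the check rules are assumptions derived from the attributes listed above.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class ProcessingActivity:
    application: str
    purpose: str                    # e.g. billing, marketing analysis
    data_categories: List[str]      # e.g. invoicing, user activity tracking
    personal: bool                  # is the data set ascribable to a person?
    security_concept: str           # "" when no security concept exists
    test_system: bool               # is there a separate test system?
    test_data_anonymized: bool
    retention_policy: str           # "" when none is defined
    processing_geography: str
    accesses_logged: bool
    recipients: List[str] = field(default_factory=list)

def gdpr_gaps(a: ProcessingActivity) -> List[str]:
    """List the GDPR-relevant gaps of one entry; an empty list means none found."""
    if not a.personal:
        return []                   # not personal data: outside the regulation's scope
    gaps = []
    if not a.security_concept:
        gaps.append("no security concept")
    if a.test_system and not a.test_data_anonymized:
        gaps.append("test system holds non-anonymized personal data")
    if not a.retention_policy:
        gaps.append("no retention policy")
    if not a.accesses_logged:
        gaps.append("accesses not logged")
    if a.processing_geography != "EU":
        gaps.append("processed outside the EU: document the transfer basis")
    return gaps

def audit(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each application to its gaps so the DPO can see where to start."""
    return {a.application: gdpr_gaps(a) for a in register}

# Constructed sample register; the applications and values are invented.
REGISTER = [
    ProcessingActivity("Billing", "billing", ["invoicing", "purchases"], True,
                       "ISO 27001 aligned", True, True, "10 years", "EU", True,
                       ["Accounting"]),
    ProcessingActivity("WebAnalytics", "marketing analysis",
                       ["user activity tracking", "device identification"], True,
                       "", True, False, "", "US", False, ["Marketing"]),
    ProcessingActivity("Monitoring", "monitoring", ["host metrics"], False,
                       "", False, False, "", "EU", False),
]
```

Running `audit(REGISTER)` returns no gaps for Billing and Monitoring and five for WebAnalytics, which is the kind of prioritized view a DPO needs from the record.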
Now back to our enterprise architect. EA is predestined to be the foundation for this record of processing activities. Comprised of business architecture, information architecture, technical architecture and application architecture, EA inherently has the structure and content to provide the insight into the IT landscape needed as your company is embarking on its GDPR journey.
So, even in this phase of GDPR readiness where we are all somewhat unsure about the road that lies ahead, look to the company’s chief enterprise architect, who is armed with that essential map and guidebook to take that first step towards compliance.