If you’re already grappling with compliance with the EU’s General Data Protection Regulation (GDPR) coming into force in 2018, then you’re ahead of the curve. If you haven’t started yet, it’s reassuring to know that enterprise architects are in a strong position to use existing data to support an EU privacy regulatory affairs strategy for GDPR compliance.
Enterprise architects can access both the data and analytic techniques needed to accelerate IT audits, model data flows and infer where sensitive data might be stored. They also have tools to pull together reports for the C-suite, with marketing and beyond.
Already both private and public organisations are adding extra resources, running a fine-tooth comb over their privacy and data protection policies, and gearing up to audit their IT systems and data governance strategies to make sure they don’t end up on the wrong side of the EU data sheriffs come 2018.
Penalties for not complying with the legislation are potentially eye-watering, including fines of up to €20 million or 4% of annual global revenue. A peculiarity of the GDPR is that it extends the reach of EU data protection law to non-European businesses. GDPR also pushes compliance “down” the IT architecture stack, requiring much more granular information than existing data-governance regulations.
Multinationals and particularly large financial services companies, such as banks and insurers, are proving more proactive than most in getting their data warehouses in order, but most other industries will also need to pay attention.
The aim of GDPR is to ensure that personal data is stored with consent, for a specified purpose and for a duration that is in keeping with the reason for obtaining the data in the first place. It is designed to strengthen data protection for individuals in the EU.
However, any company anywhere in the world could be caught by this legislation if it processes personal data relating to EU citizens, has a European presence, or has a website offering goods or services to EU citizens. Businesses holding personal data, such as data for marketing, human resources or for more specific functions such as external payroll services, are also potentially affected.
GDPR introduces new – and quite tough – data protection rules. Businesses may need to implement strict technical and organisational security measures, including pseudonymisation and data encryption. They will be required to notify data breaches to the relevant data protection authorities within 72 hours. In certain circumstances the breach will also have to be notified to the affected data subjects. Companies will also have to conduct privacy impact assessments before carrying out high-risk data processing and build in privacy by design when processing personal data. Organisations of a certain size will have to appoint a data protection officer.
Enterprise architects are already skilled at providing details about data security for information security audits and other regulatory requirements. However, GDPR goes a step further, requiring the organisation to capture the purpose for which the data is stored and understand whether that processing is compliant. To do this, executives need in-depth knowledge of the organisation’s architecture, including people, processes, systems and applications.
There are two broad parts to gearing up for GDPR compliance: designing the compliance machine and then running it. Designing the compliance machine means designing the processes, defining the roles and building an understanding of the organisation’s end-to-end personal information processing activities, which will enable you to meet your GDPR obligations.
Running the compliance machine means running those processes day-in, day-out, responding to individual requests from customers and regulators, dealing with breaches and monitoring compliance activity. These are operational activities and are where you’ll deploy your existing line-of-business systems, process automation, collaboration and reporting technologies and processes.
But design is not a one-hit activity. The pace of change for modern enterprises means that even if the design of the compliance processes themselves stays static, the design of what they’re regulating – the systems and processes that process personal data – is an ever-shifting target. And that means architecture needs to play a key role in ongoing compliance assurance.
Here are six steps you can take to gain visibility of the data flows and data provenance in your organisation, ultimately helping you to comply with GDPR.
1. Form the team and understand the mission
Each organisation works differently. In some, enterprise architects may be directly responsible for ensuring GDPR compliance. In others, architects may not have even been invited to the party. But don’t doubt that the architecture team – or more accurately, the architecture of your enterprise – has a big role to play in compliance. The consistent thread here is the need to understand your end-to-end business and IT operations. Architects don’t just have that mandate, they also have the standards, frameworks and the modelling tools to understand exactly how to build the end-to-end picture of the business needed to ensure compliance.
So the first thing for architects to do is buddy up with their risk and compliance colleagues. As an architect, if you’re not already on first-name terms, don’t be afraid to introduce yourselves – this is a big job and will need all the hands it can get. Grab a coffee and start the conversation with, “I think we can help.” Next, it’s very important you, and the organisation’s legal counsel and executives, have a thorough understanding of GDPR.
2. Model your IT and personal data stores
The GDPR legislation governs information – how it’s captured, why it’s processed and who it’s shared with – so your starting point needs to be a description of the information itself. A data model or business dictionary is the best foundation for understanding the types of personal information your organisation captures and processes (and don’t forget that “personal information” is wider than just your customer information).
Once you understand the data you capture, you’ll need to understand why it’s captured, how it’s processed and who does that processing, where it’s stored, and until when it can be retained. This means linking that data description up, down and across your end-to-end architecture.
Now this can be a lot of work and while there is no easy way to short-cut the process, there are things you can do to accelerate it. To maintain a common view of your business and IT operations it’s important to ensure the tool you’re using provides a truly shared repository and supports multi-user collaboration. Without this, you will waste valuable time reconciling different views of the same IT applications, or different descriptions of the same data or activity. And if you yourselves don’t have transparency of your operation, you’ll struggle to demonstrate it to a regulator. A shared repository provides that “single version of the truth” that means everybody’s looking at the same thing.
It’s faster to re-use and conform existing information than to start with a blank sheet. Start by understanding existing sources of the information described above – application catalogues, process maps and project design documents can all give you a jump-start in populating your end-to-end view. Chances are, you already have a pretty good list of the parts, leaving you to focus on the insight you really need to create: understanding how those parts connect together in the end-to-end processing of personal data.
3. Algorithms and integrations to find shadow IT
Here’s the thing that keeps your compliance and infosec practitioners awake at night: information proliferates. Even in the best-regulated organisations and businesses, it’s very hard to prevent information from being copied, distributed, saved to a local drive or loaded into an Access database your IT service team have never even heard of. If you truly want to understand your end-to-end information flows you’re going to need to cast your net a lot wider than just your IT department. This means having a solution that can reach deep into your shadow IT estate.
The end result of these data audit and modelling missions is that you’ll have a complete picture and an unparalleled understanding of your end-to-end capture, processing and storage of personal data. If you’re smart, you can accelerate your knowledge capture by using the information you already have to figure out which areas to look at next. For example, if you know that a sales system stores customer data, it’s reasonable to infer that the processes that use it also process the same data, and the people who perform those processes also access it.
4. Analyse compliance risks
So, you’ve mapped your end-to-end estate. Finished? Not yet. For each element on that map, be it a business process, an application or a cloud hosting provider, you will need to analyse where the non-compliance risks are. GDPR requires a raft of control measures around your processing of personal data. These include: consent (is data capture consistent with the provisions? Look at your customer-facing processes and systems. Do they clearly seek consent where required? Is the purpose for data capture made clear to customers?), protection by design (are there adequate access controls around personal data? Is data capture restricted to only that required for the processing purpose?), secure processing (are technical security mechanisms in place to protect against unauthorised loss or disclosure of personal data?), and sharing (where data is shared with third-party organisations or third countries, are appropriate controls in place?). Your objective here is to produce a compliance heatmap showing the most critical remediation areas which need attention in order to move towards GDPR compliance.
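The inference described in step 3 (a system known to hold customer data implies the processes and people downstream of it also handle that data) and the control analysis in step 4 are both graph problems over the architecture repository. The following is an added illustration, not code from the article or from ABACUS: it walks a constructed data-flow graph outward from the stores already known to hold personal data, then rates each in-scope element against the control areas the article lists (consent, data minimisation, access control, secure processing, third-party sharing). The element names, the flow edges, the audit evidence and the RED/AMBER/GREEN thresholds are all assumptions made up for the example.

```python
"""Infer the personal-data footprint of an architecture model and build a
compliance heatmap. Constructed example; not the article's or ABACUS's code."""
from collections import deque

# Constructed repository: an edge "X -> Y" means personal data held or
# processed by X is accessed by, flows to, or is operated by Y
# (data store -> application -> business process -> role / third party).
FLOWS = {
    "CRM database": ["Sales app", "Marketing export"],
    "Sales app": ["Order-to-cash process", "Analytics cloud (US)"],
    "Order-to-cash process": ["Sales team"],
    "Marketing export": ["Campaign tool"],
    "Campaign tool": ["Marketing team", "Email vendor"],
    "Inventory database": ["Warehouse app"],       # no personal data here
    "Warehouse app": ["Stock-count process"],
    "Stock-count process": ["Warehouse team"],
}

# Stores the data model has already classified as holding personal data.
KNOWN_PERSONAL_DATA_STORES = {"CRM database"}

# Control areas from the article; evidence per element is constructed.
# True = control evidenced, False = control absent, None = not applicable.
CONTROL_AREAS = ("consent", "minimisation", "access_control",
                 "encryption", "sharing")
CONTROLS = {
    "CRM database": dict(consent=True, minimisation=True, access_control=True,
                         encryption=False, sharing=None),
    "Sales app": dict(consent=True, minimisation=True, access_control=True,
                      encryption=True, sharing=None),
    "Marketing export": dict(consent=None, minimisation=False,
                             access_control=False, encryption=False,
                             sharing=None),
    "Analytics cloud (US)": dict(consent=None, minimisation=False,
                                 access_control=True, encryption=True,
                                 sharing=False),   # third-country transfer
    "Campaign tool": dict(consent=True, minimisation=True,
                          access_control=True, encryption=True, sharing=None),
    "Email vendor": dict(consent=None, minimisation=None, access_control=True,
                         encryption=True, sharing=False),
    # Processes and teams reached by inference but not yet audited are
    # deliberately absent: the heatmap must surface them as UNKNOWN.
}


def infer_personal_data_scope(flows, seeds):
    """Breadth-first walk from the known personal-data stores; every element
    reachable along a flow edge is inferred to handle the same data."""
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for downstream in flows.get(node, []):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def failed_controls(evidence):
    """Applicable controls (not None) that the audit found to be absent."""
    return [area for area in CONTROL_AREAS if evidence.get(area) is False]


def rate(failed_count):
    """Assumed thresholds: two or more gaps is RED, one is AMBER."""
    if failed_count >= 2:
        return "RED"
    return "AMBER" if failed_count == 1 else "GREEN"


SEVERITY = {"RED": 0, "UNKNOWN": 1, "AMBER": 2, "GREEN": 3}


def build_heatmap(flows, seeds, controls):
    """Return (element, rating, gaps) for each in-scope element, worst first.
    Elements in scope with no audit evidence are rated UNKNOWN so that the
    inferred footprint is never silently treated as compliant."""
    rows = []
    for element in infer_personal_data_scope(flows, seeds):
        evidence = controls.get(element)
        if evidence is None:
            rows.append((element, "UNKNOWN", ["no audit evidence captured"]))
            continue
        gaps = failed_controls(evidence)
        rows.append((element, rate(len(gaps)), gaps))
    return sorted(rows, key=lambda r: (SEVERITY[r[1]], r[0]))


if __name__ == "__main__":
    for element, rating, gaps in build_heatmap(
            FLOWS, KNOWN_PERSONAL_DATA_STORES, CONTROLS):
        print(f"{rating:8} {element:24} {', '.join(gaps) or '-'}")
```

The walk deliberately stops at the warehouse branch, which never receives CRM data, so out-of-scope elements do not inflate the remediation list; conversely, the sales process and the teams reached only by inference come out as UNKNOWN rather than GREEN, which is the honest answer until someone captures their control evidence.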
5. Roadmapping your route to green
In some cases your organisation will need to wrap tighter controls around existing business processes and IT systems and technologies. In other cases, it will be necessary to discontinue or replace them altogether. Roadmaps allow you to articulate how you plan to get there. Your heatmap is already a basic roadmap, showing the strategic intent for each business process, application or technology. Now you can start to add detail, modelling migration activities, dependencies and, crucially, timescales.
As your organisation works through this process, you will have new roles, processes and controls to introduce. These may include a data protection officer, processes for personal data access, rectification, erasure or transfer, or processes for breach notification and impact assessment.
6. Monitoring and reporting
The GDPR legislation makes it clear that “security by design” is the new normal. This requires architects, compliance professionals and executives to build compliance into the design of all current and future business and IT processes. That sounds straightforward, but balancing the requirement for rigorous information controls with business demands for market agility, quick customer insight or migration to the cloud is a tall order. Here’s the good news: If you’ve completed the previous steps, you’ve already built the means to monitor the compliance of your business process and IT system designs. Now your task is to ensure that changes to that baseline are tracked, and that you have the ability to intercept and remediate non-compliant designs before they go live.
Enterprise architects and risk and compliance professionals are in a strong position to help the business review its existing data flows and systems against the GDPR requirements. They are also critical to identifying the actions the business needs to take to be compliant with GDPR by 2018.
Architecture teams already play a key role in the governance of IT and business change and in ensuring compliance with policies and standards. This includes assessing project designs and issuing build permits or waivers. They are also responsible for escalating non-compliant designs for resolution.
GDPR compliance teams that plug into existing architecture methods can move more quickly than those that start with a blank sheet. A rigorous data and systems audit, and clear documentation of processes, will pay off when showing that your business has demonstrated compliance with the GDPR principles relating to personal data.
The need to maintain a proactive approach and to regularly carry out data mapping and compliance audits means it is worth investing time and effort in getting the correct systems and tools in place up front so that this process is time-efficient, rigorous and also future-proofed as your organisation evolves.
Dr Tim O’Neill is a recognised authority and strategic advisor who has guided delivery of multi-billion-dollar transformations for Fortune 500 companies and governments. He is a founder of Avolution, which provides the leading enterprise modelling and IT strategy toolset, ABACUS.