Realize GDPR Compliance with Enterprise Architecture Management
Data protection is becoming more and more important in a world where many aspects of life are supported by IT systems that process personal data, and where a great many organizations run such systems.
General Data Protection Regulation (GDPR)
With Regulation (EU) 2016/679 of the European Parliament and of the Council, data protection becomes a prominent issue for all organizations operating inside the European Union. This is because both the rights of individuals to information from organizations and the reporting and disclosure obligations of organizations have been extended. Some examples:
- Consent: Stronger conditions apply as to how consent about personal data processing is given.
- Breach notification: Loss, theft or unauthorized access to personal data must be reported.
- Subject access: Subjects can demand information whether their personal data is processed by an organization or demand porting their data to another provider.
- Right to be forgotten: Subjects can demand data to be erased or restrict the processing of their data.
- Data governance: Measures to ensure data governance must be put in place, e.g. privacy impact assessments (PIA), audits, or the appointment of a data protection officer.
Disregarding the new legislation can lead to severe penalties. GDPR Article 83 provides for fines of up to 20 m Euros or up to 4 % of the total worldwide annual turnover.
In order to reach compliance with GDPR, a lot of information about all data handling activities and the data processed needs to be collected, analyzed and made accessible. Action must be taken now, as the regulation comes into force on May 25th 2018.
Enterprise Architecture Management supports GDPR Compliance
Enterprise Architecture Management (EAM) is the part of IT management that deals with documenting the existing IT landscape, defining standards and planning the future IT landscape. As this task requires collecting and maintaining a lot of metadata about an organization's IT, EAM is usually tool-based.
First of all, these tools already come with a lot of information about the IT that is relevant for GDPR:
- Documented applications show where (inside and outside of an organization) data are processed and how.
- Information Flows describe how data are exchanged between applications.
- Catalogues for business data define the categories of data used by applications and business processes.
Such repositories are easily amended with the information specific for GDPR and thus lead to a much more complete view of an organization’s IT processing activities.
EAM tools also provide strong reporting capabilities. Alfabet, for instance, offers among others the following reports and views:
- Applications and their interrelation via information flows can be made visible using information flow diagrams.
- Data processing activities (create, read, update, delete) are listed in so-called CRUD matrices.
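To make the link between an EAM repository and GDPR reporting concrete, the following is an added example (not code from the original page and not Alfabet's own data model): a minimal repository of applications, a business-data catalogue and information flows, from which a CRUD matrix and GDPR-oriented views are derived. All records are constructed sample data; the "personal data" flag on a data category is the kind of GDPR-specific amendment the text refers to and is assumed here.

```python
# Added example: a minimal EAM-style repository and the GDPR views derived from it.
# All entries are constructed sample data, not taken from any real tool.
from collections import defaultdict

# Business data catalogue, amended with a GDPR flag: category -> is personal data?
DATA_CATEGORIES = {
    "CustomerMaster": True,
    "OrderHistory": True,
    "ProductCatalog": False,
}

# Documented applications: which data categories they use and the
# CRUD operations (create, read, update, delete) performed on each.
APPLICATIONS = {
    "CRM": {"CustomerMaster": "CRUD", "OrderHistory": "R"},
    "WebShop": {"CustomerMaster": "CR", "OrderHistory": "CRU", "ProductCatalog": "R"},
    "Analytics": {"OrderHistory": "R", "ProductCatalog": "R"},
}

# Information flows: (source, target, data category, target is outside the organization).
INFORMATION_FLOWS = [
    ("WebShop", "CRM", "CustomerMaster", False),
    ("CRM", "MailingProvider", "CustomerMaster", True),
    ("WebShop", "Analytics", "OrderHistory", False),
]


def crud_matrix():
    """CRUD matrix as {data category: {application: operations}}."""
    matrix = defaultdict(dict)
    for app, usage in APPLICATIONS.items():
        for category, ops in usage.items():
            matrix[category][app] = ops
    return dict(matrix)


def personal_data_processors():
    """Applications that process at least one personal-data category (sorted)."""
    return sorted(app for app, usage in APPLICATIONS.items()
                  if any(DATA_CATEGORIES[c] for c in usage))


def external_personal_flows():
    """Flows that carry personal data to a recipient outside the organization."""
    return [(src, dst, cat) for src, dst, cat, external in INFORMATION_FLOWS
            if external and DATA_CATEGORIES[cat]]


def erasure_scope(category):
    """Applications that must be covered when data of a category is erased."""
    return sorted(app for app, usage in APPLICATIONS.items() if category in usage)
```

The CRUD matrix answers subject access requests (where is a category processed and how), the external flows view supports disclosure about recipients, and the erasure scope lists every application a right-to-be-forgotten request must reach.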
Methodical Setup of GDPR Compliance
We support your organization in realizing GDPR compliance in a three-step approach:
- Inform: Get to know the GDPR regulation and its requirements from the legal and IT point of view in a one-day workshop.
- Define: Define the measures that need to be taken based on your individual requirements (e.g. how to configure EAM tools to provide information needed for GDPR, how to change processes to incorporate GDPR steps, etc.).
- Realize: We help you to implement the measures defined in step 2. Among other things, we set up and enhance your EAM tool for the GDPR use cases from step 2 and import the necessary data. We offer various tools to automate the retrieval of data about the IT landscape, e.g. our Landscape Analyzer for SAP systems and Amazon Web Services (AWS).