Three Steps towards GDPR Compliance
We stated that Enterprise Architecture Management (EAM) tools are a natural starting point for collecting and managing the data that are necessary for GDPR compliance.
In order to use this starting point properly we mentioned a three-step approach. Today, we would like to go a little further describing these three steps.
Step 1 – Inform
First of all it is necessary to get to know the GDPR regulation and its requirements both from a legal and IT point of view. This can be done in a one-day workshop.
Such a “GDPR Briefing” workshop should at least have the following items on the agenda:
- Introduction to the topic of GDPR in a holistic manner
- Legal perspective
- Organizational perspective
- IT perspective
- Discuss the “need for action” for the company and identify main points
- Derive first top-level recommendations for GDPR compliance implementation
We offer these GDPR Briefing workshops in cooperation with lawyers.
Step 2 – Define
In the next step the different perspectives of GDPR should be considered in more detail. Besides changes to contracts or end user license agreements on the legal perspective or the installation of new roles (e.g. a data protection officer) and the necessary overhaul of (especially) end user business processes one needs to check the readiness of the existing IT landscape for GDPR:
- Analysis of the IT landscape regarding GDPR (in particular Article 30)
- Evaluation of the GDPR Readiness from the perspective of IT
- Recommendations for the implementation of GDPR with focus on IT
These “GDPR Readiness Checks” are usually performed in short-time projects and are used to prepare the final step.
Step 3 – Realize
Finally, recommendations and defined measures need implementation. This should be based on a project plan derived from a “GDPR Readiness Check” and encompasses points like:
- Set up and enhance the EAM tool for the GDPR use case
- Import the necessary data
- Applications and how they process business data
- Servers where applications are deployed and their physical location
- How applications support business capabilities and organizational units
- Automate updates for these data in the EAM tool
- Name responsibilities and incorporate the EAM tool in GDPR compliance processes
- Train GDPR responsibles
When it comes to the setup of an EAM tool as the “golden source” for GDPR compliance there is always one reason that hinders quick results – the amount of data to be collected about the existing IT landscape.
We offer various “remedies” for this particular obstacle which automatically read a specific part of the IT landscape and make it visible in EAM tools – and thus accountable in terms of GDPR:
- Landscape Analzer for SAP: This tool reads the basic data about entire ABAP-based SAP landscapes (systems, clients, interfaces). We are currently working on an enhancement to also gather interfaces between SAP systems and non-SAP systems using SAP PI.
- AWS integration: Servers running as virtual machines in the Amazon cloud (Elastic Cloud Compute [EC2] service of the Amazon Web Services) can be read via this tool and automatically imported in an EAM tool.
Do you have questions or comments? Feel free to let us know what you think about this approach and whether it makes sense to you. Let us know when you have questions the post did not cover deep enough. We’re glad to help: sales(at)cti-consulting.de.