In a world where many aspects of life are supported by IT systems that process personal data, and where many organizations operate these systems, data protection is becoming increasingly important.
General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council makes data protection an important issue for all organizations operating within the European Union. This is because both the rights of individual users to information vis-à-vis organizations and the obligations of organizations to report and disclose have been extended. Some examples:
- Consent: Stricter conditions apply to how consent to the processing of personal data is given.
- Reporting of breaches: Loss, theft or unauthorized access to personal data must be reported.
- Access for data subjects: Data subjects can request information about whether their personal data is being processed by an organization or request that their data be ported to another provider.
- Right to be forgotten: Data subjects can request the erasure of their data or restrict the processing of their data.
- Data management: Measures must be taken to ensure data governance, e.g. data protection impact assessments (PIA), audits or the appointment of a data protection officer.
Failure to comply with the new legislation can lead to severe penalties. GDPR Article 83 provides for fines of up to 20 million euros or up to 4% of total annual global turnover.
In order to achieve compliance with the GDPR, a lot of information about all data processing activities and the data processed must be collected, analyzed and made accessible. Action must be taken now as the regulation comes into force on May 25, 2018.
Enterprise Architecture Management supports compliance with the GDPR
Enterprise Architecture Management (EAM) is the part of IT management that deals with the documentation of the existing IT landscape, the definition of standards and the planning of the future IT landscape. As a lot of metadata about an organization’s IT needs to be collected and maintained for this task, EAM is usually tool-based.
EAM tools such as Alfabet (Software AG) or LeanIX (LeanIX GmbH) can help companies achieve GDPR compliance for several reasons.
First of all, these tools already contain a lot of information about IT that is relevant to the GDPR:
- Documented applications show where (inside and outside an organization) data is processed and how.
- Information flows describe how data is exchanged between applications.
- Business data catalogs define categories of data used by applications and business processes.
Such repositories can easily be supplemented with GDPR-specific information, resulting in a much more complete overview of an organization’s IT processing activities.
EAM tools also offer strong reporting capabilities. Alfabet, for example, offers the following reports and views, among others:
- Applications and their interaction via information flows can be visualized with the help of information flow diagrams.
- Data processing activities (creating, reading, updating, deleting) are listed in so-called CRUD matrices.
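The following Python script is an added illustration, not code from Alfabet, LeanIX or the page's authors, of how the repository content listed above (applications, information flows, a business data catalog) can be annotated with a GDPR-specific "personal data" flag and then turned into the reports a data protection review needs: a CRUD matrix, a record of processing activities per application, the information flows that carry personal data to externally hosted applications, and data categories that no application can delete (an erasure request could not be fulfilled end to end). The data model, field names and sample entries are constructed for the example and do not reflect any real EAM tool schema or organization.

```python
"""Toy EAM repository with a GDPR annotation and the reports derived from it.

Added example: the classes, field names and sample data below are constructed
and are not the schema of Alfabet, LeanIX or any real organization.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataCategory:
    name: str
    personal: bool  # GDPR-specific flag added to the business data catalog


@dataclass
class Application:
    name: str
    hosting: str  # "internal" or "external" (processor / SaaS), assumed vocabulary
    # CRUD operations per data category, e.g. {"Customer": "CRUD", "Invoice": "R"}
    operations: dict = field(default_factory=dict)


@dataclass(frozen=True)
class InformationFlow:
    source: str
    target: str
    categories: tuple  # data categories exchanged over this flow


# Constructed sample repository content.
CATEGORIES = [
    DataCategory("Customer", personal=True),
    DataCategory("Invoice", personal=True),
    DataCategory("Product", personal=False),
]

APPLICATIONS = [
    Application("CRM", "internal", {"Customer": "CRUD", "Product": "R"}),
    Application("Billing", "internal", {"Invoice": "CRU", "Customer": "R"}),
    Application("Mailing SaaS", "external", {"Customer": "R"}),
    Application("PIM", "internal", {"Product": "CRUD"}),
]

FLOWS = [
    InformationFlow("CRM", "Billing", ("Customer",)),
    InformationFlow("CRM", "Mailing SaaS", ("Customer",)),
    InformationFlow("PIM", "CRM", ("Product",)),
]


def crud_matrix(apps, categories):
    """Application x data-category matrix; each cell lists the letters of CRUD that apply."""
    return {
        app.name: {
            cat.name: "".join(op for op in "CRUD" if op in app.operations.get(cat.name, ""))
            for cat in categories
        }
        for app in apps
    }


def processing_activities(apps, categories):
    """Every (application, personal-data category, hosting) triple, sorted.

    This is the overview an access request from a data subject is answered from."""
    personal = {c.name for c in categories if c.personal}
    return sorted(
        (app.name, cat, app.hosting)
        for app in apps
        for cat in app.operations
        if cat in personal
    )


def external_personal_flows(flows, apps, categories):
    """Information flows carrying personal data into an externally hosted application."""
    hosting = {a.name: a.hosting for a in apps}
    personal = {c.name for c in categories if c.personal}
    return [
        (f.source, f.target, cat)
        for f in flows
        for cat in f.categories
        if cat in personal and hosting.get(f.target) == "external"
    ]


def erasure_gaps(apps, categories):
    """Personal-data categories that some application handles but none can delete."""
    personal = {c.name for c in categories if c.personal}
    matrix = crud_matrix(apps, categories)
    gaps = []
    for cat in sorted(personal):
        ops = {op for row in matrix.values() for op in row[cat]}
        if ops and "D" not in ops:
            gaps.append(cat)
    return gaps


if __name__ == "__main__":
    for app, row in crud_matrix(APPLICATIONS, CATEGORIES).items():
        print(f"{app:12s}", row)
    print("processing activities:", processing_activities(APPLICATIONS, CATEGORIES))
    print("personal data to external apps:", external_personal_flows(FLOWS, APPLICATIONS, CATEGORIES))
    print("categories nobody can delete:", erasure_gaps(APPLICATIONS, CATEGORIES))
```

In the constructed data the erasure report flags "Invoice": Billing creates, reads and updates invoices but no application implements Delete, so a right-to-be-forgotten request could only be honoured after that capability is added or a retention justification is documented. The external-flow report surfaces the customer data sent to the mailing provider, which is where a processor agreement and transfer assessment would have to be recorded.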
A methodical approach to GDPR compliance
We support your company in implementing GDPR compliance in a three-stage approach:
- Inform: Learn about the GDPR regulation and its requirements from a legal and IT perspective in a one-day workshop.
- Define: Define the actions that need to be taken based on your individual requirements (e.g. how EAM tools need to be configured to provide the information required for the GDPR, how processes need to be changed to incorporate the GDPR steps, etc.).
- Realize: We help you implement the measures defined in step 2. Among other things, we set up your EAM tool, extend it for the GDPR use cases from step 2 and import the required data. We offer various tools to automate the retrieval of data across the IT landscape, e.g. with our Landscape Analyzer for SAP systems and Amazon Web Services (AWS).