In our last post, we already talked about the impending entry into force of EU Regulation 2016/679 on data protection at the end of May 2018.
We noted that Enterprise Architecture Management (EAM) tools are a natural starting point for collecting and managing the data needed to comply with the GDPR.
To properly utilize this starting point, we mentioned a three-step approach. Today we would like to describe these three steps in a little more detail.
Step 1 – Inform
First of all, it is necessary to familiarize yourself with the GDPR regulation and its requirements from both a legal and IT perspective. This can be done in a one-day workshop.
Such a “GDPR briefing” workshop should have at least the following points on the agenda:
- Introduction to the topic of GDPR in a holistic way
- Legal perspective
- Organizational perspective
- IT perspective
- Discussion of the need for action for the company and identification of priorities
- Derivation of initial top-level recommendations for the implementation of GDPR compliance
We offer these GDPR briefing workshops in collaboration with lawyers.
Step 2 – Define
The next step is to take a closer look at each perspective on the GDPR. Besides the legal work (amending contracts or end-user license agreements), the organizational work (installing new roles, e.g. a data protection officer, and revising the affected business processes, in particular end-user-facing ones), the readiness of the existing IT landscape for the GDPR must also be reviewed:
- Analysis of the IT landscape with regard to GDPR (in particular Article 30)
- Assessment of GDPR readiness from an IT perspective
- Recommendations for implementing the GDPR with a focus on IT
These “GDPR Readiness Checks” are usually carried out in short-term projects and serve to prepare for the final step.
Step 3 – Implement
Finally, the recommendations and defined measures must be implemented. This should be based on a project plan derived from a “GDPR Readiness Check” and include the following points:
- Setting up and expanding the EAM tool for the GDPR use case
- Importing the required data:
  - Applications and how they process business data
  - Servers on which the applications are deployed and their physical location
  - How applications support business functions and organizational units
- Automated updates for this data in the EAM tool
- Designating responsibilities and integrating the EAM tool into the GDPR compliance processes
- Training of those responsible for GDPR
When it comes to setting up an EAM tool as a “golden resource” for GDPR compliance, there is always one reason that prevents quick results – the amount of data to be collected about the existing IT landscape.
For this hurdle, we offer various “workarounds” that automatically read out a certain part of the IT landscape and make it visible in EAM tools, so that it is covered by the GDPR records:
- Landscape Analyzer for SAP: This tool reads the basic data of entire ABAP-based SAP landscapes (systems, clients, interfaces). We are currently working on an extension to also capture interfaces between SAP systems and non-SAP systems via SAP PI.
- AWS integration: Servers running as virtual machines in the Amazon Cloud (Elastic Cloud Compute [EC2] service of Amazon Web Services) can be read out via this tool and automatically imported into an EAM tool.
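As an added example of the kind of import the AWS integration performs (this is not the tool described above, nor any vendor code), the following Python flattens an EC2 DescribeInstances response into one EAM server record per instance, taking the physical location from the placement availability zone. The tag names `Application` and `OrgUnit` and the `UNMAPPED` marker are assumed conventions, not something the post specifies; an instance that cannot be mapped to an application is still emitted so the gap is visible in the EAM tool rather than silently dropped.

```python
"""Turn an EC2 DescribeInstances response into flat EAM server records.

Added example, not the AWS integration described in the post. Assumed
conventions (not from the post): instances carry 'Application' and 'OrgUnit'
tags, and the EAM import expects one record per server with its physical
location derived from the availability zone.
"""
from typing import Dict, List


def tags_to_dict(tags) -> Dict[str, str]:
    """EC2 returns tags as a list of {'Key': ..., 'Value': ...}; index them by key."""
    return {t["Key"]: t["Value"] for t in (tags or [])}


def ec2_to_eam_records(describe_response: dict) -> List[Dict[str, str]]:
    """Flatten Reservations -> Instances into EAM server records.

    Instances without an 'Application' tag are emitted with 'UNMAPPED' so the
    missing application assignment shows up in the EAM tool as a gap to close.
    """
    records = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = tags_to_dict(inst.get("Tags"))
            az = inst.get("Placement", {}).get("AvailabilityZone", "")
            records.append({
                "server_id": inst["InstanceId"],
                "hostname": inst.get("PrivateDnsName", ""),
                # Standard AZ names are region + one letter: eu-central-1a -> eu-central-1
                "region": az[:-1] if az else "",
                "availability_zone": az,
                "state": inst.get("State", {}).get("Name", ""),
                "application": tags.get("Application", "UNMAPPED"),
                "org_unit": tags.get("OrgUnit", "UNMAPPED"),
            })
    return records


def unmapped_servers(records: List[Dict[str, str]]) -> List[str]:
    """Server ids that still need an owner/application assignment in the EAM tool."""
    return [r["server_id"] for r in records if r["application"] == "UNMAPPED"]


def fetch_from_aws(region_name: str) -> dict:
    """Live variant: needs boto3 and credentials allowed to call ec2:DescribeInstances."""
    import boto3  # imported here so the offline functions above work without it
    return boto3.client("ec2", region_name=region_name).describe_instances()


# Constructed sample response; the shape follows the EC2 DescribeInstances API.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "PrivateDnsName": "ip-10-0-1-10.eu-central-1.compute.internal",
     "Placement": {"AvailabilityZone": "eu-central-1a"}, "State": {"Name": "running"},
     "Tags": [{"Key": "Application", "Value": "CRM"}, {"Key": "OrgUnit", "Value": "Sales"}]},
    {"InstanceId": "i-0bbb222", "PrivateDnsName": "ip-10-0-2-20.eu-central-1.compute.internal",
     "Placement": {"AvailabilityZone": "eu-central-1b"}, "State": {"Name": "running"}},
]}]}
```

Running `ec2_to_eam_records(SAMPLE_RESPONSE)` yields two records, the second flagged `UNMAPPED`; in a real import the `fetch_from_aws` result replaces the constructed sample.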