The primary goal of digital transformation is to improve an enterprise’s focus on its customers. Given the complexity of today’s digital enterprises, however, there are often additional priorities that are every bit as important, if not as strategic, as customer focus.
In particular, the primary business driver of digital transformation is frequently regulatory change. Regulatory compliance is essentially a risk mitigation business driver. Furthermore, compliance with new or changed regulations typically comes with a firm deadline.
In the case of the General Data Protection Regulation (GDPR), regulatory change is driving cross-organizational transformation at companies in Europe and around the globe.
At the same time, such efforts also improve those firms’ focus on their customers, as the GDPR mandates how companies deal with information about any EU citizen – in particular, their customers. GDPR compliance is thus adding urgency to transformation efforts that are already strategic to the enterprise.
About the GDPR
The GDPR is the European Union’s legal framework for the privacy and protection of the personal data of all EU citizens. Once the May 2018 deadline for implementing the regulation passes, it will apply not just to European companies, but to any company anywhere in the world that has information about EU citizens.
The GDPR thus establishes ground rules for any company that holds or processes personal data of such citizens. It requires companies to maintain records of data processing activities, appoint Data Protection Officers (DPOs), conduct privacy impact assessments, implement enhanced transparency in the form of privacy notices and consent forms, and honor the rights of EU citizens to be forgotten and to move their data from one company to another.
The penalties for non-compliance can be draconian – up to €20 million or 4% of a company’s annual worldwide turnover. The regulation supersedes all relevant national laws within EU countries, and extends the scope of the current EU data protection law to all foreign companies processing EU citizens’ data.
There are many facets to the GDPR, but the minimum mandatory requirements include maintaining accurate records of all sensitive personal data storage and processing, implementing processes that account for personal data privacy, and the ability to demonstrate to regulators that the company has put forth a ‘best effort’ to comply with the GDPR.
Enterprise Architects’ Essential Role
Although the DPO is primarily responsible for compliance with and implementation of the GDPR, this individual will need a team of specialists to be successful. The Enterprise Architect (EA) plays a critical role on this GDPR compliance team.
In particular, EAs can help answer important questions based upon an updated EA repository, such as the one that Atoll SAMU offers.
Some of these questions apply directly to personal data:
- How is the organization collecting personal data?
- Where do personal data reside in the organization?
- Where does the organization intend to store personal data?
Other questions focus more on business processes involving personal data, for example:
- How is the organization implementing personal consent mechanisms like opting out?
- How do personal data move through the organization? Where do they go?
- How and where does the organization process personal data?
- How is the organization dealing with the confidentiality of personal data? For example, does it have a means to pseudonymize such information?
A third set of questions focuses more on individuals and their roles:
- Who is the DPO and how will they execute their role?
- Who within the organization owns the processes involving personal data?
Figure: The “Customer support” process with the applications it uses (some of them SaaS) and its data flows. The data elements transferred are listed on each data flow. Data elements also appear on the right; clicking one highlights the data flows and applications where that particular data is transferred or processed.
Figure: All data processing records related to the “Customer support” business process, with purpose and consent status visible for each record.
Given the diversity of such questions, EAs are particularly well-suited to support the DPO’s efforts because they have broad visibility into the business, the technology, and the data within the organization.
EAs can support the DPOs they work with by providing insights into all processes, applications, and data that are relevant to GDPR compliance. Furthermore, they can offer information on data objects, data flows, and associated responsibilities.
EAs are also well-situated to draw attention to risks and potential compliance breaches. Outside of the GDPR compliance team, EAs can also help technology owners identify technology risks and prepare preventative measures within the scope of their responsibility.
In fact, this risk identification role for EAs is especially important for the data protection impact assessment (DPIA), which organizations must perform before they deploy a new technology.
Additionally, EAs can be instrumental in defining application development guidelines that conform to the principles of data protection. Such guidelines will naturally apply to developers, but they also apply to system architects, database architects, security analysts, and other personnel who must be up to speed on how GDPR affects their roles.
Finally, EAs are well-situated to ensure continuous compliance with GDPR, and therefore they serve a critical day-to-day role within the processes that the regulation impacts.
The Intellyx Take
As with all compliance mandates, it is insufficient simply to be compliant with the GDPR. Every organization must also be able to prove that it is compliant.
In other words, in addition to the rules about collecting, using, and managing data on EU citizens, the GDPR also establishes corresponding rules for information on how each company is complying with the regulation, for example, compliance auditing processes and requirements.
In addition, compliance is never static. Today’s world is extraordinarily dynamic, and the rate of change is only increasing. Such change complicates the GDPR compliance challenge.
Adequate compliance today may not mean adequate compliance tomorrow. In such turbulent environments, Enterprise Architecture is instrumental to facilitating continuous governance and compliance within a context of flexible control.
Furthermore, an Enterprise Architecture collaboration tool and repository like SAMU is an essential tool in the toolbelt of EAs as they support the DPO and the rest of the organization. Such a tool also provides essential visibility to auditors who must determine the level of compliance within an organization.
In the final analysis, GDPR compliance touches many different people across a wide range of processes and supporting technologies within any company. EAs are well-positioned to coordinate the necessary communication and collaboration in order to avoid the organizational and technological silos that are so common in large organizations, and yet anathema to successful implementation of a GDPR compliance effort.
Without an effective EA role, the GDPR compliance effort will face unnecessary risks – which might lead to a costly mistake.
Copyright © Intellyx LLC. Atoll is an Intellyx client. At the time of writing, none of the other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this paper. Image credit: Atoll.