GDPR Data Governance

The EU General Data Protection Regulation (GDPR) becomes effective on 25 May 2018. Fines for non-compliance can be up to 20,000,000 EUR or up to 4% of the annual worldwide turnover.

Scope

The Regulation applies if the data controller (the organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, e.g. a cloud service provider) or the data subject (the person) is based in the EU. Furthermore, the Regulation also applies to organisations based outside the European Union if they collect or process the personal data of EU residents.

What is personal data privacy?

According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Penalty

Fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.

Why architects’ involvement is needed to comply with GDPR

Many of GDPR’s questions can only be answered by architects with the help of an up-to-date architecture knowledge base:

  • Where is personal data collected? – Is consent obtained, and is an opt-out available?
  • Where is personal data stored?
  • Where is personal data transferred?
  • Where is personal data processed?
  • Who are the data owners of these data elements?
  • Is personal data pseudonymised? (meaning that personal data is transformed in a way that the resulting data cannot be attributed to a specific data subject without the use of additional information)
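
The pseudonymisation bullet above is the one item in this list that describes a concrete technique, so here is an added worked example (not code from the original page or from the SAMU product) showing what “cannot be attributed to a specific data subject without the use of additional information” means in practice. The schema, the field names, the customer records and the key are all constructed for the example: direct identifiers are replaced with a keyed HMAC token, the token-to-identifier table that allows re-identification is returned separately so it can be stored under its own access controls, and a check confirms that no original identifier value survives in the data set handed to a processor.

```python
import hashlib
import hmac

# Fields that directly identify a data subject (constructed example schema).
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample data; the key would normally live in a secrets store
# separate from both the pseudonymised data and the re-identification table.
KEY = b"constructed-demo-key"
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 42.0},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 17.5},
]


def subject_token(email: str, key: bytes) -> str:
    """Stable pseudonym for one data subject.

    A keyed HMAC (rather than a plain hash) means the token cannot be linked
    back to the e-mail address without the key, even by dictionary guessing.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_dataset(records, key):
    """Return (pseudonymised records, re-identification table).

    The table maps token -> direct identifiers; it is the 'additional
    information' in the Regulation's definition and must be kept apart from
    the processed data.
    """
    pseudonymised = []
    reid_table = {}
    for rec in records:
        token = subject_token(rec["email"], key)
        reid_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        cleaned = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        cleaned["subject"] = token
        pseudonymised.append(cleaned)
    return pseudonymised, reid_table


def leaks_identifiers(pseudonymised, originals) -> bool:
    """Pre-transfer check: does any original identifier value survive?"""
    values = {str(rec[f]) for rec in originals for f in DIRECT_IDENTIFIERS if f in rec}
    blob = " ".join(str(v) for rec in pseudonymised for v in rec.values())
    return any(v in blob for v in values)


def reidentify(pseudonymised_record, reid_table):
    """Rejoin a record with its identifiers; only possible with the table."""
    ids = reid_table[pseudonymised_record["subject"]]
    rec = {k: v for k, v in pseudonymised_record.items() if k != "subject"}
    rec.update(ids)
    return rec


if __name__ == "__main__":
    data, table = pseudonymise_dataset(CUSTOMERS, KEY)
    print("pseudonymised:", data)
    print("identifiers leaked:", leaks_identifiers(data, CUSTOMERS))
    print("re-identified first record:", reidentify(data[0], table))
```

The design point for the architecture inventory is that two separate data stores now exist, each answering the “where is personal data stored?” question differently: the pseudonymised set can be processed or transferred with reduced risk, while the re-identification table and the key are the assets whose location and ownership must be recorded.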

Additionally, architects can maintain the application development guidelines that implement the principles of data protection by design and by default.

Systems processing personal data
Application communication diagrams highlighting the data flows that transfer, and/or the applications that process, “Customer” data.
Blog post: Enterprise Architects: Critical Resource for GDPR Compliance

Working on GDPR compliance?

Let us show you how SAMU can support you!