GDPR – Gaining accountability using Enterprise Architecture

13 December 2017

By now most companies should have heard about the new EU General Data Protection Regulations (GDPR). See https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

The deadline is looming ever closer, and there are hefty fines for companies that fail to comply. The penalties for non-compliance could put a huge dent in your profits and viability: fines of up to €20 million or 4% of annual global revenue. That alone is a strong reason for your company to use Enterprise Architecture to deal with the GDPR changes.

GDPR does not affect only European-based companies; it applies to any company dealing with European citizens. What’s more, even BREXIT won’t help: the UK government has already committed to GDPR after BREXIT. Sorry!

Companies that already have a healthy, strategic Enterprise Architecture capability will be in a much stronger position. I don’t just mean EITA here, of course, but real Enterprise Architecture.
GDPR is not just about IT change, but also about business change. Your existing Enterprise Architecture models will make it very much easier to identify the impact of the EU GDPR regulations, by adding new attributes and heat maps to existing catalogues, matrices and diagrams.

Purpose of GDPR

The purpose of GDPR is to improve on the previous data protection rules. In this digital eCommerce world, that is absolutely essential. This is no longer a so-called box-ticking exercise but a cultural change in mindset and in levels of trust and integrity.
Companies such as UBER can no longer be blasé and hide being hacked for months, losing huge amounts of customers’ personal data, without coming clean about it and consequently stopping it from happening again.

See http://ec.europa.eu/justice/data-protection/reform/index_en.htm

The aim of the General Data Protection Regulations is to ensure that personal data is stored with customers’ informed consent, where the customer knows for what purpose data about them will be used and for how long it will be kept. Customers will also want to know how their personal data is being used afterwards, especially after a merger or acquisition. What, for example, does Facebook plan to do with WhatsApp data now that it has acquired WhatsApp?
It is certainly not transparent, is it? A customer might have trusted WhatsApp, but do they still trust the new owner, Facebook? Facebook seems to be increasingly pushing fake news and becoming more political, which is troubling. Don’t just worry about SkyNet but also about Big Brother.

GDPR has been introduced to make companies honest and to increase their data security and overall integrity. Luckily, Enterprise Architects are already skilled at providing details of party data, data models, data flows and data security to support information security audits, privacy impact assessments and other regulatory requirements.

Something like GDPR is exactly the kind of strategic change scenario that Enterprise Architecture is designed to support.
What are the requirements? How do they affect the various EA domains: Strategy, Business Architecture, Information and Data Architecture (of course), Services and Application Architecture, and also the Technology and Infrastructure Architecture where the personal data will be stored?
The same considerations apply whether the data is stored on premises or in the cloud. Enterprise Architects now need to build in privacy by design.

Organisations will need to know why the data is needed. Is it always really needed, or is it just for future cross-selling and data analytics?
Is that personal data compliant with GDPR? Probably it is no longer compliant. Who uses the personal data? What business processes are involved? Too many process models that I’ve seen fail to show access to read and update data objects, let alone the business events that are related to customers’ data. What data services are involved? What applications need to be upgraded or replaced? I expect many package applications are being updated to ensure their compliance with GDPR. How do we ensure visibility of data to the customers, against a background of continual change?
How do companies prove that they are being honest with customers’ data, and especially how do they keep customers informed? If customer data increasingly has a value, then how will customers gain value from how companies use their data without their informed consent?

The Enterprise Architecture repository should already be able to answer all of these questions.
If not then why not? If not now, then when?

Companies without any credible Enterprise Architecture will be at a huge disadvantage and will have to rapidly catch up. It’s never too late.
And once again, this is not simply about IT Architecture or Data Architecture; it’s about the whole enterprise, which includes partners and suppliers as well. You will need to know what your contractors are doing with customers’ personal data.

In many organisations, the application architecture covers only so-called Business Applications that are approved and managed by the IT department. You also have to model the End User Computing (EUC) applications, such as the Excel spreadsheets, Access databases, SharePoint tables and cloud databases (Box, Dropbox, Google Drive, etc.) that business users have created, unbeknownst to IT, in order to do their job outside the main business applications. These EUC applications and databases must also be considered.

EA Governance and Compliance

Enterprise Architects, Business Architects, Risk Managers and Compliance Managers are in a strong position to assist the business to review their existing data flows and applications against the GDPR requirements.

See http://ec.europa.eu/justice/data-protection/reform/index_en.htm

Companies with an Enterprise Architecture capability will normally also have set up an EA Governance and Compliance capability. For GDPR, the Strategies, Goals, Objectives, Measures, Policies, Business Rules and Governance organisation structure all need to be reviewed and enhanced.
The Enterprise Architecture team should already be playing a key role in these EA governance bodies: in the Architecture Governance Board for strategic changes, and in a Technical Design Authority ensuring compliance with policies, rules, patterns and standards.

Risk management and Audit processes also need to be reviewed and updated. Enterprise Architects are usually involved as key stakeholders for these. Are there adequate controls and monitoring of events? Is the data secure against hacking and accidental loss?

Enterprise Architecture Modelling

As with any enterprise architecture work, you need to identify the current and target architectures, identify gaps and change initiatives, and then plan a roadmap of those changes. Heat maps of GDPR-related changes are an essential way to identify and prioritise the changes needed.

Once the Enterprise Architecture changes for GDPR are made, it is important to maintain continual operation, monitoring and reporting, so the target Enterprise Architecture will need to include new end-to-end processes, roles and responsibilities for the business to ensure continual compliance. Is data being captured with consent and a clear purpose, fully communicated to customers? ‘Security by Design’ is the new normal. This requires enterprise architects, compliance managers and C-level executives to build compliance into the design of all current and future Enterprise Architecture models.

At a minimum, the following Enterprise Architecture deliverables need to be reviewed:

  • Data Catalogue
  • Data Model diagram
  • Process model
  • Process flow diagrams (Event-driven Value streams)
  • Application Service models (Catalogues and Diagrams)
  • Application model (Catalogues and Diagrams)
  • Application Integration/Flow diagrams
  • Data storage models (Databases, Data stores, Messages)
  • Data flow Diagrams
  • Infrastructure Service Catalogues
  • Infrastructure Component Catalogues
  • Infrastructure Diagrams
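To illustrate the heat map idea above, and the earlier points about adding GDPR attributes to existing catalogues, EUC components and external processors, here is a small Python model written for this article (it is not code from the original post or from any EA tool). The catalogue entries, the scoring weights and the red/amber/green thresholds are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Component:
    """A catalogue entry (application or data store) with added GDPR attributes."""
    name: str
    personal_data: bool                    # holds customers' personal data
    euc: bool = False                      # End User Computing: spreadsheet, Access DB, cloud drive
    external: bool = False                 # contractor, partner or service provider
    purpose_recorded: bool = True          # purpose / consent basis documented
    retention_days: Optional[int] = None   # None = no retention period defined

@dataclass
class Flow:                                # one data flow matrix entry: source -> target
    source: str
    target: str
    personal_data: bool

def heatmap(components: List[Component], flows: List[Flow]) -> Dict[str, int]:
    """Score each component; higher = more GDPR change needed (weights are assumptions)."""
    by_name = {c.name: c for c in components}
    scores = {c.name: 0 for c in components}
    for c in (x for x in components if x.personal_data):
        scores[c.name] += 1                                     # personal data present at all
        scores[c.name] += 2 if c.euc else 0                     # created outside IT governance
        scores[c.name] += 2 if not c.purpose_recorded else 0    # cannot evidence purpose/consent
        scores[c.name] += 1 if c.retention_days is None else 0  # "how long is it kept" unanswered
    for f in (x for x in flows if x.personal_data and by_name[x.target].external):
        scores[f.source] += 1                                   # personal data leaves the enterprise
        scores[f.target] += 2                                   # processor needs contract and audit
    return scores

def rag(score: int) -> str:
    """Map a score to the red/amber/green colour shown on the heat map."""
    return "RED" if score >= 4 else "AMBER" if score >= 2 else "GREEN"

# Constructed sample repository for the demonstration (not a real organisation).
COMPONENTS = [
    Component("CRM", personal_data=True, retention_days=730),
    Component("SalesLeads.xlsx", personal_data=True, euc=True, purpose_recorded=False),
    Component("AnalyticsPartner", personal_data=True, external=True),
    Component("ProductCatalogue", personal_data=False),
]
FLOWS = [
    Flow("CRM", "SalesLeads.xlsx", personal_data=True),
    Flow("CRM", "AnalyticsPartner", personal_data=True),
    Flow("ProductCatalogue", "CRM", personal_data=False),
]

def ranked_heatmap() -> List[Tuple[str, int, str]]:
    """Components ordered by GDPR priority, each with its RAG colour."""
    scores = heatmap(COMPONENTS, FLOWS)
    return sorted(((n, s, rag(s)) for n, s in scores.items()), key=lambda t: -t[1])
```

In this sample the undocumented EUC spreadsheet and the external analytics processor come out red, the CRM amber, and the catalogue with no personal data green, which is the ordering a GDPR roadmap would start from.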

What are the key Changes for GDPR?

Compared to the current data protection framework under the Data Protection Act 1998, the GDPR brings a number of important changes and enhancements, including:

  • Increased accountability and greater level of responsibility within organisations to ensure that personal data is fully protected and processed according to the regulations
  • More data will be classified as customers’ personal data, not just in normal databases but also in EUC components and in Cloud data storage
  • New internal role of a Data Protection Officer
  • External Roles outside the company will also be regulated, such as contractors, partners and service providers
  • Eye-wateringly high cost of non-compliance
  • New requirements for notification of data losses through hacking and lack of compliance
  • Greater rights for customers to understand how their data is to be used, to give their informed consent, and to make future requests to change their consent
  • Risk Assessments
  • Privacy Impact Assessments

See also https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Benefits of GDPR

What are people expecting your company to do with their data? It’s about re-establishing your customers’ trust, and that you won’t change your mind and do something different or evil with their data. This trust will provide an increased business advantage for companies that get it right.

If a company cannot demonstrate that it is using Enterprise Architecture to achieve compliance with GDPR, then it is risking its reputation, which ultimately means less business and less profit.

With Digital Architecture, companies are designing their business with an Outside-In approach, designing their value proposition around what customers really want in their customer journeys.

GDPR is essentially designing the Outside-In approach for the protection of customers private data.

Enterprise Architecture perspectives

From an Enterprise Architecture perspective you need to ensure that:

  • Decision makers and C level executives are aware that the law is changing to the GDPR and time is running out to plan the changes
  • They use Enterprise Architecture to drive this as a strategic change, with new initiatives to be designed in the target Enterprise Architecture model and managed in the EA Roadmap
  • There is full knowledge of how information and data is managed, flows around the company and is changed by processes, services and applications
  • New business processes are created to handle customers new rights
  • Enterprise Architecture is used to manage and rapidly create an EA roadmap for the strategic changes needed
  • A new meta model is designed to include customers consents, breach events and other change events
  • New business processes are created to handle data breaches and GDPR reporting requirements
  • Risks, issues and mitigations are well modelled
  • New Application Services are created
  • New package Applications are procured, which have updated support for GDPR data and processes

Conclusion

Yes, it’s a big strategic piece of work to do, with a May 2018 deadline that is getting ever closer, but luckily Enterprise Architecture is designed for managing just this kind of strategic change scenario.

So to avoid GDPR fines in 2018, start using Enterprise Architecture now, to plan and execute the strategic changes needed.

It makes sense!

How can you not already be using Enterprise Architecture?

One Response to “GDPR – Gaining accountability using Enterprise Architecture”


  1. Thanks for sharing this post, Enterprise Architecture Modelling is really useful and effective.

