Many companies are spending a large amount of effort running GDPR projects ahead of May 25th, 2018. However, we see increasing interest in migrating away from proprietary point tools for GDPR assessments towards a permanent solution within the EA Portal, making compliance a continuous process within the data-driven enterprise.
If you manage your EA well, the GDPR implementation is a minor step: extending your EA Portal into a modern, managed regulations Portal. However, if you do not have a solid, end-user-accessible EA Portal with control of data, integrations, and technologies, the GDPR project may be a big effort. Starting with an architecture focus aimed only at architects will not help the journey; you need to apply evolved techniques to succeed and mature in time to meet business requirements.
We advocate simplifying governance by using the EA Portal to make a living architecture that supports the different legal rule-sets, including the GDPR. As the core GDPR requirement concerns the systems that process personal data, it extends naturally to the architecture overview of systems data and integrations data. We see more and more cases where GDPR point solutions are migrated into the EA Portal to demonstrate the degree of compliance easily. Using the principles of EA, it is straightforward to work out a plan to stay compliant before May 2018. Working with us, you get ready-made solutions for your business.
What is new with Personal Data Protection?
What is new is not the procedure as such; what is new is the regulatory framework, which makes the consequences of failing compliance a board issue. Incentive or not, the GDPR operates with a new tiered fine structure.
Data protection and impact assessments
The GDPR also includes an article on data protection impact assessments. An impact assessment must be carried out before new services or products are launched. It is therefore acceptable to work with agile and fail-fast approaches, but before the validated product goes live, there must be an impact assessment to secure personal data. This will force many project managers and IT departments to consider proactively which security measures will be put in place, to secure the path to compliance assessments.
How to prepare for the GDPR?
May 2018 is soon, so for many companies the GDPR may come as something of a shock. An immediate action is to appoint a data protection officer, who will be accountable for advising on and monitoring GDPR compliance, as well as representing the company in contact with the supervisory authority. Very often, this role will fall to the CIO or his/her delegate. Having an accountable person is a mandatory step, but far from enough. The organisation must work through the responsibilities under the new GDPR, and this is where the EA and governance frameworks may be the hidden fuel.
Here is a list of focus areas to consider aligning with EA and governance frameworks:
- Business Model Canvas – With a focus on reporting and bringing coherency to the business, it is important to lay out a Business Model or Business Processing Map. This business model serves to show which functions and what overall processing take place ‘where’ in the business. With the Business Model, it is possible to pinpoint what types of classified data are expected in each business area. The outcome of such an assessment is a recommendation of which types of personal data each business area should have access to. The GDPR will require a gap analysis as part of the ongoing processes to minimise access to classified personal data. Without the Business Model, it will be difficult to provide meaningful reporting of the gap analysis. It should be easy to demonstrate compliance and to show where there is a high risk that personal data is accessed in much larger areas of the organisation than necessary. This is where information modelling, capability modelling and our business solutions can be helpful.
- Business Applications Management – With the updated perspective of the Business Model, it is recommended to establish a Business Application Catalogue. Such a Catalogue should have strong relationships to the Business Model; hence, it is not an ITSM service catalogue. The Business Application Catalogue should be governed and form part of a living architecture. If such an APM catalogue or Business Application Catalogue is not available and managed, we highly recommend getting it in place alongside the Business Model. It will serve as the foundation for Data Classification and Data Retention. This might be a simple cloud offering from us, or a more integrated portfolio solution from us.
- Data Classification – With knowledge of the business capabilities and business applications, it is a simpler and more straightforward task to assess where your personal data is stored. This includes structured electronic data as well as unstructured formats such as documents, presentations, and spreadsheets. This is critical both for protecting the data and for following the impact of changes to personal data. To solve this puzzle, we advise you to get the overall Business Model and Business Application Catalogue in place first, then extend them to master the presence of personal data through categorisation. The categorised personal data is classified and mapped to the landscape of business applications and infrastructure information, and also against the intended usage, to pinpoint irresponsible presence of personal data throughout the organisation.
- Governance – With data come the operational processes to maintain this GDPR information daily. This leads to establishing processes that secure ‘data security by design’ and ‘data security by default’, alongside the roles and responsibilities for keeping the Business Application Catalogue up to date and understanding ‘who has access to what’. We advise companies to get the foundation in place first, then the Data Classification, and then to tailor and adapt this to the existing processes of the organisation. Relevant frameworks include IT4IT, TOGAF and COBIT, to ensure there is a focus on controls, follow-up and management accountability.
- Gaps and Digital Action Planning – The GDPR requires limited data retention, but gives no firm metrics to follow. This means you will need basic information on what data is collected, why it is collected, for how long it is supposed to be kept, and what the processes are for ‘releasing’ information again, tailored to metrics that are justifiable. This must be an integral part of the processes for managing data. Personal data residing in business applications should be periodically reviewed to see whether it needs to be kept or removed. It is important that Data Retention is both supported by and supporting the Governance. The gaps identified should obviously be included in a digital, actionable form to help with ongoing compliance. Reports and alerts on non-compliance should be an integrated part of the Digital Action Planning. This is where MooD-based solutions can help.
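The focus areas above describe three things a portal has to hold in machine-readable form: which personal-data categories each business area is expected to access (the Business Model assessment), which applications hold which categories for what purpose (the Business Application Catalogue with Data Classification), and for how long (Data Retention). The following is an added example, not code from the original post or from any MooD product, showing a minimal catalogue model with the two checks the list calls for: an access gap analysis and a periodic retention review whose results can feed reports and alerts. Every business area, application, category, purpose and date in it is constructed for illustration.

```python
# Added example (not part of the original post): a minimal machine-readable
# Business Application Catalogue with data classification and retention rules,
# plus the two checks the focus areas above call for: an access gap analysis
# (which applications hold personal-data categories their business area is not
# expected to need) and a retention review (which data sets are past their
# justified retention period). All names, categories and dates are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Recommended personal-data categories per business area, i.e. the outcome of
# the Business Model assessment. Constructed values.
PERMITTED_CATEGORIES = {
    "HR": {"contact", "payroll", "health"},
    "Sales": {"contact"},
    "Marketing": {"contact", "behavioural"},
}


@dataclass
class DataSet:
    category: str          # classified personal-data category, e.g. "payroll"
    purpose: str           # why the data is collected
    collected_on: date     # when the oldest records were collected
    retention_days: int    # justified retention period


@dataclass
class Application:
    name: str
    business_area: str
    datasets: list = field(default_factory=list)


def access_gaps(catalogue):
    """Return (application, category) pairs where an application holds a
    personal-data category its business area is not expected to access."""
    gaps = []
    for app in catalogue:
        permitted = PERMITTED_CATEGORIES.get(app.business_area, set())
        for ds in app.datasets:
            if ds.category not in permitted:
                gaps.append((app.name, ds.category))
    return sorted(gaps)


def retention_alerts(catalogue, today):
    """Return (application, category, days_overdue) for data sets whose
    retention period has expired and which should be reviewed for removal."""
    alerts = []
    for app in catalogue:
        for ds in app.datasets:
            expires = ds.collected_on + timedelta(days=ds.retention_days)
            if today > expires:
                alerts.append((app.name, ds.category, (today - expires).days))
    return sorted(alerts)


def compliance_report(catalogue, today):
    """Summarise both checks as a dict suitable for a dashboard or alert feed."""
    gaps = access_gaps(catalogue)
    alerts = retention_alerts(catalogue, today)
    return {
        "applications": len(catalogue),
        "access_gaps": gaps,
        "retention_alerts": alerts,
        "compliant": not gaps and not alerts,
    }


# Constructed sample catalogue: one unexpected category in Sales and two
# expired retention periods, so both checks produce findings.
SAMPLE_CATALOGUE = [
    Application("PayrollSys", "HR", [
        DataSet("payroll", "salary payments", date(2017, 1, 10), 365 * 5),
    ]),
    Application("CRM", "Sales", [
        DataSet("contact", "customer relationship", date(2016, 3, 1), 365 * 2),
        DataSet("health", "legacy import", date(2015, 6, 1), 365),  # not permitted in Sales
    ]),
    Application("WebAnalytics", "Marketing", [
        DataSet("behavioural", "campaign optimisation", date(2018, 3, 15), 90),
    ]),
]

# Review date used for the sample run (constructed; the GDPR application date).
REPORT_DATE = date(2018, 5, 25)


def sample_report():
    """Run both checks over the constructed catalogue as of REPORT_DATE."""
    return compliance_report(SAMPLE_CATALOGUE, REPORT_DATE)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Run as a script it prints one access gap (the CRM holding health data outside HR) and two retention alerts (the CRM contact and health data sets, overdue by 85 and 724 days respectively). In a real portal the permitted-category table and the catalogue would come from the governed architecture repository rather than literals, and the report would be scheduled so that the retention review and gap analysis become the continuous process the post argues for rather than a one-off assessment.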
We can help you build GDPR compliance within your digital EA Portal. It is faster, and more sustainable. The conclusion is clear: if you manage your EA well, the GDPR implementation is a minor step, extending your EA Portal into a modern and managed regulations Portal.
We power your digital MooD!