Tag Archives: gdpr


Do digital board packs help your organisation to comply with GDPR?

Category: Services, UK Blog

Do you have governance around your board pack? Do you have meta-data and master data supporting the generation of your board packs?

First, the 25 May 2018 deadline has passed, and large organisations are still struggling with GDPR: no longer as a project, but with absorbing the endless spreadsheets and small GDPR tools that were delivered as the project outcome. Another phase now takes over: what to do with that outcome?

This calls for a higher maturity level, one that small point tools or spreadsheets cannot provide. It calls for broader collaboration to keep 'stuff' updated, typically by embedding the GDPR processes in a larger solution flexible enough to help the executive team steer the boat. In short, it calls for governance around the digital board pack.

That was then…

A lot was written about the impact of the EU General Data Protection Regulation (GDPR) in the period up to 25 May 2018. And even though up to 60% may have slipped the deadline (see a recent survey), the more likely picture is that most organisations completed their GDPR project during 2018 but will still be working with GDPR in 2019. How can that be?

As mentioned in a recent blog post, there is a natural progression towards being better at compliance, and that holds for GDPR too; it reaches well beyond the project outcome at the end of 2018. It is the progression:

  • to move from project to line organisation
  • to onboard managers and specialists to keep the information fresh
  • to transition from project into process, so that the IMACD (install, move, add, change, dispose) lifecycle of personal-data processing activities is handled
  • to simplify the generation of the Article 30 record of processing activities
  • to retire simple risk tools and consolidate governance in the digital platform
  • to push ownership of the updated compliance views up to the board.

The GDPR compliance data will continue its journey as living data, and it will continue up the maturity ladder: distinguishing data processors from data controllers, and moving away from free-text fields into elements of meta-data to oversee the ocean of GDPR.

But most importantly, the transition is about getting organisational ownership, where managers act on their responsibility and accountability to be compliant. Where the 2018 project was driven by fear of potential penalties, the new demand is much more to make it actionable within the line organisation, where 'stuff' gets updated and the executive board can make decisions based on new evidence. This is often referred to as "EA", the architecture (A) grid or space of an entire enterprise (E).

How does this tie into my executive team?

Once you have completed the project, you have data. Once you have moved it into a point tool, you may have slightly structured data and can see the first patterns. That still does not bring you much further. The heavy lifting involves more:

  • First, you need to move from free text and text fields into meta-data. This means that you do not type 'pay-slip' into a text field; you tick 'pay-slip' from a controlled list, and afterwards you can analyse where 'pay-slip' is being processed, by which systems and by which processing or controlling activities.
  • Second, you need to transition into the architecture portal where governance is typically managed, that is: who is the system owner? Who is the data process owner? Who should update this piece of data? Very often we see BI solutions reporting long lists of data, but that is very distinct from the next maturity level, where these people can perform actionable reviews and updates. This is often referred to as a digital platform or EA platform (such as MooD, ERP, etc.).
  • Third, you need the escalation route embedded to the executive team. It is the management team that is accountable and needs to have its blind eye opened. Without their eyes open and insight provided, only the one-eyed will be king among the blind.

So anyone within the board should be trained, concerned and be kept updated!

The way forward?

There is a natural progression towards maturity, but only if it is guided. You need to find an advisor who can help you to build a living architecture.

With a living architecture, you onboard the 'softer', organisational side as well and provide decision insight to your management. When used properly, you get the connected enterprise, where boards act when things start to drift. That is what we provide as part of our digital board pack service.

Working with different next-generation technologies, we offer a digital platform that helps large organisations to have a digital board pack, not a PowerPoint: online views where you can drill into data, updated by the responsible people in the organisation and supplemented by technical data, so you can view the online portal and stay compliant. We call this powering your digital ability.

Giving all your directors access to the information they need about your GDPR policies in one place makes it much easier for them to find what they need and to ask the right questions when it is discussed, all managed as meta-data and by the relevant people. No more e-mails, no more point tools.

If you have questions, please do not hesitate to get in touch. We are the leading organisation in digital governance, helping large organisations to succeed with their business transformation. We power your digital mood!



GDPR – How to make it stick!

Category: EA, Services

Many companies are spending a large amount of effort running GDPR projects prior to 25 May 2018. At the same time, we see increasing interest in migrating away from proprietary point tools for GDPR assessments towards a permanent solution within the EA Portal, making compliance a continuous process within the data-driven enterprise.

If you manage your EA well, the GDPR implementation is a minor step: extending your EA Portal into a modern, managed regulations portal. However, if you do not have a solid, end-user-accessible EA Portal with control of data, integrations and technologies, the GDPR project may be a big effort. Starting with an architecture focus for architects will not help the journey; you need to apply evolved techniques to succeed and mature in time to meet the business requirements.

We advocate simplifying governance by applying the EA Portal to create a living architecture that supports the different legal rule-sets, including the GDPR. As the core of the GDPR is about the processing of personal data by systems, it extends easily to the architecture overview of systems data and integrations data. We see more and more organisations migrating GDPR point solutions into the EA Portal so that their degree of compliance can be demonstrated easily. Using the principles of EA, it is straightforward to work out a plan to be compliant before May 2018. Working with us, you get ready-made solutions for your business.

What is new with Personal Data Protection?
What is new is not so much the procedure; the new element is the regulatory framework, which makes the consequences of failing compliance a board issue. Incentive or not, the GDPR operates with a new tiered fine structure: up to EUR 10 million or 2% of worldwide annual turnover for the lower tier, and up to EUR 20 million or 4% for the upper tier, whichever is higher (Article 83).

Data protection impact assessments
The GDPR also includes an article on data protection impact assessments (Article 35). Where a new service or product involves processing that is likely to result in a high risk to individuals, the impact assessment must be completed before it is launched. So it is acceptable to work with agile and fail-fast approaches, but before the validated product goes live there must be an impact assessment showing how the personal data is protected. This will force many project managers and IT departments to consider proactively which security measures they will put in place, and to document them, so that compliance assessments have a clear path.

How to prepare for the GDPR?
May 2018 is soon, so for many companies the GDPR may come as something of a shock. An immediate action is to appoint a data protection officer, who will be accountable for advising on and monitoring GDPR compliance, as well as representing the company towards the supervisory authority. Very often the call goes to the CIO or his/her delegate; note, however, that the DPO must be free of conflicts of interest (Article 38), which is why a role that itself decides on the purposes and means of processing is often a poor fit. Appointing a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data (Article 37), and advisable for others, but having an accountable person is far from enough. The organisation must work through the responsibilities of the new GDPR, and this is where EA and governance frameworks may be the hidden fuel.

Here is a list of focus areas to consider aligning with EA and governance frameworks:

  • Business Model Canvas – With the focus on reporting and coherence across the business, it is important to lay out a Business Model or Business Process Map. This business model serves to understand which functions and which processing take place where in the business. With the Business Model it is possible to pinpoint what types of classified data are expected in each business area. The outcome of such an assessment is a recommendation for what types of personal data each business area should have access to. The GDPR will require a gap analysis to be part of the ongoing processes to minimise access to classified personal data. Without the Business Model it will be difficult to provide meaningful reporting on the gap analysis. It should be easy to demonstrate compliance, and to show where there is a high risk that personal data is accessible to much larger parts of the organisation than intended. This is where information modelling, capability modelling and our business solutions can help.
  • Business Applications Management – With the updated perspective of the Business Model, it is recommended to provide a Business Application Catalogue. Such a catalogue should have strong relationships to the Business Model; hence, this is not an ITSM service catalogue. The Business Application Catalogue should be governed and be part of a living architecture. If such an APM catalogue or Business Application Catalogue is not available and managed, we highly recommend getting it in place alongside the Business Model. It will serve as the foundation for Data Classification and Data Retention. This might be a simple cloud offering from us, or a more integrated portfolio solution from us.
  • Data Classification – With knowledge of the business capabilities and business applications, it is a simpler and more straightforward task to assess where your personal data is stored. This includes structured electronic data as well as unstructured formats such as documents, presentations and spreadsheets. This is critical both for protecting the data and for following the impact of changes to personal data. To solve this puzzle, we advise you to get the overall Business Model and Business Application Catalogue in place first, then extend them to master the presence of personal data through categorisation. The categorised personal data is classified and mapped to the landscape of business applications and infrastructure information, and also against the intended usage, to pinpoint irresponsible presence of personal data throughout the organisation.
  • Governance – With data come the operational processes to maintain this GDPR information daily. This leads to establishing the processes that secure 'data protection by design' and 'data protection by default' (the regulation's own terms, Article 25), alongside the roles and responsibilities for keeping the Business Application Catalogue up to date and for understanding 'who has access to what'. We advise that companies first get the foundation in place, then the Data Classification, and then tailor and adapt this to the organisation's existing processes. Relevant frameworks include IT4IT, TOGAF and COBIT, to ensure a focus on controls, follow-up and management accountability.
  • Gaps and Digital Action Planning – The GDPR requires data retention to be limited, but sets no firm metrics to follow. This means you need basic information on what data is collected, why it is collected, for how long it is supposed to be kept, and what the processes are for 'releasing' information again, tailored to metrics that are justifiable. This must be an integral part of the processes for managing data. Personal data residing in business applications should be periodically reviewed to see whether it needs to be kept or removed. It is important that Data Retention both supports and is supported by Governance. It is also obvious to capture the identified gaps in a digital, actionable form to help with ongoing compliance. Reports and alerts on non-compliance should be an integrated part of Digital Action Planning. This is where MooD-based solutions can help.
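Two passages on this page describe the same underlying idea: the earlier post's point about ticking 'pay-slip' as meta-data rather than typing it into a text field, and the Data Classification and retention items in the list above. Both come down to modelling processing activities as structured records so that they can be queried, rendered as an Article 30-style record and reviewed. The block below is an added example written for this page; it is not code from the post or from any MooD product. The systems, owners, categories, dates and retention periods are constructed sample data, and the class and function names are assumptions.

```python
"""Added example: GDPR processing activities as structured meta-data.

Replaces free-text fields with a controlled vocabulary so the register can be
queried ('where is pay-slip processed?'), rendered as an Article 30-style
record, and reviewed for stale ownership and retention overruns.
All systems, owners, dates and retention periods are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

AS_OF = date(2019, 1, 1)  # constructed 'today' for the sample run


class DataCategory(Enum):
    """Controlled vocabulary instead of typing 'pay slip' into a text field."""
    PAYSLIP = "pay-slip"
    BANK_ACCOUNT = "bank account"
    EMAIL = "e-mail address"
    HEALTH = "health data"  # special category (Article 9), relevant for DPIA work


class Role(Enum):
    CONTROLLER = "controller"
    PROCESSOR = "processor"


@dataclass(frozen=True)
class System:
    name: str
    owner: str   # accountable system owner, the person who updates the record
    role: Role   # controller/processor distinction the post asks for


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    purpose: str            # legal basis / purpose of processing
    system: System
    categories: frozenset   # set of DataCategory members
    retention_days: int     # justified retention period
    oldest_record: date     # oldest personal data still held for this activity
    last_review: date       # when the owner last confirmed the entry


def constructed_register():
    """Sample register (constructed data, not a real organisation)."""
    hr = System("HRIS", "Head of HR", Role.CONTROLLER)
    payroll = System("PayrollSaaS", "Vendor X under DPA", Role.PROCESSOR)
    crm = System("CRM", "Head of Sales", Role.CONTROLLER)
    return [
        ProcessingActivity("Salary payment", "employment contract", hr,
                           frozenset({DataCategory.PAYSLIP, DataCategory.BANK_ACCOUNT}),
                           5 * 365, date(2015, 1, 10), date(2018, 11, 1)),
        ProcessingActivity("Payroll outsourcing", "employment contract", payroll,
                           frozenset({DataCategory.PAYSLIP}),
                           5 * 365, date(2012, 3, 1), date(2018, 6, 15)),
        ProcessingActivity("Newsletter", "consent", crm,
                           frozenset({DataCategory.EMAIL}),
                           365, date(2018, 5, 1), date(2017, 3, 1)),
    ]


def where_is(register, category):
    """The query a free-text field cannot answer: which systems hold X?"""
    return sorted({a.system.name for a in register if category in a.categories})


def systems_by_role(register, role):
    """Split the landscape into controllers and processors."""
    return sorted({a.system.name for a in register if a.system.role is role})


def article30_rows(register):
    """One row per activity with the fields an Article 30 record needs."""
    return [{"activity": a.name, "purpose": a.purpose,
             "categories": sorted(c.value for c in a.categories),
             "system": a.system.name, "owner": a.system.owner,
             "role": a.system.role.value, "retention_days": a.retention_days}
            for a in register]


def retention_breaches(register, today):
    """Activities still holding data older than their justified retention."""
    return sorted(a.name for a in register
                  if (today - a.oldest_record).days > a.retention_days)


def stale_reviews(register, today, max_age_days=365):
    """Escalation list for the board: entries the owner has not re-confirmed."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in register if a.last_review < cutoff)


if __name__ == "__main__":
    reg = constructed_register()
    print("pay-slip processed by:", where_is(reg, DataCategory.PAYSLIP))
    print("processors:", systems_by_role(reg, Role.PROCESSOR))
    print("retention overrun:", retention_breaches(reg, AS_OF))
    print("stale reviews:", stale_reviews(reg, AS_OF))
```

The point is the shape of the data, not the functions: because 'pay-slip' is an enumerated value rather than a string someone typed, `where_is` can answer which controllers and processors touch it, and the two review functions produce the escalation lists that a board pack would surface instead of a BI report listing every row.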

We can help you to build GDPR compliance into your digital EA Portal. It is faster, and more sustainable. The conclusion is clear: if you manage your EA well, the GDPR implementation is a minor step, extending your EA Portal into a modern, managed regulations portal.

We help to align long-term planning with short-term planning, which is an ongoing process, and a digital process of information management. Long live digital planning. If you have questions, please get in touch. We are a consulting house with senior profiles and business solutions; we provide deep expertise in digital planning, digital governance and process automation. We power your digital mood!