How to master GDPR compliance with enterprise architecture
With the deadline now only one month away, and the threat of massive fines of up to 4 percent of global annual revenue, companies have a lot on the line when it comes to General Data Protection Regulation compliance.
Yet, according to a recent study out of Forrester, an estimated 80 percent of organizations are expected to be unable to comply even by the end of 2018.
Becoming GDPR compliant begins with understanding where data lives throughout your organization. For many companies, increasing volumes of data quickly become unorganized and extremely complex, creating a massive challenge right out of the gate. In fact, a recent study from Compuware found that companies consider data quality and data complexity to be the greatest obstacles to compliance.
Enterprise architecture (EA) is one solution for better identifying, structuring and protecting data, and in four steps, can be a secret weapon for ensuring compliance success.
Step 1: Build your stakeholder team
Under the GDPR, many organizations will be required to appoint a data protection officer (DPO). While this person is the primary stakeholder responsible for ensuring compliance, compliance can’t - and shouldn’t - rest on the shoulders of just one individual.
Before you dig into your data, stakeholders from every department or division where customer data lives or is used - from sales to marketing to legal - should be assigned and work in alignment with the appointed DPO. Because the role is well positioned to identify technology risks that could lead to compliance breaches, and because a data protection impact assessment (DPIA) must be performed before a new technology is deployed, enterprise architects can serve as a valuable GDPR liaison, ensuring full alignment across all stakeholders.
Step 2: Organize your data landscape
With the complexity of modern IT services and the increasing amount of data obtained by companies today, it’s not uncommon to lose visibility into everywhere information exists -- and for data to float to unexpected areas -- especially within large organizations.
The first step towards achieving full compliance is establishing a clear view of your data -- where it lives, how your company processes it and how to quickly access it to make key changes. While a daunting and time-consuming task, leveraging EA and application portfolio management (APM) tools can help you gain full visibility into your organization’s data landscape.
Regardless of your existing EA sophistication, taking an application-centered approach will create a strong foundation for success.
First, identify all existing applications inside the organization. Use surveys of application owners to uncover which applications involve personal data as defined by the GDPR, ensure that consent has been obtained from all data subjects, and identify all business capabilities that use the impacted applications.
With the help of an APM tool, you can easily assign ownership for both the applications and the processing of the associated data, link GDPR documents such as records of processing activities, and tag each data object or application according to its level of privacy sensitivity. The ultimate goal should be data economy: minimizing the amount of user data, consolidating where it lives and minimizing the number of users that have access to it.
Step 3: Detect and assess risks
Without the right risk protocol in place, the GDPR can leave you vulnerable to failure. For example, the right to be forgotten includes giving individuals the power to completely revoke or delete their data from the possession of your organization -- a major challenge if you lack visibility into the applications where that personal data lives, or if the data has been duplicated across multiple areas of the business.
Automated visualizations and data flow models can quickly show you which data objects are used by which applications, which business capabilities depend on them, and the critical consequences to the company in the event of an application failure, hacking attack, or data breach.
With a snapshot of your application landscape, you can then assess risk. Risk level can be determined through risk assessment surveys, and be based on varying factors, including business impact, application dependencies, criticality levels, failure scenarios and previous incidents. The more dependencies an application has and the higher the level of connectivity, for example, the higher the level of risk in the event of a failure.
Once risk levels have been assessed, identify potential gaps and address varying failure scenarios, starting with the highest risk areas that process sensitive data.
Answer questions such as:
- Where could potential vulnerabilities in the business and IT landscape lie?
- What are frequent threats that could exploit these vulnerabilities?
- What are the possible consequences?
The creation of heat maps or risk dependency maps can help you gain an overview of your company’s risk portfolio, and thus serve as important decision-making aids and a first basis for risk management and control.
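The data model behind Steps 2 and 3 can be sketched in a few lines: an inventory of applications, the data objects each one stores (tagged by privacy sensitivity), and the interfaces between applications. The example below is added here and is not code from any EA or APM product; the application names, data objects, flows and the scoring formula (most sensitive data object held, multiplied by one plus the number of interfaces) are constructed assumptions chosen to mirror the page's argument that connectivity and sensitivity drive risk.

```python
from collections import defaultdict

# Constructed inventory: privacy-sensitivity tag per data object (0 = none, 2 = personal data).
SENSITIVITY = {"customer_email": 2, "customer_address": 2, "order_history": 1, "product_catalog": 0}
# Constructed inventory: which data objects each application stores.
APPS = {
    "CMS": {"customer_email"},
    "CRM": {"customer_email", "customer_address", "order_history"},
    "Mailing": {"customer_email"},
    "Shop": {"order_history", "product_catalog"},
    "DataLake": {"customer_email", "customer_address", "order_history", "product_catalog"},
}
# Constructed interfaces: data flows from a source application to a destination application.
FLOWS = [("CMS", "CRM"), ("CRM", "Mailing"), ("Shop", "CRM"), ("CRM", "DataLake"), ("Shop", "DataLake")]

def holders_of(data_object):
    """Every application storing a data object: the erasure scope for a right-to-be-forgotten request."""
    return sorted(app for app, objs in APPS.items() if data_object in objs)

def downstream_of(app):
    """Applications the data may have propagated to via interfaces (duplicates to chase on erasure)."""
    seen, todo = set(), [app]
    while todo:
        current = todo.pop()
        for src, dst in FLOWS:
            if src == current and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def connectivity():
    """Number of interfaces touching each application, inbound plus outbound."""
    degree = defaultdict(int)
    for src, dst in FLOWS:
        degree[src] += 1
        degree[dst] += 1
    return degree

def risk_scores():
    """Assumed score: most sensitive data object held times (1 + connectivity); 0 without personal data."""
    degree = connectivity()
    return {app: max(SENSITIVITY[o] for o in objs) * (1 + degree[app]) for app, objs in APPS.items()}

def heat_map():
    """Applications ranked from highest to lowest risk, the ordering a risk heat map would show."""
    return sorted(risk_scores().items(), key=lambda kv: (-kv[1], kv[0]))
```

In this constructed landscape the CRM ranks highest because it holds personal data and sits on four interfaces, and an erasure request for an email address has to reach four applications, not just the one that collected it.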
Step 4: Implement checks and balances and demonstrate compliance
Once you’ve assessed the technology risks, implement concrete security checks and preventative measures. When it comes to ongoing security and compliance, it’s critical to ask not only how well your application portfolio meets security standards today, but how your security standards will develop over time.
Findings from risk assessment surveys can be used as a starting point for defining useful security checks and appropriate measures. For example, if it was uncovered that customer data collected by your content management system was transferred to a mailing tool or CRM system with no demonstrable consent from the people behind those addresses, a double opt-in process can be implemented as a preventative measure.
By creating a scalable and repeatable process for uncovering vulnerabilities and systematically following up on their correction, you can ensure all deficits in your IT landscape are addressed.
Documenting the chosen process for how personal data is processed, how risks are handled and the measures that have been implemented to limit risk will allow you to successfully demonstrate GDPR compliance, particularly when conducting a DPIA, which is required for every implementation of a new system that uses personal data. Inventory snapshots - including a clear overview of all applications, interfaces, data objects and technologies - can serve as a key tool for regularly reviewing and presenting compliance.
GDPR compliance will continue to be one of the largest IT challenges - in the run-up to the May deadline and beyond. With compliance requiring accessible, adjustable data and precise information on what data your company stores and where, EA will be the unsung hero of GDPR success.