Three Steps towards GDPR Compliance

In our last post we already talked about the upcoming enactment of the EU regulation 2016/679 for data protection by the end of May 2018.

We stated that Enterprise Architecture Management (EAM) tools are a natural starting point for collecting and managing the data that are necessary for GDPR compliance.

In order to use this starting point properly we mentioned a three-step approach. Today, we would like to go a little further describing these three steps.

Step 1 – Inform

First of all it is necessary to get to know the GDPR regulation and its requirements both from a legal and IT point of view. This can be done in a one-day workshop.

Such a “GDPR Briefing” workshop should at least have the following items on the agenda:

  • Introduction to the topic of GDPR in a holistic manner
    • Legal perspective
    • Organizational perspective
    • IT perspective
  • Discuss the “need for action” for the company and identify main points
  • Derive first top-level recommendations for GDPR compliance implementation

We offer these GDPR Briefing workshops in cooperation with lawyers.

Step 2 – Define

In the next step, the different perspectives of GDPR should be considered in more detail. Besides changes to contracts or end user license agreements from the legal perspective, the installation of new roles (e.g. a data protection officer) and the necessary overhaul of (especially) end user business processes, one needs to check the readiness of the existing IT landscape for GDPR:

  • Analysis of the IT landscape regarding GDPR (in particular Article 30)
  • Evaluation of the GDPR Readiness from the perspective of IT
  • Recommendations for the implementation of GDPR with focus on IT

These “GDPR Readiness Checks” are usually performed in short-time projects and are used to prepare the final step.

Step 3 – Realize

Finally, recommendations and defined measures need implementation. This should be based on a project plan derived from a “GDPR Readiness Check” and encompasses points like:

  • Set up and enhance the EAM tool for the GDPR use case
  • Import the necessary data
    • Applications and how they process business data
    • Servers where applications are deployed and their physical location
    • How applications support business capabilities and organizational units
  • Automate updates for these data in the EAM tool
  • Name responsibilities and incorporate the EAM tool in GDPR compliance processes
  • Train the persons responsible for GDPR

When it comes to the setup of an EAM tool as the “golden source” for GDPR compliance there is always one reason that hinders quick results – the amount of data to be collected about the existing IT landscape.

We offer various “remedies” for this particular obstacle which automatically read a specific part of the IT landscape and make it visible in EAM tools – and thus accountable in terms of GDPR:

  • Landscape Analyzer for SAP: This tool reads the basic data about entire ABAP-based SAP landscapes (systems, clients, interfaces). We are currently working on an enhancement to also gather interfaces between SAP systems and non-SAP systems using SAP PI.
  • AWS integration: Servers running as virtual machines in the Amazon cloud (Elastic Compute Cloud [EC2] service of the Amazon Web Services) can be read via this tool and automatically imported into an EAM tool.


Do you have questions or comments? Feel free to let us know what you think about this approach and whether it makes sense to you. Let us know if you have questions the post did not cover deeply enough. We’re glad to help: sales(at)

Realize GDPR Compliance with Enterprise Architecture Management

Data protection becomes more and more important in a world where many aspects of life are supported by IT systems processing personal data and a lot of organizations running these systems.

General Data Protection Regulation (GDPR)

With Regulation (EU) 2016/679 of the European Parliament and of the Council, data protection becomes a prominent issue for all organizations operating inside the European Union. That is because both the rights of individual users to information from organizations and the obligations of organizations for reporting and disclosure have been extended. Some examples:

  • Consent: Stronger conditions apply as to how consent about personal data processing is given.
  • Breach notification: Loss, theft or unauthorized access to personal data must be notified.
  • Subject access: Subjects can demand information whether their personal data is processed by an organization or demand porting their data to another provider.
  • Right to be forgotten: Subjects can demand data to be erased or restrict the processing of their data.
  • Data governance: Measures to ensure data governance must be put in place, e.g. privacy impact assessments (PIA), audits, or the appointment of a data protection officer.

Disregard of the new legislation can lead to severe penalties. GDPR Article 83 provides for fines of up to 20 m Euros or up to 4 % of the total worldwide annual turnover.

In order to reach compliance with GDPR a lot of information about all data handling activities and the data processed needs to be collected, analyzed and made accessible. Action must be taken now as the regulation comes into force on May 25th 2018.

Enterprise Architecture Management supports GDPR Compliance

Enterprise Architecture Management (EAM) is the part of IT management that deals with documenting the existing IT landscape, defining standards and planning the future IT landscape. As this task needs to collect and maintain a lot of meta data about the IT of an organization, EAM is usually tool-based.

EAM tools like Alfabet (Software AG) or LeanIX (LeanIX GmbH) can support organizations in gaining GDPR compliance for various reasons.

First of all, these tools already come with a lot of information about the IT that is relevant for GDPR:

  • Documented applications show where (inside and outside of an organization) data are processed and how.
  • Information Flows describe how data are exchanged between applications.
  • Catalogs for business data define categories of data used by applications and business processes.

Such repositories are easily amended with the information specific for GDPR and thus lead to a much more complete view of an organization’s IT processing activities.

EAM tools also provide strong reporting capabilities. Alfabet, for instance and among others, offers the following reports and views:

  • Applications and their interrelation via information flows can be made visible using information flow diagrams.
  • Data processing activities (create, read, update, delete) are listed in so-called CRUD matrices.

Example of a CRUD matrix in Alfabet


Methodical Setup of GDPR compliance

We support your organization in realizing GDPR compliance in a three-step approach:

  1. Inform: Get to know the GDPR regulation and its requirements from the legal and IT point of view in a one-day workshop.
  2. Define: Define the measures that need to be taken based on your individual requirements (e.g. how to configure EAM tools to provide information needed for GDPR, how to change processes to incorporate GDPR steps, etc.).
  3. Realize: We help you to implement the measures defined in step 2. Among other things: We set up and enhance your EAM tool for the GDPR use cases from step 2 and import the necessary data. We offer various tools to automate the retrieval of data about the IT landscape, e.g. with our Landscape Analyzer for SAP systems and Amazon Web Services (AWS).


Would you like to know more…? For further information, please, visit our web page on GDPR. Feel free to contact us: sales(at)

The Roadmap to Digitalization – Episode 6: How to Integrate the AWS Cloud in Enterprise Architecture Management

Digital transformation or digitalization is widely discussed today. Digitalization offers an abundance of products based on new technologies and technological platforms that possess the capability to reshape business processes, organizational structure and ways of working. It holds the power to reshape complete business models or even overall market situations.

One main element of digitalization is cloud computing, the usage of IT resources (CPU time, storage, etc.) only up to the amount that is necessary at a certain point in time. Enterprise architecture management (EAM) needs to include the resources used in the cloud (be it a private, public or community cloud) to prevent the IT landscape from growing spontaneously. Measures on how to govern the usage of cloud services should (or need to) be implemented. Today, we’d like to show you how.

Get Architecture Information from AWS

Cloud services like Microsoft Azure, OpenStack or Amazon Web Services (AWS) offer APIs by which many different cloud resources can be created and managed.

We had a closer look at AWS. Its API allows control of instances (virtual servers), virtual machine images, volumes, hosts or network infrastructures, etc. For our first implementation, we concentrated on the instances, to be exact, on the AWS Elastic Compute Cloud (EC2) instances. These are the resources most likely used by our customers, e.g. when moving applications from an on-premise server to instances in the cloud.

We created a command line tool that runs regularly to request the instance information from the cloud provider and download it in a standardized format.

Integrate with Enterprise Architecture Management

Based on that, an automated import job is started to draw the information into Alfabet. Alfabet is a powerful EAM tool that we use frequently in customer EAM projects. Alfabet provides an object type called “device” that represents a server on which an application can be deployed. We used this object type to describe the AWS instances in the realm of Alfabet:


Imported AWS EC2 instance

The import job also connects the imported instances to the existing IT landscape:

  • Instances are connected to the location where they are running (i.e. “eu-central-1” for the AWS data center in Frankfurt, Germany).
  • Users are assigned to the instances to manage them.
  • A workflow is run to ask responsible users what applications are running on the instances. This is necessary to link instances and applications, and thus make clear what instances are used for.
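
The retrieval and import steps described above can be sketched as follows. This is an added example, not the tool described in the post: it normalizes a constructed sample shaped like an EC2 DescribeInstances response into device records with their location. The `Owner` and `Application` tag keys, the CSV column names and the skipping of terminated instances are assumptions.

```python
import csv
import io
import json
import re

# Constructed sample shaped like an EC2 DescribeInstances response (not real data).
# In a live run this dict would come from the AWS API, e.g. boto3's describe_instances().
SAMPLE_RESPONSE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa111122223333a", "InstanceType": "t2.medium",
     "State": {"Name": "running"},
     "Placement": {"AvailabilityZone": "eu-central-1a"},
     "Tags": [{"Key": "Name", "Value": "crm-web-01"},
              {"Key": "Owner", "Value": "j.doe"},
              {"Key": "Application", "Value": "CRM"}]},
    {"InstanceId": "i-0bbb444455556666b", "InstanceType": "m4.large",
     "State": {"Name": "stopped"},
     "Placement": {"AvailabilityZone": "us-east-1b"},
     "Tags": [{"Key": "Name", "Value": "batch-02"}]}
  ]},
  {"Instances": [
    {"InstanceId": "i-0ccc777788889999c", "InstanceType": "t2.micro",
     "State": {"Name": "terminated"},
     "Placement": {"AvailabilityZone": "eu-central-1b"}}
  ]}
]}
""")

# Hypothetical column layout for the import file.
FIELDS = ["device_id", "name", "instance_type", "state",
          "location", "owner", "application", "needs_workflow"]

_AZ = re.compile(r"^([a-z]+(?:-[a-z]+)+-\d+)[a-z]$")


def region_of(az):
    """Map a standard availability zone ('eu-central-1a') to its region.
    Returns None for names that do not follow that pattern (e.g. local zones)."""
    match = _AZ.match(az or "")
    return match.group(1) if match else None


def to_devices(response):
    """Flatten reservations into one device record per existing instance."""
    devices = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "unknown")
            if state == "terminated":  # assumption: gone instances are not imported
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            az = inst.get("Placement", {}).get("AvailabilityZone", "")
            application = tags.get("Application", "")
            devices.append({
                "device_id": inst["InstanceId"],
                "name": tags.get("Name", inst["InstanceId"]),
                "instance_type": inst.get("InstanceType", ""),
                "state": state,
                "location": region_of(az) or az,  # keep raw zone if unparsable
                "owner": tags.get("Owner", ""),
                "application": application,
                # No application recorded: the responsible user has to be asked.
                "needs_workflow": not application,
            })
    return sorted(devices, key=lambda d: d["device_id"])


def to_csv(devices):
    """Serialize device records to CSV text for an import job."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(devices)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(to_devices(SAMPLE_RESPONSE)))
```

Records with `needs_workflow` set are the ones for which the application link still has to be established by the responsible user.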

The steps above provide transparency about the cloud IT landscape. They are the preliminary work for the “actual” use cases:

  • One could review all running applications whether they can be deployed on a cloud instance or not. This would enhance IT standardization as cloud services are built on standardized hardware and software platforms.
  • One could import and collect cost information per instance and use this for reporting and budgeting purposes.

Presentation at EAMKON 2017

We will talk about the integration of the Alfabet EAM tool with AWS at the EAMKON 2017 conference in Stuttgart, 30th May 2017. Looking forward to seeing you there!

Would you like to know more…? If you’re interested in the big picture, refer to the first episode of our digitalization blogs, for enterprise architecture management see this list of posts.

Interested? Please, contact us: sales(at) For further information, please, visit our website.

Custom EAM Reporting with LeanIX

Enterprise Architecture Management (EAM) belongs to the most important organizational capabilities these days. As we showed earlier, EAM comprises the necessary methodologies and means for a prudent IT landscape planning based on an organization’s strategic (and digital) objectives.

EAM tools offer functionality to collect and correlate information about many aspects of your IT landscape (i.e. applications, components, information flows, business supports, business services, service products) and come with several reports and views to make this abundance of information visible and “digestible”.

Architecture management is most effective when the information collected in the EAM tool can be queried and displayed individually for all intended target groups. Each user (be it CIO, enterprise architect, application owner or else) gets exactly the information about the architecture that is most relevant for his/her tasks.

LeanIX is a relatively young member of the EAM tool group (compared to tools like Alfabet or ADOit). It is developed by the Germany-based LeanIX GmbH, is based on a very compact meta-model and is completely web-based.

It offers several reporting capabilities out of the box, e.g. application and project portfolios, cost reports, application and component landscapes, matrices and roadmaps and even a free-drawing capability.

Beyond that, LeanIX can be customized for the individual questions of an organization. It comes with an open interface (API) based on common web technologies (JavaScript, JSON etc.) which is used to integrate custom developed reports or also dashboards.

EAM 01 Leanix Reporting

For example: An IT transition project might need a specific view of only a section of the IT landscape, or one would like to analyze specific information about some applications (is the application business critical, which data protection requirements should the application fulfil etc.) in preparation for an IT project (as shown in the picture above).

We support you designing your EAM reporting: As certified LeanIX partner we help you identify the information needs of the various user groups, design the report, realize it and integrate it into your LeanIX workspace. Feel free to contact us: sales(at) For further information, please, also visit our website.

The Roadmap to Digitalization – Episode 5: Idea Workshops as Means of Innovation and Participation

Digital transformation or digitalization is widely discussed today. Digitalization offers an abundance of products based on new technologies and technological platforms that possess the capability to reshape business processes, organizational structure and ways of working. It holds the power to reshape complete business models or even overall market situations.

A few months back we already talked about a four-step approach to digitalization in which one step comprises an analysis phase where workshops are used to collect ideas and rethink business models. Today, we would like to elaborate on this step.

Innovation Phase with Idea Workshops

To find out what you can do in a particular field of digitalization in an organization – say mobility or big data analytics – you have to look two ways: There are the technological and market developments you need to consider. They offer new ways of doing work or new ways of work and business at all. And there are the people in the departments of the organization who know most of the daily processes, customers and applications.

We design our idea workshops to incorporate both sources of information:

  1. Introduction: Workshop participants get an introduction to the workshop topics and objectives. The customer project leader is invited to say something about how the workshop fits into the digitalization efforts of her/his organization.
  2. Impulses: We offer information related to the workshop topics in one or more keynotes. This could encompass a general introduction to digitalization (followed by a few lead questions), an overview of a specific digital topic (i.e. what is big data all about) or the presentation of new features of a specific software. Sometimes impulses are also given by customer subject matter experts or the project leader.
  3. Idea collection and discussion: The workshop participants are given time to think about ideas. Ideas are written on cards and collected on a pin board. Each person pinning a card to the pin board is asked to present her/his idea. If desired, ideas are collectively prioritized.

We have already performed several such workshops over the last year and a half and always ended up with a surprisingly high number of proposals. Most of the proposals were quite straightforward, offering ideas for quick win solutions making existing processes better. Some of the proposals were quite unorthodox – but we considered them valid nonetheless, because in today’s business world it’s the unorthodox business idea that wins the day.

Momentum for Change

Digitalization efforts – like all change efforts in an organization – should include and rely upon all members of an organization. They will be the ones to put the changes in strategies, services and processes into action.

We see these workshops as a means of participation and use them explicitly to include the people in the transformation process: They are allowed to think about their work, put it in different perspectives with the impulses given and make useful suggestions.

The customer’s organization management is called to follow up on the idea workshops with a transparent process about how and why the collected ideas are handled further – which of them are prioritized, which are realized in (pilot) projects and finally introduced to a department or the whole organization. In the workshops, we always experienced people willing to contribute and cooperate. This momentum can be made a strong support for changes driven by digitalization.

Interested? If you are interested in digitalization and enterprise architecture management, please, have a look at the other episodes in our blog and contact us: sales(at) For further information, please, also visit our website.

The Roadmap to Digitalization – Episode 4: Research Project «Digital Corporate Roadmapping»

Digital transformation or digitalization is widely discussed today. Digitalization offers an abundance of products based on new technologies and technological platforms that possess the capability to reshape business processes, organizational structures and ways of working. This, thus, holds the power to reshape complete business models or even overall market situations.

Numerous magazine and research articles, books and conferences on digitalization cannot disguise the fact (they rather underline) that digitalization still is a novel concept. Decision-makers struggle with the question what this concept means for their department, product or business and which measures need to be taken.

We as a consultancy company are called upon to put a great deal into researching digitalization. We already wrote about findings from a study in our recent episode. Today, we would like to continue introducing you to our research activities.

Research project «Digital Corporate Roadmapping»

For almost all sectors in business opportunities for changeover and redesign are offered by digitalization (e.g. data storage and processing technologies for big data analytics, web-based application platforms for the realization of elaborate cloud strategies, sensors, processing and analytics for predictive maintenance, methodologies for agile [project] management).

But how can organizations put these opportunities into practice? How does an organization start adequately into this comprehensive subject? Which areas of the organization should the CIO put focus on in concrete proposals?

In our research project «Digital Corporate Roadmapping» we would like to identify these areas of concern where companies see the greatest need for action. From this we would like to develop an approach for the coordination and control of digitalization activities in companies, a “digital roadmap”.

We will use the result from the research project to improve and amend our roadmapping approach we presented in our first digitalization blog episode. The approach is primarily intended for CIOs. It is intended to help them to develop concrete options for the digitization of their organization. It will enable them to support the business in the identification of new business models.

As a “digital roadmap” is only reliable if it comprises practical insights of those involved in digitalization, we will conduct expert interviews – e.g. with CIOs, enterprise architects, demand managers, business developers – with organizations from various sectors (automotive, energy, pharmaceuticals, etc.) within our study. Participants will benefit in two ways:

  • They will receive the complete results of the research project exclusively in written form. This will give them an insight into the developments on this current topic in general and in their respective business sector.
  • We will provide them with the results in a digitalization workshop in detail and discuss with them the implications for their organization.

Works on the study have already started and interviews will begin shortly. Evaluation and publication of the results is expected to happen in March or April 2017. We hope to share some of the results with you in the blog in early summer.

Interested? If you are interested in digitalization and Enterprise Architecture Management or in participating in our research project, please, contact us: sales(at) For further information, please, also visit our website.

The Road to Digitalization – Episode 3: Digital Practice

Digital transformation or digitalization is a widely (and wildly) discussed topic these days. Digitalization does not only offer an abundance of opportunities to reshape processes with new technology. It rather promises to change your company completely based on (data-driven) business models.

While we wrote about the general approach to digitalization and the Smart Scan for application architecture evaluation in the first two episodes, we would like to share some insights from practice with you today.

Market Study on Digitalization

In the above episodes we have already emphasized the importance of business strategy for each digitalization effort. Digitalization used solely as a means of introducing some arbitrary new technology to an organization grossly misinterprets the idea of the digital transformation. Digitalization will only have room for development when it is used to rethink and then reshape one’s business strategy and business model.

In order to get some ideas and directions on how to shape a business model in particular we conducted a study into the ways companies are addressing digitalization these days.

The study was realised by a team of students of the University of Applied Sciences and Arts Hanover (Germany). They investigated 18 German and international companies from various industrial sectors (automotive, engineering, retail). The investigation was based on publicly available material about the companies; with one company an interview was conducted.

Study Results (excerpt)

All companies show that simply selling the product that has been produced for years does not work any more. They both create new products (13 out of 18) and enhance existing products (5 out of 18).

New products are often software services, designed as a platform and offered in the cloud. These efforts are directed at the transparency of data:

  • Data from the original products (i.e. from a farmer’s harvester) are gathered, collected in the cloud and made available to the customer (i.e. the farmer) for better planning of work (i.e. the deployment of harvesters or grubbers or the analysis of work based on KPIs).
  • This is supplemented by adding more data sources to the cloud platform (i.e. from seed or fertilizer manufacturers).

Having established a platform like this, enhancements are possible in order to build an ecosystem of products and services around the original product: One engineering company from the sample usually sells sensors and the like, amongst others sensors for cars and car parks that are used by its customers to build parking management solutions. Data from the sensors are pushed to the company’s own cloud platform where it also offers an app one can use to retrieve the sensor data (e.g. to find a vacant lot).

It seems as if all of the examined companies are still struggling with digitalization, looking for the right initiative to realize and the right overall strategic way to go. In connection with that it is apparent that there is a lot of work to be done “on the inside”: speaking of business processes and data management. Customers will notice quickly if a new app is only some “digital front” or truly provides added value to them.


But apart from all digitalization efforts and business model discussions: Merry Christmas and a Happy New Year 2017!

Would you like to know more…? If you’re interested in the big picture, refer to the first episode of our digitalization blogs, for a quick-start check out the second episode. In the next episode we plan to give you an introduction to the innovation phase of our Digital Roadmap approach.
