Three Steps towards GDPR Compliance

In our last post we already talked about Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), which applies from 25 May 2018.

We stated that Enterprise Architecture Management (EAM) tools are a natural starting point for collecting and managing the data that are necessary for GDPR compliance.

To make proper use of this starting point we outlined a three-step approach. Today we would like to describe these three steps in more detail.

Step 1 – Inform

First of all it is necessary to get to know the GDPR and its requirements, both from a legal and from an IT point of view. This can be done in a one-day workshop.

Such a “GDPR Briefing” workshop should at least have the following items on the agenda:

  • Introduction to the topic of GDPR in a holistic manner
    • Legal perspective
    • Organizational perspective
    • IT perspective
  • Discuss the “need for action” for the company and identify main points
  • Derive first top-level recommendations for GDPR compliance implementation

We offer these GDPR Briefing workshops in cooperation with lawyers.

Step 2 – Define

In the next step the different perspectives on GDPR should be considered in more detail. On the legal side this means changes to contracts or end user license agreements; on the organizational side the establishment of new roles (e.g. a data protection officer) and the necessary overhaul of (especially) end user business processes. On the IT side, the readiness of the existing IT landscape for GDPR needs to be checked:

  • Analysis of the IT landscape regarding GDPR (in particular Article 30, the records of processing activities)
  • Evaluation of the GDPR Readiness from the perspective of IT
  • Recommendations for the implementation of GDPR with focus on IT

These “GDPR Readiness Checks” are usually performed as short projects and are used to prepare the final step.

Step 3 – Realize

Finally, the recommendations and defined measures need to be implemented. This should be based on a project plan derived from the “GDPR Readiness Check” and encompasses points like:

  • Set up and enhance the EAM tool for the GDPR use case
  • Import the necessary data
    • Applications and how they process business data
    • Servers where applications are deployed and their physical location
    • How applications support business capabilities and organizational units
  • Automate updates for these data in the EAM tool
  • Name responsibilities and incorporate the EAM tool in GDPR compliance processes
  • Train the people responsible for GDPR compliance

When it comes to setting up an EAM tool as the “golden source” for GDPR compliance, there is one obstacle that regularly hinders quick results: the amount of data that has to be collected about the existing IT landscape.

We offer various “remedies” for this particular obstacle: tools which automatically read a specific part of the IT landscape and make it visible in EAM tools, and thus documented for the purposes of GDPR:

  • Landscape Analyzer for SAP: This tool reads the basic data about entire ABAP-based SAP landscapes (systems, clients, interfaces). We are currently working on an enhancement to also gather interfaces between SAP systems and non-SAP systems via SAP PI.
  • AWS integration: Servers running as virtual machines in the Amazon cloud (the Elastic Compute Cloud [EC2] service of Amazon Web Services), together with the region they run in, can be read via this tool and automatically imported into an EAM tool.


Do you have questions or comments? Feel free to let us know what you think about this approach and whether it makes sense to you. Let us know if you have questions the post did not cover deeply enough. We’re glad to help: sales(at)cti-consulting.de.

Realize GDPR Compliance with Enterprise Architecture Management

Data protection becomes more and more important in a world where many aspects of life are supported by IT systems that process personal data, and where a lot of organizations run such systems.

General Data Protection Regulation (GDPR)

With Regulation (EU) 2016/679 of the European Parliament and of the Council, data protection becomes a prominent issue for all organizations operating inside the European Union. That is because both the information rights of individuals (data subjects) towards organizations and the reporting and disclosure obligations of organizations have been extended. Some examples:

  • Consent: Stronger conditions apply as to how consent for the processing of personal data is given (Article 7).
  • Breach notification: Personal data breaches (loss, theft or unauthorized access) must be notified to the supervisory authority (Article 33) and, where the breach is likely to result in a high risk, to the affected data subjects (Article 34).
  • Subject access: Data subjects can demand information on whether and how their personal data is processed by an organization (Article 15) or demand that their data be ported to another provider (Article 20).
  • Right to be forgotten: Data subjects can demand that their data be erased (Article 17) or that the processing of their data be restricted (Article 18).
  • Data governance: Measures to ensure data governance must be put in place, e.g. data protection impact assessments (DPIA, often still called privacy impact assessments), audits, or the appointment of a data protection officer.

Disregard of the new legislation can lead to severe penalties. GDPR Article 83 provides for administrative fines of up to 20 million euros or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In order to reach compliance with GDPR, a lot of information about all data handling activities and the data processed needs to be collected, analyzed and made accessible. Action must be taken now, as the regulation applies from 25 May 2018.

Enterprise Architecture Management supports GDPR Compliance

Enterprise Architecture Management (EAM) is the part of IT management that deals with documenting the existing IT landscape, defining standards and planning the future IT landscape. As this task needs to collect and maintain a lot of meta data about the IT of an organization, EAM is usually tool-based.

EAM tools like Alfabet (Software AG) or LeanIX (LeanIX GmbH) can support organizations in gaining GDPR compliance for various reasons.

First of all, these tools already come with a lot of information about the IT that is relevant for GDPR:

  • Documented applications show where (inside and outside of an organization) data are processed and how.
  • Information Flows describe how data are exchanged between applications.
  • Catalogues of business data define the categories of data used by applications and business processes.

Such repositories are easily extended with the information specific to GDPR and thus lead to a much more complete view of an organization’s data processing activities.

EAM tools also provide strong reporting capabilities. Alfabet, for instance, offers among others the following reports and views:

  • Applications and their interrelation via information flows can be made visible using information flow diagrams.
  • Data processing activities (create, read, update, delete) are listed in so-called CRUD matrices.
[Figure: Example of a CRUD matrix in Alfabet]
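The following is an added, self-contained illustration of how the repository data listed above (applications, the servers and regions they run on, a business data catalogue, information flows and CRUD-style processing activities) can be joined to answer GDPR questions. It is not code from CTI, Alfabet or LeanIX, and the sample repository is constructed for this post. Two assumptions are built in and labelled in the code: server location is stored as an AWS-style region name, and a region whose name starts with "eu-" is treated as inside the EU/EEA (whether a location is adequate under GDPR is a legal question, not a string prefix); and an information flow into an application that records no processing activity for that data category is reported as a gap in the Article 30 records.

```python
"""Added example: deriving a CRUD matrix and two GDPR checks from
EAM-style repository data. Not the code of any EAM tool; all data below
is constructed for illustration."""

from collections import defaultdict

# Constructed sample repository -------------------------------------------
# Assumption: the EAM tool stores the hosting location as an AWS region name.
APPLICATIONS = {
    "CRM":       {"owner": "Sales",     "servers": ["ec2-eu-1"]},
    "Billing":   {"owner": "Finance",   "servers": ["ec2-eu-2"]},
    "Analytics": {"owner": "Marketing", "servers": ["ec2-us-1"]},
}
SERVERS = {
    "ec2-eu-1": {"region": "eu-central-1"},
    "ec2-eu-2": {"region": "eu-west-1"},
    "ec2-us-1": {"region": "us-east-1"},
}
# Business data catalogue: category -> does it contain personal data (GDPR Art. 4(1))?
DATA_CATALOGUE = {
    "CustomerMaster":   True,
    "Invoice":          True,
    "ProductCatalogue": False,
}
# Processing activities: (application, data category, CRUD operations performed)
ACTIVITIES = [
    ("CRM",       "CustomerMaster",   "CRUD"),
    ("Billing",   "CustomerMaster",   "R"),
    ("Billing",   "Invoice",          "CRU"),
    ("Analytics", "CustomerMaster",   "R"),
    ("Analytics", "ProductCatalogue", "R"),
]
# Information flows: (source application, target application, data category)
FLOWS = [
    ("CRM",     "Billing",   "CustomerMaster"),
    ("CRM",     "Analytics", "CustomerMaster"),
    ("Billing", "Analytics", "Invoice"),   # Analytics records no processing of Invoice
]

# Assumption: AWS regions named "eu-*" count as EU/EEA. Real adequacy is a legal call.
EU_REGION_PREFIX = "eu-"


def crud_matrix(activities):
    """Build {data_category: {application: normalized CRUD string}}."""
    matrix = defaultdict(dict)
    for app, category, ops in activities:
        # normalize to C/R/U/D order and drop anything unexpected
        matrix[category][app] = "".join(op for op in "CRUD" if op in ops.upper())
    return dict(matrix)


def render_crud(matrix):
    """Plain-text CRUD matrix: one row per data category, one column per application."""
    apps = sorted({app for row in matrix.values() for app in row})
    header = "data / app".ljust(18) + "".join(app.ljust(11) for app in apps)
    rows = [
        category.ljust(18) + "".join(matrix[category].get(app, "-").ljust(11) for app in apps)
        for category in sorted(matrix)
    ]
    return "\n".join([header] + rows)


def non_eu_personal_data(activities, applications, servers, catalogue):
    """Personal-data categories processed by an application hosted outside the EU/EEA.
    Returns (application, category, server, region) tuples."""
    findings = []
    for app, category, _ops in activities:
        if not catalogue.get(category, False):
            continue  # not personal data, no GDPR location concern
        for server in applications[app]["servers"]:
            region = servers[server]["region"]
            if not region.startswith(EU_REGION_PREFIX):
                findings.append((app, category, server, region))
    return findings


def unrecorded_flows(flows, activities):
    """Flows whose target application has no processing activity recorded for
    that data category: data arrives, but the Art. 30 record does not say
    what is done with it."""
    recorded = {(app, category) for app, category, _ops in activities}
    return [flow for flow in flows if (flow[1], flow[2]) not in recorded]


if __name__ == "__main__":
    print(render_crud(crud_matrix(ACTIVITIES)))
    print("\nPersonal data processed outside the EU/EEA:")
    for finding in non_eu_personal_data(ACTIVITIES, APPLICATIONS, SERVERS, DATA_CATALOGUE):
        print("  %s processes %s on %s (%s)" % finding)
    print("\nInformation flows without a matching processing record:")
    for source, target, category in unrecorded_flows(FLOWS, ACTIVITIES):
        print("  %s -> %s: %s" % (source, target, category))
```

The two checks show the point of the post in concrete terms: the CRUD matrix alone only says who touches which data, but joining it with the server and region records turns it into the question an Article 30 record must answer (where is personal data processed, and by whom), and comparing it with the information flows surfaces data that is received by an application without any documented processing. In a real EAM repository the same joins run over the imported application, server and flow data rather than the constructed dictionaries above.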


Methodical Setup of GDPR compliance

We support your organization in realizing GDPR compliance in a three-step approach:

  1. Inform: Get to know the GDPR and its requirements from the legal and the IT point of view in a one-day workshop.
  2. Define: Define the measures that need to be taken based on your individual requirements (e.g. how to configure EAM tools to provide the information needed for GDPR, how to change processes to incorporate GDPR steps, etc.).
  3. Realize: We help you to implement the measures defined in step 2. Among other things, we set up and enhance your EAM tool for the GDPR use cases from step 2 and import the necessary data. We offer various tools to automate the retrieval of data about the IT landscape, e.g. our Landscape Analyzer for SAP systems and our integration for Amazon Web Services (AWS).


Would you like to know more? For further information, please visit our web page on GDPR. Feel free to contact us: sales(at)cti-consulting.de.