GDPR goes into effect on May 25, 2018. Any organization that captures personal data of individuals in the EU will be subject to these compliance requirements or risk fines of up to 20 Million Euro or 4% of its annual worldwide turnover from the previous year.
Recently Sultan Shiffa produced an excellent whitepaper, "Governing GDPR Challenges with Enterprise Data Architecture". As I was reading it I started to put together a list of things to think about, or questions to ask, regarding each section he addressed.
Here is my revised version of a diagram (created in ER/Studio Business Architect) that Sultan used in his white paper:
Let's look at each task individually.
SET UP DATA PROTECTION OFFICER
Each organization needs to set up a Data Protection Officer to address GDPR issues.
- Data Protection Officers have expert knowledge of data protection law
- They are like Compliance Officers, but they are experts on:
  - IT processes
  - Data security
  - Continuity issues regarding holding and processing personal information
- They are responsible for cooperating with the supervisory authority
CREATE ORGANIZATIONAL AWARENESS AND PRODUCE GUIDELINES
It's essential that your organization knows how you intend to address GDPR.
- Your organization should be aware of the GDPR regulations and how they impact data
- You should produce guidelines or procedures that identify what to do with personal information across your systems
- Processes and procedures regarding GDPR regulations and personal information should be available throughout the organization
- Engage your employees to help to create your processes if you have not already done so
ANALYZE DATA ACROSS ALL APPLICATIONS, DATA MODELS AND DATABASES
You should review the data across your organization to identify where personal data is stored.
- Which servers and/or databases contain personal data?
- Which columns or rows can be marked as containing personal data?
- Which systems are involved in storing or moving sensitive data?
- Who has access to what elements of data in the database system?
- What elements and features of the database systems can be accessed and potentially exploited to gain access to those systems?
- Where does the data go when it leaves your systems?
REVIEW EXISTING PROCEDURES THAT PERTAIN TO GDPR
You should review what procedures you already have in place with regard to GDPR, as well as where those processes need to be updated.
- How can I be more transparent about what activities are carried out on personal data?
- How do I create evidence that I am in compliance?
- How do I ensure that all of my processes and procedures are kept up to date?
- How do I ensure that all of my processes and procedures are being followed?
REVIEW DATA PRIVILEGES AND ACCOUNTABILITIES
You should know who has access to what information in your system.
- How can I ensure that the right people are accessing the information?
- What do I need to do to limit who can access the sensitive data?
- Who is accountable for the different aspects of personal information?
- How can I keep track of who has accessed sensitive data?
DOCUMENT AND MANAGE INDIVIDUAL RIGHTS
You should know how you will address each of the items covered under individuals' rights.
- Step through the individuals' rights (Articles 12–23) and identify how you plan to address them:
  - Right to access their personal data
  - Right to rectification (correcting inaccurate information)
  - Right to erasure (the right to be forgotten)
  - Right to restriction of processing
  - Right to data portability
  - Right to object
  - Right not to be subject to a decision based solely on automated processing or profiling
- Keep records of what customers have consented to and when they consented to it
DEFINE DATA BREACH PROCESS
Everyone in your organization should know what their role is if a data breach occurs.
- Which security controls are in place to protect the data?
- What levels of encryption are in place?
  - While in transit between systems
  - While at rest in my system
  - While in use by my system
- When do I need to make my data available?
- What mechanisms are in place to prevent data loss?
- How do I detect a breach with my data?
- How can I respond to a breach that has occurred?
DEVELOP DATA IMPACT ASSESSMENT
You should know the risks in your organization as well as the impact of those risks.
- What are the impacts of unintended data changes?
- What are the risks associated with unintended data changes?
- Where are data elements used across applications and databases?
- How will you ensure that compliance with these procedures continues?
- What are the risks of falling behind on compliance?
HOW CAN ER/STUDIO BUSINESS ARCHITECT HELP?
GDPR requires that you have all of your processes documented. ER/Studio Business Architect allows you to create Business Process Models and to document those processes, complete with External Data Objects.
The act of creating Business Process Models allows employees across the organization to identify where they are impacting personal data.
Checking these models into the Repository via ER/Studio Enterprise Team Edition and publishing them to Team Server lets you post these processes so the whole organization has visibility into them. Additionally, as these processes are updated they are immediately available for all to see.