
Enterprise Architects: Critical Resource for GDPR Compliance

The primary goal of digital transformation is to improve an enterprise’s focus on its customers. Given the complexity of today’s digital enterprises, however, there are often additional priorities that are every bit as important, if not as strategic, as customer focus.

In particular, the primary business driver of digital transformation is frequently regulatory change. Regulatory compliance is essentially a risk mitigation business driver. Furthermore, compliance with new or changed regulations typically comes with a firm deadline.

In the case of the General Data Protection Regulation (GDPR), regulatory change is driving cross-organizational transformation at companies in Europe and around the globe.

At the same time, such efforts also improve those firms’ focus on their customers as well, as the GDPR mandates how companies deal with information about any EU citizen – in particular, their customers. GDPR compliance is thus adding additional urgency to transformation efforts that are already strategic to the enterprise.

About the GDPR

GDPR Compliance on Atoll SAMU (Source: Atoll Technologies)

The GDPR is the European Union’s legal framework for the privacy and protection of the personal data of all EU citizens. Once the May 2018 deadline for implementing the regulation passes, it will apply not just to European companies, but to any company anywhere in the world that has information about EU citizens.

The GDPR thus establishes ground rules for any company that holds or processes personal data of such citizens. It requires companies to maintain records of data processing activities, appoint Data Protection Officers (DPOs), conduct privacy impact assessments, and implement enhanced transparency in the form of privacy notices and consent forms, and it requires them to honor the rights of EU citizens to be forgotten and to move their data from one company to another.

The penalties for non-compliance can be draconian – up to €20 million or 4% of a company’s annual worldwide turnover. The regulation supersedes all relevant national laws within EU countries, and extends the scope of the current EU data protection law to all foreign companies processing EU citizens’ data.

There are many facets to the GDPR, but the minimum mandatory requirements include maintaining accurate records of all sensitive personal data storage and processing, implementing processes that account for personal data privacy, and the ability to demonstrate to regulators that the company has put forth a ‘best effort’ to comply with the GDPR.

Enterprise Architects’ Essential Role

Although the DPO is primarily responsible for compliance with and implementation of the GDPR, this individual will need a team of specialists to be successful. The Enterprise Architect (EA) plays a critical role on this GDPR compliance team.

In particular, EAs can help answer important questions based upon an updated EA repository, such as the one that Atoll SAMU offers.

Some of these questions apply directly to personal data:

  • How is the organization collecting personal data?
  • Where do personal data reside in the organization?
  • Where does the organization intend to store personal data?

Other questions focus more on business processes involving personal data, for example:

  • How is the organization implementing personal consent mechanisms like opting out?
  • How do personal data move through the organization? Where do they go?
  • How and where does the organization process personal data?
  • How is the organization dealing with the confidentiality of personal data? For example, does it have a means to pseudonymize such information?

A third set of questions focuses more on individuals and their roles:

  • Who is the DPO and how will they execute their role?
  • Who within the organization owns the processes involving personal data?

Given the diversity of such questions, EAs are particularly well-suited to support the DPO’s efforts because they have broad visibility into the business, the technology, and the data within the organization.

EAs can support the DPOs they work with by providing insights into all processes, applications, and data that are relevant to GDPR compliance. Furthermore, they can offer information on data objects, data flows, and associated responsibilities.

EAs are also well-situated to draw attention to risks and potential compliance breaches. Outside of the GDPR compliance team, EAs can also help technology owners identify technology risks and prepare preventative measures within the scope of their responsibility.

In fact, this risk identification role for EAs is especially important for the data protection impact assessment (DPIA), which organizations must perform before they deploy a new technology.

Additionally, EAs can be instrumental in defining application development guidelines that conform to the principles of data protection. Such guidelines will naturally apply to developers, but they also apply to system architects, database architects, security analysts, and other personnel who must be up to speed on how GDPR affects their roles.

Finally, EAs are well-situated to ensure continuous compliance with GDPR, and therefore they serve a critical day-to-day role within the processes that the regulation impacts.

The Intellyx Take

As with all compliance mandates, it is insufficient simply to be compliant with GDPR. Every organization must also be able to prove that it is compliant.

In other words, in addition to the rules about collecting, using, and managing data on EU citizens, the GDPR also establishes corresponding rules for information on how each company is complying with the regulation, for example, compliance auditing processes and requirements.

In addition, compliance is never static. Today’s world is extraordinarily dynamic, and the rate of change is only increasing. Such change complicates the GDPR compliance challenge.

Adequate compliance today may not mean adequate compliance tomorrow. In such turbulent environments, Enterprise Architecture is instrumental to facilitating continuous governance and compliance within a context of flexible control.

Furthermore, an Enterprise Architecture collaboration tool and repository like SAMU is an essential tool in the toolbelt of EAs as they support the DPO and the rest of the organization. Such a tool also provides essential visibility to auditors who must determine the level of compliance within an organization.

In the final analysis, GDPR compliance touches many different people across a wide range of processes and supporting technologies within any company. EAs are well-positioned to coordinate the necessary communication and collaboration in order to avoid the organizational and technological silos that are so common in large organizations, and yet anathema to successful implementation of a GDPR compliance effort.

Without an effective EA role, the GDPR compliance effort will face unnecessary risks – which might lead to a costly mistake.

Copyright © Intellyx LLC. Atoll is an Intellyx client. At the time of writing, none of the other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this paper.


More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).
