This week’s post is the last in our GDPR series. In it, we are going to look at how enterprise architecture can help you ace the race to compliance and also stay on the right side of the regulation once it comes into force. That’s because EA professionals, as you will hopefully come to see, are distinctly well-positioned to play a core role in any regulatory program. In fact, they represent an opportunity that no security officer or team worth their salt should leave untapped. Interested? Then without further ado, here is how to leverage your EA team to successfully achieve GDPR compliance.
To begin with, ask your architects to pinpoint all the personal data handled by your company. Since many of the new requirements basically boil down to knowing what, where, when and why you collect personal data, it is imperative you have access to a clear, enterprise-wide data landscape. The EA team are the best people to do this, and depending on how mature your practice is, there may already be valuable architectural resources available for them to build on. Once this is completed, you should demand that relevant attributes be attached to this data, such as degree of sensitivity, purpose, and whether you have consent to use it. Categorization will prove key in abiding by the privacy-by-design provision and also when prioritizing later on.
The next step is to have your EA team create comprehensive architectural models reflecting the entire data lifecycle. In other words, they should supply the compliance team with an outline of the data flow both inside and outside the organization (think third-party processors, for instance). Knowing what data your organization deals with is good, but seeing exactly how it moves is even better. When you have a clear image of the data routes, leverage the classification from earlier. This will produce a valuable map of where the greatest risk to your customers’ personal data (and your operations) lies.
At this point, you should consider prioritizing. It’s highly unlikely that you will be able to address every single problem, which is why you should select the most high-risk areas identified by the EA team and make them your first order of business. Architects can be put to great use here, too. Following mainstream security standards and frameworks, e.g. COBIT 5, they should be able to establish controls and identify mitigation tactics for the most vulnerable sections. Having these in place will demonstrate to regulators that you are exercising due diligence.
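As an added illustration (not code from the original post), here is a minimal data-inventory and flow model that carries the three steps above through: each asset carries the sensitivity, purpose and consent attributes, each route records whether it leaves the organization, and a score per flow yields the risk map and the prioritized short list. The sensitivity scale, the weights and the sample assets and flows are all constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal weights for the "degree of sensitivity" attribute (constructed scale).
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "special_category": 4}

@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitivity: str   # one of the SENSITIVITY keys
    purpose: str       # why the data is collected
    consent: bool      # whether a valid consent is on record

@dataclass(frozen=True)
class DataFlow:
    asset: str         # DataAsset.name
    source: str
    destination: str
    external: bool     # True when the data leaves the organisation (third-party processor)

def flow_risk(asset, flow):
    """Combine classification with route: an external hop doubles the
    sensitivity weight and a missing consent adds a flat penalty (assumed weights)."""
    score = SENSITIVITY[asset.sensitivity]
    if flow.external:
        score *= 2
    if not asset.consent:
        score += 3
    return score

def risk_map(assets, flows):
    """Every flow paired with its score, riskiest first: the 'map' the post describes."""
    by_name = {a.name: a for a in assets}
    scored = [(flow_risk(by_name[f.asset], f), f) for f in flows]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)

def prioritize(assets, flows, top=2):
    """The routes to put first on the action list."""
    return [f"{f.asset}->{f.destination}" for _, f in risk_map(assets, flows)[:top]]

# Constructed sample inventory and flows (not real systems or data).
ASSETS = [DataAsset("customer_email", "confidential", "marketing", True),
          DataAsset("health_record", "special_category", "claims_handling", True),
          DataAsset("browsing_history", "internal", "analytics", False)]
FLOWS = [DataFlow("customer_email", "CRM", "MailingVendor", True),
         DataFlow("customer_email", "CRM", "BillingApp", False),
         DataFlow("health_record", "ClaimsApp", "DataWarehouse", False),
         DataFlow("browsing_history", "WebShop", "AnalyticsSaaS", True)]

for score, f in risk_map(ASSETS, FLOWS):
    print(f"{score:2d}  {f.asset:17s} {f.source} -> {f.destination}")
```

Note that the unconsented analytics export outranks the health record that never leaves the organization: combining the route with the classification, rather than the classification alone, is what surfaces it.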
Now, once those controls are in place, what do you do? Well, it’s time to think budgets and, perhaps even more importantly, to find the optimal way of reconciling future investments with your current situation on the ground. As such, ask the architects to adjust your organizational roadmap so it reflects your newly discovered priorities. You may not have to ask them, as they may be busy at it anyhow, but ensure they do so in any case! In practice, the effect of this will be things like clamping down on future investments in a technology that is deemed highly risky for poor return; stopping the renewal of a license for an application about to be phased out because of significant security concerns; or even challenging a business development initiative that presents many privacy challenges under the GDPR.
The bottom line is that your compliance team is going to get hold of some really useful reports from the EA department, which can then be used to create a highly targeted action list, i.e. a list of the measures that will provide the largest positive security impact for the least amount of money. And that’s exactly what you want, especially if you are an organization that is struggling behind the curve to solve your data privacy issues before the regulation kicks in. By the way, the outputs that architects regularly create are ideal for the new mandatory privacy risk impact assessments. You should be able to easily tick the box on this requirement by working in partnership with the EA department to define a set of reports and dashboards that are regularly supplied to the team in charge of data privacy.
OK, say you more or less followed these steps and you find yourself in the position to carry out the necessary changes. You might think – job done, thank you very much! Well, that’s not exactly right. There’s one last area where enterprise architecture will give you a helping hand, and that’s with demonstrating compliance, a key GDPR requirement that often gets left out in many companies. Yes, as it stands, the regulation mandates that you not only bake your cake but also take a photo of it and share it with all your friends, so to speak.
Well, in this case EA is very valuable yet again because it specializes in providing graphical evidence that depicts the structure of complex systems. It cuts through complexity. Consequently, when the time comes and the auditor asks you for a risk score of your application landscape, you can bring forward a clear, professional-looking report that answers all the questions immediately and makes you and your organization look on top of the data security game.
This brings us to the end. I hope it’s clear now why EA should sit at the core of your GDPR compliance program. If this made sense, there’s a chance you might benefit from seeing a mature EA solution in action, but you can decide for yourself. Until next week, take care!