The Definitive Guide to GDPR

Posted by Laura Mauersberger on December 11, 2017


What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The main purpose of the GDPR is to provide a single set of data protection rules protecting the personal data of individuals in the EU (the regulation speaks of "personal data" rather than Personally Identifiable Information (PII), and its protection attaches to data subjects who are in the EU, not only to EU citizens).





As data breaches become more common, the European Parliament, the Council of the European Union and the European Commission have adopted this regulation to strengthen and unify data protection for all individuals residing within the European Union. This set of standardized data protection rules extends unprecedented rights to the data subject: the right to access and obtain their personal data, the right to be forgotten, and the right to receive a digital copy of the personal data concerning them (data portability).

The GDPR also sets specific standards for organizations to uphold; those that fail to comply face the highest penalties in data protection history. One key concept is 'privacy by design': from the enforcement date, May 25th, 2018, organizations are legally required to build data protection into systems from the start of their design, rather than adding it as a late amendment.

The EU GDPR also brings about organizational and compliance requirements. Learn more about the GDPR in this definitive guide below.

What you need to know about GDPR

Key Changes Under GDPR:
Increased Territorial Scope
Arguably the most significant change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

Penalties
The EU GDPR fines are the highest penalties yet for data protection (see the breakdown below).

Consent
The GDPR strengthens the conditions for consent. Companies will no longer be able to use 25-page terms and conditions documents full of complicated jargon and legalese to obtain consent from their data subjects.

Breach Notification
Under the GDPR, breach notification becomes mandatory in all member states where a data breach is likely to "result in a risk to the rights and freedoms of individuals." The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33); where the breach is likely to result in a high risk, the affected data subjects must be informed as well (Art. 34).

Right to Access
The right for data subjects to question the data controller as to whether or not personal data concerning them are being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

Data Portability
The right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'structured, commonly used and machine-readable format', and the right to transmit that data to another controller.

Privacy by Design
Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an afterthought.

Data Protection Officers
Your organization may be required to appoint a Data Protection Officer. Learn more about this role below.

What are the GDPR penalties

The penalties for noncompliance are very steep. Here is the penalty breakdown within the regulation (Art. 83):

Fine: up to 10,000,000 Euros or 2% of your company's total worldwide annual turnover of the preceding financial year, whichever is higher, for offenses related to:

  • Child consent;
  • Data processing, security, storage, breach, breach notification;
  • Transfers related to appropriate safeguards and binding corporate rules; and
  • Transparency of information and communication.

Fine: up to 20,000,000 Euros or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for offenses related to (Art. 83(5)):

  • The basic principles for processing, including the conditions for consent;
  • The data subjects' rights (access, erasure, portability and the others listed above);
  • Transfers of personal data to a recipient in a third country or an international organization; and
  • Non-compliance with an order or a limitation on processing imposed by a supervisory authority.

Which penalties apply to my organization?

  • If you fail to comply with any of the GDPR provisions, the applicable maximum is whichever number is greater: the fixed amount or the percentage of turnover. Turnover here means the undertaking's total worldwide annual turnover of the preceding financial year. Separately from administrative fines, a data subject who has suffered material or non-material damage from an infringement can claim compensation from the controller or processor (Art. 82).

What does GDPR mean for the U.S.

Contrary to what the name suggests, the GDPR does not only affect businesses located in continental Europe. The impending regulation is a top concern for US companies too: some 77% of companies surveyed are willing to spend $1 million or more on GDPR readiness plans, or worse, to shut down their European operations to protect themselves from expensive penalties.

The EU GDPR directly affects any firm worldwide that processes the personal data of individuals in the EU, including European e-commerce customers and companies with satellite offices staffed with European employees.

Regardless of an organization's location, the GDPR demands organizational changes, stricter application management, and increased transparency in how data is stored and managed. Simply knowing where personal data is stored, how to access it quickly, and how to modify or delete it in response to a customer's request sounds like a simple directive, but it can be tricky to operationalize for a US business that operates globally.

What industry leaders are saying about GDPR

“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organizations often process a lot of personal data, and the reputation and liability risks are just as real."

- Elizabeth Denham, UK Information Commissioner at ICO

“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation (GDPR), going into effect in April 2018. The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for US companies that offer goods and services to EU citizens.”

- Jay Cline, PwC’s US Privacy Leader

How does GDPR affect you and your organization

A major challenge for businesses is doubtless the implementation of data subjects' rights, that is, the rights of the people whose data they are storing.

There are six major areas that companies will have to consider:

  1. Data protection through technology (Art. 25 GDPR)

Companies are required to define internal strategies and initiate steps to ensure data protection through technology (by design) and as a standard approach (by default). Possible measures include minimizing and pseudonymizing the processing of personal data. Furthermore, transparency must be established with regard to the functions and the processing of personal data, data subjects must be allowed to monitor the processing of their data, and the persons responsible for processing must be enabled to create and enhance security functions.

What measures have you already implemented, and what measures are still needed?
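As an added example of the two technical measures the paragraph names, pseudonymization and data minimization (illustrative code written for this guide, not LeanIX code and not an implementation the regulation prescribes; the "analytics" purpose, the field names and the sample record are constructed), the following shows why an unkeyed hash of an identifier is not a pseudonym, how a keyed token with a separately held key behaves instead, and how a purpose-bound field whitelist keeps unneeded data from leaving the system of record:

```python
"""Data protection by design and by default (Art. 25): pseudonymization and
data minimization. Added example for this guide; the purpose, field names and
sample record below are constructed, not taken from any real system."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Fields the (hypothetical) analytics purpose actually needs. Everything else
# is dropped before a record leaves the system of record (protection by default).
ANALYTICS_FIELDS = {"country", "plan", "signup_year"}


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the address. Looks opaque, but anyone can hash
    candidate addresses and compare (see dictionary_attack below)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored apart from the data set.
    Without the key the token cannot be linked back to the address, which is
    the separation Art. 4(5) requires of pseudonymization."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def minimise(record: Dict, allowed: Iterable[str]) -> Dict:
    """Keep only the fields the stated purpose needs (Art. 25(2))."""
    allowed = set(allowed)
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymize_for_analytics(record: Dict, key: bytes) -> Dict:
    """The record that may be handed to the analytics purpose: minimized
    fields plus a keyed token instead of any direct identifier."""
    out = minimise(record, ANALYTICS_FIELDS)
    out["subject_token"] = keyed_pseudonym(record["email"], key)
    return out


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identify an unkeyed hash by hashing guesses until one matches."""
    for cand in candidates:
        if naive_pseudonym(cand) == token:
            return cand
    return None


def build_reidentification_index(records: Iterable[Dict], key: bytes) -> Dict[str, str]:
    """Token -> address mapping the controller keeps under separate access
    control, so that an access or erasure request can be resolved to the
    analytics rows belonging to the requesting data subject."""
    return {keyed_pseudonym(r["email"], key): r["email"] for r in records}


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "email": "Alice@Example.com",
    "name": "Alice Example",
    "phone": "+49 30 0000000",
    "country": "DE",
    "plan": "pro",
    "signup_year": 2017,
}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from a KMS/HSM, never stored beside the data
    shared = pseudonymize_for_analytics(SAMPLE_RECORD, key)
    print("record handed to analytics:", shared)

    guesses = ["bob@example.com", "alice@example.com"]
    print("unkeyed hash re-identified as:",
          dictionary_attack(naive_pseudonym(SAMPLE_RECORD["email"]), guesses))
    print("keyed token re-identified as:",
          dictionary_attack(shared["subject_token"], guesses))

    index = build_reidentification_index([SAMPLE_RECORD], key)
    print("controller resolves token to:", index[shared["subject_token"]])
```

The design point is the separation: the analytics store holds neither the key nor the index, so a compromise of that store alone yields no identities, while the controller can still honour access and erasure requests through the index. Using a different key per purpose also prevents two data sets from being joined on the token.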

  2. Accountability (Art. 5 GDPR)

Companies are required to ensure and demonstrate adherence to data protection regulations, for example through certification. 

Has your company introduced a data protection program, and is your company able to demonstrate that it meets GDPR requirements?

  3. Notification requirements (Art. 33 GDPR)

Companies are required to report personal data breaches (e.g. resulting from hacking attacks) to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Art. 33); where the breach is likely to result in a high risk for the affected data subjects, they must be informed as well (Art. 34). Failure to notify falls into the lower fine tier of up to 10 million euros or 2% of the company's total worldwide annual turnover, whichever is higher (Art. 83(4)).

Are corresponding processes implemented in your company to meet this requirement in a timely manner?

  4. Data protection officer (Art. 37–39 GDPR)

Appointing a data protection officer becomes mandatory for public authorities and for companies whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data (the exact conditions are listed below); other organizations may appoint one voluntarily. According to the GDPR, the data protection officer's responsibilities include informing and advising the data controller or processor and the employees who carry out processing; monitoring compliance with the GDPR and national data protection provisions; awareness raising and training; providing advice as regards the data protection impact assessment and monitoring its performance; and cooperating with the supervisory authority.

Do you know who your company's data protection officer is?

  5. Data protection impact assessment (DPIA, Art. 35 GDPR)

A DPIA must be performed prior to the processing "[...] where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons [...]" (Art. 35(1)). The controller, advised by the data protection officer, analyzes the risks of the processing together with the technology owners, documents the measures taken to address them, and, if a high residual risk remains, consults the supervisory authority before the processing starts (Art. 36).

Does your company regularly conduct data protection impact assessments for new technologies?

  6. Penalties and fines (Art. 83–84 GDPR)

More severe fines and penalties are designed to deter companies from infringing data protection regulations and to make companies more aware of the fact that such offenses also violate the EU Charter of Fundamental Rights. Fines of up to 20 million euros or, for companies, up to 4% of total worldwide annual turnover in the preceding business year, whichever is higher, may be levied. Other corrective measures, such as orders to end infringements and temporary or permanent bans on data processing (Art. 58), and further penalties laid down by member state law, such as seizure of profits, may also be imposed (Art. 84).

Have you invested appropriately in your IT landscape in order to avoid such fines?

Does your company need to hire new people to deal with GDPR

There is a bit of confusion as to which companies are required to hire a Data Protection Officer (DPO). Data Protection Officers (Articles 37–39) are to ensure compliance within organizations.

They have to be appointed:

  • for all public authorities, except for courts acting in their judicial capacity
  • if the core activities of the controller or the processor consist of
    • processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
    • processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10

Are you and your company ready for GDPR

LeanIX has put together a simple yet informative quiz to test your company's compliance level. We will help you gauge your compliance level in 6 simple questions. 

What role do Enterprise Architects play in GDPR

Although the data protection officer is the primary person responsible for compliance with and implementation of the GDPR, Enterprise Architects (EAs) are ideally placed to play a pivotal role in this implementation.

EAs offer data protection officers insights into all processes, applications, and data, and provide the necessary information on data objects, data flows, and responsibilities. Enterprise Architects also point out potential risks and compliance breaches. They can help those responsible for a specific technology (e.g., for an application, an interface or a data object) to identify technical risks and prepare preventative measures. This is especially relevant for the data protection impact assessment (DPIA), which must be completed before the processing in question starts, i.e. before a new technology goes live.

As an Enterprise Architect, you should ensure that you communicate with the responsible data protection officer and coordinate all necessary steps.

How can Architects help with GDPR compliance

Successfully preparing your business for the GDPR will require a lot of architectural work. A study found that companies consider ensuring data quality (73%) and handling data complexity (67%) to be the most significant obstacles to GDPR compliance. Enterprise Architects provide access to exactly this information. They act as an interface to numerous stakeholders and can answer almost any question that contributes to GDPR compliance. The prerequisite is that the Enterprise Architecture work is well established, architectural best practices are applied, and modern tools are used. Of course, EAs cannot cover all the requirements of the GDPR; close cooperation between the key managers is therefore indispensable. An initial overview of the various data protection criteria and the interfaces to critical managers can be found in the LeanIX GDPR Requirements Catalog. This catalog also shows where and how an EA tool can help with GDPR implementation and when it is advisable to consult the data protection officer and the technology owners.

Bonus content

EAs should follow 5 easy steps towards successful GDPR compliance. 

1. Contact GDPR stakeholders

Contact other GDPR stakeholders to coordinate your next steps: in many organizations, EAs do not have final responsibility for compliance with legal regulations. This responsibility may lie with your legal department, the chief risk officer, the chief compliance officer, the chief information security officer or the data protection officer. Contact these people to coordinate your actions.

2. Identify personal data

Creating a data inventory is crucial to meeting the requirements of the GDPR documentation. The key to GDPR compliance is having a clear overview of your data - how your company processes it, where it is stored, and how to quickly access it to make key changes. Collecting this information can be a daunting and time-consuming task, and you may not have all of the information that you need.

LeanIX Survey gives you the tools to answer many key GDPR compliance questions, such as: "Who is responsible for the processing of personal data? Which applications use these data? Are they additionally processed and stored outside the EU?" Sent to the responsible GDPR stakeholders, the Survey lets them fill out a short questionnaire and return the required information to you. Use the "Subscriptions" section in LeanIX to identify the responsibilities of individual stakeholders for a specific object.

Subscriptions can also be used in the Filter and the Survey add-on, so you can filter, e.g., for all data objects for which a certain user is the data owner. Identify all data that counts as personal data under the GDPR; essentially, any information relating to customer master data and employee data is personal data. Pay particular attention to the special categories of data (Art. 9: e.g. health data, racial or ethnic origin, political opinions, trade union membership, biometric data), whose processing the GDPR prohibits unless one of the explicit exceptions in Art. 9(2) applies.

Then assess the data to determine their level of privacy sensitivity, categorizing them as public/unclassified, sensitive, restricted, or confidential. You can use LeanIX tags to add further attributes (e.g. "GDPR restricted") to a data object or application. This will usually already be part of your internal security processes, where you assign attributes such as confidentiality, integrity or availability of data.

3. Detect and assess risks

Around 76% of German businesses state that due to the complexity of modern IT services, they do not always know where their customer data is located. Imagine a consumer wants to make use of her "right to be forgotten". In order to delete her data, you have to know where they are stored. An EA tool like LeanIX is the basis for efficiently implementing these processes. Automated visualizations such as the Data Flow Model show which data objects are used by which applications and which business capabilities, in turn, depend on them.

The data flow is generated automatically and can be expanded by adding details such as the IT components and user groups of particular applications. Labels next to the interfaces display their attributes, such as interface technology, data objects, and frequency.

Then assess your application landscape for risk. The level of risk can be determined through a range of different parameters, in particular however with regard to the business impact, application dependencies, criticality levels, failure scenarios and previous incidents.

Visualizations such as a Heat Map over the application landscape can show the business-critical consequences for your company in the event of an application failure or hacking attack.

Risk Dependency Maps and Interface Circle Maps visualize the various dependencies between multiple applications. The more dependencies an application has, the higher the level of risk in the event of a failure (see fig. 8–9). You can additionally use a Survey when querying information on possible failure scenarios and incidents in the past to assess the risk level.
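The following is an added example (not LeanIX code and not the LeanIX data model) of what the data inventory of step 2 and the data-flow and risk queries of step 3 amount to in code. The data objects, applications with their hosting region, and interfaces are constructed for illustration; against them the questions the text poses are answered: which applications process a given data object, which personal data sits outside the EU, what a right-to-be-forgotten request has to touch, and which applications carry the most dependency risk.

```python
"""Personal-data inventory and data-flow queries for steps 2 and 3.
Added example written for this guide; the data objects, applications,
regions and interfaces are constructed and do not describe a real landscape."""
from typing import Dict, List, Set, Tuple

# Step 2: data objects, classified. "special_category" marks Art. 9 data.
DATA_OBJECTS: Dict[str, Dict] = {
    "CustomerMaster": {"personal": True,  "special_category": False, "owner": "crm-team"},
    "EmployeeRecord": {"personal": True,  "special_category": True,  "owner": "hr-team"},
    "WebAnalytics":   {"personal": True,  "special_category": False, "owner": "marketing-team"},
    "ProductCatalog": {"personal": False, "special_category": False, "owner": "product-team"},
}

# Applications, where they are hosted, and which data objects they store.
APPLICATIONS: Dict[str, Dict] = {
    "Shop":      {"hosting_region": "EU", "data_objects": {"ProductCatalog", "CustomerMaster"}},
    "CRM":       {"hosting_region": "EU", "data_objects": {"CustomerMaster"}},
    "Marketing": {"hosting_region": "US", "data_objects": {"CustomerMaster", "WebAnalytics"}},
    "HRIS":      {"hosting_region": "EU", "data_objects": {"EmployeeRecord"}},
    "Warehouse": {"hosting_region": "EU", "data_objects": {"ProductCatalog"}},
}

# Interfaces (the data-flow model): source app, target app, data objects carried.
INTERFACES: List[Tuple[str, str, Set[str]]] = [
    ("Shop", "CRM", {"CustomerMaster"}),
    ("CRM", "Marketing", {"CustomerMaster"}),
    ("Shop", "Warehouse", {"ProductCatalog"}),
    ("Shop", "Marketing", {"WebAnalytics"}),
]


def check_consistency() -> List[str]:
    """Inventory hygiene: an interface that delivers a data object the target
    does not declare, or an app holding an unclassified object, means the
    inventory (and every answer derived from it) is incomplete."""
    problems: List[str] = []
    for src, dst, objs in INTERFACES:
        for obj in objs:
            if obj not in APPLICATIONS[dst]["data_objects"]:
                problems.append(f"{src}->{dst} carries {obj} but {dst} does not declare it")
    for app, meta in APPLICATIONS.items():
        for obj in meta["data_objects"]:
            if obj not in DATA_OBJECTS:
                problems.append(f"{app} holds unclassified data object {obj}")
    return problems


def apps_processing(data_object: str) -> Set[str]:
    """'Which applications use these data?'"""
    return {app for app, meta in APPLICATIONS.items() if data_object in meta["data_objects"]}


def personal_data_outside_eu() -> Dict[str, Set[str]]:
    """'Are they processed and stored outside the EU?' -> app: personal data objects."""
    result: Dict[str, Set[str]] = {}
    for app, meta in APPLICATIONS.items():
        if meta["hosting_region"] == "EU":
            continue
        personal = {o for o in meta["data_objects"] if DATA_OBJECTS[o]["personal"]}
        if personal:
            result[app] = personal
    return result


def special_category_holders() -> Set[str]:
    """Apps holding Art. 9 data, where a documented exception is required."""
    return {app for app, meta in APPLICATIONS.items()
            if any(DATA_OBJECTS[o]["special_category"] for o in meta["data_objects"])}


def erasure_checklist(data_object: str) -> Dict:
    """Right to be forgotten: where the data must be deleted, which onward
    flows (dissemination) must be stopped, and who signs off."""
    return {
        "owner": DATA_OBJECTS[data_object]["owner"],
        "delete_in": sorted(apps_processing(data_object)),
        "stop_flows": [(s, d) for s, d, objs in INTERFACES if data_object in objs],
    }


def dependency_risk_ranking() -> List[Tuple[str, int]]:
    """Step 3 heuristic from the text: the more interfaces an application has,
    the larger the blast radius of its failure or compromise."""
    counts = {app: 0 for app in APPLICATIONS}
    for src, dst, _ in INTERFACES:
        counts[src] += 1
        counts[dst] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("inventory problems:", check_consistency() or "none")
    print("personal data outside EU:", personal_data_outside_eu())
    print("Art. 9 holders:", special_category_holders())
    print("erasure checklist for CustomerMaster:", erasure_checklist("CustomerMaster"))
    print("dependency ranking:", dependency_risk_ranking())
```

Run check_consistency first: every other answer is only as good as the inventory, and an interface delivering a data object to an application that never declared it is exactly the kind of gap that makes an erasure request silently incomplete.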

Download our white paper to learn more about Mastering GDPR with Enterprise Architecture.
