After May 25th, 2018, you must have well-documented specifications of the personal data handled or stored by your organization, documentation of how and why this data is processed by systems and people, as well as how, where and for how long it is stored.
In the previous GDPR article, you were introduced to the seven principles of the GDPR, the new roles it presents and the new governing institution you will answer to. In this article you will learn how your organization can integrate complying with the GDPR into its architecture so it becomes a natural part of your organization.
Becoming GDPR Compliant by Adjusting your Architecture
All organizations have an architecture. The architecture consists of the structural elements of an organization such as:
- The organization’s plan for attaining its purpose
- The processes performed in the organization
- The technology and applications used to support or perform the processes
- The data flowing between the systems and processes
- The governance structure that controls all the above
Essentially, the architecture of your organization is the frame for how it realizes its purpose. The architecture may be a result of circumstances or built and maintained with purpose to support the organization’s strategy.
The GDPR affects the architecture of your organization by restricting what data resources are available, how they can be processed and how they must be governed. As such, complying with the GDPR may affect all aspects of an organization’s architecture.
When it comes to changing an organization’s architecture there is no ‘one size fits all’ solution. You need a plan that fits into the culture and operating model of your organization.
Who to Involve
Because the needed changes may affect the way your organization operates, it is important to involve people from across the organization who together have the knowledge to pinpoint the needed changes, recognize the effects those changes will have across the organization, and implement them.
You could for example assemble a GDPR team consisting of Business and IT Architects and key managers led by the Data Protection Officer (if your organization has one). Instead of a Data Protection Officer, the GDPR efforts could be led by, for example, a Quality and Risk Manager – perhaps with the assistance of external specialists. If you don’t have a team of architects, you could involve other employees with a cross-departmental view and competencies that cover both process and IT, such as a Quality Manager and an IT Manager. This is to enable consistent and coherent documentation.
It is also essential to involve process owners. Both when describing processes and implementing changes – they are the link to the employees who must change their routines. Process owners and departmental managers should also be consulted when determining who else to involve in the documentation and the change process.
GDPR Basic Activities
There are several new tasks that your organization must perform to become and remain GDPR compliant. Some activities are ongoing, some cyclical while others may occur sporadically. You need to integrate these new tasks into your organization’s manual and digital processes.
In GDPR - Learning the essentials, I identified six basic activities that your organization could master for GDPR compliance:
- Document and continuously update business rules, data processing agreements and affected processes to ensure compliance
- Continuously evaluate risk and take appropriate measures to ensure integrity and confidentiality of the data and that the organization remains compliant with the principles of the GDPR.
- Prove compliance through audits
- Handle and document consent
- React to (possible) data breaches (within 72 hours)
- Respond to inquiries
In this section, these activities are described in further detail:
1: Document and continuously update business rules, data processing agreements and affected processes to ensure compliance
This activity is the most extensive of the six and covers several tasks. Only once your organization’s architecture is documented are you able to perform the other activities. However, you don’t have to document your entire organization’s processes before you start to take measures to comply with the GDPR.
You can choose to do this in iterations going through one part of the organization at a time – ideally based on a GDPR impact assessment starting with the most critical departments or areas. Before you can do so you must have defined how your organization plans to comply with the regulation. This can for example be done by creating ‘GDPR business rules’.
Updating Business Rules
As mentioned before, there is no ‘one size fits all’ solution to obtaining GDPR compliance. One of the reasons for this is that the regulation should be interpreted into business rules specific to your organization – what are the rules that enable your GDPR compliance?
The new ‘GDPR business rules’ should ensure:
- Data is not used beyond its intended purpose
- Appropriate organizational measures to lower risks.
- Efficient and effective handling of data breaches
The new business rules should clearly define how your organization plans to comply with the GDPR.
Documenting and updating Processes and Categorization of Data
A core part of the GDPR is that you must account for how personal data is treated. To do this you must document your processes. You need to document how the employees in your organization perform the tasks that involve the use of personal data.
To do this you must first pinpoint which of your organization’s data can be categorized as personal and which processes use it. Once the processes’ status quo is documented, you can do a gap analysis for GDPR compliance and prioritize changes based on risk analysis. This gap analysis can, if you have clearly defined the desired state, be made on the go while documenting the processes.
Data must be determined as being either personal, sensitive or neither. Additionally, the data should be classified – for example, is access to the data classified, restricted, internal or open? Impact analysis of unauthorized and unlawful processing, accidental loss, destruction or damage of the data should also be accounted for.
For processes that use personal data, you must document:
- From where the data is received
- Where the data is sent
- Process descriptions (both manual and digital) containing information about applications used. Where relevant, a Data Protection Impact Assessment should be performed (see GDPR article 35).
- If there are processes for the personal data’s accuracy, deletion and consent for processing.
- The purpose of the data processing
- Data minimization efforts made
- Time restrictions and retention time for the data
- Security measures taken
The process of documenting processes and categorizing data may happen simultaneously or as an iterative process.
Documenting Data Processing Agreements
The Data Processing Agreement describes the parties involved in the data processing, including the controller, the processor and the recipient. It details the contact points of the controller and processor, the purpose of processing, what agreements on time limitations have been made, whether the data is sent to other countries, and a description of security measures.
This agreement should be updated continuously as changes happen. If the processing scope evolves, the possible consequences must be specified along with the selected appropriate safeguards.
Your organization must document where it acts as a controller and where it acts as a processor, as the rules for GDPR compliance may differ if an external controller has defined it differently from your organization as part of your processing contract.
2: Continuously evaluate risk and take appropriate measures to ensure the integrity and confidentiality of the data and that the organization remains compliant with the principles of the GDPR
By evaluating the risks for each process and comparing them with the documented classification and privacy level of the process’s data, you can create impact analyses, which are useful for evaluating the urgency with which you should regard the process. The risk assessment should cover the data’s journey through the process, including its storage.
When handling the risks relating to the processing of personal data, you should document the mitigative actions taken and evaluate any residual risk regarding likelihood and impact of a breach.
The risk assessments review how the organization will comply with its GDPR business rules – including its data minimization efforts, impact assessments, risks of data breach, and the security of technical solutions that process personal data.
The risk assessments and related mitigating actions should, once documented, become evidence of planned compliance, which can then be audited.
3: Prove compliance – for example through audits
You must be able to prove that appropriate measures for compliance have been taken whether your organization acts as a controller or a processor. The controlling organization must also document that the processing organization has provided sufficient guarantee of GDPR compliance.
This can for example be done through internal audits. The Data Protection Officer (if your organization has one employed) must be involved in all issues relating to the protection of personal data and must have autonomy when doing so. If your organization has a Data Protection Officer, it would make sense that he or she is involved in regular internal auditing. External audits may be performed by a regulatory authority.
There are two aspects of your organization’s GDPR compliance that should be audited:
1) Whether the business rules your organization has created for GDPR compliance are sufficient – both regarding the regulation and regarding local rules and codes of conduct
2) Whether (and to what degree) your organization follows its GDPR business rules
4: Handle and document consent
Where relevant, you must obtain consent from the individual whose data you use, or specify why consent is not necessary in accordance with the GDPR. This information must then be documented.
If you have a Data Protection Officer, he or she should counsel the organization on when consent is needed. Alternatively, you could seek legal counsel to evaluate the necessity for acquiring consent.
The consent for processing could for example be included in the data processing agreement.
The consent handling process is an ongoing activity that correlates with your flow of personal data and should be documented. The process can in some instances be automated. For processors, the contract with the data controller represents consent.
5: React to (possible) data breaches (within 72 hours)
If a data breach happens, you must:
- Notify the right authorities within 72 hours of finding out, unless the data breach is unlikely to result in a risk to any individuals.
- If you are not able to notify the right authorities within that timeframe, you should accompany the notification with reasons for the delay.
- Document that you have notified the supervisory authorities without undue delay.
- As soon as reasonably feasible, you must communicate to affected individuals the nature of the data breach and recommended actions for them to take so they can minimize the risk. This should be done in cooperation with the supervisory authorities.
- Document whether all appropriate technological and organizational measures have been implemented to immediately discover a data breach.
To enable this, you should have a procedure in place for handling a possible data breach. You should also evaluate your organization’s ability to gather the needed information – this should be included in your organization’s risk assessment for the ‘data breach handling process’.
6: Respond to inquiries
You must be able to respond to inquiries from individuals about whether you are, or have been, processing any of their personal data. You must be able to accommodate the rights of the individual to:
- Rectify personal data
- Erase personal data
- Enable the personal data to be ‘forgotten’
- Restrict the processing of personal data
- Receive a copy of the personal data
Furthermore, you must be able to respond to inquiries from supervisory authorities and, if you are a processor, the data controller.
This task may happen sporadically, but to comply with it, your organization must create processes for answering requests and document how personal and sensitive data is obtained, processed and flows between the data controller, data processors and third parties. Your organization must also make the necessary technical changes that allow data portability, and implement processes for deletion and rectification of data. Just as with the process for handling a possible data breach, these additional processes should be included in your organization’s risk assessments.
Integrating the Basic GDPR Activities into your Architecture
Below is a summary of the tasks your organization must handle to comply with the GDPR. They are distributed according to six architectural aspects: Strategy, Legal, Process, Information, Security and Technology. While the fundamental groups in Enterprise Architecture are Business, Technology and Strategy, these six aspects are derived from the Danish public sector’s architectural framework. The groupings would differ depending on which architectural framework is used.
- Specify purpose of processing specific data
- If required or wanted, hire a Data Protection Officer (DPO)
- Follow local rules, codes of conduct and certification mechanisms
- Create and implement policies for data protection
- Ensure the processor lives up to GDPR requirements
- Ensure the processor provides sufficient guarantee of GDPR compliance
- Ensure the DPO is involved in all issues relating to the protection of personal data
- Ensure personal data is not used for any other purpose than the one defined
- Ensure only necessary data for the specific purpose is collected
- Define where the organization acts as processor and controller
Create processes for:
- Managing data processing agreements
- Handling data breach
- Handling and documenting consent
- Responding to inquiries
- Rectifying personal data
- Deleting personal data
- Ensure personal data is portable
- Enable personal data to be forgotten
- Categorize data
- Establish for how long persons must be identifiable to process data according to its purpose
- Enable restrictions on how personal data is processed
- Document where (by which processes) the personal data is handled
- Document that sufficient organizational and technological measures have been taken to immediately discover a data breach
- Continuously evaluate risks, including impact assessment for data loss or damaged processing and risk of data breach.
- Evaluate the security of your technical solutions that process personal data
- Establish appropriate security measures
- Perform audits to document compliance
- Identify which applications process the personal data
- Identify where personal data is stored
Once integrated in your organization’s architecture, complying with the GDPR becomes a common-sense way of how your organization functions. While this article gives a general perspective on how an organization can become GDPR compliant, you should always consider seeking legal guidance from your Data Protection Officer or equivalent to interpret the regulation for your specific situation.
QualiWare has integrated elements for GDPR requirements in our 6.6 release. This enables you to easily document the required information along with your business and IT architecture. We also support the creation and management of audit programs and risk analyses. QualiWare supplies you with rich and easily understandable overviews of the progress your organization makes in its GDPR compliance.