7 Things Every Enterprise Architect Needs to Know About the GDPR

Dec 20, 2016
Written by
Marc Lankhorst
Marc Lankhorst

7 Things Every Enterprise Architect Needs to Know About the GDPR

The General Data Protection Regulation (GDPR) is a stringent EU Regulation on privacy protection, which will go into effect in May 2018. Enterprise architects can play an important role in helping their organization be GDPR-compliant. Are you aware of the impact of the GDPR on your organization?

Here are 7 things you should know about the GDPR right now:

1. GDPR applies for all companies that process data on EU residents

Even if your company is not located in an EU country, the GDPR may apply to you. As the Regulation states (Article 3), it “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”. This implies that any US and other foreign companies that process data on EU residents are also liable under the GDPR.

2. GDPR is about demonstrating compliance

Besides being compliant, you also have to demonstrate compliance. As Article 5 states: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” Enterprise architects are uniquely positioned to help their organization to demonstrate that they comply. Leveraging their architecture models for security and privacy analyses, architects can provide cross-cutting analyses on the use and protection of data across the enterprise, its processes, people and IT systems.


Find out if your organization is well prepared for the General Data Protection Regulation.

Test it yourself and learn what actions to take.


3. GDPR expects you to record the purpose of collecting personal data

You have to record what you do with personal data and for which purpose (Article 30). This includes things like: at which locations personal data is stored, which applications use it, who has access to these applications, third parties with which it is exchanged, where these are located, etc. Existing compliance procedures often try to capture this using spreadsheets and other Office documents, but this quickly becomes unmanageable. Architects are instrumental in this, since their architecture models often comprise much of what is needed to get this integrated overview of data usage.

4. GDPR demands an integrated approach to security-by-design

You have to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” which includes a process for “regularly testing, assessing and evaluating the effectiveness” of these measures (Article 32). Simply bolting on a few security measures won’t cut it. This requires an integrated approach to security-by-design, not just focusing on the IT part but encompassing all aspects of your organization. Enterprise architects are best places to deal with this, since they have the overview and insight needed.

5. GDPR requires Data Protection Impact Assessments

You have to carry out a Data Protection Impact Assessment each time you implement a system that processes personal data, which includes a systematic description of the processing, an assessment of the risks, the measures to address these risks, and how you will demonstrate compliance. Such an analysis of large and complicated business and IT landscapes requires smart software solutions. The Enterprise Risk and Security Management functionality of Enterprise Studio is ideally suited for this type of security and privacy analysis and design. Leveraging your existing architecture models gives you a flying start!

6. GDPR forces you to report data breaches within 72 hours

You have to a report a data breach to the authorities and the ‘data subjects’ concerned (Articles 33 and 34), within 72 hours. This may lead to serious reputation risk, as previous incidents have shown. Trying to hide a breach is no longer an option.

7. Non-compliance to GDPR results in big penalties

Penalties for non-compliance include “fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover” (Article 83), next to the personal damage that may be claimed by data subjects (also in class-action suits), and the personal liability of directors and senior managers. What would it be worth to your organization to avoid these risks?

It’s time to demonstrate the importance of architecture

Cyber security and the associated reputation risk have become a top strategic concern for the C-suite, and the GDPR puts even more pressure on this issue. As an enterprise architect, you can play a pivotal role in this domain. Uncover the hidden value of your architecture knowledge, models and analyses. Help your organization improve its cyber resilience, ensure regulatory compliance, and reduce operational, reputational, and financial risks. Demonstrate the importance of architecture in the boardroom!