Enterprise architecture has been receiving growing attention from organizations, particularly in the era of digital transformation, because enterprise architecture has been instrumental in helping organizations transform; the risks of a failed enterprise architecture can be significant. My name is Anmol Singh. I'm a Lead Analyst at KuppingerCole, and I'm joined by Mike from MEGA International, the product owner for Hopex GDPR. Today we are going to talk about how you should leverage enterprise architecture to achieve GDPR compliance.
Before we move forward, I'd like to give you a quick introduction to who we are and what we do. At KuppingerCole, we focus on several services, and we deliver content and services across identity and access management, cybersecurity, as well as artificial intelligence. We also cover a lot of topics around digital transformation. As part of these services, we deliver Executive Views, Leadership Compasses, several analyst briefings, webinars, advisory projects, conferences, some eLearning formats, as well as meetups that we organize on a frequent basis.
All these different formats of services are spread across identity and access management, cybersecurity, as well as artificial intelligence. Coming to the various research formats that we have: we provide Leadership Compasses, which give you an overview of different technical market segments and help you to identify who the primary vendors within each of these market segments are. That helps organizations make informed decisions when evaluating vendors and, obviously, in procurement and acquisitions.
We also provide Executive Views, which are pretty condensed four- to five-page documents about a specific product or service. We try to describe the products in detail, focusing on what their immediate strengths and challenges might be.
Then we also have Advisory Notes as a key research format, where we talk about different types of documents, giving departmental and operational recommendations as well.
These Advisory Notes are more focused on specific topics, particularly some of the emerging subjects that we see in the industry. And finally, we have Leadership Briefs, which are again short documents, presenting specific business challenges and how you should address them depending on the need of the time.
And when technology is evolving, for example, these briefs also talk about the key issues that decision makers have to understand for them to make the right decisions and conclusions.
We have different services at KuppingerCole, particularly the KuppingerCole Digital Business Compass, which comprises four different types.
There is obviously the KC Strategy Compass, which provides assessment, requirements analysis, strategy definition, as well as roadmaps and timelines, including transition roadmaps, for instance, to help organizations decide in which direction they should take their strategy. There is something called the KC Portfolio Compass, which comprises end-to-end requirements analysis, helps you scope your IT portfolio, and provides definition and maintenance of your IT portfolio.
There are other aspects that we provide as well, within the criteria definition, involving cost, benefit, risk, as well as mitigation.
Again, as part of the Portfolio Compass, we offer transition roadmaps as well as sales concepts. The other format that we have is the KC Technology Compass, which also provides requirements analysis. It goes deeper, drilling down into specific use cases, service bundles and building blocks, and also helps you to define criteria for your requirements prioritization as well as technology evaluation and service support.
And finally, it also helps you to choose the types of services and tools you may require for specific purposes or for solving some of those business challenges. Finally, we have the KC Project Compass, which is more targeted towards project management and project guidance. It helps you with project guidance and assessments. It also gives you some of the effective stakeholder communication: how you should communicate more effectively to the stakeholders, which is again a very critical element for you to succeed in this transformation and other projects.
It offers you project management for a certain period of time. And finally, if need be, an analyst on site for helping you understand the challenges better and provide solutions.
These are some of the upcoming KuppingerCole events that we have. We finished our flagship event, which was the European Identity and Cloud Conference, last month. And we have some of these upcoming events, of which I'm sure one would be more relevant to you.
So, coming to some of the housekeeping guidelines here: all of us are centrally muted, and you don't have to mute or unmute yourself. The webinar is being recorded.
So you don't have to record it; the podcast will be made available to you, and the slides are also available for download. And finally, we'll have a question-and-answer session at the end of the webinar, but you can use the GoToWebinar control panel any time during this session to ask your questions, and we'll take them in the end.
All right. So coming to the agenda: in the first part, I'm going to quickly take you through the key elements of enterprise architecture and how it relates to the broader digital transformation.
I will also drill down into some of the requirements of digital transformation which relate to compliance requirements, specifically GDPR. The rest I leave to Mike to talk about the specifics of GDPR and how Hopex is helping solve customers' problems in complying with GDPR initiatives. And in the end, we'll take the questions from you.
So coming to the topic of the session: why enterprise architecture, and how is it becoming more and more important in helping organizations transform digitally?
We have seen several issues from organizations where they're trying to respond to the need for transformation, and the challenges that they have faced are around IT, and particularly IT excellence. So how can enterprise architecture help you solve some of these issues? If you look at digital business transformation and enterprise architecture, they both go hand in hand. The transformation requirements obviously want you to create a more seamless and delightful experience for the entire customer journey.
And that is obviously a key differentiator for an organization to compete in the market. At the same time, the transformation requires enhanced accessibility, and it wants customers or users to have access anytime, anywhere.
This transformation also requires deeper insights into how customers behave throughout the multiple channels that you have for interaction. And obviously this transformation wants you to deliver a hyper-personalized customer experience. All of which is something enterprise architecture is now increasingly focusing on, and it provides you the tools and technology to support all of these digital transformation requirements.
Enterprise architecture basically drives digital adoption and acceptance across the business as well as the customer base. As I said, a key requirement for digital transformation is for you to get better insights into the customer's behavior across all the channels, and enterprise architecture can help you to design that journey and support the journey across channels in multiple ways. And finally, enterprise architecture also helps you to provide rapid fulfillment of the digital operating status while we talk about different business processes and how they operate in an IT world.
We also talk about how you can provide seamless execution of business processes and how you can manage the end-to-end operational model, which increasingly should be a part of enterprise architecture; and enterprise architectures have been focusing a lot on integration of systems and providing seamless execution of processes.
While we talk about how enterprise architecture should also be focusing on delivering business transformation goals, and that you should include enterprise architecture early in the process of business strategy: why, and what are the key benefits of having the right digital enterprise architecture? So obviously we talk about technology enablement, which helps to enable the right technology and successful implementation for operational as well as process management.
So if you have the right digital enterprise architecture, you can enable the right technology platforms for the business to support those initiatives. If you have the right digital enterprise architecture, then you can also be future compatible in terms of how you can help organizations move from an internally focused structure to a customer-centric approach. And that's exactly what more and more organizations are wanting today.
So you have to be future compatible in terms of how you can support future requirements from the business and provide the adaptability for some of those requirements.
This enterprise architecture also helps you to streamline operations and reduce operational complexity by simplifying business processes. So a good enterprise architecture can really help you to streamline your business processes and operations, reduce cost, as well as help you enhance the time-to-value proposition.
Finally, enterprise architecture can also help you break some of those traditional silos that organizations and IT have been operating within. It helps you to break down the process, application and data silos that have been created over time; these sorts of silos create operational backlogs in organizations and cause operational ineffectiveness in the longer term. Enterprise architecture, done right, can also help or support you in organizational change. It helps you support the process and organization changes required for successful implementation of a digital business strategy.
And finally, as we talk, and that's probably the key focus of our talk today, it can help you to comply with several regulations in the journey of a digital transformation. We have seen GDPR being rolled out in Europe and several organizations trying to comply with this regulation; how this can become a part of your entire digital transformation journey, and what should be the means or vehicles for you to comply with these regulations, is an important aspect.
And enterprise architecture can be the right vehicle or platform to help you comply with these standards.
So how do you want to derive your digital enterprise architecture goals and objectives from your digital strategy? It is exactly how a digital strategy is defined that can help you to derive some of those important goals or objectives.
You have business objectives, and you have business processes as part of your strategy, which help you to also deliver, or sort of define, your end-to-end digital strategy, where you define your digital objectives, your IT function strategy and your IT process management. From your digital strategy, again, you have the need to derive your digital enterprise architecture, which sort of defines for you what your digital system design, your operational model and your solution implementation are going to be. So it's important that you derive your enterprise architecture design objectives and model from your digital strategy, to make sure that your enterprise architecture aligns with the objectives of your digital strategy.
These are some of the key architectural principles that you should keep in mind when you define your enterprise architecture.
Obviously it should be adaptable and reusable, because that remains the key aspect of why you are trying to move away from traditional enterprise architecture to a digital enterprise architecture. And that's again the key aspect of how you can support the evolving or emerging requirements of digital business strategies. Obviously, a short development cycle for new features is a mandatory requirement.
And you should allow provisions in your enterprise architecture to support any new features which are coming in, any new requirements which might come in the short term; you have to support those requirements to provide to the business and comply with some of those security requirements as well.
It should also be continuously measurable in terms of how you can define the KPIs. And some of these KPIs have really changed from the traditional IT KPIs that we talk about.
So, for example, your KPIs have moved from being more available and more scalable towards how you can provide a better conversion rate for users, how you can avoid abandonment rates. So obviously some of these KPIs have emerged, and make sure that your enterprise architecture is able to deliver some of those metrics, which are continuously measurable and align with your digital strategies.
Also, how you can support open standards and specifications should be a part of your design. Make sure that your architecture is able to provide support for open standards and specifications out there, so that again you are forward compatible. It should also allow for integrated messaging across all the channels.
I think we talked about that. And finally, it should also make sure that your enterprise architecture allows for those controls that help you adhere to the necessary compliance standards.
We talk about privacy by design, we talk about security by design, and enterprise architecture is exactly the right way for you to make sure that your applications, your processes, your data are compliant with any of those requirements that you have for security, for data privacy, and also for risk management strategies. Finally, leveraging the enterprise architecture for data and security analytics: it's the architecture that helps you define your paradigms, your services, helps you segregate data and identity services.
So data and identity is something where we have to make sure that you understand where your data resides. You have to understand where the data flows. And once you do that, you understand what risks are being imposed on you or on the processes that you have, and how you should prepare yourself better to handle those risks.
You should also, in the process, define the services and understand where the services are, how they connect to the identity and how they connect to the data.
And finally, you should also provide, as part of your enterprise architecture, the means to understand where these risks are and how you want to protect against them. Understanding the whole fabric of identity, data and services is the foundation of compliance and your data protection. I also want to highlight the role of identity management in the digital transformation.
And we have seen that identity management has a strong play in how you can define a strategy for digital transformation, because identity management overall helps you to define the relationships between the various entities that are key players in the digital transformation. We talk increasingly about how this transformation has gone beyond physical boundaries and consumers, which could be users, things and devices, et cetera, taking the direction of IoT, but identity management has also evolved over time to help you provide the necessary technology as well as visibility into the relationships.
I would say profile management for these users: there are paradigms and technologies available from vendors that help you to manage identities for things. CIAM, consumer identity and access management, is another example of how identity and access management is increasingly able to cater to your customers while providing the right balance of security as well as convenience.
And when you talk about security, it's also about the privacy of the users, complying with specific standards, as well as providing them the right convenience and reducing the friction when they try to access your services. So overall, identity and access management has an important play in your digital transformation journey. And so the CIOs and the CDOs need to understand that identity and access management remains a key element of your digital transformation strategy and of your enterprise architecture strategies too.
With that, I'd like to hand it over to Mike, and he'll talk about various personal data protection and governance technologies, and also give you a quick demonstration of MEGA's Hopex GDPR solution. So over to you, Mike.
Thank you very much, Anmol. Today I'll try to go into the details of what implementing a collaboration between enterprise architects and privacy really means.
Because up to today, let's say that these first 12 months since the introduction of GDPR were some sort of a phase in which organizations didn't really understand how to implement what was written in the regulation. So every company was looking out in the market, trying to find the best guidelines, the best principles to adopt. Obviously even the regulator was working heavily on trying to make the different requirements of the GDPR more understandable for the different organizations.
So it's quite obvious that at the very beginning, these past 12 months, trying to implement a successful collaboration between departments, so taking the GDPR compliance initiative out of the privacy team and making sure that other stakeholders in the organization were also included in the initiative, was something difficult to achieve.
It wasn't exactly something easily implementable from one day to the other. But right now, as the maturity of GDPR compliance initiatives grows, we are starting to see more and more organizations taking a step further. Basically, those are organizations that clearly understood that the compliance initiative cannot remain within, or be carried out only by, the privacy team, which was probably the case before GDPR came into force, when national regulations were in place and only the legal team, and probably a privacy champion or privacy officer, was dealing with the entire implementation of regulatory requirements.
Right now we see that collaboration with other stakeholders coming from the other departments of the organization is not only useful but mandatory. And this is why, with enterprise architecture, we see a very basic and natural link between what should be done by the privacy team and what are usually the daily activities of the enterprise architect.
So before we go into the details of the presentation, first of all, I want to briefly introduce why I'm here.
So why you should be listening to me, and why hopefully the next few slides will be of interest to you. So who is MEGA? What is Hopex? And why am I allowed to give you my advice?
What's my background? So MEGA is a software vendor, and it has been working in the enterprise architecture field for more than 20 years. Right now it's a well-known leader in the market, and it provides not only enterprise architecture functionalities and solutions, but also addresses governance, risk and compliance initiatives through dedicated tools. And all of these solutions have something very important in common: they share one single platform, which is called Hopex.
And the reason why this is very important is that the fact that we share one single platform across different products, which may be business process analysis, IT portfolio management, information architecture, et cetera, gives us a great advantage in letting different stakeholders communicate with each other and leverage the initiatives carried out by a colleague, by another department, or even by another subsidiary of our organization.
So making sure to maximize the effort carried out by all our colleagues and ultimately achieve the business objectives. So basically what we do with Hopex is that everything that is done using any of the existing solutions is stored in one single repository. And basically this means that it becomes immediately available to every other user using the platform. So this means one very important thing. If we have an organization carrying out enterprise architecture activities, and most likely this organization has been doing that for the past few years,
and then GDPR becomes a hot topic and we have to launch another initiative, the fact that the GDPR module, which we usually refer to as the privacy management module, sits next to the enterprise architecture module and communicates with it gives you an immediate way to reuse what you have done from an enterprise architecture perspective.
So reuse the applications, make sure to understand where data is, how it is processed, et cetera. And this is something that is completely different from how privacy management was addressed in the past.
And people might wonder why we are changing the perspective, changing the approach. The answer is quite simple. The impact of GDPR, and of privacy regulations in general, is becoming so much broader that addressing it with the silo approach as it was done before, so completely forgetting about what enterprise architects are doing, what the IT department more in general is doing, what marketing is doing, what HR is doing, is completely impossible
if we want to succeed in the end and implement a successful compliance program and ultimately achieve a competitive business advantage. Because it's something we are seeing already: companies failing to show their clients in a transparent way how they process personal data are heavily impacted on the market, and their reputation is heavily compromised
if anything bad, like a data breach, may occur. So from my perspective, the reason why I'm here today talking to you is that I'm the product owner of the solution that MEGA has designed and developed to address privacy management.
And my main concern is making sure that regulatory requirements are translated into a software solution. I've been a consultant, and I've been implementing privacy compliance projects in multinational organizations in the past, even before GDPR came into force, and I'm an engineer. So I know what it means to translate into technology what is required by the law. And this is what I would like to share with you today.
Obviously, having a platform like Hopex, which is shared across departments and ensures collaboration, gives you a single source of truth, which is something to keep in mind very well; it is an advantage that is not easy to get. And it really ensures that at one point you will succeed in collaborating between the different departments and break down those silos that Anmol was referring to a few minutes earlier. So what are the key challenges? Let's go more into the details of why we are talking about this subject today.
What is your problem? What can we help you solve with a software solution? So I've been repeating this over and over during these first 10 minutes, but collaboration is probably one of the most impactful and difficult issues to solve nowadays for compliance initiatives, and having a solution that helps you maximize the way in which stakeholders talk to each other and reuse the initiatives carried out by the different departments is critical.
You will never find a way to successfully achieve the business objectives if you don't break down the silos that you were used to up to a few months ago, or probably even today still. But most importantly, maybe for those of you who are, let's say, not new, because all of us have received plenty and plenty of emails about updates to privacy notices due to the GDPR,
we all know what GDPR means, and we all have a bit of understanding of what the basic impacts of this regulation are, especially for enterprise architects. But privacy by design is a very fluid concept that very often is used to describe any sort of feature that somehow addresses privacy requirements. And therefore I found myself in front of many situations where the actual meaning of this term, of this philosophy, let's call it, privacy by design,
wasn't really clear to the end users, to the stakeholders in the organization.
So for enterprise architects, this is quite easy to understand, but very hard to implement. Unfortunately, privacy by design means thinking about privacy impact from day one.
If we are about to implement a new project, if we are about to investigate the rollout of a new application or a new system, privacy impacts must be taken care of at the very beginning of our project. As a consultant, I'm very used to situations where clients come to you with a ready-to-be-released project, a ready-to-go-live system, simply asking you, let's make sure that privacy requirements are under control. This is exactly the opposite of implementing the privacy by design principle.
And if, probably up to 12 months ago, before GDPR came into force, this was acceptable as an approach, because fines were quite small and very often organizations were accepting to face the risks of non-compliance,
right now, let's recall that one of the most impactful, one of the key issues that we should address with respect to data protection is security measures and data breaches. And if our systems, our architectures, do not take into account privacy requirements from day one, a data breach is what would make us very fragile and expose us to quite big fines, actually.
So we must make sure that this principle is addressed somehow. We will see how we can implement this process, this philosophy, into your daily operations, and basically make sure that every time you work on a new project, you really ask yourself, as one of the first questions, how is privacy impacting this project? Obviously, at the end of the day, no matter what you do, no matter how you do it, no matter with whom you collaborate, and no matter what principle you might implement in your activities, you must be able to produce a report on that.
And reporting capabilities are sometimes underestimated. It's very often, especially in large organizations, quite hard to demonstrate what we have done with respect to a given requirement or a given activity in general. And let's not forget that GDPR introduces a quite new concept with respect to the past: regulators can come knocking at our door without pointing out something that we have done wrong, but simply asking to be shown what we have been doing to address privacy requirements.
So from a reporting capability perspective, we really must make sure that we are able to quickly produce this evidence in a consistent manner and leverage everything the company has done to address privacy requirements. One of the most common issues is that departments don't know what the others have been doing to address a given topic. And maybe they do know, but they don't know how to access the latest piece of information.
So it's really a challenge to make sure that a solution can help us produce this evidence quickly and efficiently, instantly producing those reports that are typically required by the regulator.
But obviously another thing that is critical: we said that one key problem is ensuring collaboration, but we must make sure that stakeholders are notified that it's their turn to do something, and doing something means respecting business policies that have been designed in order to make sure that everything goes as it was planned, that all employees follow a given procedure and that things are validated following predefined steps.
So obviously finding a way to automatically manage this type of notification of stakeholders, enforcement of company policies and validation workflows is something that presents very big challenges. Last but not least, especially from an enterprise architect's point of view, security measures are a big topic.
And this is exactly where privacy teams are very weak.
They really don't understand a lot, unless the privacy team is a heterogeneous team with IT specialists or anybody with an IT background. They know the business, the regulation requirements, but then when it comes to describing how the company, from a technology perspective, has implemented security measures, making sure that personal data is safe and under control, they tend to have very big problems.
They don't find the information, and they face one of the first challenges we described earlier, which is the lack of collaboration with the other departments and enterprise architects, for instance. So we must make sure to find the best possible way to document what the organization has done in terms of security measures, both technical and organizational.
Most importantly, one very key aspect of GDPR is addressing the existing data flows.
And this is basically something that lets you understand how information flows across your systems and understand whether third parties are involved in the processing of personal data, and therefore manage existing risks. How do we address data protection compliance with Hopex Privacy Management? How do we help you overcome some of these challenges? First of all, the solution itself helps you to identify regulatory gaps and existing risks. So you basically understand how personal data is processed by your IT systems and business processes.
And once you identify existing risks, the software helps you to prioritize them and assign them to a given stakeholder in order to take action on them.
Obviously, we are talking about a project which doesn't have a start and an end date. We have to keep the compliance initiative under control and maintain overall compliance. So we must make sure that the collaboration among the departments, the subsidiaries and the stakeholders is able to mitigate identified risks, eliminate compliance gaps and keep compliance under control.
And as we said before, monitoring compliance means making sure, first of all, that privacy by design is correctly implemented, because otherwise we can mitigate all existing risks, and as soon as we implement a new system, new software, a new business process, new risks arise and we forget to address them. And as we mentioned before, obviously there is the part of automatically generating reports: the solution helps you to define templates that can be reused and that are able to fetch from the solution itself all the updated information regarding your compliance initiative.
So from an enterprise architecture point of view, the way in which this is achieved, the way in which we address the privacy by design principle in Hopex Privacy Management, is shown on this slide.
Basically we have on the left-hand side business processes, with a set of properties and diagrams describing how the business process is implemented. We have on the right-hand side IT applications and systems, also with a set of properties describing what they're used for, what they do with personal data, and diagrams describing how they are connected to each other and what type of information flow they produce from a privacy perspective. Once the privacy team launches the compliance initiative, they will be able to access this information and reuse it.
So obviously when the privacy team documents a processing activity, the data protection processing activity will need to have access to the list of IT applications being used by the business, documented by you guys, and will have a clear understanding that if a given IT application is used, probably the personal data that is processed by that IT application will be processed to fulfill that given business purpose.
So from an enter, what, what an enterprise architect should do using implementing the privacy by design principle is starting from the list of it.
Applications should make sure to document as soon as possible, the scope from privacy perspective, which means whether that application is managing personal data and what type of data is managing, because this information will be vital to the privacy team. And we can already start addressing some concerns that typically are very hard to handle if we are not from an it ward, which means how the given system is able to address new data subjects, right?
For instance, data deletion, are we deploying a system which is able to delete personal data when it is no longer needed, and whether that system is properly managing notice and consent. So for a CRM system, for instance, we must make sure that all consent management requirements are taking into account.
And we can document this during our enterprise architecture initiatives so that the privacy team can then reuse this information and take advantage from it.
So just to give you a very quick understanding of the basic core flow, I'm almost done, then I will leave you space for questions and answers. I want to show you an example of collaboration that would be possible using an integrated software solution. So basically enterprise architects would design new applications or systems, documenting how these systems process personal data and what type of data they process. And then they would, according to the privacy by design principle, request a data protection assessment.
This means that the DPO, or the privacy team more in general, would basically receive a notification. This notification would let them create a data protection processing activity in order to be able to document everything which is purely legal in nature: whether there is a legal ground to process personal data, whether we have a contractual agreement in place with third party vendors, etcetera. And all this will be done thanks to the collaboration with the business owner.
So, which is somebody in the business, not necessarily coming from the EA world, who knows how this business activity is processed. So he is able to describe the activity and complete his task, then send it over to the privacy team, which will validate the description and provide a full data protection assessment, identifying potential recommendations to mitigate regulatory gaps. Those would be sent to enterprise architects in order to be translated into actual actions from a technical or organizational perspective.
So definitely the possibility to have very powerful reports in the solution, showing you data flows, where you process personal data, and regulation-ready documents showing your accountability practices, would really help you focus on your daily operations and just forget about bureaucratic activities that respond to specific regulation articles. So in conclusion, a single repository for enterprise architecture and data protection activities is exactly what you need in order to maximize the efforts of the organization's activities to address GDPR compliance.
So IT architects can finally jump into the picture and see their work being recognized by privacy experts and the legal team. Thanks to the information provided at the very early stage when documenting existing and new IT systems, the privacy team can reuse the IT applications and really understand what type of data is processed and for what reasons. So really go into the details of what's going on with personal data within applications, and not just simply launch a compliance activity which is on paper.
And definitely, thanks to this collaboration, you would implement the privacy by design principle. Thank you.
Thank you so much, Mike. That was really insightful. We have a couple of questions here, so I'll just read out the first one.
And, by the way, if you have any questions you might want to also put them in the GoToWebinar control panel. So the first question is: what is the most common impacting issue that enterprise architecture can face with respect to the GDPR?
Right. So we have addressed this. I don't want to repeat myself, but let's provide a bit more detail on it.
So definitely the most impactful issue you guys have is addressing privacy by design, which means, first of all, you have to understand what privacy requirements you are about to face. You must have a little understanding. Then obviously privacy experts and the legal team will help you translate them into actual operational actions, but you must have a first understanding. You must be aware. And definitely one of the first activities that organizations carry out to make sure that the collaboration among stakeholders like enterprise architects and the legal team is effective is training.
This is no news, but what you have to do as a first step, since you will definitely already have, or at least be in the process of completing, the architecture of your enterprise, the way your systems are connected to each other,
and hopefully what type of security measures you have implemented, is make sure to use the same vocabulary that the privacy team is using to describe how the company processes personal data, so that you basically flag your applications with this information.
So sometimes this means creating a mapping between the type of data dictionary that you usually use and the one used by the legal team, so that you speak the same language. The information is very likely already there, but you must make sure that you speak the same language. This sometimes requires the biggest effort, but once you have done this, you will be able to leverage everything you did in your daily operations, and the privacy team will be thankful for that.
Great, thank you, Mike. And I think that's a very good point, that we make sure that IT and business speak the same language so that they can synchronize their initiatives and activities. And in fact there is a related question here: is there a common vocabulary to be used when describing personal data being processed?
Yeah, so there is no single source of truth. Honestly, if this question is asked by a legal department, I would say that there are tons of guidelines out there providing dictionaries to be used to document personal data being processed by the organization. These dictionaries differ from one another with respect to the granularity the business is seeking to put in place, which means you can stay on a very high level and then simply distinguish between the sensitivity of the personal data being processed.
So you distinguish between highly sensitive personal data, medium sensitive, low sensitive, and so forth. Or you can go very much into detail and distinguish between first name, last name, age, address, health data, and so forth. Obviously each approach has its pros and cons. The deeper you dive, the harder it is to keep the information up to date.
So the tasks to manage this information become heavier. However, consider the benefits you get in terms of exploiting the compliance initiative for any sort of other operation; I mean, just think of having to deal with a data breach. If you have to deal with a data breach and you understand what systems were affected, it's very likely that having a detailed description of what personal data was processed by those systems will be very handy to successfully complete your risk assessment and identify remediation actions.
Great. Thank you.
Another quick question we have here is: what type of risks should be first addressed by architects with respect to GDPR compliance? Mike, we have only got three minutes left, so
Yeah, I'll be short. So in terms of risks, obviously one big aspect that you must address as soon as possible is security risks, IT security risks. And if we want to take a step further, we mentioned data subject requests.
This means ensuring that your systems are able to respond to requests coming from the outside, which are of the type: access the personal data being processed, delete that personal data. Not being able to address those requests, so a system which is not ready to address that request, which is very often the case, exposes the business to a risk. And this type of risk must be identified by enterprise architects as soon as possible.
Great. Another question, is there any standard or certification that can be used as proof of compliance?
So this is an open topic. Great question.
So certifications are out there, and they were out there before GDPR came into force. I am talking about ISO standards like ISO 27001, which basically provide evidence of the security policies and mechanisms implemented by the organization, and are therefore even mentioned by the GDPR regulation itself, saying that these types of certifications have an impact on the amount of the sanction if the organization is found to be non-compliant. However, a specific GDPR certification is not yet out there.
And this is due to organizational problems, because the supervisory authority of a country, like for instance in Germany, must give the authorization to the German certification authority, which will define the scheme that certification bodies will use to certify organizations. So you see there are different steps involved, and this requires some time. There have been many activities from lobbyists around this market, because it is a market, and therefore it's not yet out there, but I'm sure it will arrive.
Perfect.
Thank you, Mike. And I think with that we come to the end of this webinar. I'd like to thank everybody for joining this webinar. I wish you a good day ahead. Thank you.
Thank you very much.