Blog post by Stephen Sherry, Principal Consultant, Data Management, Version 1 

In the previous blog post in this series on GDPR, we provided an overview of the principal changes in data protection regulation introduced by the new EU General Data Protection Regulation (GDPR) legislation. In this article we will look at the GDPR key impacts for enterprise and solution architects and the likely changes to current and future state architectures that will need to be delivered by suitable technology roadmaps and Solution Building Blocks (SBBs)

The two-year countdown to the new EU GDPR legislation has already begun and all affected organisations will need to be fully compliant with the rules by 25 May 2018. All organisations which capture, store and manage data about European Union citizens need to conform to and abide by a range of data protection regulations and governance procedures and evidence to a required level of traceability, that this compliance has been achieved.

The General Data Protection Regulation (GDPR) in a nutshell

The new legislation is significantly different to previous data protection legislation in this area and is much more diverse in terms of scope and coverage and comes with Extraterritorial effect: Under the GDPR even companies outside the EU will be affected. Entities located outside the EU that offer goods or services to residents in the EU or that monitor EU residents’ behaviour (as far as that behaviour takes place within the EU) will be subject to the regulation. Relevant systems are required to be suitably amended and adjusted by May 25th 2018 and this has a direct impact and relevance to the timings and scope of the data architecture and related solutions in future technology roadmaps.

Key impacts of GDPR

From the perspective of its influence on technology roadmap and future state architecture, impacts need to be factored into the design of new systems or the evolution of existing systems.

Sanctions for Non-Compliance – Article 83

“Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation…. shall in each individual case be effective, proportionate and dissuasive.” Sanctions for non-compliance are intentionally tough. Sanctions can be imposed for non-compliance and these can be punitive: Depending on the specific context of the organisation or the undertaking, a fine up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher can be imposed.

Given the severity of potential sanctions and associated severe damage to reputational risk for public sector organisations, compliance to the GDPR and the ability to evidence and audit such compliance are seen as priority influences for the future state architecture and technology roadmap.

So, lots for architects to consider and begin implementing. The clock is already ticking…

In the next blog post in this series we will consider the data protection implications for UK organisations of the recent UK Brexit vote and the impending future departure of the UK from EU data protection oversight.