Confessions of a GDPR architect

29Nov

Confessions of a GDPR architect

By Brexit, DPIA, EPA, GDPR, ICO, Supervisors 0 Comments

I set out below a list of current/forthcoming “how-to” posts on practical enterprise-specific GDPR compliance using public domain objects, with optional technology anyone can build. Links will be added as and when the items are posted. The list is sequenced logically rather than chronologically. Where material, the posts include downloadable sample “before” and “after” scenarios and DPIAs, etc. This is an evolving workshop centered around a single dataflow for employee cell data records (“CDR”) of that household name telecom multinational, Sprechen-Sprechen™ GmbH (a MonoPulley™ brand) headquartered in Nordrhein-Westfalen, Germany.

  1. Conceptual Article 30 compliance – Combined Legal** and IT approach in plain English (geek-speak removed!)
  2. Practical Article 30 compliance – a Corporate Artefact* maintained jointly by IT, Legal, and Lines of Business (“LoB”)
  3. GDPR-specific “Information Architecture Lite” artefacts* – Accelerating Articles 30/35 compliance
  4. Enterprise Privacy Architecture (“EPA”) – dynamic, reusable enterprise-specific multi-jurisdictional common-language Article 30 artefacts*
  5. Use Case (“UC”) 1: Sprechen-Sprechen’s employee cell data record dataflow
  6. UC1 – Sprechen-Sprechen’s EPA Artefact* Explained
  7. DPIAs for Dummies 1: UC1 – five identified Data Protection Impact Assessment (“DPIA”) Risks, within DE,FR,US,CA-ON, from single pre-GDPR dataflow
  8. DPIAs for Dummies 2: UC1 – Interpreting the DPIA cross-jurisdictional financially quantified risk graphics
  9. DPIAs for Dummies 3: UC1/1a’s Enterprise DPIA Risk Register (i.e. includes risks generated by all DPIAs)
  10. Risk Remediation 1: UC2 Acceptance – Following legal advice from Ontarian Counsel, Board/Legal accepts Jedi Knight Tort Risk
  11. Risk Remediation 2: UC3 Custom Rules – The Board end-runs the US Federal risk by phoning a friend
  12. Risk Remediation 3: UC4 Legal Remediation – Despite Board’s bigly solution, Legal fears political risk and suggests new cloud jurisdiction
  13. Risk Remediation 4: UC5 Legal/IT Remediation – Legal/IT together eliminate French public and 5-year criminal risks
  14. Risk Remediation 5: UC6 Legal/IT Remediation – Legal/IT together eliminate both German data retention risks
  15. What-If Scenario Modelling: UC7 – What happens to our financial/criminal risk register after May 25, 2018?
  16. Recital 15 (“R15”) Technology-Neutrality: the EPA Taxonomies
  17. R15 Technology-Neutrality: UC8 – EPA data quality safeguards
  18. R15 Technology-Neutrality: Manual versus Automated DPIA Construction?
  19. R15 Technology-Neutrality: One size fits all. Really?
  20. UC11: Consent Abuse – Add consent legal basis, watch as four exciting new and different types of risk emerge…
  21. UC10: Paradise Papers and the GDPR – Implementing Counsel’s advice on the public international law tests
  22. UC13 Integrating Legal Advice – Customizing the Legal Architecture to generate/suppress DPIA risk. Because we should?
  23. Gaming workshop: UC9 – automated anti-abuse audit trail for Audit, Supervisors, Underwriters, litigants
  24. Child Consent Race to Somewhere: UC15 – Is the GDPR age of consent three-dimensional?
  25. Misfiling: UC16 – have we filed in every material jurisdiction?
  26. The Schleswig-Holstein Question: UC18 – Is Bismarck’s solution to competing Supervisory Authorities “compelling”?
  27. “Brexit EU27” scenario: UC21 – Modelling for effects of April 1, 2019 upon EU27->UK DPIAs
  28. “Brexit UK” scenario: UC20 – Modelling for effects of April 1, 2019 upon UK-internal DPIAs
  29. Busy Supervisor Processing 1: 30-second “Fine-and-Forget” process scripts (no tedious investigations or looking at EPAs, DPIAs, etc)

This is a work in progress. Numbers/sequence/content may change without notice but links will (ought) not. Initially the priority deliverables are marked in bold.

* Note: this is not a spelling variant or affectation. For current purposes I define the word “artifact” as an historical or archaeological physical object created by artificers, and define “artefact” as an object encapsulating a methodological abstraction derived from first principles and evolving by trial-and-error (further or alternatively, the author is trilingual in English spelling but for current purposes doesn’t care).

** For current purposes “Legal” is inclusive of any other departments that may be material such as Risk, Compliance and Audit; plus of course the DPO who constructively is mandated by law to retain oversight of all GDPR compliance activity.

Share this post

Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

09Mar

Brexit: the gift that keeps on giving… And they thought it was all over!

The Three Knights are riding to the rescue! Or... is it.. the Three Stooges, or perhaps Sanchos, tilting at the windmills... read more

20Nov

GDPR: what are the lawful bases under which data can be processed?

ABSTRACT: Each of the Article 6(1) bases interacts with other Articles and other laws in different ways, and have different... read more

26Oct

“Data Breaches… Armageddon…” – as announced by the Three Horsemen

"Data breaches... Armageddon..." - Morrisons v Various Claimants, [2018] EWCA Civ 2339 at para 78. Caveat: I confess at the outset... read more

12Nov

GDPR: can it impact financial regulation of foreign takeovers?

ABSTRACT: Supervisors are interested in GDPR risks. Financial regulators are interested in financial risks. Often the latter may be derivative... read more

01Dec

GDPR: must controllers declare legal bases to processors?

ABSTRACT: must Controllers inform processors of the legal bases of processing? Prima facie no: but from a legal and business-strategic... read more

03Apr

GDPR, IP addresses, and classification – theory and practice

IP addresses can determine jurisdiction - as classically exploited by private and public surveillance agencies, BigTech, other data brokers,  and... read more

03Nov

GDPR engagement of 30+ additional jurisdictions – automated pleadings

Abstract: (1) The GDPR arguably, either directly or indirectly, could engage in a relatively straightforward fashion circa 30 jurisdictions apart from... read more

15Mar

GDPR: Can children prevent schools from disclosing grades to parents?

"Can I sue my school for telling my grades to my parents via a website, with the European GDPR law?" This... read more

24Feb

GDPR Right to Portability – submission to Article 29 Working Party

  For legal reasons (no not defamation or litigation!), and with apologies, I temporarily have withdrawn publication of this submission. read more

01Nov

Brexit-proofing software – without programming for specific dates, jurisdictions, etc

Abstract: Simple methods to inoculate data protection (or any other) multi-jurisdictional software from Brexit and similar events, before their possibility... read more