Confessions of a GDPR architectAlan
I set out below a list of current/forthcoming “how-to” posts on practical enterprise-specific GDPR compliance using public domain objects, with optional technology anyone can build. Links will be added as and when the items are posted. The list is sequenced logically rather than chronologically. Where material, the posts include downloadable sample “before” and “after” scenarios and DPIAs, etc. This is an evolving workshop centered around a single dataflow for employee cell data records (“CDR”) of that household name telecom multinational, Sprechen-Sprechen™ GmbH (a MonoPulley™ brand) headquartered in Nordrhein-Westfalen, Germany.
- Conceptual Article 30 compliance – Combined Legal** and IT approach in plain English (geek-speak removed!)
- Practical Article 30 compliance – a Corporate Artefact* maintained jointly by IT, Legal, and Lines of Business (“LoB”)
- GDPR-specific “Information Architecture Lite” artefacts* – Accelerating Articles 30/35 compliance
- Enterprise Privacy Architecture (“EPA”) – dynamic, reusable enterprise-specific multi-jurisdictional common-language Article 30 artefacts*
- Use Case (“UC”) 1: Sprechen-Sprechen’s employee cell data record dataflow
- UC1 – Sprechen-Sprechen’s EPA Artefact* Explained
- DPIAs for Dummies 1: UC1 – five identified Data Protection Impact Assessment (“DPIA”) Risks, within DE,FR,US,CA-ON, from single pre-GDPR dataflow
- DPIAs for Dummies 2: UC1 – Interpreting the DPIA cross-jurisdictional financially quantified risk graphics
- DPIAs for Dummies 3: UC1/1a’s Enterprise DPIA Risk Register (i.e. includes risks generated by all DPIAs)
- Risk Remediation 1: UC2 Acceptance – Following legal advice from Ontarian Counsel, Board/Legal accepts Jedi Knight Tort Risk
- Risk Remediation 2: UC3 Custom Rules – The Board end-runs the US Federal risk by phoning a friend
- Risk Remediation 3: UC4 Legal Remediation – Despite Board’s bigly solution, Legal fears political risk and suggests new cloud jurisdiction
- Risk Remediation 4: UC5 Legal/IT Remediation – Legal/IT together eliminate French public and 5-year criminal risks
- Risk Remediation 5: UC6 Legal/IT Remediation – Legal/IT together eliminate both German data retention risks
- What-If Scenario Modelling: UC7 – What happens to our financial/criminal risk register after May 25, 2018?
- Recital 15 (“R15”) Technology-Neutrality: the EPA Taxonomies
- R15 Technology-Neutrality: UC8 – EPA data quality safeguards
- R15 Technology-Neutrality: Manual versus Automated DPIA Construction?
- R15 Technology-Neutrality: One size fits all. Really?
- UC11: Consent Abuse – Add consent legal basis, watch as four exciting new and different types of risk emerge…
- UC10: Paradise Papers and the GDPR – Implementing Counsel’s advice on the public international law tests
- UC13 Integrating Legal Advice – Customizing the Legal Architecture to generate/suppress DPIA risk. Because we should?
- Gaming workshop: UC9 – automated anti-abuse audit trail for Audit, Supervisors, Underwriters, litigants
- Child Consent Race to Somewhere: UC15 – Is the GDPR age of consent three-dimensional?
- Misfiling: UC16 – have we filed in every material jurisdiction?
- The Schleswig-Holstein Question: UC18 – Is Bismarck’s solution to competing Supervisory Authorities “compelling”?
- “Brexit EU27” scenario: UC21 – Modelling for effects of April 1, 2019 upon EU27->UK DPIAs
- “Brexit UK” scenario: UC20 – Modelling for effects of April 1, 2019 upon UK-internal DPIAs
- Busy Supervisor Processing 1: 30-second “Fine-and-Forget” process scripts (no tedious investigations or looking at EPAs, DPIAs, etc)
This is a work in progress. Numbers/sequence/content may change without notice but links will (ought) not. Initially the priority deliverables are marked in bold.
* Note: this is not a spelling variant or affectation. For current purposes I define the word “artifact” as an historical or archaeological physical object created by artificers, and define “artefact” as an object encapsulating a methodological abstraction derived from first principles and evolving by trial-and-error (further or alternatively, the author is trilingual in English spelling but for current purposes doesn’t care).
** For current purposes “Legal” is inclusive of any other departments that may be material such as Risk, Compliance and Audit; plus of course the DPO who constructively is mandated by law to retain oversight of all GDPR compliance activity.