Under the GDPR all personal data processing is unlawful by default – you should be able to prove in advance that your data processing is lawful, or risk fines, class actions and/or criminal prosecution
What is an Enterprise Privacy Architecture?
The GDPR requires organisations to maintain a record of all their personal data processing activities. If these records are formalised into an EPA metadata repository, you can also evaluate the financial and criminal risks to which each process may expose your enterprise.
Why should you care about an EPA?
Under the GDPR all personal data processing is unlawful by default.
If you cannot prove from information recorded and largely disclosed in advance that your data processing is lawful, then your data processing may attract fines, class actions (or representative claims/GLOs in the UK) and/or criminal prosecution.
Foreign regulators are entitled to investigate UK enterprises (and in most Member States data protection offences attract custodial sentences).
What does the EPA include/assemble (for each process)?
- Description of data flow (and jurisdictions), personal data and processing
- Statutory legal basis or bases used to justify the processing of the personal data (including storage)
- The purpose(s) for which you are processing the data and why each referenced purpose is compatible with the chosen basis or bases
- The period for which you process the data
- The complete list of data sources and recipients, which are disclosable to data subjects (via a combination of data subject rights)
- The technical and organisational (“security”) measures associated with the process
- Special categories of data processed and any data relating to children
- Privacy by design and default
- Many other records, such as risk mitigation measures and the safeguards chosen
The EPA is an online facility that has been 3 years in development by a data protection lawyer, and it has patents pending.
Importantly, the EPA validation and assessment provides you with a board-ready report quantifying the financial and criminal risks by dataflow.
Typically this report is presented to the Board on a periodic review basis or when your personal data processing changes.
EPA usage and assessment
The Readiness Review provides you with a summary of the GDPR as it applies to your organisation (including a view of the proposed UK Data Protection Bill for UK-based companies), a view of your current data and processing based on the interview, a prioritised set of next steps (cross-referenced to the GDPR) and a high-level milestone plan. It also provides an indication of the effort and timescales required for each action, and of how we can support you in achieving these.
- As a central ‘hub’ repository supporting record-keeping requirements, for instance GDPR article 30
- As validated metadata, to guarantee internal data quality and support information architecture and control over business processes
- To support data subject-specific privacy-by-design at transaction level
- In combination with our Legal Architecture artefact, to generate multi-jurisdictional financially quantified risk assessments for public, private, and criminal risk
- In consequence, to support actuarial arguments that cyber-insurance premiums should increase/decrease (depending on whether the enterprise is the insurer or the insured), and to enable audit signoff as to the enterprise’s financial viability
- To facilitate co-ordination of other internal and external work such as notifications, data subject right implementation, IT project planning, etc.