Confessions of a GDPR architect

Stuart Ritchie


I set out below a list of current/forthcoming "how-to" posts on practical enterprise-specific GDPR compliance using public domain objects, with optional technology anyone can build. Links will be added as and when the items are posted. The list is sequenced logically rather than chronologically. Where material, the posts include downloadable sample "before" and "after" scenarios and DPIAs, etc. This is an evolving workshop centered around a single dataflow for employee cell data records ("CDR") of that household name telecom multinational, Sprechen-Sprechen™ GmbH (a MonoPulley™ brand) headquartered in Nordrhein-Westfalen, Germany.

    1. Conceptual Article 30 compliance – Combined Legal** and IT approach in plain English (geek-speak removed!)
    2. Practical Article 30 compliance – a Corporate Artefact* maintained jointly by IT, Legal, and Lines of Business ("LoB")
    3. GDPR-specific "Information Architecture Lite" artefacts* – Accelerating Articles 30/35 compliance
    4. Enterprise Privacy Architecture ("EPA") – dynamic, reusable enterprise-specific multi-jurisdictional common-language Article 30 artefacts*
    5. Use Case ("UC") 1: Sprechen-Sprechen’s employee cell data record dataflow
    6. UC1 – Sprechen-Sprechen’s EPA Artefact* Explained
    7. DPIAs for Dummies 1: UC1 – five identified Data Protection Impact Assessment ("DPIA") Risks, within DE, FR, US, CA-ON, from single pre-GDPR dataflow
    8. DPIAs for Dummies 2: UC1 – Interpreting the DPIA cross-jurisdictional financially quantified risk graphics
    9. DPIAs for Dummies 3: UC1/1a’s Enterprise DPIA Risk Register (i.e. includes risks generated by all DPIAs)
    10. Risk Remediation 1: UC2 Acceptance – Following legal advice from Ontarian Counsel, Board/Legal accepts Jedi Knight Tort Risk
    11. Risk Remediation 2: UC3 Custom Rules – The Board end-runs the US Federal risk by phoning a friend
    12. Risk Remediation 3: UC4 Legal Remediation – Despite Board’s bigly solution, Legal fears political risk and suggests new cloud jurisdiction
    13. Risk Remediation 4: UC5 Legal/IT Remediation – Legal/IT together eliminate French public and 5-year criminal risks
    14. Risk Remediation 5: UC6 Legal/IT Remediation – Legal/IT together eliminate both German data retention risks
    15. What-If Scenario Modelling: UC7 – What happens to our financial/criminal risk register after May 25, 2018?
    16. Recital 15 ("R15") Technology-Neutrality: the EPA Taxonomies
    17. R15 Technology-Neutrality: UC8 – EPA data quality safeguards
    18. R15 Technology-Neutrality: Manual versus Automated DPIA Construction?
    19. R15 Technology-Neutrality: One size fits all. Really?
    20. UC11: Consent Abuse – Add consent legal basis, watch as four exciting new and different types of risk emerge…
    21. UC10: Paradise Papers and the GDPR – Implementing Counsel’s advice on the public international law tests
    22. UC13 Integrating Legal Advice – Customizing the Legal Architecture to generate/suppress DPIA risk. Because we should?
    23. Gaming workshop: UC9 – automated anti-abuse audit trail for Audit, Supervisors, Underwriters, litigants
    24. Child Consent Race to Somewhere: UC15 – Is the GDPR age of consent three-dimensional?
    25. Misfiling: UC16 – have we filed in every material jurisdiction?
    26. The Schleswig-Holstein Question: UC18 – Is Bismarck’s solution to competing Supervisory Authorities "compelling"?
    27. "Brexit EU27" scenario: UC21 – Modelling for effects of April 1, 2019 upon EU27->UK DPIAs
    28. "Brexit UK" scenario: UC20 – Modelling for effects of April 1, 2019 upon UK-internal DPIAs
    29. Busy Supervisor Processing 1: 30-second "Fine-and-Forget" process scripts (no tedious investigations or looking at EPAs, DPIAs, etc.)

This is a work in progress. Numbers/sequence/content may change without notice but links will (ought) not. Initially the priority deliverables are marked in bold.

* Note: this is not a spelling variant or affectation. For current purposes I define the word "artifact" as an historical or archaeological physical object created by artificers, and define "artefact" as an object encapsulating a methodological abstraction derived from first principles and evolving by trial-and-error (further or alternatively, the author is trilingual in English spelling but for current purposes doesn’t care).

** For current purposes "Legal" is inclusive of any other departments that may be material, such as Risk, Compliance and Audit; plus of course the DPO, who is constructively mandated by law to retain oversight of all GDPR compliance activity.

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.