Confessions of a GDPR architect
Stuart Ritchie
29.11.2017
I set out below a list of current/forthcoming "how-to" posts on practical enterprise-specific GDPR compliance using public domain objects, with optional technology anyone can build. Links will be added as and when the items are posted. The list is sequenced logically rather than chronologically. Where material, the posts include downloadable sample "before" and "after" scenarios and DPIAs, etc. This is an evolving workshop centered around a single dataflow for employee cell data records ("CDR") of that household name telecom multinational, Sprechen-Sprechen™ GmbH (a MonoPulley™ brand) headquartered in Nordrhein-Westfalen, Germany.
- 1. Conceptual Article 30 compliance – Combined Legal** and IT approach in plain English (geek-speak removed!)
- 2. Practical Article 30 compliance – a Corporate Artefact* maintained jointly by IT, Legal, and Lines of Business ("LoB")
- 3. GDPR-specific "Information Architecture Lite" artefacts* – Accelerating Articles 30/35 compliance
- 4. Enterprise Privacy Architecture ("EPA") – dynamic, reusable enterprise-specific multi-jurisdictional common-language Article 30 artefacts*
- 5. Use Case ("UC") 1: Sprechen-Sprechen’s employee cell data record dataflow
- 6. UC1 – Sprechen-Sprechen’s EPA Artefact* Explained
- 7. DPIAs for Dummies 1: UC1 – five identified Data Protection Impact Assessment ("DPIA") Risks, within DE, FR, US, CA-ON, from single pre-GDPR dataflow
- 8. DPIAs for Dummies 2: UC1 – Interpreting the DPIA cross-jurisdictional financially quantified risk graphics
- 9. DPIAs for Dummies 3: UC1/1a’s Enterprise DPIA Risk Register (i.e. includes risks generated by all DPIAs)
- 10. Risk Remediation 1: UC2 Acceptance – Following legal advice from Ontarian Counsel, Board/Legal accepts Jedi Knight Tort Risk
- 11. Risk Remediation 2: UC3 Custom Rules – The Board end-runs the US Federal risk by phoning a friend
- 12. Risk Remediation 3: UC4 Legal Remediation – Despite Board’s bigly solution, Legal fears political risk and suggests new cloud jurisdiction
- 13. Risk Remediation 4: UC5 Legal/IT Remediation – Legal/IT together eliminate French public and 5-year criminal risks
- 14. Risk Remediation 5: UC6 Legal/IT Remediation – Legal/IT together eliminate both German data retention risks
- 15. What-If Scenario Modelling: UC7 – What happens to our financial/criminal risk register after May 25, 2018?
- 16. Recital 15 ("R15") Technology-Neutrality: the EPA Taxonomies
- 17. R15 Technology-Neutrality: UC8 – EPA data quality safeguards
- 18. R15 Technology-Neutrality: Manual versus Automated DPIA Construction?
- 19. R15 Technology-Neutrality: One size fits all. Really?
- 20. UC11: Consent Abuse – Add consent legal basis, watch as four exciting new and different types of risk emerge…
- 21. UC10: Paradise Papers and the GDPR – Implementing Counsel’s advice on the public international law tests
- 22. UC13 Integrating Legal Advice – Customizing the Legal Architecture to generate/suppress DPIA risk. Because we should?
- 23. Gaming workshop: UC9 – automated anti-abuse audit trail for Audit, Supervisors, Underwriters, litigants
- 24. Child Consent Race to Somewhere: UC15 – Is the GDPR age of consent three-dimensional?
- 25. Misfiling: UC16 – have we filed in every material jurisdiction?
- 26. The Schleswig-Holstein Question: UC18 – Is Bismarck’s solution to competing Supervisory Authorities "compelling"?
- 27. "Brexit EU27" scenario: UC21 – Modelling for effects of April 1, 2019 upon EU27->UK DPIAs
- 28. "Brexit UK" scenario: UC20 – Modelling for effects of April 1, 2019 upon UK-internal DPIAs
- 29. Busy Supervisor Processing 1: 30-second "Fine-and-Forget" process scripts (no tedious investigations or looking at EPAs, DPIAs, etc)
This is a work in progress. Numbers/sequence/content may change without notice but links will (ought) not. Initially the priority deliverables are marked in bold.
* Note: this is not a spelling variant or affectation. For current purposes I define the word "artifact" as an historical or archaeological physical object created by artificers, and define "artefact" as an object encapsulating a methodological abstraction derived from first principles and evolving by trial-and-error (further or alternatively, the author is trilingual in English spelling but for current purposes doesn’t care).
** For current purposes "Legal" is inclusive of any other departments that may be material such as Risk, Compliance and Audit; plus of course the DPO who constructively is mandated by law to retain oversight of all GDPR compliance activity.
- All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.