General Data Protection Regulations (GDPR)

Copyright 2017 Graham Berrisford.

One of about 300 papers at Last updated 24/06/2017 23:04


In the Initiate phase of Avancier Methods, you should check what security and data protection regulations are relevant.

Then include relevant actions in your plan for the Architecting phase (cf. the Statement of Architecture Work in TOGAF).


From March 2018, your plans may have to include actions arising from General Data Protection Regulations (GDPR).

These regulations may have a significant impact on organisations that process personal data about EU citizens.

These could include, for example:

         employees in HR systems

         patients taking part in drug trials,

         customers of insurance companies and

         all web site users recorded in identity management systems.


This paper is an overview of points in GDPR that enterprise and solution architects should be aware of.

You can find more at

How to demonstrate your organisation complies with GDPR?

Data protection regulations relate to the capture and processing of personal data (data usable to identify an individual).

If your organisation is currently subject to the Data Protection Act (DPA), it is very likely that it will also be subject to the GDPR.

GDPR widens the definition of personal data and extends the responsibilities in law of any organisation processing such data.


GDPR applies to the controllers and processors of personal data, defined much as they are under the DPA.

         The controller says how and why personal data is processed.

         The processor acts on the controllerís behalf.


The organisation must:

         Implement appropriate technical and organisational measures that ensure and demonstrate that you comply.

o   This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

         Maintain records of processing activities.

         Where appropriate, appoint a data protection officer.

         Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:

o   Data minimisation;

o   Pseudonymisation;

o   Transparency;

o   Allowing individuals to monitor processing; and

o   Creating and improving security features on an ongoing basis.

         Use data protection impact assessments where appropriate.


Records of processing activities (documentation)

If your organisation has more than 250 employees, you must maintain internal records of your data processing activities.

If your organisation has less than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

         processing personal data that could result in a risk to the rights and freedoms of individual; or

         processing of special categories of data, or criminal convictions and offences.

Key points architect should be aware of

Global reach of EU regulations

EC is extending data protection regulations (from March 2018) to any company processing information relating to EU citizens.

EU citizens can approach any data protection authority to lodge complaints

Any authority can take action against organisation, anywhere in the world. [Will USA and China resist?]

There is one overarching authority, and fines could be up to Ä20m or 4% of group annual global turnover.

Wider definition of personal data

Data usable to identify an individual as personal data includes, for example IP addresses, genetic, mental, cultural, economic, social information.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

This is wider than the DPAís definition, and could include chronologically ordered sets of manual records containing personal data.

Tighter rules for consent to and use of personal information

Organisations need to use simple language when asking for consent to collect personal data.

Must be clear how they will use the information.

Must provide clear and affirmative consent to process personal data (inaction no longer constitutes consent).

Data Protection Officers (DPOs)

What matters here is the number of data subjects (not the number of employees).

Your organisation must appoint a data protection officer (DPO) if you:

         are a public authority (except for courts acting in their judicial capacity);

         carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or

         carry out large scale processing of special categories of data, or data relating to criminal convictions and offences.


The DPOís minimum tasks are defined in Article 39:

         Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.

         Monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments;

         Train staff and conduct internal audits.

         Be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

Privacy Impact Assessments (PIAs)

All projects involving personal information must conduct impact assessments.

Data controllers must conduct impact assessments when using new technologies.

And when processing is likely to result in a high risk to the rights and freedoms of individual, such as:

         systematic and extensive processing activities, including profiling.

         large scale processing of special categories of data, or personal data relation to criminal convictions or offences.

Tighter data breach monitoring and reporting

Organisations must monitor for breaches of personal data.

And notify the local DPA of a data breach within 72 hours of discovering it.

This implies development, promotion and training of internal data security policies.

Privacy by design to ensure data minimisation and the right to be forgotten

Organisations must hold data no longer than absolutely necessary.

Must get fresh consent before changing their use of data collected.

Must delete any data at the request of the data subject.

[Beware that completely erasing data can be very, very difficult, and proving it is impossible.]

Liability extended to all that touch personal data

Liability extends beyond data controllers to all organisations that touch personal data, even service providers.



All free-to-read materials at are paid for out of income from Avancierís training courses and methods licences.

If you find the web site helpful, please spread the word and link to in whichever social media you use..