This document discusses how LeanIX can help organizations ensure compliance with the General Data Protection Regulation (GDPR). It provides an overview of LeanIX's capabilities for modeling and capturing GDPR-related data at the application level, including new sections on Application Fact Sheets to document processing reasons and legal basis. It also describes how LeanIX allows linking applications to related data objects, IT components, interfaces and documents. Surveys and views allow gathering additional details and providing reports to answer audit requests. The key benefits are an easily adaptable data model, engaging new stakeholders, and ad-hoc views and reports.
3. The General Data Protection Regulation, or GDPR (EU 2016/679), is a regulation of the European Union introduced to improve and unify personal data protection of individuals within the European Union. It entered into application in May 2018.
4. We help to understand and optimize IT Architectures: Application Rationalization
Stay compliant and help prevent penalty fees
GDPR in LeanIX
“GDPR drives maintenance of our LeanIX inventory. LeanIX provides GDPR a harmonized inventory as basis for documentation”
- Andreas Bosch, Enterprise Architect, McKesson
Use GDPR as a driver for maintenance of your LeanIX inventory
Save operating costs (and nerves) preparing a Data Protection Impact Assessment (DPIA)
5. Only basic Fact Sheet Types are needed to start Application Rationalization with LeanIX.
LeanIX scope for handling GDPR.
1. GDPR-related data is maintained mainly at the Application Fact Sheet
2. Relationships to Data Objects, Interfaces, and IT Components need to be established
3. Basic configuration is recommended to meet GDPR requirements
[Diagram: Major Fact Sheet Types and relations for App Rationalization. Business Architecture: Business Capability, Process, User Group. Information System Architecture: Application*, Interface, Data Object, Project. Technology Architecture: IT Component, Tech. Stack, Provider. * = configuration recommended]
6. Application as the central Fact Sheet to model GDPR in LeanIX.
Fact Sheet Configuration
1. New section on the Application Fact Sheets
2. Capture information directly based on the GDPR regulation:
Reason for processing
Legal basis for processing
General relevance of the Application for GDPR
Hint: Additional information like “Cross-Border Transfer” or “Category of external recipient” might be added to cover additional details.
7. We configure an additional Fact Sheet section upon your request.
8. Related Data Objects (PII) and IT Components (e.g. Hosting Services incl. location)
Relations you need for your GDPR use case.
1. Relate the Data Objects to the Applications, esp. Personally Identifiable Information (PII), and tag them accordingly
2. Relate Applications to the necessary IT Components and maintain their location (e.g. Hosting Service, location: US)
3. Maintain Interfaces that are provided by an Application and relate them to the receiving Applications (e.g. using SAP PO Integration)
9. Start with basic information and gather more details iteratively.
10. Subscriptions will give you insights about responsibilities from a technical and legal perspective.
Adding subscriptions
1. Make sure responsibility for every Application is clear
2. Differentiate responsibilities by introducing “Application Owner” (Data Processor) or “Data Protection Officer”
3. Subscriptions help you to have a primary contact if you need one (e.g. as part of an official GDPR “Procedure Index”)
11. Start with basic information and gather more details iteratively.
12. Link all your relevant documents on the Fact Sheet to easily hand them out upon request.
Adding Documents
1. Link documents from your Content Management System in LeanIX
2. Access all relevant data as you need more detailed information (e.g. on SLA, NDA, Security)
3. Hand out all relevant links as regulatory bodies (IT Security, Auditors, Revision, …) require you to do so
14. The survey helps you gather additional GDPR-related data or have your experts fill out your Fact Sheets.
Surveys: Power Features
1. Gather information that goes beyond the attributes on the Fact Sheet
2. Enable experts to maintain Fact Sheet data in the survey – low entry barrier!
3. Send out “Standard Surveys” on a regular basis to comply with regulatory requirements
Hint: We publish survey templates on an ongoing basis in our product documentation and our public GitHub repository.
15. Entering data in reports massively lowers the entry barrier to LeanIX for new stakeholders.
* Survey available on https://github.com/leanix-public/surveys
16. The Application Landscape gives you the chance to plan the compliance of your Applications in a business context.
Viewpoint: Enterprise / Solution Architects
1. Where are Applications in use that are highly GDPR relevant?
2. Are the Applications still supported by up-to-date technology?
3. What is the data flow of Personally Identifiable Information?
4. Is my project handling Personally Identifiable Data?
17. LeanIX provides you with an ad-hoc and easy-to-filter Procedure Index.
Viewpoint: Data Privacy Officer
1. Have all GDPR-relevant Applications available without any hassle for your Data Protection Officers – they will love it!
2. Hand out tables to auditors, revision, and other stakeholders based on a single-source inventory
3. Actively include your Data Privacy Officer in your daily work
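As an added illustration of the model the deck describes on slides 8, 10 and 17 (Applications related to PII Data Objects, IT Components with a hosting location, Interfaces to receiving Applications, and role subscriptions), the following example builds an in-memory inventory and derives the Procedure Index a Data Protection Officer would hand to auditors, flagging the attributes that are still missing. This is example code, not LeanIX's own API or data format; the Fact Sheet classes, the EEA country list and the sample Applications are constructed for the example.

```python
from dataclasses import dataclass, field
# Hypothetical in-memory model of the Fact Sheet types and relations in the
# deck (not LeanIX's API). EEA is a constructed subset for the example.
EEA = {"DE", "FR", "NL", "IE"}

@dataclass
class DataObject:
    name: str
    tags: set = field(default_factory=set)      # e.g. {"PII"}

@dataclass
class Application:
    name: str
    gdpr_relevance: str = "none"                # "high" | "medium" | "none"
    reason_for_processing: str = ""
    legal_basis: str = ""                       # e.g. "Art. 6(1)(b) contract"
    data_objects: list = field(default_factory=list)
    it_components: dict = field(default_factory=dict)   # IT Component -> location
    interfaces_to: list = field(default_factory=list)   # receiving Applications
    subscriptions: dict = field(default_factory=dict)   # role -> contact

def audit_gaps(app, pii, locations):
    """Attributes from the deck that an auditor asks for but are still unset."""
    gaps = []
    if not app.legal_basis:
        gaps.append("legal basis missing")
    if not app.reason_for_processing:
        gaps.append("reason for processing missing")
    if "Data Protection Officer" not in app.subscriptions:
        gaps.append("no Data Protection Officer subscription")
    if pii and app.gdpr_relevance == "none":
        gaps.append("holds PII but GDPR relevance not set")
    if pii and any(loc not in EEA for loc in locations):
        gaps.append("PII hosted outside EEA: document cross-border transfer")
    return gaps

def procedure_index(apps):
    """One row per GDPR-relevant Application, as a DPO would hand to auditors."""
    rows = []
    for app in apps:
        pii = sorted(d.name for d in app.data_objects if "PII" in d.tags)
        if app.gdpr_relevance == "none" and not pii:
            continue                            # not part of the index
        locations = sorted(set(app.it_components.values()))
        rows.append({"application": app.name, "pii": pii, "locations": locations,
                     "receivers": sorted(r.name for r in app.interfaces_to) if pii else [],
                     "owner": app.subscriptions.get("Application Owner"),
                     "dpo": app.subscriptions.get("Data Protection Officer"),
                     "gaps": audit_gaps(app, pii, locations)})
    return rows
```

Each row's `gaps` list is the to-do list for the next survey round: it tells the Application Owner which of the deck's GDPR attributes or subscriptions still need to be maintained before the index is audit-ready.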
18. Create lists to hand out to your main GDPR stakeholders without any hassle.
19. Key Take Aways
Data model easily adaptable to capture GDPR-relevant information
Opens the door to new strong stakeholders and use cases
Views and Reports that answer audit requests on an ad-hoc basis