erwin Expert Blog

Digital Trust: Enterprise Architecture and the Farm Analogy

With the General Data Protection Regulation (GDPR) taking effect soon, organizations can use it as a catalyst in developing digital trust.

Data breaches are increasing in scope and frequency, creating PR nightmares for the organizations affected. The more data breaches, the more news coverage that stays on consumers’ minds.

The Equifax breach and subsequent stock price fall was well documented and should serve as a warning to businesses and how they manage their data. Large or small,  organizations have lessons to learn when it comes to building and maintaining digital trust, especially with GDPR looming ever closer.

Previously, we discussed the importance of fostering a relationship of trust between business and consumer.  Here, we focus more specifically on data keepers and the public.

Digital Tust: Data Farm

Digital Trust and The Farm Analogy

Any approach to mitigating the risks associated with data management needs to consider the ‘three Vs’: variety, velocity and volume.

In describing best practices for handling data, let’s imagine data as an asset on a farm. The typical farm’s wide span makes constant surveillance impossible, similar in principle to data security.

With a farm, you can’t just put a fence around the perimeter and then leave it alone. The same is true of data because you need a security approach that makes dealing with volume and variety easier.

On a farm, that means separating crops and different types of animals. For data, segregation serves to stop those without permissions from accessing sensitive information.

And as with a farm and its seeds, livestock and other assets, data doesn’t just come in to the farm. You also must manage what goes out.

A farm has several gates allowing people, animals and equipment to pass through, pending approval. With data, gates need to make sure only the intended information filters out and that it is secure when doing so. Failure to correctly manage data transfer will leave your business in breach of GDPR and liable for a hefty fine.

Furthermore, when looking at the gates in which data enters and streams out of an organization, we must also consider the third ‘V’ – velocity, the amount of data an organization’s systems can process at any given time.

Of course, the velocity of data an organization can handle is most often tied to how efficiently a business operates. Effectively dealing with high velocities of data requires faster analysis and times to market.

However, it’s arguably a matter of security too. Although not a breach, DDOS attacks are one such vulnerability associated with data velocity.

DDOS attacks are designed to put the aforementioned data gates under pressure, ramping up the amount of data that passes through them at any one time. Organizations with the infrastructure to deal with such an attack, especially one capable of scaling to demand, will suffer less preventable down time.

Enterprise Architecture and Harvesting the Farm

Making sure you can access, understand and use your data for strategic benefit – including fostering digital trust – comes down to effective data management and governance. And enterprise architecture is a great starting point because it provides a holistic view of an organization’s capabilities, applications and systems including how they all connect.

Enterprise architecture at the core of any data-driven business will serve to identify what parts of the farm need extra protections – those fences and gates mentioned earlier.

It also makes GDPR compliance and overall data governance easier, as the first step for both is knowing where all your data is.

For more data management best practices, click here. And you can subscribe to our blog posts here.

erwin blog

erwin Expert Blog

Enterprise Architecture for GDPR Compliance

With the May 2018 deadline for the General Data Protection Regulation (GDPR) fast approaching, enterprise architecture (EA), should be high on the priority list for organizations that handle the personal data of citizens in any European Union state.

GDPR compliance requires an overview of why and how personal data is collected, stored, processed and accessed. It also extends to third-party access and determining – within reason – what internal or external threats exist.

Because of EA’s holistic view of an organization and its systems, enterprise architects are primed to take the lead.

Enterprise Architecture for GDPR

Enterprise architecture for GDPR: Data privacy by design

The fragmented nature of data regulation and the discrepancies in standards from country to country made GDPR inevitable. Those same discrepancies in standards make it very likely that come May 2018, your organization will be uncompliant if changes aren’t made now.

So, organizations have two issues to tackle: 1) the finding problem and 2) the filing problem.

First, organizations must understand where all the private, personal and sensitive data is within all their systems . This also includes all the systems within their respective value chains. Hence, the finding problem.

Second, organizations must address the filing problem, which pertains to how they process data. As well as being a prerequisite for GDPR compliance, tackling the filing problem is essentially a fix to ensure the original finding problem is never as much of a headache again.

Starting with business requirements (A) and working through to product application (B), organizations have to create an environment whereby data goes from A to B via integral checkpoints to maintain data privacy.

This ensures that through every instance of the application development lifecycle – analysis, design, development, implementation and evaluation – the organization has taken all the necessary steps to ensure GDPR standards are met.

Enterprise architecture provides the framework of data privacy by design. By understanding how your organization’s systems fit together, you’ll see where data is as it moves along the application development lifecycle.

Enterprise architecture for GDPR: The benefits of collaboration

Of course, one of the requirements of GDPR is that compliance and all the steps to it can be demonstrated. Dedicated EA tools have the capacity to model the relevant information.

A dedicated and collaborative enterprise architecture tool takes things to the next level by  simplifying the export and sharing of completed models.

But there’s more. Truly collaborative EA tools allow relevant stakeholders (department heads, line managers) directly involved in handling the data of interest to be involved in the modeling process itself. This leads to more accurate reporting, more reliable data, and faster turnaround, all of which have a positive effect on business efficiency and the bottom line.

Approaching GDPR compliance with enterprise architecture does more than complete a chore or tick a box.  It becomes an opportunity for constant business improvement.

In other words, organizations can use enterprise architecture for GDPR as a catalyst for deeper, proactive digital transformation.

erwin partner Sandhill Consultants has produced a three-part webinar series on Navigating the GDPR Waters.

The first webinar covers the identification and classification of personally identifiable information and sensitive information and technologies, such as enterprise architecture, that can assist in identifying and classifying this sort of data.

Click here to access this webinar.

erwin blog

erwin Expert Blog

Digital Trust: Earning It and Keeping It with Data Governance

Digital trust can make or break a brand.

Amazon understood this concept early on. When the company first launched as an online bookseller in 1994, consumer confidence in online shopping was low, to say the least.

Exclusively competing with local bookstores, Amazon and many e-tailers throughout the 90s and early 2000s had to work to create trust in online shopping. Their efforts paid off, ushering in a new era and transforming the way we all shop today.

Amazon is a good example of digital trust making a brand. But data breaches are a telling metric of how lack of digital trust can break a brand.

Frequency of Data Breaches and Its Impact on Consumer Trust

Since Privacy Rights Clearinghouse began tracking data breaches in 2005, 7,731 have been reported, with an estimated 1 billion individual records breached. And that estimate is conservative. While a data breach may have been reported, the number of individual records involved isn’t always known.

The Ponemon Institute’s 2017 Cost of Data Breach Study suggests the odds of suffering a data breach within the year are as high as one in four. As if the growing number of data breaches isn’t enough to contend with, considerable evidence suggests their impact is increasing too.

Although the Ponemon Institute study found the financial cost of a data breach fell by 10 percent between 2016 and 2017, the “financial cost” doesn’t account for the various intangible effects of a data breach that can, and do, add up.

For example, the reputational cost more than likely outweighs the clean-up costs of a high-profile data breach like the one Equifax suffered recently. That incident is believed to have reduced Equifax’s market value by $3 billion, as share prices tumbled by as much as 17 percent.

In fact, any company disclosing a data breach saw its average stock price fall by 5 percent, according to Ponemon. And 21 percent of consumers included in its study reported ending their relationships with a company that had been breached. Why? They lost trust in those businesses.

Perhaps the most relevant finding here is that “organizations with a poor security posture experienced an increase of up to 7 percent customer churn, which can amount to millions in lost revenue.” Clearly this shows the correlation between digital trust and customer retention. It also demonstrates that the consumer is aware of such matters.

That’s why digital trust poses an opportunity. Yes, consumer trust is declining. Yes, high-profile breaches are increasing. But these are alarm bells, not death knells.

Businesses can use the issue of digital trust to their advantage. By making it a unique value proposition reinforced by a solid data governance (DG) program, you can set yourself apart from the competition – not to mention avoid GDPR penalties.

Building digital trust

Building Digital Trust Through Data Governance

In today’s digital economy, the consumer holds the power with more avenues of research and reviews to inform purchase decisions. Even in the B2B world, studies indicate that 47 percent of buyers view three to five pieces of content before engaging with a sales rep.

In other words, the consumer is clued in. But if a data breach occurs, it doesn’t have to lead to customer losses. It could actually reinforce customer loyalty and produce an uptick in new customers – if you are proactive in your response and transparent about your procedures for data governance.

Of course, consumer trust isn’t built overnight. It’s a process, influenced by sound data governance practices and routine demonstrations of said practices so trust becomes part of your brand.

While considering the long-term payoff, it’s also worth noting the advantages a data governance program has in the short-term. For better or worse, short-term positive outcomes are what business leaders and decision- makers want to see.

When it comes to both digital trust and business outcomes, DG’s biggest advantage is ensuring an organization can first trust its own data.

In addition to helping an organization discover, understand and then socialize its mission-critical information for greater visibility, it also improves the enterprise’s ability to govern and control data. You literally get a handle on how you handle your data – and not just to help prevent breaches.

Greater certainty around the quality of data leads to faster and more productive decision-making. It reduces the risk of misleading models, analysis and prediction, meaning less time, money and other resources are wasted.

Additionally, the very data used in such models and analysis benefits from improved clarity. Meaning what’s relevant is more readily discoverable, speeding up the entire strategic planning and decision-making process.

So, proactive and proficient data governance doesn’t just mitigate risk, it fundamentally improves operational performance and accelerates growth.

For more data best practices click here, and you can stay up to date with our latest posts here.

erwin blog

erwin Expert Blog

Using Enterprise Architecture to Improve Security

The personal data of more than 143 million people – half the United States’ entire population – may have been compromised in the recent Equifax data breach. With every major data breach comes post-mortems and lessons learned, but one area we haven’t seen discussed is how enterprise architecture might aid in the prevention of data breaches.

For Equifax, the reputational hit, loss of profits/market value, and potential lawsuits is really bad news. For other organizations that have yet to suffer a breach, be warned. The clock is ticking for the General Data Protection Regulation (GDPR) to take effect in May 2018. GDPR changes everything, and it’s just around the corner.

Organizations of all sizes must take greater steps to protect consumer data or pay significant penalties. Negligent data governance and data management could cost up to 4 percent of an organization’s global annual worldwide turnover or up to 20 million Euros, whichever is greater.

With this in mind, the Equifax data breach – and subsequent lessons – is a discussion potentially worth millions.

Enterprise architecture for security

Proactive Data Protection and Cybersecurity

Given that data security has long been considered paramount, it’s surprising that enterprise architecture is one approach to improving data protection that has been overlooked.

It’s a surprise because when you consider enterprise architecture use cases and just how much of an organization it permeates (which is really all of it), EA should be commonplace in data security planning.

So, the Equifax breach provides a great opportunity to explore how enterprise architecture could be used for improving cybersecurity.

Security should be proactive, not reactive, which is why EA should be a huge part of security planning. And while we hope the Equifax incident isn’t the catalyst for an initial security assessment and improvements, it certainly should prompt a re-evaluation of data security policies, procedures and technologies.

By using well-built enterprise architecture for the foundation of data security, organizations can help mitigate risk. EA’s comprehensive view of the organization means security can be involved in the planning stages, reducing risks involved in new implementations. When it comes to security, EA should get a seat at the table.

Enterprise architecture also goes a long way in nullifying threats born of shadow IT, out-dated applications, and other IT faux pas. Well-documented, well-maintained EA gives an organization the best possible view of current tech assets.

This is especially relevant in Equifax’s case as the breach has been attributed to the company’s failure to update a web application although it had sufficient warning to do so.

By leveraging EA, organizations can shore up data security by ensuring updates and patches are implemented proactively.

Enterprise Architecture, Security and Risk Management

But what about existing security flaws? Implementing enterprise architecture in security planning now won’t solve them.

An organization can never eliminate security risks completely. The constantly evolving IT landscape would require businesses to spend an infinite amount of time, resources and money to achieve zero risk. Instead, businesses must opt to mitigate and manage risk to the best of their abilities.

Therefore, EA has a role in risk management too.

In fact, EA’s risk management applications are more widely appreciated than its role in security. But effective EA for risk management is a fundamental part of how EA for implementing security works.

Enterprise architecture’s comprehensive accounting of business assets (both technological and human) means it’s best placed to align security and risk management with business goals and objectives. This can give an organization insight into where time and money can best be spent in improving security, as well as the resources available to do so.

This is because of the objective view enterprise architecture analysis provides for an organization.

To use somewhat of a crude but applicable analogy, consider the risks of travel. A fear of flying is more common than fear of driving in a car. In a business sense, this could unwarrantedly encourage more spending on mitigating the risks of flying. However, an objective enterprise architecture analysis would reveal, that despite fear, the risk of travelling by car is much greater.

Applying the same logic to security spending, enterprise architecture analysis would give an organization an indication of how to prioritize security improvements.

erwin Expert Blog

Every Company Requires Data Governance and Here’s Why

With GDPR regulations imminent, businesses need to ensure they have a handle on data governance.

erwin Expert Blog

Data Education Month: Data-Focused Organizations Continue Their March

In the modern world, data education is immensely important.

Data has become a fundamental part of how businesses operate. It’s also essential to consumers in going about their day-to-day lives.

And while organizations and consumers alike go about their business, data constantly ticks in the background, enabling the systems and processes that keep the world functioning.

Considering this, and with March marking Data Education Month, now seems the perfect time to highlight the importance of understanding data’s potential, its drawbacks and the most efficient ways to ensure its effective management.

Data education month

In 2013, the total amount of data in the world was believed to have reached 4.4 zettabytes. For context, 1 zettabyte is equivalent to around 44 trillion gigabytes, or about 152 million years of UHD 8K video format.

By 2020, analysts predict the world’s data will reach 44 zettabytes. The sudden acceleration is truly staggering, and it’s businesses driving it.

Start-ups that find new ways to exploit data can revolutionize markets almost overnight. And as the frequency in which this happens increases, more and more pre-established businesses are also putting resources behind digital innovation.

By now, businesses should be more than aware of just how important a good data management strategy is. If you’ve yet to make a data strategy a central focus of the way your business operates, then chances are, you’re being left behind – and the gap is widening quickly.

So in honor of data education month, we’ve collated some of our top educational data posts, and a few others around the Web.

Read, comment, share and celebrate #DataEducationMonth with us.

Data Education: Data Management

Managing Any Data, Anywhere with Any²

The acceleration in the amount of data is staggering, and can be overwhelming for businesses. You should apply the Any² approach to cope.

GDPR Guide: Preparing for the Changes

Businesses need to prepare for changes to General Data Protection Regulation (GDPR) legislation, and our GDPR guide is a great place to start.

Using EA, BP and DM to Build the Data Foundation Platform

Instead of utilizing built for purpose data management tools, businesses in the early stages of a data strategy often leverage pre-existing, make-shift software. However, the rate in which modern businesses create and store data, means these methods can be quickly outgrown.

Data Education: Data Modeling

The Data Vault Method for Modeling the Data Warehouse

How the data vault method benefits businesses by improving implementation times, and enabling data warehouse automation.

Data Modeling – What the Experts Think

Three data modeling experts share their advice, opinions and best practices for data modeling and data management strategies.

Data Education: Enterprise Architecture

Data-Driven Enterprise Architecture for Better Business Outcomes

A business outcome approach to enterprise architecture can reduce times to market, improve agility, and make the value of EA more apparent.

What’s Behind a Successful Enterprise Architecture Strategy?

Best practices to adopt to increase the likelihood of enterprise architecture’s success

Data Education: Business Process

Basics of Business Process Modeling

Business process modeling helps to standardize your processes and the ways in which people communicate, as well as to improve knowledge sharing.

Where Do I Start with Business Process Modeling?

FAQ blog providing insight from top consultants into key issues impacting the business process and enterprise architecture industries.

erwin on the road

erwin Expert Blog

GDPR guide: The role of the Data Protection Officer

Over the past few weeks we’ve been exploring aspects related to the new EU data protection law (GDPR) which will come into effect in 2018.

erwin Expert Blog

GDPR guide: Preparing for the new changes

By now many businesses would have already heard about the new General Data Protection Regulation legislation. But knowing is only half the battle. That’s why we’ve put together this GDPR guide. 

erwin Expert Blog

GDPR guide: Do you know about the change?

The countdown has begun to one of the biggest changes in data protection, but how much do you know about GDPR? In a series of articles throughout February we will explain the essential information you need to know and what you need to be doing now.

What is GDPR?

It stands for General Data Protection Regulation and it’s an EU legal framework which will apply to UK businesses from 25 May 2018. It’s a new set of legal requirements regarding data protection which adds new levels of accountability for companies, new requirements for documenting decisions and a new range of penalties if you don’t comply.

It’s designed to enable individuals to have better control of their own personal data.

While the law was ratified in 2016, countries have had a two-year implementation period which means businesses must be compliant by 2018.

Key points of GDPR

The changes to data protection will be substantial as will be the penalties for failure to comply. It introduces concepts such as the right to be forgotten and formalises data breach notifications.

GDPR will ensure a regularity across all EU countries which means that individuals can expect to be treated the same in every country across Europe.

How to comply

EU GDPR padlockFor processing personal data to be legal under GDPR businesses need to show that there is a legal basis as to why they require personal data and they need to document this reasoning.

GDPR states that personal data is any information that can be used to identify an individual. This means that, for the first time, it includes information such as genetic, mental, cultural, economic or social information.

To ensure valid consent is being given, businesses need to ensure simple language is used when asking for consent to collect personal data. Individuals must also have a clear understanding as to how the data will be used.

Furthermore, it is mandatory under the GDPR for businesses to employ a Data Protection Officer. This applies to public authorities and other companies where their core activities require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.

Data Protection Officers will also be required to complete Privacy Impact Assessment and give notification of a data breach within 72 hours.

The impact of Brexit

At this stage it is unknown how the UK exiting the European Union will affect GDPR. However, with Article 50 yet to be triggered – the exit from the European Union is still over two years away and as such the UK will still be part of the EU in 2018. This means that businesses must comply with GDPR when it comes into force.

Penalties for non-compliance

Penalties for failing to meet the requirements of GDPR could lead to fines of up to €20 million or 4% of the global annual turnover of the company for the previous year, whichever is higher. This high level of financial penalty could mean could have a serious impact on the future of a business.

Over the coming month, we will continue this series looking at how to get started preparing for GDPR now, why you need a Data Protection Officer and how GDPR will affect your international business.

Download the White Paper The Business Value of Data Modeling for Data Governance