Draft overview
...
The Ask
• Validate the proposed solution for GDPR retention
• Test, learn and determine the methodological strategies and architectural patterns that can be adopted for applying deletion and archiving of data
• Assess and categorize deletion and archiving application capabilities for both on-premises and managed service applications
• Establish vendor tool and services compliance
• Produce an Archiving & Retention roadmap for HEE applications
Business Drivers
• Principle 5 of the current Data Protection Act (DPA) states that ‘Personal data, processed for any purpose or purposes, shall not be kept for longer than is necessary for that purpose or those purposes’
• Principle (s) of the new European legislation entitled the ‘General Data Protection Regulation’ (GDPR), which is due to come into force on the 25th May 2018, states the following:
“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”
• Article 5 (e) of the GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being used... be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records
• Many of the systems within the HEE applications estate do not have archiving and deletion capabilities
• There is therefore a need to establish a set of archiving and retention solutions for the different data use cases in our estate and roll these out across our application landscape to ensure compliance, not only with the impending GDPR, but also with the existing DPA
Risks & Rewards
Risks associated with the lack of a proper archiving and retention policy:
• Loss of data
• Cyber attacks
• EU GDPR fines
Benefits of properly archiving data:
• Reduced cost
• Better backup and restore performance
• Prevention of data loss
• Increased security
• Regulatory compliance
The Pilot
• This is a regulatory project which delivers functionality that is required to ensure compliance with the GDPR
• The proposed solution utilizes existing approved technologies that are either being introduced or already in place within HEE … so the architectural landscape will not be impacted
• However, the ability to delete and extract for archive, within structured applications, is not proven, and different appropriate methodological strategies and design patterns will be needed depending on the deletion and archiving capabilities provided by the applications
• A pilot is therefore required to:
  • Validate the proposed solution for GDPR archiving and retention policy management
  • Test, learn and determine the methodological strategies and architectural patterns that can be adopted for applying deletion and archiving in archiving applications
  • Assess and categorize archiving and deletion capabilities of applications residing in on-premises and managed service platforms (includes establishing vendor compliance)
  • Identify and prioritize Change Plan projects for the delivery of archiving and deletion within applications
Requirements Overview
...
Solution Scope Boundaries
Boundaries
• Use a single Organisation/Functional Area for the Pilot, e.g. HR
• Select 3 applications that are owned by the Pilot Organisation/Functional Area upon which to carry out the test and learn activities
Deliverables
• Validated solution for GDPR archiving and retention policy management
• Leverage the existing DPA
• Data Processing Vendor questionnaire and responses providing an assessment of applications provided by managed services in terms of deletion and archiving capabilities
• Methodological strategies and architectural patterns that can be adopted for applying deletion and archiving in archiving applications
• All applications categorised by archiving and deletion capabilities
• Prioritised Change Plan projects for the delivery of archiving and deletion within applications
Proposed timelines
...