Skip to content

Trending tags

Christmas Calendar, Day 9: GDPR Projects Should Involve These 9 Functions

Noora Hyvärinen

09.12.17 2 min. read

Cyber security christmas calendar day 9

GDPR preparation is not just an IT project, and neither is it an initiative solely impacting the work of Privacy or Security Officers – quite on the contrary. Collaboration will be vital in driving compliance.

Companies that hold and work closely with EU citizens’ personal data should be involving most, if not all, of their departments in the process.

GDPR, functions

1. Executive team

The entire C-suite will need to take responsibility for implementing and delivering GDPR. There needs to be an organization-wide change in mindset.

2. Legal

Legal team will need to know the GDPR by heart, and be prepared to advise the rest of the company throughout the preparation process.

3. IT and software development

IT teams are in charge of, for example, the access controls to personal data and ensuring the “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data”.

The GDPR also impacts the software development life cycle (SDLC) for any systems that would process EU residents’ personal data.

4. Enterprise architecture

To ensure your organization’s compliance, you need a broad overview of the way personal data is used and why it was collected, how it is processed, who has access, where it is stored, which third parties are involved, what internal and external threats there are, and so on. Thus, you need enterprise architects.

5. Product management

Product owners are similar to IT system owners, but for software development companies. They must balance feature development with other requirements, like security and privacy.

6. Service / UX design

There are some specific requirements laid out by the GDPR that need to be taken into account in the customer journey through a service, related to the informing of customers and getting their consent.

7. Data analytics

The GDPR’s data lifecycle requirements, particularly those of anonymization and data removal, put up serious challenges for big data and analytics technology on a practical implementation level.

Much more will need to be done by way of anonymizing data before it can be analyzed. The GDPR means that any unique identifier, whether a name or a pseudonym, is covered by law, and therefore subject to the same levels of protection.

8. Marketing

Website privacy policies need to be reviewed and updated, consent management must be in shape and marketing automation and CRM providers need to be compliant with the GDPR. You may face challenges if your marketing data has been shared with agencies in formats such as manual Excel sheets.

9. Information security

The CISO and the whole Information Security team should be heavily involved in formulating GDPR plans, as they are central to some of the regulatory changes around data breaches and data privacy.

Want to know more? Check this video with F-Secure’s Principal Security Consultant Antti Vähä-Sipilä discussing the measures companies need to undertake to achieve long-term GDPR compliance.

Noora Hyvärinen

09.12.17 2 min. read


Related posts


Newsletter modal

Thank you for your interest towards F-Secure newsletter. You will shortly get an email to confirm the subscription.

Gated Content modal

Congratulations – You can now access the content by clicking the button below.