GDPR preparation is not just an IT project, and neither is it an initiative solely impacting the work of Privacy or Security Officers – quite on the contrary. Collaboration will be vital in driving compliance.
Companies that hold and work closely with EU citizens’ personal data should be involving most, if not all, of their departments in the process.
1. Executive team
The entire C-suite will need to take responsibility for implementing and delivering GDPR. There needs to be an organization-wide change in mindset.
2. Legal
The legal team will need to know the GDPR by heart and be prepared to advise the rest of the company throughout the preparation process.
3. IT and software development
IT teams are in charge of, for example, the access controls to personal data and ensuring the “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data”.
The GDPR also impacts the software development life cycle (SDLC) for any systems that would process EU residents’ personal data.
4. Enterprise architecture
To ensure your organization’s compliance, you need a broad overview of the way personal data is used and why it was collected, how it is processed, who has access, where it is stored, which third parties are involved, what internal and external threats there are, and so on. Thus, you need enterprise architects.
5. Product management
Product owners are similar to IT system owners, but for software development companies. They must balance feature development with other requirements, like security and privacy.
6. Service / UX design
The GDPR lays out some specific requirements that must be taken into account in the customer journey through a service, relating to how customers are informed and how their consent is obtained.
7. Data analytics
The GDPR’s data lifecycle requirements, particularly those for anonymization and data removal, pose serious challenges for big data and analytics technology at the practical implementation level.
Much more will need to be done to anonymize data before it can be analyzed. Under the GDPR, any unique identifier, whether a name or a pseudonym, is covered by the law and is therefore subject to the same level of protection.
8. Marketing
Website privacy policies need to be reviewed and updated, consent management must be in shape, and marketing automation and CRM providers need to be compliant with the GDPR. You may face challenges if your marketing data has been shared with agencies in formats such as manually maintained Excel sheets.
9. Information security
The CISO and the whole Information Security team should be heavily involved in formulating GDPR plans, as they are central to some of the regulatory changes around data breaches and data privacy.
Want to know more? Watch this video in which F-Secure’s Principal Security Consultant Antti Vähä-Sipilä discusses the measures companies need to undertake to achieve long-term GDPR compliance.