GDPR – F-Secure Learnings and Best Practices

On our webinar, Privacy Officer Hannes Saarinen shares the best practices F-Secure has learned during our GDPR journey:

Checklist of the basics

Even though you are already far in the project, we recommend you run through this quick checklist:

1. Have an executive buy-in
   Getting the commitment of stakeholders also beyond the deadline is easier if you have a decision from the CEO, executive team or the board. This will help everyone understand the priorities. GDPR cannot be done next year, the time is now.
2. Budget enough manhours
   Time spent on the project is difficult to estimate and there can be unforeseen costs in the project. In our case, at least 150 out of 1100 employees are required in the GDPR work. Budget enough time even after the deadline.
3. Have dedicated project coordinators
   In our experience, project coordinators are more critical than any individual privacy person. No-one can spread the information and hold the strings alone. Have a dedicated project management.
4. Draw data maps
   Unless you do your data mapping, it’s impossible to write policies. Data maps help everyone in the project see where the data in your company is located and how is it structured. Even after the deadline.

If you are running out of time, here’s what you should do

1. Prioritize ruthlessly
   It might not be feasible to comply on all levels, especially if you are a data-intensive company. To keep the quality of your work high, pick you battles. GDPR work will continue for years and you are going to have to live with your solutions on all fronts, so focus on quality.
2. Build a good governance model now
   Note that the sense of urgency will be gone after 25^th May. You will need people’s commitment to finish all the low priority work. GDPR is not a “fire and forget” exercise, so make sure you think about what happens after the deadline.
3. Make all your documentation meet a business purpose
   GDPR requires companies to create a huge amount of documentation. There is a risk of creating hundreds of pages of documents, in which no-one has a business interest to keep up-to-date. Think about the business purpose and a process to have your documentation updated automatically in the future.
4. Consider what data subject rights really mean
   As an example, when do you have to implement the right to be forgotten? All of us have systems which are non-GDPR updateable, but we are unable to get rid of immediately. Which systems can operate as they do now?

How does F-Secure implement GDPR?

All the F-Secure products have gone through a privacy impact assessment. Below our checklist and tips on what to prioritize.

1. Are you a controller or a processor? Processors must fulfill fewer obligations, so check this to avoid extra work.
2. GDPR gives you legal grounds on which to process your data. Choose which ones you apply for the purpose that you know, which data subject rights you must implement to your systems.
3. Have a rule for retention times. When you collect data, make a plan and include the business purpose, why you collect data and how long you will keep it.
4. Think about the data transfers and disclosures, what to write on your contracts and with whom.
5. Limit access & bolster security. Statistics show that data breach has been the single highest cause of fines for companies in the realm of privacy. If you simply take GDPR as a risk mitigation exercise, ensure that the likelihood of personal data breaches remains low. Have a proper access control and a solid security framework. Have capabilities to detect breaches and notify data protection authority, before they read it in the news.
6. Update your privacy policy – it will give you more benefit than any individual activity you do under GDPR or any other data protection regulation. Be transparent to your customers and have a solid privacy story. But if you haven’t done the previous actions in the GDPR process, you won’t know what to write to the policy.
7. Enable applicable data subject rights and agree on the process. Not everyone has a nice portal, but everyone should do an exercise on how to handle this properly.
8. DPIA (Data Protection Impact Assessments) are required for high-risk processing.

To sum it up, if you don’t have time to do anything else, at least update your privacy policy and make sure you have good security solutions in place which are also able to detect breaches.

Read how cyber security solutions can help you achieve compliance