Christmas Calendar, Day 9: GDPR Projects Should Involve These 9 Functions

The EU General Data Protection Regulation (in short, the GDPR) will be applied from May 2018. The regulation marks the biggest change in EU data privacy law in more than 20 years, and it will have a transformative effect on the way companies manage and secure personal data. Which functions should be involved in GDPR preparation?

Author: Taija
Date: 09.12.2017
Read Time: 3 Minutes


GDPR preparation is not just an IT project, and neither is it an initiative that solely impacts the work of Privacy or Security Officers; quite the contrary. Collaboration across the organization will be vital in driving compliance.

Companies that hold and work closely with EU citizens’ personal data should be involving most, if not all, of their departments in the process.


1. Executive team


The entire C-suite will need to take responsibility for implementing and delivering GDPR. There needs to be an organization-wide change in mindset.


2. Legal


The legal team will need to know the GDPR by heart, and be prepared to advise the rest of the company throughout the preparation process.


3. IT and software development


IT teams are in charge of, for example, the access controls to personal data and ensuring the “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data”.

The GDPR also impacts the software development life cycle (SDLC) for any systems that would process EU residents’ personal data.


4. Enterprise architecture


To ensure your organization’s compliance, you need a broad overview of the way personal data is used and why it was collected, how it is processed, who has access, where it is stored, which third parties are involved, what internal and external threats there are, and so on. Thus, you need enterprise architects.


5. Product management


Product owners play a role similar to IT system owners, but in software development companies. They must balance feature development against other requirements, such as security and privacy.


6. Service / UX design


The GDPR lays out specific requirements that need to be taken into account in the customer's journey through a service, related to informing customers and obtaining their consent.


7. Data analytics


The GDPR's data lifecycle requirements, particularly those on anonymization and data removal, pose serious challenges for big data and analytics technology at the practical implementation level.

Much more will need to be done by way of anonymizing data before it can be analyzed. Under the GDPR, any unique identifier, whether a name or a pseudonym, is covered by the law and therefore subject to the same level of protection.
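The point about pseudonyms is easy to underestimate in an analytics pipeline, so here is an added example that is not part of the original post or of F-Secure's material. It replaces an e-mail address with a keyed HMAC token: the token is stable, so every record of the same person stays linkable, which is exactly why it remains personal data and why the key (which the GDPR requires to be kept separately from the data) needs the same protection as the raw identifier. Only the final aggregation step, which drops the per-person link and suppresses groups of one, produces output that no longer singles anybody out. The key value and the sample records are constructed for the example.

```python
"""Pseudonymisation vs. aggregation demo (added example, not from the post).

A keyed HMAC turns an e-mail address into a stable token. The token still
links all records of one person, so the pseudonymised data set is personal
data and the key must live outside the analytics environment.
"""
import hashlib
import hmac

# Constructed placeholder key: in a real deployment this is fetched from a
# secrets store that the analytics platform cannot read.
PSEUDONYM_KEY = b"placeholder-secret-key-stored-separately"

# Constructed sample events containing a direct identifier (e-mail).
RAW_EVENTS = [
    {"email": "anna@example.com", "country": "FI", "plan": "pro"},
    {"email": "bob@example.com", "country": "DE", "plan": "free"},
    {"email": "Anna@Example.com ", "country": "FI", "plan": "pro"},
    {"email": "cara@example.com", "country": "FI", "plan": "pro"},
]


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed hash of a normalised identifier.

    Same person -> same token (records stay linkable). Without the key an
    attacker cannot simply hash guessed e-mail addresses to find matches,
    which is what an unkeyed SHA-256 would allow.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_events(events: list[dict]) -> list[dict]:
    """Swap the direct identifier for a pseudonym; keep the analytic fields."""
    return [
        {"subject": pseudonymise(e["email"]),
         "country": e["country"],
         "plan": e["plan"]}
        for e in events
    ]


def aggregate(pseudo_events: list[dict], min_group_size: int = 2) -> dict:
    """Count distinct subjects per (country, plan).

    Groups smaller than min_group_size are dropped: a group of one would
    re-identify its single member, so the per-person link is only really
    gone once small cells are suppressed.
    """
    subjects: dict[tuple, set] = {}
    for e in pseudo_events:
        subjects.setdefault((e["country"], e["plan"]), set()).add(e["subject"])
    return {grp: len(s) for grp, s in subjects.items() if len(s) >= min_group_size}


if __name__ == "__main__":
    pseudo = pseudonymise_events(RAW_EVENTS)
    # The two 'anna' events collapse to one subject token even though the
    # raw strings differed in case and whitespace.
    print(pseudo[0]["subject"] == pseudo[2]["subject"])
    print(aggregate(pseudo))
```

Two design choices matter here. Normalising the identifier before hashing is what makes the pseudonym consistent across data sources, and that consistency is precisely the linkability that keeps the token inside the GDPR's definition of personal data. The aggregation's small-cell suppression is a minimal example of the kind of extra work the paragraph refers to; real releases usually need stronger guarantees (k-anonymity thresholds, differential privacy) chosen by the analytics and legal teams together.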


8. Marketing


Website privacy policies need to be reviewed and updated, consent management must be in shape, and marketing automation and CRM providers need to be compliant with the GDPR. You may face challenges if your marketing data has been shared with agencies in formats such as manually maintained Excel sheets.


9. Information security


The CISO and the whole information security team should be heavily involved in formulating GDPR plans, as they are central to some of the regulatory changes around data breaches and data privacy.


Want to know more? Download our eBook which discusses the basic principles and concepts included in the GDPR and the key factors needed for proper GDPR preparation.


Or watch the video in which F-Secure's Principal Security Consultant Antti Vähä-Sipilä discusses the measures companies need to take to achieve long-term GDPR compliance.

