Data Protection and Software Development - Greetings from IAPP Europe Data Protection Conference 2017

Matti Suominen

November 15, 2017 at 14:00

IAPP Europe Data Protection Conference 2017, held in Brussels during 8-9th of November, is the most important venue for data protection professionals to get together and share lessons learned with others from around the world. Kira Ahveninen-Kuha, Head of Data Protection Practice at Nixu and Matti Suominen, Lead Consultant at Nixu held a session on the challenges the data protection professionals face when communicating requirements to software development experts. (View the presentation material here)

Compliance with GDPR is in significant parts a challenge of implementing the necessary controls and features into IT systems and the enterprise architecture. Challenges arise when the data protection experts who understand the requirements cannot effectively communicate them to the software development teams. Previously, these two groups of professionals have only rarely come into contact with each other. Lack of common language and understanding of the working practices means that requirements don’t translate well into actionable tasks or software features.

Privacy WS

Common mistake made by data protection professionals is to try to keep data protection and privacy as a separate track, which is then added on top of what the software developers are already doing. Given that data protection is only a small part of what goes into development and design, such additional processes rarely find their place in the day-to-day work of software developers.

The solution to the problem is to get the both sides to the same table and find common ground by opening up the problem in terms that are understood by both. The presentation was an attempt to open up this dialogue on the data protection side and to explain why the intent of the message is easily lost or misunderstood. Given the amount of feedback, discussions and questions that followed, it’s clear that this is a key issue for many companies working towards GDPR compliance.

Key takeaways for data protection professionals:

  • Join the existing process that is already there for software developers – treating data protection as a separate track is almost guaranteed to not get a buy-in from the other side
  • Know your business and the environment – your efforts will be appreciated when you can give relevant advice that takes into account the business realities of the world around you
  • Get involved, don’t be just the name in e-mails and requirement forms – you have valuable knowledge that the development team would love to learn
  • It’s not always easy so don’t get discouraged – try and try again

As a follow-up to the session, two separate blog entries were written to address questions from audience in more detail. They address threat modeling of advanced data protection threats and implementing GDPR requirements such as data retention in enterprise architecture.

If you are interested and want to know more, you are invited to connect with Nixu experts; Kira Ahveninen-Kuha and Matti Suominen to continue the discussion.


Related blogs