Privacy & Security by Design at Sanoma

Sanoma Group, Finland’s largest media group and a European education publisher, innovates in media and learning across 12 European countries.  

Advisense was appointed to conduct an internal audit aimed at privacy by design and the related security requirements and processes within the group of companies. Sanoma sought to gain an overview of the current state of compliance, identify potential risks and development needs, and enable informed decision-making, ensuring the capability to efficiently address any gaps.  

The Challenge

Privacy and security by design are the key processes in ensuring that requirements are being considered already when designing systems, processes and products that involve data. Privacy by design and by default is a GDPR requirement, requiring organisations to effectively implement data protection principles in all operations involving processing of personal data, including designing, developing, maintaining and using services and products.  

The scope of the audit requires deep subject matter expertise in privacy and cyber security compliance. The challenge was to gather an overview of the compliance status in policy, process, and application levels, in a global multinational setting.

The Solution

The solution was to assess the state of compliance with privacy by design and the related security requirements within Sanoma, including identification of risks with prioritised mitigation actions and recommended controls. This was conducted by material review and interviews across governance level, process leads and development teams, including assessment of targeted applications which were selected in the scope of the audit.  

The project incorporated the expertise of consultants from Internal Audit and Cyber & Digital Risk teams covering a diverse skillset in privacy, security and internal audit. The collaborative and interdisciplinary team played a key role in conducting a successful audit covering privacy and security by design, from regulation and best practices to processes and implementation, leading to the project’s success. The approach also ensured a high level of understanding of the required compliance requirements and best practices, along with expertise in auditing requirements and methodologies. 

The Result

The deliverable of the project was an audit report describing findings regarding privacy and security by design within the organisation. The report included identified risks, recommended actions, and controls for risk mitigation. The findings and recommendations of the audit were anchored in discussions with the business before the final report was submitted and in close cooperation throughout the project.  

Advisense provided the client hands-on and practical insights into privacy and security by design policies, processes, and implementation. By identifying strengths and weaknesses and thoroughly analysing the current status, our audit recommendations enabled Sanoma to improve its operations, ensure robust policy implementation for privacy and security by design, and elevate overall process quality in its business.