GDPR…Just a Europe thing, right…right…

Written by: Peta Nicholson

GDPR is the latest compliance buzzword in tech today. Everyone is talking about GDPR and about making sure their business is compliant. But isn’t this only for companies located in the EU? In short: no!

What is the GDPR?

The regulation is called the General Data Protection Regulation (GDPR). It sets a new bar for privacy rights, security, and compliance: it gives individuals more control over their personal data, requires transparency about how that data is used, and requires security controls to protect it.

When does GDPR come into effect?

On 25 May 2018, GDPR goes into effect, with broad-reaching implications for companies around the globe (not just in the EU).

Who does GDPR affect?

The reach of GDPR extends far beyond the EU. The law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyse data tied to EU residents, regardless of where in the world the business is located. GDPR applies to organizations of all sizes and in all industries. Your obligations under GDPR vary depending on your business: GDPR has different requirements for companies that are Controllers and those that are Processors.

The GDPR EU.org site can help you determine which category of requirements applies to you: http://gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors.

What is personal data?

This begins with understanding what data exists and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. Such data can reside in customer databases, feedback forms filled out by customers, email content, photos, CCTV footage, loyalty program records, and HR databases.

What happens if I don’t comply?

GDPR compliance is not a one-time activity and carries significant penalties for non-compliance. Fines for non-compliance can be up to 4% of a company’s global revenues or €20 million, whichever is greater.

What do I need to ensure compliance?

This is a business-wide challenge that will take time, tools, and processes, and it could require significant changes to your business and to your privacy and data management practices. Begin with a review of your organization’s privacy and data management practices. Locate where personal data is kept and who currently has access to it. Review how and when access is granted, and make the changes needed to ensure the data is safeguarded.

How is Microsoft ensuring compliance?

Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights, and it is the first major cloud services provider to pledge compliance. Through its Azure and Office 365 platforms, your business can meet GDPR requirements. For further details see: www.microsoft.com/trust and www.Microsoft.com/GDPR

For more information or help in ensuring your compliance with GDPR or cloud security in general, drop us a line and we can make sure you are compliant.

One thought on “General Data Protection Regulation”

  1. Peta Nicholson

    This week Microsoft announced some new resources for helping with compliance to GDPR:
    https://servicetrust.microsoft.com/ – Service Trust Portal, which provides GDPR information resources, but it also can be used to take actions on stored data
    https://technet.microsoft.com/en-us/library/dn933793.aspx – Security and Compliance Center in the Office 365 Admin Center, another portal for taking actions
    https://redmondmag.com/articles/2017/04/04/office-365-threat-intelligence-and-data-governance-services.aspx – Office 365 Advanced Data Governance for classifying data
    https://www.microsoft.com/en-us/cloud-platform/azure-information-protection – Azure Information Protection for tracking and revoking documents
    https://redmondmag.com/articles/2017/11/16/microsoft-previews-compliance-manager-tool.aspx – Compliance Manager for keeping track of regulatory compliance
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tou – Azure Active Directory Terms of Use for obtaining user informed consent

    Microsoft also announced that it released a preview of a new Data Subject Access Request interface in the Security and Compliance Center via a new tab addition, as well as in the Azure Portal.
    https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-Data-Privacy-in-Security-amp-Compliance-Center/ba-p/183648

    https://azure.microsoft.com/en-us/blog/streamlining-gdpr-requests-with-the-azure-portal/

    Microsoft defined a Data Subject Access Request, stating that it gets carried out by an organization when a person makes a request, such as to provide the data that’s been stored or to delete or modify the data. The individual can also request that the data be provided in an electronic format that can be “moved to another data controller.” This change allows for searching across 365 for data and will be out of preview by May 25th.
