General Data Protection Regulation (GDPR) Compliance
Q&A – What It Means To You
With hacking and data breaches now more common than not, a new regulation has been implemented that requires organizations to change how they gather, use, and govern data.
This month’s blog post uses a Q&A format so that those not yet familiar with GDPR compliance can understand what it is and how it affects them.
What is GDPR?
The GDPR mandates a baseline set of standards for companies that handle the data of citizens of the European Union (EU), to better safeguard the processing and movement of those citizens’ personal data. The GDPR brings harmonization by applying the same set of data protection rules across the EU.
- The GDPR defines two important roles – that of “controller” and “processor” – and your organization may fall under either one or both definitions. A “controller”, alone or jointly with others, determines the purposes and means of the processing of personal data, whether on-premises or while using a third-party cloud provider’s IT technology, whereas a “processor” processes personal data on behalf of a controller.
- Compliance is a shared responsibility of controllers and processors.
- The controller is responsible for, and should be able to demonstrate compliance with, the principles relating to the processing of personal data. These are: lawfulness, fairness and transparency; data minimization; accuracy; storage limitation; and integrity and confidentiality of personal data.
- The processor is responsible for providing controllers with assurance that its security processes are compliant, and for providing the technical measures needed to keep the data safe.
When was this rolled out and who governs this regulation?
- The General Data Protection Regulation (GDPR) was agreed upon by the European Parliament and Council in April 2016. It will replace the Data Protection Directive 95/46/EC in May 2018 as the primary law regulating how companies protect the personal data of EU citizens.
Is there a deadline?
- The Regulation will apply to all EU Member States and is expected to come into force in May 2018.
- All organizations, regardless of size, must be aware of all GDPR requirements and be prepared to comply by May 2018.
Where is this new regulation mandated?
- Any organization (regardless of its operating locations) that offers goods and services to consumers in the EU, or that collects and analyzes data tied to EU residents, will need to comply.
What does this mean for companies based in the United States that serve customers in the EU?
- About two-thirds of US companies could be affected and will need to rethink their strategy for the EU.
What if we do nothing?
- Companies that fail to comply with certain GDPR requirements can be fined. Non-compliant organizations can face fines of up to 2% of total global annual turnover or €10m for the lower tier of infringements, and up to 4% or €20m for the upper tier, whichever amount is greater.
- Fines are determined based on the circumstances of each case, and the Supervisory Authority may choose whether to exercise its corrective powers with or without fines.
What are the capabilities of Microsoft 365 Enterprise that can help us?
Organizations can leverage the updated solution called Microsoft 365, which combines Office 365, Windows 10, and Enterprise Mobility + Security into a single, seamless solution that can handle the complexity of compliance and current standards. Instead of piecing together a solution from separate parts, Microsoft 365 Enterprise is always up to date. Some detailed points are below:
- Microsoft 365 is the processor of the datasets. Microsoft ensures that its commercial customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to data subject requests under the GDPR.
- Microsoft provides capabilities that can help you identify what personal data you have and where it resides; govern how personal data is used and accessed; and establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- In addition, Microsoft 365 is a security-hardened service providing operational security at the physical, logical, and data layers using a proven defense-in-depth approach.
- Microsoft 365 capabilities can be leveraged by customers to discover, manage, protect, and monitor data (reference and further detail: https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/solutions).
Microsoft also offers an online solution/framework for its customers to conduct and record the assessments required to be compliant with GDPR and with other compliance standards such as ISO 27001:2013 – https://servicetrust.microsoft.com
What can we do as a next step?
If your organization is affected, contact Microexcel at firstname.lastname@example.org regarding solutions to help you become compliant.