In May 2018, a European privacy law, the General Data Protection Regulation (GDPR), takes effect. We in the United States may assume it does not apply to us, but if you sell to customers in the European Union (Internet sales count) it does. So, after venting your frustration over yet another new and complicated regulation, you need to take steps to be ready for GDPR.
The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to individuals in the EU. It applies no matter where your organization is located.
Key Changes Under GDPR
Personal Privacy
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Controls and Notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches (within 72 hours where feasible)
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Transparent Policies
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
IT and Training
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
Microsoft GDPR Readiness Assessment
Microsoft provides a short survey to gauge whether your organization meets the GDPR's personal data protection requirements. Five of its 10 questions are reproduced here; review them to assess your readiness to comply with the GDPR today.
- Does your organization have sufficient technical measures and processes in place to secure personal and sensitive data?
- Are your data collection, data processing, and supporting technologies built to include privacy and protection principles?
- How much of your personal and sensitive data is currently encrypted both at rest and in transit?
- How would you describe your organization's process for classifying and labeling end-user sensitive data? (100% automated, partially automated, manual, don't know/not sure)
- Which of the following protection policies do you use to classify and label sensitive data?
  - Rights restrictions
  - Visual markings (e.g., watermarks)
  - Restricted access
  - End-user notifications
If you are not sure how your organization stacks up in these areas, you are not alone. The good news is that plenty of additional resources are available to broaden your understanding of GDPR compliance, help you prepare, surface issues you may not have considered, and show how Microsoft solutions can help accelerate your compliance journey.
Microsoft is Ready
Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-U.S. Privacy Shield and EU Model Clauses. The company believes that the GDPR is an important step forward for clarifying and enabling individual privacy rights.
Microsoft is committed to GDPR compliance across its cloud services when enforcement begins on May 25, 2018, and provides GDPR-related assurances in its contractual commitments.
Enhance GDPR compliance with Microsoft 365 and the Microsoft Cloud
Microsoft 365 can strengthen data security and streamline your path to GDPR compliance. It provides real-time assessments with actionable insights and protects customer data across devices. Built-in, audit-ready tools in Microsoft 365 simplify compliance.
The Microsoft Cloud's built-in controls can help you meet complex GDPR privacy requirements, such as the rules on how you collect, store, and use personal information and the obligation to notify the supervisory authority of a personal data breach within 72 hours where feasible.
Businesses Affected by GDPR
Whatever our attitude toward new regulations, and despite some wishful thinking, the GDPR rules intended to strengthen data protection and privacy within the European Union (EU) will affect U.S. companies of every size that handle the personal data of people in the EU. Those most affected are organizations that provide products or services directly to individual customers, including retailers, financial services, insurance and legal services, and others.
Also on the list are companies that process personal data on behalf of other businesses (processors, in GDPR terms), such as cloud and platform-based services, analytics, event management and marketing companies. Manufacturers that collect personal data on the people who buy their products are also affected.
eMazzanti Technologies wants to help our customers prepare for GDPR efficiently while focusing on what matters most: your core business. We can help you start the process and connect you with resources to complete the journey to full compliance.
Adapted from the Microsoft website: Preparing for a new era in privacy regulation