The General Data Protection Regulation (GDPR) is not the same set of ‘data protection’ rules that, as IT professionals, we’ve had to respect for a generation. The new GDPR framework, which comes into force in May 2018, brings new requirements and challenges to businesses, particularly those in the IT domain.
I can’t profess to be an expert on the subject, but as I’ve read and learned more, I wanted to share a few basic tenets of the new requirements, and also point you at some good resources for further reading. If it’s not on your radar yet, don’t delay.
Is it relevant to you?
It’s an EU-driven regulation, but if you think BREXIT might exclude us from compliance, think again. The directive comes into play in May 2018. Even post-BREXIT, the scope of the directive means that if you collect or process data of EU citizens, regardless of whether or not your organisation sits in the EU, you need to be compliant.
How is the rule broader than our familiar data protection requirements?
That is a long answer, but to try and summarise, the wider scope requires more control around data that was not previously regarded as personal. Any data which can identify an individual or be associated with an individual may come under control. Consider a business e-mail address, which most likely contains a name, and can therefore identify someone. That piece of data would now fall under control where previously it did not.
Generally, there is a shift to empower the individual to know more about their data and to control how it is used. Organisations will need to provide easier access to personal data, with clear rules on how it is used and stored.
- Individuals have a right to be forgotten. Within timeline boundaries, citizens have the right for all data related to them to be erased.
- The right to make corrections to data. The mechanisms for doing so need to be provided.
- Tighter consent. Informing and consulting individuals on how their data is used. Take the earlier business e-mail address as an example: it will be necessary to gain the consent of that individual before B2B marketers can start marketing to them, providing a ‘double opt-in’ scenario.
GDPR breaches will incur fines of up to €20m or 4% of global turnover. Serious stuff.
Call to action:
If this is your first introduction to GDPR, then awareness and internal education are the first place to start. Larger organisations may need to appoint dedicated data protection officers. But all organisations will need to make technical and organisational changes that demonstrate compliance with GDPR core principles.
How is Microsoft helping?
With the emergence of Cloud computing, and Microsoft’s premium ERP offering now pushed firmly in that direction, Microsoft are clearly investing huge sums to ensure the absolute confidence of their customers regarding data, storage, compliance and governance. Microsoft are working towards compliance by the May 2018 deadline and supporting customers in meeting their deadlines.
Specifically, Microsoft say:
“The goals of the GDPR are consistent with Microsoft’s long-standing commitment to security, privacy, and transparency.
We are working to bring our products and services into compliance with the GDPR by May 2018. We are updating the features and functionality in all of our services to meet the GDPR requirements, and we are updating our documentation and our customer agreements to reflect the GDPR requirements.
Microsoft offers the most comprehensive set of compliance capabilities of any cloud service provider. And, we lead the industry in engaging with customers, regulatory bodies, and standards boards to advance compliance and serve customers’ needs. We will remain closely engaged with you as we prepare together for the GDPR to go into effect.”
Microsoft data centre compliance certification
There’s no shortage out there via your favourite search engine, but this is not a bad place to start from the Information Commissioner’s Office:
For Microsoft information, visit their Trust Centre which has huge content on all things data, privacy, GDPR, Cloud and compliance.
The Trust Centre has a number of blogs, white papers and videos-on-demand. I’ve been through several of these and would pull out the following as a good starting point:
Trust, Privacy and GDPR Webcast (register and view on demand)
The video is aimed at the larger customer, but has some insightful strategic advice from some knowledgeable industry players (just as long as you can squeeze past the Microsoft subliminal marketing messages).
Both documents give a great basis for planning and for beginning tangible actions, rather than just the theory.