GDPR - General Data Protection Regulation - How ready are you?
Written by: Matthew Parton
Are you ready for the General Data Protection Regulation, due to come into effect in May 2018? If not, your business could be at risk of expensive fines that could have a serious impact on it. There are many things about GDPR that you may not be aware of. In this article we discuss the overarching issues that businesses need to understand, and how Microsoft technology is resolving those issues and preparing businesses.
GDPR: What is it?
The General Data Protection Regulation (GDPR) represents a paradigm shift in global privacy requirements governing how organisations manage and protect personal data while respecting individual choice—no matter where the data is sent, processed, or stored. It introduces new requirements on privacy, security and compliance for organisations that offer goods and services to European Union (EU) residents.
Are you a controller or processor?
Depending on your business and the solutions you provide, your obligations under GDPR may vary. GDPR has different requirements for companies that are Controllers vs. those that are Processors. You can read more details about the regulation relating to controllers and processors here.
What should I look out for?
There are many areas of your business's I.T. that you must be aware of, and you must understand how your obligations as an owner are affected. You cannot ignore these things: even processes that your employees control will ultimately leave you, the owner, responsible in the event of a data breach.
These are some key areas to watch out for that you must be aware of:
- Do you store customer information - Do you store customer data in databases, Excel spreadsheets, paper files or any other form? If so, you must make sure this data is secured and not available for just anybody, whether internal or external, to access.
- Do you employ staff in your business - You will be obligated to ensure that the data you manage is protected by authorised access, which means making sure all your staff can only access the information they are allowed to.
- Unencrypted drives - Although your backup may be working, if that local drive is stolen, would you be giving someone access to sensitive information? You would be liable if you have not taken sufficient measures to protect your data.
- Secured Networks - Simplified networks may not be sufficient for your business to protect important data. Having a server for your business which enforces login control and limits access to specific areas will be important as you are obligated to control access to data under GDPR.
It will be even more important as a business that you are providing sufficient protection for your internal systems from cyber-crime. Should data ever be stolen from your business and you end up in court, you will have a stronger case if you have put in place all the possible preventative security where needed.
Cyber security isn't just about automated systems either. Education is key when it comes to training your staff. Many vulnerabilities in data and system security are a result of human error: installing virus-infected software, clicking on fake web links and many other weaknesses are easily prevented with security training and understanding.
Get GDPR compliant with Cloud
Microsoft is heavily committed to GDPR compliance at its core. Microsoft's Chief Privacy Officer, Brendon Lynch, states: "Microsoft are committed to our principles of cloud trust – across security, privacy, transparency and compliance. We have a broad portfolio of cloud services that address the rigorous security and privacy demands of our customers, who comprise over 90 percent of Fortune 500 companies. As the GDPR enforcement begins, here is what else you can expect from us:"
- Technology that meets your needs – You can leverage our broad portfolio of enterprise cloud services to meet your GDPR obligations for areas including deletion, rectification, transfer of, access to and objection to processing of personal data. Furthermore, you can count on our extensive global partner ecosystem for expert support as you use Microsoft technologies.
- Contractual commitments – We are standing behind you through contractual commitments for our cloud services, including timely security support and notifications in accordance with the new GDPR requirements. In March 2017, our customer licensing agreements for Microsoft cloud services will include commitments to be GDPR compliant when enforcement begins.
- Sharing our experience – We will share Microsoft’s GDPR compliance journey so you can adapt what we have learned to help you craft the best path forward for your organization.
Things you must do now
- Identify what personal data exists and where it resides.
- Govern how personal data is used and accessed within an organization.
- Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- Keep required documentation, manage data requests, and provide breach notifications.
Although GDPR does not come into effect until May 2018, there is only a small amount of time for your business to ensure it is compliant, so you need to start putting those changes into place now. There may be many other processes and procedures that you need to change before you meet your obligations, so do not leave it until the last minute.