GDPR is almost here. And it’s huge. Will you be ready?
The General Data Protection Regulation (GDPR) is almost here. Will you be ready when the world’s strictest data privacy law comes into effect on May 25, 2018?
The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive (Directive 95/46/EC, the “Directive”), which has been in effect since 1995.
While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data. The GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law, up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. (Regulation (EU) 2016/679 of the European Parliament and of the Council)
The GDPR applies from May 25, 2018. The regulation was actually adopted in April 2016 and entered into force in May 2016, but given the significant changes some organizations will need to make to align with it, a two-year transition period was included.
Organizations should not expect any grace period from regulators beyond May 25, 2018.
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
• Lawfulness, fairness, and transparency in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” (such as consent, a contract, or a legitimate interest) to process that data.
• Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
• Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
• Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and that inaccurate data can be corrected or erased without delay.
• Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
• Ensuring security, integrity, and confidentiality of personal data. Your organization must take steps to keep personal data secure through technical and organizational security measures.
The GDPR requires you to take appropriate measures to keep personal data secure. This includes “organizational measures,” such as limiting the number of people inside your organization who can access personal data and training those who do, and “technical measures,” such as encryption and pseudonymization of the data.
The GDPR doesn’t mandate the exact security measures organizations must take, however. Instead, it requires organizations to determine security measures themselves, taking into account the state of the art, the cost of implementation, the nature and sensitivity of the personal data, and the likelihood and severity of the risks to individuals that the processing involves. The measures must also be reviewed and tested regularly to confirm they remain effective.
There are many types of security risks to consider, from physical intrusion to rogue employees, to accidental loss or disclosure, to external attackers. Building a risk management plan and taking risk mitigation steps, such as strong authentication and access control, audit logs that record who accessed which data, and encryption of data at rest and in transit, can help your organization both meet the requirement and demonstrate compliance to a regulator.
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR applies to organizations of all sizes and in all industries, and its reach does not stop at the borders of the EU.
Specifically, the GDPR applies to:
• processing of anyone’s personal data, if the processing is done in the context of the activities of an organization established in the EU (regardless of where the processing itself takes place);
• processing of personal data of individuals who are in the EU by an organization established outside the EU, where that processing relates to the offering of goods or services to those individuals (whether or not payment is required) or to the monitoring of their behavior as far as that behavior takes place within the EU.
The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.
Microsoft stands ready to help organizations meet the GDPR compliance deadline of May 25, 2018. The Microsoft Cloud can help you achieve compliance.
AGC, a Microsoft Partner, can help you with GDPR compliance.