The countdown continues to May 25th, 2018 when the European Union (EU)’s pending General Data Protection Regulation (GDPR) will come into effect. In this, the third post in our GDPR series, we answer some questions about where GDPR applies.
It’s a dynamic world we live in, where people can move around the globe with ease, data can be stored in one place and accessed seamlessly in another, and political and legislative boundaries are in flux. In this context, a big question for many businesses is “do we need to comply with GDPR?”
If your company holds personal data about people in the EU, then the simple answer is: yes, you will need to comply with GDPR. Two points of terminology matter here. First, the regulation protects data subjects who are in the EU, not only EU citizens, and it applies to companies outside the EU that offer goods or services to those people or monitor their behaviour (Article 3). Second, GDPR talks about "personal data" rather than PII (Personally Identifiable Information), and the definition is broad: any information relating to an identified or identifiable person. That covers the obvious items such as names, addresses and birth dates, but also account credentials, email addresses, IP addresses and other online identifiers.
So what does that mean to IT teams?
IT needs to think about where that data is being stored, how it is protected at rest, and how it is secured in transit if it is transmitted externally. If your business is established within the EU, then you are obliged to comply regardless of where the data itself is processed. Businesses globally (inside and outside the EU) will need to ask the following:
- Will you continue to hold personal data about people in the EU after GDPR enforcement begins on May 25, 2018?
- Will you be moving that personal data outside of the EU, including to cloud regions or third-party processors located elsewhere?
These are the biggest deciding factors in how a business will need to comply. If your business does not process personal data of anyone in the EU, then GDPR does not apply to you. If it does, you will need to know where that data is stored and how it moves. Transferring data outside the EU means your company will need a recognised legal basis for the transfer, such as an adequacy decision for the destination country, standard contractual clauses with the recipient, or binding corporate rules within a corporate group, together with the technical controls (encryption in transit and at rest, access logging) to back it up.
Individuals have the right to obtain a copy of the data held about them (access and portability) and to have it erased, so you need to be able to locate every copy of a given person's data, including in mailboxes and backups, and to export or delete it on request. Data flows are fundamental to the GDPR, and data is at its most vulnerable when in transit, so moving and storing it securely and reliably across borders, within Europe and across EMEA, will be critical. Understanding your email retention and archiving policies is going to be a critical success factor. Where consent is your lawful basis for processing, opt-in procedures and configuration settings will need to be redesigned: consent must be freely given, specific, informed and unambiguous, which rules out pre-ticked boxes and consent bundled into other terms, and it must be as easy to withdraw as it was to give.
People also have the right to object to the use of their personal data for profiling, such as that used in targeted online advertising, and to direct marketing in general. Tracking users across different systems requires you to get clear consent and to describe, in plain language, what data is collected, where it is stored, how it is used and for how long it is kept. With GDPR, gone are the days of vague or misleading privacy policies hidden deep within websites.
Microsoft has published a wealth of tools, services, and frameworks for organizations that run Office 365 and Azure. These are great resources for anyone wanting to learn more about preparing for GDPR and how to make use of their existing technology investments. Here are a few of our favorites:
- Microsoft GDPR Assessment Toolkit. A short, free online assessment that will help you understand where your organization stands today and what the next steps should be.
- Microsoft GDPR Compliance Manager. “Control management, integrated task assignment, evidence collection, and audit-ready reporting tools to streamline your compliance workflow”
- Microsoft Webcast: Thriving in the GDPR era: How to accelerate your journey to compliance. This on-demand webinar gives a great overview of how Microsoft’s cloud technology supports your path to GDPR compliance.