The General Data Protection Regulation (GDPR) is the European Union's new data protection law. It replaces the Data Protection Directive, which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organisations that collect, handle or analyse personal data. The GDPR also gives national regulators new powers to impose significant fines on organisations that breach the law.
The GDPR takes effect on 25th May 2018. The GDPR actually became law in April 2016, but given the significant changes some organisations will need to make to align with the regulation, a two-year transition period was included. Organisations should not expect any grace period from regulators beyond 25th May 2018. Some EU member state regulators have already gone on record to say there will be no enforcement holiday for organisations that fail to comply.
What are the main requirements of GDPR?
The GDPR imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with six key principles:
- Transparency, fairness and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a "lawful basis" to process that data.
- Limiting the processing of personal data to specified, explicit and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not "compatible" with the purpose for which the data was originally collected.
- Minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
- Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
- Ensuring security, integrity, and confidentiality of personal data. Your organisation must take steps to keep personal data secure through technical and organisational security measures.
Does the GDPR apply to my organisation?
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR is applicable to organisations of all sizes and all industries. Specifically, the GDPR applies to:
- processing of anyone's personal data, if the processing is done in the context of the activities of an organisation established in the EU (regardless of where the processing takes place);
- processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behaviour.
The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.
What risks does my organisation face if it does not comply?
For the last several decades, European privacy laws have generally not included significant fines for breaches. That will change dramatically under the GDPR. The maximum fine for serious infringements will be the greater of €20 million or four percent of an organisation's annual global revenue. In addition, the GDPR empowers consumers (and organisations acting on their behalf) to bring civil litigation against organisations that breach the GDPR.
How partnering with ISVs can help you prepare for GDPR
As your partner, Microsoft is here to help you prepare for GDPR in the lead-up to May 2018. But your colleagues in the Microsoft Partner Network (MPN) can support you too.
Here are two independent software vendors (ISVs) that you can partner with to ensure you're GDPR compliant:
Unstructured data makes up the bulk of an organisation's database, according to research published in the International Journal of Information Management. This raw information (which typically includes text files, images, audio files and social media data) lives on your file servers, legacy ECM platforms and hard drives. It exposes your business to significant risk if it's not stored securely.
Automated Intelligence helps organisations take control of their unstructured data by safely destroying, archiving or repurposing it. Its SaaS offerings and GDPR work packages can help your company prepare for the GDPR and:
- Assess your current GDPR readiness;
- Meet operational compliance levels;
- Improve customer service, accountability and capability within your organisation; and
- Put your unstructured data to better use.
It's probable that your unstructured data contains personal information tied to EU citizens. Not securing this data means risking non-compliance.
Watch Simon Cole, Chief Technology Officer at Automated Intelligence, explain how his organisation can help yours prepare for the GDPR.
One of the best ways to start preparing for the GDPR is to implement a holistic data protection and information management strategy. This ensures the security and protection of all your data (including data in the cloud).
This is where Commvault can help. Their end-to-end data management services allow you to protect, access and use your data in an easy and compliant manner. They built their suite of technologies on the same codebase with a single user interface to make it easy for you to manage your organisation's data using a single index and content store.
Watch Edward Hyde, Channel and Alliances Director for UK & Ireland at Commvault, explain how Commvault's services can help your organisation get in shape for the GDPR.
Partnering for success
The GDPR marks the dawn of a new era in data protection regulation. We need to work together to make sure our businesses are ready for the change, all the while ensuring the protection of our customers' privacy at all times.
Partnering is the most effective way to ensure that your business is ready for GDPR in May 2018. With the help of an ISV partner, you can improve your overall security posture and privacy controls while also avoiding fines for non-compliance. It's a good move for your business and, more importantly, your customers.
Next steps: Download our latest Security Practice Development playbook for more information on how you can build out a secure cloud practice, in light of the GDPR regulations.