What is GDPR

GDPR stands for “General Data Protection Regulation”. It is a new regulation from the European Union, designed to replace the old Data Protection Directive and harmonise data protection laws across Europe. In many ways it is the most important change in data privacy regulation in more than two decades, and it comes into effect on the 25th of May 2018, currently less than 80 days away.

The new law applies to the personal data of any EU citizen, regardless of whether that data is processed within the EU or not. If an organisation offers goods and services to, or monitors the data of, an EU data subject, then the regulation applies to it. In practice this means that the GDPR is now the de facto global data protection regulation.

What’s new?

There are a number of new aspects of GDPR which are important to understand, from changes to the overall scope of the regulation to new definitions and rights. Outlined below is a brief overview of what is new in the regulation:

Changes in scope

This is a European regulation with a global impact. Any entity which processes the personal data of an EU citizen will have to abide by the regulation or face stiff fines. For the top tier of offences these fines can be up to 4% of annual global turnover or 20 million euros, whichever is the greater.

Hand in hand with these stricter penalties comes stricter enforcement: the new document is a regulation, not a directive. This means that rather than defining a set of goals which each member state may achieve in any way it sees fit, the regulation must be implemented in its entirety across all member states.

Along with this stricter enforcement, the regulation updates the definition of what is being enforced: consent. The deliberately long and confusing terms and conditions many of us are used to seeing, but rarely reading, will become a thing of the past. From now on, any request for consent must be intelligible, easily accessible and in plain language. The consent needs to be clear, separate from other matters, and must be as easy to withdraw as it is to give.

New definitions:

In order to make sense of the new regulation we need to understand some of the key terms referenced within the documentation:

  1. Data Subject: a data subject is any “natural person”, rather than a brand or company.
  2. Personal Data: any data linked to a data subject which could be used to identify them, for example a name, an email address or a credit card number.
  3. Data Controller: from the regulation, a data controller is “the entity that determines the purposes, conditions and means of the processing of personal data”.
  4. Data Processor: from the regulation, a data processor is “an entity which processes personal data on behalf of the controller”.
  5. Data Protection Officer: responsible for the internal record-keeping requirements outlined in the regulation, in order to avoid the bureaucratic nightmare currently experienced by multinational companies.

New rights for Data Subjects:

The regulation creates a number of new rights for the individual data subject as outlined below:

  • Breach Notification: if there is any breach which will “result in a risk for the rights and freedoms of individuals”, then data processors will be required to notify their customers within 72 hours of the breach.
  • Right to Access: data subjects will have the right to know whether a data controller is processing their personal data, and for what purpose. They will also have the right to request, free of charge, a copy of their personal data.
  • Right to be Forgotten: a data subject has the right to ask a data controller to erase his or her personal data.
  • Data Portability: data subjects have the right to be provided with any of their personal data in a “commonly used and machine readable format” and to transfer it to another data controller if desired.
  • Privacy by Design: although the concept has been around for years, GDPR has enshrined in law the requirement that any system must have data privacy at its core right from the design stage. The specific requirement is “The controller shall… implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects”.

What does it mean for me?

What all this boils down to is that any entity which works with the personal information of any EU citizen needs to take measures to ensure it does not fall foul of the new regulation, or face the consequences.

Microsoft has been at the forefront of systems compliance, and has committed to making all of its systems GDPR compliant by the 25th of May deadline. As well as making this global commitment, Microsoft has also released a raft of resources intended to help businesses on their compliance journey.

As part of this, Microsoft has offered a free online assessment tool to judge your company’s GDPR compliance status, which can be accessed here. There is also a suite of new functionality across all of Microsoft’s product families to help businesses stay compliant. Some of the key new features are outlined below; for a full list follow the link here:

Azure:

  • Azure Active Directory: controls who has access to your data systems.
  • Azure Information Protection: ensures that data is identifiable and secure.

Dynamics 365:

  • Encryption: data transferred between devices and data centres is encrypted as standard.
  • Security Development in LCS: builds security development into every stage of the process.

Office 365:

  • Data Loss Prevention: can identify almost 100 different sensitive data types and define actions to take with specific types of data.
  • Advanced Data Governance: uses built-in machine analysis to find, classify and manage your data.

SQL Azure Databases:

  • SQL Database Firewall: determines who can and cannot access individual databases within your server.
  • SQL Server Authentication: uses credentials to manage who has access to your database server.

Service Trust Portal:

  • Service Trust Portal: a one-stop shop for all your compliance, auditing and data protection needs.
  • Compliance Manager: provides a holistic view of your data protection and compliance status.

How can InteliSense IT help?

At InteliSense IT we work closely with Microsoft on all of its product offerings and would be happy to offer advice or assistance on your journey to GDPR compliance. If you would like to find out more about how we can help, get in touch using our contact page.
