How will the GDPR affect my company?
The GDPR contains many requirements about how you collect, store, and use personal information. This covers not only how you identify and secure the personal data in your systems but also how you meet new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.
Given how much is involved, you should not wait until the regulation takes effect to prepare. Begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly: companies that do not meet its requirements and obligations face substantial fines, claims from affected individuals, and reputational harm.
What rights must companies enable under the GDPR?
The GDPR provides EU residents with control over their personal data through a set of “data subject rights.” These include the right to:
- Be told, in readily available and plain language, how their personal data is used (transparency)
- Access their personal data
- Have inaccurate personal data corrected (rectification)
- Have personal data erased in certain circumstances (sometimes referred to as the “right to be forgotten”)
- Restrict processing of their personal data
- Receive a copy of their personal data in a structured, commonly used, machine-readable format, and have it transmitted to another controller (data portability)
- Object to processing of their data for specific purposes, such as direct marketing or profiling
How much can companies be fined for noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain requirements of the GDPR; a lower tier of up to €10m or 2% applies to other obligations. In addition, affected individuals can claim compensation directly, so the exposure from noncompliance is not limited to regulatory fines.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. There is no distinction between a person’s private, public, or work roles, and an online identifier that can be linked to a person counts as personal data. Personal data can include:
- Email address
- Social media posts
- Physical, physiological, or genetic information
- Medical information
- Bank details
- IP address
- Cultural identity
Does the GDPR apply to both data processors and data controllers?
Yes, the GDPR applies to both data controllers and processors. A controller determines why and how personal data is processed; a processor performs processing operations on personal data on behalf of, and on the instructions of, the controller. Controllers may only use processors that provide sufficient guarantees of meeting the GDPR’s requirements, and the relationship must be governed by a written contract.
Under the GDPR, processors face direct obligations and liability for noncompliance, and become liable as a controller if they act outside the instructions provided by the controller. Processor duties include:
- Processing data only on the documented instructions of the controller
- Implementing appropriate technical and organisational measures to secure the personal data they process
- Deleting or returning the data to the controller at the end of the service, as the controller chooses
- Obtaining the controller’s prior written authorisation before engaging any sub-processor
Does my business need to appoint a Data Protection Officer (DPO)?
It depends on several factors identified within the regulation. A DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of special categories of data (such as health data) or data about criminal convictions. If your company must appoint a Data Protection Officer (DPO), the DPO is responsible for informing and advising employees of their compliance obligations, monitoring compliance, and conducting the training and audits required by the GDPR, and acts as the contact point for the supervisory authority.
How does the GDPR change an organisation’s response to personal data breaches?
The GDPR changes data protection requirements and imposes stricter obligations on data processors and data controllers regarding notice of personal data breaches. Under the regulation, a processor must notify the controller of any personal data breach without undue delay after becoming aware of it. Once aware of a breach, the controller must notify the relevant data protection authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made after 72 hours must explain the reasons for the delay. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected individuals without undue delay. In practice this means the breach clock starts at detection, so detection, escalation, and contractual notice terms with processors need to be in place before an incident, not after.
Does the GDPR deal with encryption?
Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible to anyone who is not authorised to access it. Whether the data affected by a breach was encrypted therefore affects the notification obligations: if the compromised data was encrypted and the keys were not exposed, the controller is not required to notify the affected individuals, although the obligation to notify the supervisory authority still applies unless the breach is unlikely to result in a risk. The exemption is only as good as the key management behind it, so a breach that also exposes the decryption keys does not qualify. The GDPR also points to encryption as an appropriate technical or organisational measure in some cases, depending on the risk. Encryption is separately required by the Payment Card Industry Data Security Standard for cardholder data at rest and in transit over public networks, and by compliance requirements specific to the financial services industry.
How much will it cost to meet compliance with the GDPR?
Meeting compliance with the GDPR will cost time and money for most organisations, though the transition may be smoother for those that already operate in a well-architected cloud services model and have an effective data governance program in place, since knowing where personal data lives and who can access it is the starting point for most of the obligations above.
Where can I learn more about the GDPR?
To learn more about the GDPR, please visit the EU GDPR page.
To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the page on how Microsoft products help you meet GDPR requirements.