The first step towards GDPR compliance is to assess whether the GDPR applies to your organization, and, if so, to what extent. This analysis starts with understanding which data you have and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
If your organization has such data—in customer databases, feedback forms filled out by your customers, email content, photos, CCTV footage, loyalty program records, human resources databases, or anywhere else—or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR.
To understand whether the GDPR applies to your organization and, if it does, which obligations it imposes, it’s important to inventory your organization’s data. This will help you understand which data is personal and identify the systems where that data is collected and stored, why it was collected, how it is processed and shared, and how long it is retained.
Recommended products and services
Microsoft cloud services make it easier to locate and identify the personal data you collect, so you can more easily find and evaluate the data across your organization. Microsoft recommends the following products and services to help your organization meet the GDPR requirements in the Discover phase.