Overview of the General Data Protection Regulation
By Michael Panciroli, Partner Technical Architect – Modern Workspace
In May 2018, a new European Union (EU) privacy regulation called the General Data Protection Regulation (GDPR) goes into effect and sets a new bar for privacy rights, security, and compliance. GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data. Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person, which means it is rarely confined to one system. It can reside in:
- Customer databases
- Feedback forms filled out by customers
- Email content
- Closed-circuit television (CCTV) footage
- Loyalty program records
Organizations must be transparent about how they use personal data and must apply security measures and controls to protect it. The GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law (up to 4% of a company's total worldwide annual turnover for the preceding financial year or €20 million, whichever is greater).
Implications for US partners
The GDPR applies more broadly than many people think, so it is important to understand the obligations it creates regardless of where an organization is based. The law imposes new rules on companies, government agencies, non-profit organizations, and other entities that offer goods and services to people in the EU, or that collect and analyze data about people in the EU, no matter where the organization itself is located. GDPR applies to organizations of all sizes and industries. Partners will need to build the new requirements into their own businesses and will also play a key role in helping their clients handle the complexities GDPR introduces. It is a business-wide challenge that will take time, tools, processes, and expertise to adjust to, and it could require significant changes to a partner's business and to customers' privacy and data management practices.
Microsoft technologies that can help
With the most comprehensive set of compliance offerings of any cloud service provider, the Microsoft Cloud can help support your compliance initiatives. When your clients entrust their data to Microsoft Office 365, they remain the sole owner: they retain the rights, title, and interest in the data. Compliance officers can use the collaboration and analysis tools of Office 365 to maintain their policies, automate workflows, and track responsibilities related to GDPR and other business requirements. Office 365 E5 can help safeguard an organization and keep it in compliance with capabilities including:
- Advanced Threat Protection – protection against malware and viruses, including Safe Links (time-of-click URL checking) and Safe Attachments
- Advanced Security Management (ASM) – visibility into and control over user activity, including anomaly detection, plus Productivity App Discovery
- Advanced Data Governance – discover and keep what’s important but eliminate trivial, obsolete and redundant information
- Customer Lockbox
- Auditing and Management Activity API
GDPR presents partners not only with an opportunity to provide services to their clients, but also with an opportunity to build and maintain their trust. IDC predicts the General Data Protection Regulation will create a $3.5B market opportunity for security and storage vendors. The GDPR requires data protection by design and by default (Article 25), and given the expected shortfall in privacy professionals, partners can become privacy consultants or implementers supporting their clients' GDPR journey.
Example services partners can provide include security and risk assessments that locate relevant personal data and produce a plan to achieve and maintain compliance. Office 365 search and discovery and Advanced Data Governance capabilities can help with data discovery and consolidation, eliminating unnecessary, redundant, or obsolete data to simplify compliance (data that is not retained cannot be breached and does not have to be produced for a data subject request). Ongoing services let partners design, configure, and monitor policies and controls appropriate for clients' data and applications. New tools in Office 365 allow partners to monitor, analyze, and act on threat intelligence and user behavior information so they can advise on and address vulnerabilities and breaches effectively. Additionally, partners can offer administrative services that help clients meet documentation requirements and notification obligations and respond promptly to data subject requests, with complete packages prepared for regulators.
Next steps and resources
As a best practice, we recommend that you identify an overall set of controls and capabilities to meet GDPR requirements. A platform approach based on Microsoft Enterprise Mobility + Security, Microsoft Windows, Microsoft SQL Server, Microsoft SharePoint, Microsoft Exchange Server, Microsoft Office 365, Microsoft Azure, and Microsoft Dynamics 365 is an ideal starting point. We offer a white paper, "Beginning your General Data Protection Regulation (GDPR) Journey", that details the specific capabilities in these solutions that can help address the requirements of each step and the actions that can be taken. You can download the white paper, product-specific materials, and other resources from the GDPR partner resources webpage. You can also sign up to receive the Security News for Partners newsletter.
Sign up for the September 7 partner call
We will discuss General Data Protection Regulation compliance and why partners should use Microsoft solutions. You will hear from one of our security architects about the new rules that will be imposed on organizations and the opportunities they create for partners.