The General Data Protection Regulation (GDPR) is being enforced on May 25, 2018 – after that, organizations that are non-compliant will face heavy fines. The legislation replaces the Data Protection Directive 95/46/EC and is designed to harmonize data privacy laws across Europe.
I read an article by David Burt (Senior Compliance Manager, Azure Trust and Compliance) where he responds to the most frequently asked questions from a Microsoft series of webinars about GDPR.
Below are the questions and responses that were published there.
Q: Does the GDPR allow me to send data outside the EU?
A: GDPR applies globally, so no matter where your company stores or processes personal data—even within the EU, it must comply with GDPR guidelines.
Q: Does GDPR apply to internal sites, such as corporate intranets, as well?
A: Yes. Whether you’re storing personal data about consumers or employees, you must still abide by GDPR guidelines.
Q: What are the GDPR requirements around classifying data?
A: GDPR doesn’t explicitly require data classification, but given the rights that it grants to EU citizens, and the requirements of any company storing a citizen’s personal data, classifying data is practically non-negotiable. For example, companies must inform individuals about all of the personal data they have on file, and must get their consent before processing it. Companies must also ensure that they are taking appropriate measures to protect that data, and can only store it for the prescribed purpose and period of time for which an individual gave their consent.
So there’s really no feasible way to abide by these requirements and responsibilities without cataloging your data and knowing the location of any personal data that falls under GDPR jurisdiction.
Q: Does GDPR require encryption?
A: Not in a prescriptive manner. Instead, it gives you guidelines and strongly suggests that you encrypt.
Q: Has the EU established any best practices about what it means to be compliant?
A: The EU has published guidelines, but keep in mind that GDPR is just the baseline—each country has the authority to include additional requirements. And GDPR is more about giving you guidance, rather than providing highly prescriptive instructions.
Q: How does Brexit impact this?
A: Unfortunately, the UK is no longer considered to be on the same level as the EU member countries. As such, the UK will no longer be considered adequate in abiding by terms of data protection laws. However, the UK is doing its part to comply with GDPR.
Q: Will there be an official GDPR certification?
A: Eventually, but it won’t be completed for at least a couple of months after GDPR is implemented. In the meantime, you can build on top of ISO 27001, and Microsoft has its own GEP analysis to help companies figure out how to get compliant.
Q: Are any independent groups giving assessments?
A: A coalition of cloud infrastructure service providers, called CISPE, has developed its own code of conduct that’s intended to help companies get started. In December, the Cloud Security Alliance released its code of conduct, which we are evaluating. In the meantime, we are sticking with ISO 27001 and staying in contact with the EU’s Data Protection Authority.
Q: Do data retention requirements override an individual’s right to have their data deleted?
A: Yes, there are a few exceptions where personal data must be kept for tax or legal reasons to run your business. However, the whole notion of companies having carte blanche permission to collect and keep data has been done away with.
Q: Is IP in scope for data subject rights?
A: Yes. In fact, IP is in scope with the EU’s existing DPA regulations, but GDPR significantly broadens the definition of personal data to include any information that can be connected with a known person. Examples include browser history and social media activity.
It also makes special provisions for information related to an individual’s physical and mental health, such as genetic and biometric data.
I hope these questions and answers can help you prepare for GDPR. Remember, the enforcement date is May 25, 2018. It is advised that legal counsel should be consulted for further information. The key articles of the GDPR can be found on the GDPR Portal.