On May 25, 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.
Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations. The GDPR is an important step forward in clarifying and enabling individual privacy rights; for this reason, Microsoft and KCP Dynamics want to help you focus on your core business while efficiently preparing for the GDPR.
Below we detail the most relevant information about the GDPR.
Key changes under GDPR
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
Get started with GDPR
Prepare your organization for the new regulation
The General Data Protection Regulation (GDPR) contains many requirements about collecting, storing, and using personal information, including how you:
- Identify and secure the personal data in your systems
- Accommodate new transparency requirements
- Detect and report personal data breaches
- Train privacy personnel and other employees
There’s a lot to do to get ready; we suggest that you begin reviewing your privacy and data management practices now so that you can take steps to comply before the regulation takes effect next month. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.
Key changes under GDPR
The first step towards GDPR compliance is to assess whether the GDPR applies to your organization and, if so, to what extent. This analysis starts with understanding which data you have and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
If your organization has such data or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR.
To understand whether the GDPR applies to your organization and, if it does, which obligations it imposes, it’s important to inventory your organization’s data. This will help you understand which data is personal, identify the systems where that data is collected and stored, and understand why it was collected, how it is processed and shared, and how long it is retained.
The GDPR provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Effectively managing your data involves both data governance and data classification.
Data governance. To satisfy your obligations to data subjects, you need to understand which types of personal data your organization processes, how your organization processes such data, and for what purposes. The data inventory discussed previously is a first step towards achieving this understanding. Once the inventory is complete, it’s also important to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and can help you ensure that your data handling practices comply with the GDPR.
Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your organization can be particularly helpful for responding to data subject requests, because it enables you to identify and process personal data requests more readily.
Organizations increasingly understand the importance of information security—but the GDPR raises the bar. It requires that organizations take appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure.
The Microsoft cloud is specifically built to help you understand risks and to defend against them, and is more secure than on-premises computing environments in many ways.
The GDPR sets new standards in transparency, accountability, and record-keeping. You will need to be more transparent about not only how you handle personal data, but also how you maintain documentation that defines your processes and use of personal data. Organizations that process personal data need to keep records about the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries receive personal data, and the legal basis of such transfers; organizational and technical security measures; and data retention times that apply to various datasets. One way to achieve this is by using auditing tools, which can help ensure that any processing of data—whether it be collection, use, sharing, or otherwise—is tracked and recorded.
GDPR and Microsoft Dynamics Solutions
As noted above, Microsoft is committed to GDPR compliance.
Dynamics 365 solutions in the Microsoft cloud, as well as Dynamics solutions hosted in partner or customer environments, have tools to assist you in meeting the GDPR requirements.
Discover these tools with our help: KCP Dynamics can assist you in deploying them and ensuring GDPR compliance.
Contact us on firstname.lastname@example.org