During the last few months, I’ve spoken with a lot of Azure customers, both in person and online, about how to prepare for the May 25, 2018 deadline for compliance with the EU’s General Data Protection Regulation (GDPR). The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located. The GDPR will dramatically shift the landscape for data collection and analysis, since under the GDPR, many practices that were commonplace will be forbidden, and companies must take care in assessing their exposure and how to comply.
I recently participated in a Microsoft series of webinars about the GDPR and its implications for IT teams and cloud computing. We got a lot of questions from the audience in these webinars, so I thought I would answer some of the most frequently asked ones here, along with links to the on-demand webinars.
Q: Does the GDPR allow me to send data outside the EU?
A: GDPR applies globally, so no matter where your company stores or processes personal data, even within the EU, it must comply with GDPR guidelines.
Q: Does GDPR apply to internal sites, such as corporate intranets, as well?
A: Yes. Whether you’re storing personal data about consumers or employees, you must still abide by GDPR guidelines.
Q: What are the GDPR requirements around classifying data?
A: GDPR doesn’t explicitly require data classification, but given the rights that it grants to EU citizens, and the requirements of any company storing a citizen’s personal data, classifying data is practically non-negotiable. For example, companies must inform individuals about all of the personal data they have on file, and must get their consent before processing it. Companies must also ensure that they are taking appropriate measures to protect that data, and can only store it for the prescribed purpose and period of time for which an individual gave their consent.
So there’s really no feasible way to abide by these requirements and responsibilities without cataloging your data and knowing the location of any personal data that falls under GDPR jurisdiction.
Q: Does GDPR require encryption?
A: Not in a prescriptive manner. Instead, it gives you guidelines and strongly suggests that you encrypt.
Q: Has the EU established any best practices about what it means to be compliant?
A: The EU has published guidelines, but keep in mind that GDPR is just the baseline—each country has the authority to include additional requirements. And GDPR is more about giving you guidance, rather than providing highly prescriptive instructions.
Q: How does Brexit impact this?
A: Unfortunately, the UK is no longer considered to be on the same level as the EU member countries. As such, the UK will no longer be considered adequate in abiding by terms of data protection laws. However, the UK is doing its part to comply with GDPR.
Q: Will there be an official GDPR certification?
A: Eventually, but it won’t be completed for at least a couple of months after GDPR is implemented. In the meantime, you can build on top of ISO 27001, and Microsoft has its own GEP analysis to help companies figure out how to get compliant.
Q: Are any independent groups giving assessments?
A: A coalition of cloud infrastructure service providers, called CISPE, has developed its own code of conduct that’s intended to help companies get started. In December, the Cloud Security Alliance released its code of conduct, which we are evaluating. In the meantime, we are sticking with ISO 27001 and staying in contact with the EU’s Data Protection Authority.
Q: Do data retention requirements override an individual’s right to have their data deleted?
A: Yes, there are a few exceptions where personal data must be kept for tax or legal reasons to run your business. However, the whole notion of companies having carte blanche permission to collect and keep data has been done away with.
Q: Is IP in scope for data subject rights?
A: Yes. In fact, IP is in scope with the EU’s existing DPA regulations, but GDPR significantly broadens the definition of personal data to include any information that can be connected with a known person. Examples include browser history and social media activity.
It also makes special provisions for information related to an individual’s physical and mental health, such as genetic and biometric data.
I hope these questions get you thinking about what you can do to prepare for GDPR. We have a lot more GDPR information available on our main GDPR site, including an Azure GDPR page, our white paper, How Microsoft Azure Can Help Organizations Become Compliant with the EU GDPR, and our Get Started: Support for GDPR Accountability set of resources.
Of course none of the above should be considered legal advice, and we encourage you to bring any concerns you have to your company's legal counsel.