In a world of mobile and cloud, it is no surprise new data protection legislation would create a significant shift to data requirements across all industries. So how should a company adapt? Legacy systems must align to legislation but are complex to change. Can IT systems do all the work, or do the business processes need to change too?
This blog highlights the key changes, impacts and controls all businesses should be aware of with GDPR coming into force on the 25th of April 2018.
What is the true reach of the GDPR changes?
The General Data Protection Regulation (GDPR) surprises many with its territorial reach. It is common knowledge that all companies based within the European Union must comply with GDPR, but the legislation contains key provisions that make it the furthest-reaching data protection legislation to date. Any company that offers goods or services (free or paid) within the EU, or monitors the behaviour of EU residents, is legally bound by GDPR, meaning most global firms are held to account.
Some examples for deciding whether there is sufficient evidence that a firm is within the GDPR’s scope:
- May be insufficient evidence
  - The firm’s website is accessible to EU residents
  - The firm’s email or other contact details are accessible to EU residents
  - The firm is located in a non-EU state that speaks the same language as an EU state
- May be sufficient evidence
  - The firm markets its goods and services in the same language as generally used in an EU member state
  - The firm lists prices in EU member state currencies
  - The firm cites EU customers or users
For countries outside of the EU there is also growing pressure to implement the core concepts outlined in GDPR into their own data protection legislation; a key example of this is known as the “Microsoft Warrant Case”. Microsoft have taken 4 separate privacy lawsuits to the US government since 2013 to update the law and protect their customers. With the adoption of the cloud and growing uncertainty over legislation for data authority, storage and ownership, it is key that universal legislation exists to protect user data wherever it is stored.
More information on this specific example can be found here:
What are the differences between GDPR and the Data Protection Act?
Most people have heard of some of the changes GDPR brings, most commonly the right to be ‘forgotten’, but there are many more significant changes all businesses need to be aware of:
- Data Processing Consent, Withdrawal and Deletion
GDPR explicitly states that a company must request consent to store or process sensitive or personally identifiable data, and the request must be clearly distinguishable and written in plain language. Consent to process data can be (easily) withdrawn at any time, and where deletion of consumer data is requested it must be completed, except for data that must be retained to meet other legislative requirements, for example 7 years of financial transaction data.
- Data Protection Ownership
Organisations of 250 employees or more are required to have a dedicated Data Protection Officer, who should report directly to the highest management level of the ‘processor’ or ‘controller’, to manage regulatory requirements, data management processes and issues relating to the company’s GDPR compliance.
- Data Breach Notification
Within 72 hours of becoming aware of a data breach, companies are required to notify the supervisory authority; where a personal data breach results in a high risk to the rights and freedoms of individuals, those individuals must also be notified without delay.
- Regulatory Powers for Enforcement
With the new regulation comes substantial new regulatory power to enforce it and to conduct a full on-site audit of any business where there is a suspicion of a breach of GDPR compliance. At this point the Data Protection Officer is required to provide any information relating to the company’s data processing tasks.
- Non-Compliance Penalties
With proof of failure to comply with GDPR there is now an increased penalty of up to 4% of a company’s annual worldwide turnover or €20 million, whichever is greater.
How to utilise the Microsoft product stack
With more companies undergoing a technical transformation across their businesses, it is a critical time to ensure system security. Although services hosted in the cloud are more accessible, scalable and integrated, data can be left exposed unless the security underlying these solutions is assured.
How business users log on to systems is critical: it is the first point of security for any system, but especially for those accessible via the internet. With tools like Azure Active Directory, users can secure their identity and data with anything from mobile tokens to facial recognition. As a standard for externally accessible systems, multi-factor authentication should always be in place.
With any cloud hosted infrastructure there is a key focus on ensuring not only that only approved parties can connect to any server, but also that those connections are appropriately monitored and regulated. This adds increased significance to any integrations between systems and to service account requirements. Operations Management Suite can provide real time reporting on both the security and performance of any infrastructure, allowing proof of compliance and proactive infrastructure support. Tools like Azure Key Vault, Logic Apps and ExpressRoute allow service account credentials to be stored securely and publicly exposed infrastructure to be consolidated, significantly minimising the risk of possible attacks.
Within any business’s central data processing units, e.g. Finance, HR or Sales, the legislation means that not only must the data collected be meaningful and not overreaching, but it must also be secured and only processed for specific purposes. Enterprise solutions such as Microsoft Dynamics 365 have Role Based Access Controls, Segregation of Duties and inbuilt audit compliance embedded as standard, based on best practice processes, to help align a business seamlessly with regulatory requirements with full audit capabilities. Whether looking for financial and operational solutions or customer management, there is a suite of standard solutions to align with business requirements.
A company’s compliance will be key, and the first thing on any Data Protection Officer’s to-do list. Microsoft have been willing to help with this complex requirement by providing the ability to run checks against not only cloud based infrastructure but also any appropriately configured physical servers. As an added bonus, compliance checks against many other regulations, for example ISO 27001, are also available.
Ultimately GDPR is now knocking at the front door, and the level of change and impact to any business should not be underestimated. The risks and penalties for not complying with these changes are significant, and the overhead of managing new data protection regulations can be substantial where efficient processes and solutions are not applied. If you would like to discuss any of the topics mentioned in this blog, please feel free to contact us.