How should companies prepare for EU GDPR compliance?
Companies that don't meet GDPR compliance standards by May 2018 will be fined. Expert Matthew Pascucci looks at how Microsoft is preparing, and what other companies should do to comply with GDPR.
Microsoft recently vowed to comply with the European Union's (EU) General Data Protection Regulation (GDPR) in all cloud services when its enforcement begins in May 2018. However, companies still must take action to avoid fines. What is Microsoft doing for GDPR compliance, and how should enterprises prepare on their own for GDPR compliance?
Beginning in May 2018, all businesses housing data from European residents will have to abide by the EU GDPR. If companies don't abide by the rules defined by GDPR, they'll be fined 20 million Euros or 4% of their annual turnover.
With this regulation, Microsoft has taken steps to protect the data it holds in the cloud before the GDPR goes into effect. Microsoft is one of the largest cloud service providers in the world, and will need to comply with the more stringent regulations being imposed by the EU data directive to continue doing business under GDPR.
Under the EU GDPR, the EU can validate how companies collect, process or store data on any European resident, and enterprises must comply with their directive on securing EU user privacy. This law pushes companies outside the EU to comply with their rules if they want to continue business with their citizens. This may be a challenge for global e-commerce retailers that weren't following these directives completely in the past.
The EU GDPR regulation calls for Europeans to be told upfront how long their personal data will be stored, and for them to have the right to have it deleted when they disagree or request its removal. This means that any American company selling to a European resident would also be held liable under GDPR compliance.
When GDPR compliance is enforced next May, companies will have to start validating and implementing their infrastructure in order to continue business as usual, and to not to be fined for delinquency on the standard.
A few things the standard calls for, which companies should start reviewing now, include a complete risk assessment on the systems that house this data, assigning a data protection officer who is responsible for the program and the safety of data, and being completely transparent with data breaches with proper disclosures and potential fines for noncompliance.
How to comply with the GDPR
Preparing for GDPR compliance also means, if you're reviewing an application or cloud service, and you're hosting European residents' personal information, it should be certified under these new laws. With many applications being hosted in the cloud, it's important to know your cloud supply chain and which providers are involved. It also means that each company touching the personal information of European citizens needs to understand the complete data flow, like how it's being processed, transmitted and stored -- including backup tapes.
If you're dealing with this type of data as a provider, you have to follow the data and get a firm understanding of each system it touches, as well as how and where it's interacting with European residents. Following the guidance on logging and the removal of logs is extremely important, as compliance could be difficult for companies that don't understand their data flow.
Lastly, speak with legal counsel before dealing directly with this process, and get legal advice from practitioners who deal with the EU GDPR to validate that you're working appropriately to secure your business and your European customers' data.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)