What is the GDPR?
The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive (the “Directive”), which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data. The GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018. The GDPR actually became law in April 2016, but given the significant changes some organisations will need to make to align with the regulation, a two-year transition period was included. Organisations should not expect any grace period from regulators beyond May 25, 2018. Some EU member state regulators have already gone on record to say there will be no enforcement holiday for organisations that fail to comply.
What are the main requirements of the GDPR?
The GDPR imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with six key principles:
1. Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
2. Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
3. Minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
4. Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
5. Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
6. Ensuring security, integrity, and confidentiality of personal data. Your organisation must take steps to keep personal data secure through technical and organisational security measures.
Does the GDPR apply to my organization?
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR is applicable to organizations of all sizes and all industries. Specifically, the GDPR applies to:
A) processing of anyone’s personal data, if the processing is done in the context of the activities of an organization established in the EU (regardless of where the processing takes place);
B) processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behaviour. The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.
How do I know if the data that my organization is processing is covered by the GDPR?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. This can include data such as online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more. Indeed, the term is so broad that it can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual. And even personal data that has been pseudonymized can still be personal data if the pseudonym can be linked to a particular individual.
My organisation is only processing data on behalf of others. Does it still need to comply with the GDPR?
Yes. Although the rules differ somewhat, the GDPR applies to organisations that collect and process data for their own purposes (“controllers”) as well as to organisations that process data on behalf of others (“processors”). This is a shift from the existing Directive, which applies primarily to controllers.
Microsoft cloud services such as Azure help organisations identify and catalogue personal data in systems, build more secure environments, and simplify management of GDPR compliance.
Microsoft's Azure cloud has products and services available that can help you in your preparation for meeting GDPR requirements. Elastacloud has developed a four-step process that we recommend you follow on your journey to GDPR compliance. The four steps are:
1. Discover: Identify what personal data you have and where it resides.
2. Manage: Govern how personal data is used and accessed.
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4. Report: Keep required documentation, manage data requests, and provide breach notifications.
Step 1. Discover: Azure Data Catalogue is an essential tool in this step. This service helps with the management of data (the metadata, not the data itself) and can provide your organisation with a strategic platform to become and stay compliant with the GDPR. Personal data should be tagged; for this you can use Azure Data Factory and Azure HDInsight. Azure Data Factory has capabilities to help trace and locate personal data, including visualisation and monitoring tools to identify when data arrived and where it came from. There are also capabilities for automating data pipelines with on-demand cloud resource management. Azure HDInsight helps by providing a platform to deploy various software frameworks that can trace and search for personal data. In addition, you can import Azure HDInsight data into Excel and query for personal data using the Power Query functionality.
Step 2. Manage: Azure Information Protection helps you to classify, label, and protect your documents and email. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination in which users are given recommendations. For example, if a user saves a Word document that contains personal data such as credit card information (after an administrator has created and applied a rule to automatically recognise this kind of information), the user receives a notice that recommends applying a specific label to the document. You can use Azure Role-Based Access Control (RBAC) to enforce separation of duties. This Azure service enables you to define fine-grained access permissions to grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions for Azure resources, you can allow only certain actions for accessing personal data. You can use Azure Key Vault for web applications to support separation of duties. This service allows you to implement a segregation of role functionality in the management of keys and data. To minimise the number of people who have access to certain information such as personal data, you can also use Azure Active Directory Privileged Identity Management. This functionality allows you to discover, restrict, and monitor privileged identities and their access to resources. You can also enforce on-demand, just-in-time administrative access when needed.
Step 3. Protect: The goal of the third step is to establish security controls to prevent, detect, and respond to vulnerabilities and data breaches. Azure Storage Service Encryption helps you to protect and safeguard your data, including personal data, in support of organisational security commitments and compliance requirements defined by frameworks and regulations such as the GDPR. Azure Storage Service Encryption allows you to request that the storage service automatically encrypt the data when writing it to Azure Storage. Microsoft handles all the encryption, decryption, and key management in a fully transparent fashion. All data is encrypted using 256-bit AES (Advanced Encryption Standard) encryption, also known as AES-256, one of the strongest block ciphers available. You can enable this feature on all available redundancy types of Azure File Storage, since both options – LRS (locally redundant storage) and GRS (geo-redundant storage) – are included. Transparent Data Encryption with Azure SQL Database helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest. All of this takes place without requiring changes to the applications. Azure Key Vault, a cloud-hosted service for managing cryptographic keys and other secrets used in cloud applications, provides capabilities to help you with the protection of data and access to data. This Azure service enables you to safeguard your cryptographic keys, certificates, and passwords. Azure Key Vault uses specialised hardware security modules (HSMs) for maximum protection and is designed in a way that allows you to maintain control of keys and data. Microsoft also offers a secure connection option for cross-premises connectivity. Azure ExpressRoute is a dedicated WAN link between Azure and an on-premises location or an Exchange hosting provider. Because this is a direct connection through your telecommunications provider, your data does not travel over the Internet and therefore is not exposed to it.
Step 4. Report: The goal of the fourth and final step is to retain the required documentation and to manage data subject requests and breach notifications. All Azure data is accessible and exportable at any time. For example, you can export a virtual machine (VM) as a virtual hard disk (VHD) and SQL databases into various database formats. In general, all Azure Storage content is fully exportable. Azure BizTalk Services and Azure Data Lake are also helpful in this context. Azure BizTalk Services may help enable application integration to facilitate data portability requests by enabling you to integrate data from disparate sources. Azure Data Lake has capabilities that enable the extraction and conversion of data. Azure Data Lake Analytics jobs are written in the U-SQL language, which is easily adaptable to specific needs.
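To make the Discover and Report steps concrete, here is an added Python example (not code from the page, from Elastacloud, or from any Azure service) that tags the columns holding personal data across a few constructed datasets and then answers a data subject request by following the account code that links otherwise anonymous-looking records, such as the landscape photo, back to one individual. The detector patterns, dataset names and account-code format are assumptions made up for the example.

```python
"""Added example (not from the page or Elastacloud): a tiny discover-and-report helper.
Step 1 (Discover): scan constructed datasets, tag the columns that hold personal data
(online identifiers such as IP addresses, email, location, account codes) and catalogue
where they live. Step 4 (Report): answer a data subject request by collecting every
record that links to one person, including records linked only by an account code."""
import re
from collections import defaultdict

# Detectors for some of the personal-data classes the text lists (constructed, minimal;
# free-text fields such as names need a lookup rather than a pattern and are not tagged here).
DETECTORS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "account_code": re.compile(r"^ACC-\d{6}$"),   # assumed pseudonymous key format
    "geo": re.compile(r"^-?\d{1,2}\.\d+,-?\d{1,3}\.\d+$"),
}

# Constructed sample datasets: system name -> list of row dicts.
DATASETS = {
    "crm": [
        {"account": "ACC-000123", "email": "a.person@example.com", "name": "A. Person"},
        {"account": "ACC-000456", "email": "b.person@example.com", "name": "B. Person"},
    ],
    "weblogs": [
        {"account": "ACC-000123", "client_ip": "203.0.113.7", "path": "/cart"},
        {"account": "ACC-000789", "client_ip": "203.0.113.9", "path": "/"},
    ],
    "photos": [  # a landscape photo becomes personal data once an account code links it to a person
        {"account": "ACC-000123", "geo": "48.8566,2.3522", "file": "view.jpg"},
    ],
}

def discover(datasets):
    """Step 1: return {(dataset, column): category} for every column holding personal data."""
    catalogue = {}
    for name, rows in datasets.items():
        for row in rows:
            for col, val in row.items():
                for cat, rx in DETECTORS.items():
                    if isinstance(val, str) and rx.match(val):
                        catalogue[(name, col)] = cat
    return catalogue

def subject_request(datasets, catalogue, email):
    """Step 4: gather all records about the person behind `email`, following their account codes."""
    codes = set()
    for name, rows in datasets.items():
        for row in rows:
            if any(catalogue.get((name, c)) == "email" and v == email for c, v in row.items()):
                codes.update(v for c, v in row.items() if catalogue.get((name, c)) == "account_code")
    found = defaultdict(list)
    for name, rows in datasets.items():
        for row in rows:
            if any(catalogue.get((name, c)) == "account_code" and v in codes for c, v in row.items()):
                found[name].append(row)
    return dict(found)
```

The catalogue is the metadata inventory Step 1 calls for; the request function shows why the photo record and the web log lines must be included in the individual's export even though neither contains a name.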