There are big changes coming for organizations that conduct business in, or store and collect data tied to citizens of the European Union (EU). From data protection and breach reporting to governance documentation, the General Data Protection Regulation (GDPR) calls for businesses in any location that hold data on Europeans to be more efficient and accountable with their IT operations – or face significant penalties.
With May 25th, 2018 as the proposed GDPR enforcement date, you have just a few months to comply with the new (and slightly confusing) GDPR laws. Though that may seem far away, the date will come quickly, as will the scrutiny into your data practices.
But the path to compliance doesn’t need to be difficult. At Interlink, through our cloud and on-premises solutions, we’ve identified a path forward.
Understanding the Road Ahead to GDPR Compliance
GDPR grants European citizens living in the EU enhanced data and privacy rights.
Under GDPR, businesses must obtain consent for storing an EU citizen's personal data in most cases. Businesses must also clearly explain what data is being stored, for how long, and what processes are in place to protect personal information. Citizens also have the legal right to:
- Access their personal data
- Revoke consent of personal data processing
- Export their data to their own devices
- Request that all their data be deleted
GDPR defines personal data very broadly: it includes names, email addresses, and online identifiers, as well as genetic, biometric, and demographic data. Though there are some exemptions to data processing in GDPR, businesses that hold EU citizen data, whether they are operating inside or outside of the EU, will need to make the necessary compliance changes by May of 2018.
The Danger of Non-Compliance
Businesses that violate GDPR are subject to various penalties, including an upper-level fine that is equal to 4% of revenue.
Your business may be penalized for:
- Failing to report a breach within 72 hours of discovery (not business days)
- Failing to notify users without “undue delay” of a breach
- Automated profiling without consent (any form of analysis of personal data)
- Not being transparent in how personal data is collected, stored, and processed
- Outsourcing data storage and analysis to a non-compliant partner or vendor
- Not following the data governance policies you have defined
- Not adequately using available security tools and processes to limit unauthorized data access
The Steps to Building Compliance
The first step in building a path to compliance is discovering what personal data your organization stores and where it resides.
Next, you’ll want to assess how your data is being managed. Management falls into two categories: data governance (policies, roles, and responsibilities) and data classification (organization and labeling).
After classifying the data into appropriate groups, you’ll then need to apply protection policies to that data when appropriate.
The final step, reporting, involves making sure that you not only keep up-to-date and accurate records of data collection and processing, but also have the reporting tools necessary to supply citizens and legislators any requested information. GDPR places a large emphasis on transparency and accuracy in data reporting, making it a critical process component that can make or break your overall level of compliance.
Microsoft Enterprise Mobility and Security Suite for Compliance
Microsoft will have its cloud platforms compliant by the GDPR enforcement date, supplying you with the tools and processes you need for guaranteed business continuity. For nearly all organizations, the Enterprise Mobility + Security Suite (EMS) covers many of the process and data administrative components required for GDPR compliance. EMS comes in two different options: EMS E3 and EMS E5.
With EMS E3, you get powerful data governance and protection features, including:
- Azure Active Directory P1: Secure single sign-on to cloud and on-premises applications with options for Multi-Factor Authentication, conditional access, and advanced security reporting.
- Microsoft Intune: Mobile device and application management that protects the apps and data on any corporate device and allows for their removal when needed.
- Azure Information Protection P1: Encryption for files and storage locations with cloud-based file tracking.
- Advanced Threat Analytics: Protection from advanced and targeted attacks on the on-premises network, using behavioral analytics.
For enterprise customers, EMS E5 provides extra layers of data protection by including all the features of E3 and then some. These additions include:
- Azure Active Directory P2: Advanced identity protection that allows for automated responses to detected suspicious actions within your organization.
- Azure Information Protection Premium P2: Intelligent and automated classification and encryption for files shared inside and outside of your organization.
- Microsoft Cloud App Security: Discovery of cloud apps in use by your users with granular control over access and integration.
The Microsoft Advantage
The Microsoft Enterprise Mobility + Security Suite helps keep your organization GDPR compliant by protecting your data from unauthorized use. The flexibility of the EMS solution lets you continue to write data policies and create responsive governance plans without worrying about how your IT processes will respond.
As your journey towards GDPR compliance continues, Interlink can help you identify which solutions and configurations will work best for your organization. Through a combination of cloud and on-premises deployments, we’ll work with your organization to help you on your security and compliance journeys.
Contact us today to secure your data and become GDPR compliant.