GDPR and You

Disclosure: this is a Microsoft-sponsored post, but all thoughts and opinions are my own. 

We are currently counting down the months, weeks, and days until the EU’s newest data protection legislation goes into enforcement. The General Data Protection Regulation (GDPR), passed in 2016, replaces its aging predecessor, Data Protection Directive 95/46/EC circa 1995. This change was arguably necessary, as the technological landscape and the Internet’s reach and risk have grown and changed exponentially since the mid-nineties. A primary purpose of GDPR is to harmonize data privacy laws across Europe, removing the obstacles to flows of personal data, while ensuring a high level of protection of the rights and freedoms of the people behind that data.

With its extended reach through extra-territorial applicability, GDPR will affect companies outside of EU borders and so has captured world-wide attention. It applies to all organizations, whether controllers or processors, that store personal data of subjects residing in the EU, regardless of where the organizations themselves are headquartered. The GDPR also applies to controllers or processors that monitor behavior that takes place within the EU (profiling), or that offer goods or services to EU citizens, whether payment is involved or not.

Organizations outside of the EU that process large amounts of personal data from EU residents will most likely need to appoint a Data Protection Officer (DPO) to operate as liaison to the GDPR supervisory authority within the EU.

To be certain, there’s a lot to dig into, plan for, and process around GDPR. But don’t just take my word for it, be sure and register for the Microsoft’s Modern Workplace webcast, “GDPR Impact”, airing November 6, where there will be plenty more discussion and talking points.

Organizations, no matter their location, found in breach of the GDPR can be fined up to 4% of annual global turnover or $20M, whichever is greater. There is a tiered approach to penalties, with the most serious infringements resulting in maximum fines. One of the greatest takeaways from the GDPR is the concept of privacy by design and by default. The opportunity to implement appropriate technical and organizational measures designed to implement data-protection principles in an effective manner and ensuring that, by default, only personal data which is necessary is processed is long overdue. The requirement applies to the amount of personal data collected, the extent of the data processing, the period of their storage and their accessibility. Data security is no longer an add-on to an already existing business model, but rather has an integral role to play in every level of research, development and production.

Because of its increased territorial scope and highly punitive damages, it’s critical to know whether the GDPR will apply to you or your business and how.

I would submit that whether or not the GDPR legally applies to your organization, it should definitely affect your organization in some tangibly beneficial ways. We should allow this legislation to spur deep thought and open conversation around the types of data we touch, how we use and house it, and whether we are doing all we can to protect it.

Stay tuned for the next post where I’ll examine the talking points that are raised in the Modern Workplace episode, available on-demand beginning today.