GDPR: What It is, What It isn’t & How It Affects Your Organization

If you’ve gone anywhere online within the past few months, you’ve probably heard about the General Data Protection Regulation (GDPR). Ever since GDPR went into effect on May 25, 2018, the entire business world (and, as a result, the internet) has been in a frenzy. But, according to GDPR experts such as UK Information Commissioner Elizabeth Denham, the situation isn’t as dire as it’s made out to be.

In this GDPR Q&A, we’ll explain what GDPR is, who it affects, and attempt to set the record straight on some common GDPR myths.

What is GDPR?

To deconstruct some of the fallacies surrounding GDPR, we must first clarify what it is. The General Data Protection Regulation, or GDPR, is the European Union’s (EU) new directive for data protection law; it replaces the 1995 data protection directive.

According to official EU documentation, GDPR “regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU.” Put in laymen’s terms, GDPR is designed to protect the data privacy of EU citizens.

GDPR doesn’t apply to the processing of personal data of deceased persons or of legal entities, nor does it apply to data processed by an individual for personal reasons or within one’s home. The only exception to this final stipulation is if the individual uses personal data for socio-cultural or financial activities.

How does the EU define “personal data”?

According to the EU, personal data is “any information that relates to an identified or identifiable living individual.” Any information that could potentially lead to the identification of a particular person also qualifies as personal data. Encrypted personal data also falls under the scope of GDPR.

Who is subject to GDPR?

Official GDPR documentation is phrased in such a way that its geographic parameters are somewhat unclear. To clarify, if your organization is based in the EU, you are subject to GDPR, even if your clientele is located outside the EU. If your organization is based outside the EU but provides services to EU citizens, you are also subject to GDPR.

What are my obligations under GDPR?

Under GDPR, organizations are obligated to only process personal data with full consent of the data subject (which is why so many businesses updated their privacy policies in advance of May 25). Therefore, businesses must provide transparent information about their purpose for processing a data subject’s personal data. Data subjects reserve the right to withdraw their consent at any time, at which point you no longer have the right to process their personal data. If, at any point, the security of your networks that process personal data is compromised, you are required to notify the public within 72 hours.

To see more specific information about your obligations under GDPR, refer to this helpful guide produced by the EU.

You keep saying “data subject” — what does that mean?

“Data subject” simply refers to any individual whose personal data is processed by a third-party entity.

What are the consequences of failing to comply with GDPR?

According to Article 83, which outlines the general conditions for imposing administrative fines, GDPR fines and penalties are based on several factors, including:

• The nature, gravity and duration of the infringement
• Whether the infringement was intentional or negligent
• What actions the controller or processor took to mitigate the damage
• Any relevant previous infringements by the controller or processor
• The degree of cooperation with the supervisory authority
• The categories of personal data affected
• The manner in which the supervisory authority was made aware of the infringement

For lower tier infringements, organizations can be fined €10 million or up to 2 percent annual global revenue, whichever is higher. Higher tier infringements, such as not having sufficient customer consent to process data, will result in a fine of €20 million or 4 percent annual global turnover, whichever is higher.

What are some common GDPR myths?

• Data subjects have the right to have their personal data erased.
  • Although GDPR introduces the right to erasure (also known as the right to be forgotten), it isn’t as much of a right as its name implies. Organizations are only required to comply with a data subject’s request under certain circumstances, as outlined under Article 17.
• All countries within the EU adhere to the same rules for compliance.
  • Unfortunately, since not all EU member states agree on GDPR regulations, each member state is permitted to have its own set of specific rules. Likewise, each member state has its own independent public authority responsible for identifying and investigating GDPR infractions. Be sure to read up on each member state’s special rules before you proceed.
• Encryption is mandatory for GDPR compliance.
  • Although encrypted personal data falls under the scope of GDPR, nowhere does official GDPR documentation stipulate that encryption is a requirement for compliance.
• GDPR doesn’t apply to data collected prior to May 25, 2018.
  • All personal data, regardless of when it was collected, falls under GDPR.
• Every organization must appoint a Data Protection Officer (DPO).
  • Your organization only needs to appoint a DPO in these three situations:
    • If you’re a public authority or body that processes data
    • If your core activities require widespread, regular monitoring of data subjects
    • If you process sensitive information on a large scale

Although a DPO isn’t mandatory for all instances, it’s generally advisable to err on the side of caution and appoint one.

How can I ensure that my organization stays GDPR-compliant?

There are four essential pillars that you should observe to ensure GDPR compliance:

1. Privacy: Data subjects must be able to access and export their personal data and have the right to object to the processing of their personal data.
2. Transparency: Organizations must provide detailed information about the processing of all personal data, including a clear notice of data collection and a stated purpose for processing, and maintain meticulous records of data processing
3. Security: Organizations must protect data subjects’ personal data, obtain proper consent prior to processing personal data, and notify authorities of personal data breaches in a timely manner.
4. IT and training: Organizations are advised to audit and update data policies, train privacy personnel and employees, and employ a DPO, if necessary.

Although remaining GDPR-compliant might seem like a daunting task, the right software can make it easier. Microsoft Dynamics 365 (D365) includes a suite of innovative and cutting-edge applications — all based in the Microsoft Cloud — to ensure compliance.

D365 makes it easier to track GDPR obligations, maintain a thorough, up-to-date record of all user interactions from a single interface, define roles and access privileges, and more. Compliance Manager performs ongoing risk assessment for all Microsoft Cloud services, including Office 365, Azure and D365. Compliance Manager also enables you to perform regular self-assessments to closely monitor your compliance status. D365’s high-powered security capabilities, including Azure Information Protection scanner, Azure Information Protection, Microsoft Cloud App Security, and Windows 10 Enterprise protection features, enable you to better monitor and protect the personal data with which you’ve been entrusted.

Interested in learning more about how GDPR will affect your specific industry or how Microsoft Dynamics 365 can help your organization stay compliant? The experts at Hitachi Solutions can help. At Hitachi Solutions, we specialize in delivering success with business applications based on the Microsoft Cloud. We help clients across multiple industries tackle complex issues — such as GDPR compliance — with world-class business solutions. Start a conversation with us today to get started.