Privacy and Protection – What you need to know about the GDPR

Does your company deal with data from individuals or companies in the European Union (EU)? If so, read on.

Data is everywhere – and at the heart of almost every business. Yet recent data breaches have meant heightened security concerns.

Here in South Africa we are familiar with the impending PoPI Act. But if you have clients that are European Citizens, or based in the EU you’ll also have to navigate a new piece of legislation: GDPR (the General Data Protection Regulation).

The GDPR: a 5-second overview

At core, The General Data Protection Regulation (or GDPR) is about safeguarding the privacy of individuals and companies in the EU, and reflects the implementation of the Digital Single Market Strategy.

What will the GDPR do?

The GDPR will place new rules on companies that deal with EU residents. It will also apply to companies that collect or analyse data tied to EU residents, no matter where they are located.

To do this, the GDPR establishes global requirements governing how companies manage and protect personal data – and respect individual choice. Importantly, it is a law that will apply no matter where the relevant data is sent, processed, or stored.

When is it due to take effect?

The GDPR comes into effect on 25 May 2018.

What will the impacts be?

Depending on what data a company holds, the GDPR may mean a number of changes. These may include updates to personal privacy policies or strengthening how data is protected.

What are some of the key elements of the GDPR?

• Enhanced personal privacy rights. Part of the law looks to improve data protection. It will do this by giving EU residents the right to: access their data, correct inaccuracies, erase or move their data, or object to processing of their information.
• Increased data protection duties. The accountability of companies that process personal data will be reinforced and their responsibility for ensuring compliance increased.
• Mandatory data breach reporting. In the event of a breach, companies will be required to report the situation quickly, generally no later than 72 hours after the fact.
• Penalties for non-compliance. The GDPR will mean sanctions and fines can be imposed on organisations that have failed to comply.

Does the GDPR apply to my business?

The GDPR applies to companies (operators or controllers) in the EU.

It also applies to those outside the EU who offer goods and services to, or collect personal data from, EU residents.

What kind of data does the GDPR consider ‘personal data’?

The GDPR considers personal data to be any information related to an identified – or identifiable –natural person. This relates to direct identification data (such as a legal name). However, it also covers indirect identification data (data that makes it clear who is being referenced).

Personal data also includes online identifiers (such as IP addresses and mobile device IDs) and location data.

I use Dynamics 365. What types of data might be affected?

• Customer data. This spans all text, sound, video or image files and software.
• Administrator data. This is information about administrators supplied during signup, purchase, or administration of Microsoft services. It includes names, phone numbers, email addresses and aggregated usage information.
• Payment data. This is the information companies provide when making online purchases with Microsoft, including credit card numbers, security codes, names and billing addresses and other financial data.
• Support data. This information is supplied in a support request or results from running an automated troubleshooter.
• A special note on children’s data: Children (defined as a natural person under the age of 16 or as specified by Member State law) need specific data protection. Data controllers will need to get the consent of a parent/guardian for using the child’s personal data.

Where do I begin? Dynamics 365 users have four stages to follow in the journey toward GDPR compliance: discover, manage, protect and report.

Step 1 – Discover: Companies need to identify what personal data they hold have and where that data rests. This means both searching for and identifying the relevant personal information and then classifying it.

Step 2 – Manage: This relates to governing how personal data is used and accessed. This means, among other things, putting in place a governance system that can: notify subjects about how their personal data will be processed, get consent from data subjects around the processing of their personal data, provide a way for subjects to ask that processing of their data be stopped, correct inaccurate or incomplete data, transfer and save data. The system should also make it clear how data requests are processed and resolved.

Step 3 – Protect: Companies need to establish security controls to prevent, detect, and respond to data vulnerabilities and data breaches. Companies must put in place data privacy and security controls that ensure the confidentiality, integrity and availability of personal data. Encryption is one tool that satisfies the GDPR requirements.

Step 4 – Report: To show GDPR compliance through reporting, companies need to maintain an audit trail of all processing activities, requests and their resolution. Companies will also need to track and record flows of personal data into and out of the EU and third-party service providers. Moving toward GDPR compliance needn’t be an involved or difficult process, but companies should start thinking today about the steps they may need to take. At The CRM Team, we’re helping our customers keep in step with this legislation. There are many ways this can be done, but our preferred platform is Microsoft Dynamics 365 – a suite of intelligent business applications that brings all your customer information together in one place.