Thank you to everyone who joined the June 22 webcast, GDPR Compliance Planning for Microsoft Environments. Microsoft MVP Greg Schulz and Quest principal technology strategist Colin Truran led a great, interactive session where they discussed:
During the lively, one-hour discussion, we had a couple dozen questions from customers just like you trying to understand exactly how GDPR affects their Microsoft environment. We pulled the top 10 questions from the webcast below for your reference.
10 GDPR Compliance FAQs
Q1: What do you mean by “EU citizen data?”
A1: GDPR protects the personal data of EU citizens. ANY company (whether they're based in the EU or outside) that processes or stores personally identifiable information (PII) of EU citizens is regulated under GDPR.
Q2: What’s the scope of EU citizens’ personal data governed? Is it name, email, credit card number, etc.?
A2: All of that and much more, including biometrics, habits, hobbies, IP addresses, MAC addresses and pictures. It's a comprehensive list.
Q3: As an employee of a company, how can one become a Data Protection Officer?
A3: The DPO, the Data Protection Officer, is a unique role. If your organization has more than 250 people or you're dealing with sensitive information such as biometric information and medical history, then you must appoint a Data Protection Officer. Normally, they are at the board level, but they cannot have a conflict of interest. You can't have your IT staff also serve as DPO. Your CTO cannot be your DPO, and the same with the owner of the company. The DPO is responsible for coordinating efforts to adhere to the policies, but also for reporting to the Data Protection Authority if/when you have a potential breach, compliance failure or audit failure.
Q4: Which organization will assess and collect penalties in the U.S.?
A4: There will be a locally appointed Data Protection Authority, and it is usually the one responsible for current national and internal compliance. In the U.K. for example, it falls to the Information Commissioners Office (ICO) even after the U.K. leaves the EU.
Q5: When can an organization confirm that it is GDPR-compliant? Who audits that? Is it a third party?
A5: An external audit could happen at any time, and confirmation depends on the nature of the audit. Data Protection Officers work with the Data Protection Authority to ensure that you're complying with the regulations to a satisfactory level. It's a two-way process. Normally, you have to demonstrate good practice and process to them. There are certain things you have to produce to justify that, and detailed collateral and helpful resources are available on the GDPR website.
Q6: What about GDPR audit checklist documents? Where are they located? Where can they be found?
A6: There’s no single checklist, but your local Data Protection Authority will provide collateral in your native language. There are also some helpful resources available on the GDPR website. But really, it comes down to working with a data protection GDPR practitioner, because the checklist is going to be based on your environment and the nature of business you're doing, how you're sharing that information and whom you're working with. You need to work with your legal team because you will have to put contracts in place between yourself (if you’re a data controller) and your data processors, or vice versa.
Q7: Regulated industries must keep email or other data for 7 years. How will they accommodate GDPR?
A7: There are legal obligations that override GDPR. In some cases, they may be financial; in others, the party may have a legal obligation to you; in still others, you may need to maintain the data to provide the Data Subject with a service, or if they have a legal obligation to you.
Q8: What is the impact of GDPR on Infrastructure-as-a-Service (Iaas) providers?
A8: If you have access to personal data or are storing the data, you must comply. Even though you're providing the infrastructure, you're still hosting that personal information.
Q9: What do you mean by “consent” in the context of GDPR?
A9: As a data subject, you now have many more rights about how you provide personal information, how it's used and for how long it lives. Instead of just ticking a box saying, "Yes, I'm happy to be contacted for marketing material or by third parties," data subjects must now say, " I want to be contacted by email only," or by phone, etc. Much more granular consent can be given, and the ways in which that data may be used or shared are more explicit.
Q10: I teach at a university in the United States. We have foreign students attending from many countries, including those in the EU, and we have their home address, phone numbers and other personal data. Must we comply with GDPR?
A10: Yes, you must. You will need to talk to the authority that will be responsible for it. The difficulty is that, if you fail to comply with GDPR while a rival university is complying, you're now competing for European students on a totally different level. So it's worth investigating.
For more details, you can watch the on-demand webcast anytime you like: https://www.quest.com/webcast-ondemand/gdpr-compliance-planning-for-microsoft-environments8128095/.