Did you see my post a couple of weeks ago about our upcoming webcast and the one-year countdown for GDPR compliance?
Did that get you thinking about complying with EU GDPR (General Data Protection Regulations) in your Microsoft environment?
Or did you just hit the snooze button?
Maybe GDPR compliance isn’t on your list of priorities yet. Maybe you think you can procrastinate until, say, a week or two before the May 25, 2018, deadline. Maybe you think GDPR compliance doesn’t apply to you because you have no offices in Europe.
Or maybe you think that €20 million in fines isn’t enough money to worry about.
Wait, what? €20 million?
You read that right. The EU is officially woke about consumer privacy and data breaches, so you’d better have GDPR on your radar.
The goal of GDPR is to tighten privacy protections for online users, and the fines for violations are set to skyrocket after May 25, 2018. “For less serious violations,” writes Deloitte, “the maximum is €10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher).” For more serious violations, this goes up to €20 million or 4% of turnover.
(And even if you don’t know what a € is, you can bet that 20 million of them is enough money to worry about.)
Effective May 25, 2018, the General Data Protection Regulation (GDPR) will require organizations – both the “data controllers” and the “data processors” — to strengthen data protection and security measures to protect the personal data of EU citizens. They must also be able to demonstrate compliance at any time.
Are we a data processor or a data controller? Or both? Or neither?
That’s another important thing you have to sort out.
“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be processed.
“Data processor,” in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
GDPR states that data controllers and data processors should develop or update their internal data breach notification procedures, including incident identification systems and incident response plans. When a data breach occurs, organizations must notify authorities and all affected customers within 72 hours.
Wait, what? 72 hours?
That’s pretty quick. And that takes us back to the discussion about €10 or €20 million and 2% or 4% of turnover if you can’t respond quickly.
GDPR may seem onerous, but once you’ve put automation and the right tools in place, achieving and maintaining your goals for GDPR compliance won’t be so difficult.
Of course, if you keep hitting the snooze button and delaying your deployment of automation and tools, that compliance deadline will come up fast and without mercy.
Webcast: “GDPR Compliance Planning for Microsoft Environments”
On June 22, we’ll conduct a webcast titled GDPR Compliance Planning for Microsoft Environments. We’ll cover the main GDPR topics germane to Microsoft environments:
- Why GDPR and other regulations impact your environment
- How to assess and identify compliance risks
- How to discover who has access to sensitive resources
- Why to implement real-time auditing and alerts on user access