Through an arrangement with TechSoup, PND is pleased to offer a series of articles about the effective use of technology by nonprofits.
What is GDPR? The General Data Protection Regulation is Europe's new privacy law.
It raises the bar for the protection of personal data, which is any data that can be linked to an individual.
What does this mean in simple terms for the average person or organization? GDPR imposes new rules on companies, government agencies, nonprofits, and other organizations. It imposes those rules, regardless of location, on organizations that offer goods and services to people in the European Union (EU) or that collect and analyze data tied to EU residents.
The average person will have more explicit rights under GDPR to know who stores, processes, and has access to their personal data. Under GDPR, EU residents can request access to, rectification of, and deletion of their data.
Organizations need to review their data governance practices, get rid of legacy systems that store unnecessary data, and delete data not collected as prescribed under GDPR rules. They also need to document appropriate technical and organizational measures and work only with reliable vendors or face high financial and reputational risks.
How will GDPR impact organizations based in the U.S.? Many organizations in the U.S. do not operate or have business in the EU, and do not process the information of individuals living in a country subject to EU regulations. For them, GDPR will not have an immediate impact. However, many other countries around the world are looking at GDPR as a basis for their own privacy laws and regulations. Microsoft believes that compliance with the GDPR standard can be a best practice for managing personal information.
Why did the EU put GDPR into place? In Europe, privacy is a fundamental right, and the EU is dedicated to protecting it. The EU's operational philosophy is built on the concept that personal data belongs to the individual. This is different from how the United States operates, where information collected on an individual is seen as the property of the organization that collects it.
Data breaches have become part of our everyday life, and Europe wants to lead the way internationally to require companies to be more principled and transparent around data use and to invest more in security and data protection. Any company or agency collecting or utilizing personal information may do so only if they have a lawful basis to process the information.
Will other countries follow the EU and put similar regulations in place? GDPR applies to anyone who provides goods or services to residents in Europe. Other countries are considering similar laws with some variations, as some countries consider GDPR to be overly prescriptive.
Who will monitor GDPR compliance? The Data Protection Authorities in the member states, as well as the European Data Protection Board, will monitor GDPR compliance.
When does GDPR take effect? It takes effect on May 25, 2018. It has been made clear that there will be no enforcement grace period, as companies received two years' notice to prepare for the new regulations.
What are the main requirements of GDPR? GDPR requires enhanced security, data protection, appropriate technical and organizational measures, transparency, record keeping, accountability, and supporting data subject requests. It also requires a 72-hour personal data breach notification by data controllers to the authorities. Responsibility for data protection will be shared within organizations and with vendors, establishing a shared responsibility model.
Organizations must know what personal information is collected in their internal systems and how it is processed. Conforming to this rule will require executive awareness of how information collection and processing takes place; it cannot be treated as an IT or legal issue alone. Internal awareness and training will be key.
How do I know if GDPR applies to my organization? And what are the risks to my organization if it doesn't comply? GDPR applies to any organization that operates within the borders of the European Union or processes the personal data of any person in the European Union. Failure to comply will expose the organization to legal and financial penalties from privacy regulators in the EU, plus legal claims from individuals.
Can Microsoft help us meet the requirements of GDPR? The final responsibility for GDPR compliance lies with the organization. It's up to nonprofits to determine what data will be collected, how it will be used, and who in the organization is responsible for it. It's also up to nonprofits to figure out how individuals can request access to their personal information and request its rectification and deletion.
However, Microsoft does provide a suite of tools to assist with meeting these requirements. Our Azure cloud infrastructure has been designed with GDPR in mind and has systems in place to assist with GDPR compliance. Our Office 365 E3 and E5 licenses make it easy to tag data and automatically identify sensitive information, even when the user does not recognize it as sensitive. And we've launched a GDPR compliance dashboard that organizations can use to monitor their own compliance.
You can also visit the GDPR web page on our new Microsoft Trust Center website to learn more about how the features and functionality of Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, and Windows 10 will enable you to meet GDPR requirements.
What steps should I take next? Start by reviewing our Nonprofit Guidelines for Cybersecurity and Privacy white paper. From there, decide internally who will be responsible for ensuring compliance and what steps are needed. GDPR compliance will not happen overnight, and it has no final endpoint; it's a continuous journey.
Cameron Birge is humanitarian response manager at Microsoft Philanthropies, where he is responsible for coordinating, across the company, the provision of resources to external agencies providing relief during humanitarian disasters. He also engages with nonprofits in other areas, including data privacy and cybersecurity.
Andrea Simandi was appointed to the role of European data protection attorney for Microsoft in February 2017. As part of Microsoft's European commercial legal team, she supports the company's enterprise customers in complying with the requirements of the General Data Protection Regulation and accelerating their digital transformation.