On May 25, 2018, European data protection legislation receives its first major upgrade in 20 years, and for most companies this means substantial changes in the way data is collected and stored.
The new General Data Protection Regulation (GDPR), which will replace the current Organic Law on Data Protection (LOPD), is mandatory for all member countries of the European Union and aims to ensure that personal data is protected regardless of where it is sent, processed or stored. This law updates European privacy legislation so that it is more in line with current technologies and increases the uniformity of privacy regulations across EU member states.
The most relevant aspects of the new regulation
The GDPR is a complex regulation that may require major changes in the way you collect and process personal data: not only in how you identify and protect the personal data held in your systems, but also in how you meet the new requirements for transparency and for detecting and reporting security incidents involving personal data.
At Softeng we have prepared this article to help you understand the new regulation, quantify its requirements and find solutions:
Strict definition of personal data
With the entry into force of the GDPR, the types of data considered personal data are clearly defined, whereas previous regulations left room for interpretation. Personal data is all information that directly or indirectly identifies an individual, whether in a private, public or professional role.
Personal data may include:
- First name
- Email address
- Social network posts
- Physical, physiological or genetic information
- Medical information
- Fiscal or banking data
- Cultural or religious identity
The new territorial framework
With the application of the Regulation, any entity (company, organization, etc.) based in the EU must comply with the European Regulation, even if it processes personal data in another part of the world. Likewise, any entity anywhere in the world must comply with the European Regulation if it processes the personal data of EU citizens.
Fines for entities that violate the European Regulation can reach up to 4% of annual turnover or 20 million euros (whichever is higher), depending on the severity of the case.
Improvements in consent agreements
Until now, when a user gave legal consent to the transfer of their personal data to the entities responsible for storing and processing it, the consent text was in some cases incomprehensible or too technical for anyone not versed in legal terminology. Under the new regulation, consent texts for the transfer of personal data must be intelligible, clear and concise about why the personal data is requested and how it will be used. In addition, consent from children under 16 is not valid unless given by one of their legal guardians.
Notification of security breaches
Any entity that stores or processes personal data and falls victim to a cyberattack must notify the competent authorities and all affected users within 72 hours. No delay in communicating such incidents will be permitted.
Right to access own personal data
Any EU citizen can request a digital copy of the personal data an entity holds about them, as well as an explanation of which data is used and how.
Right to be forgotten
Any EU citizen may request that any entity completely delete their data and cease processing it, and that it notify any third parties with whom it has shared this information, provided that the request does not override the entity's right to publish such information in the interest and benefit of the general public.
Portability of personal data
At any time an EU citizen may request that their personal data be exported in digital format so that it can be transferred from one entity to another, and the original entity may neither prevent this nor retain copies of the information without the data subject's consent.
Incorporation of a Data Protection Officer (DPO)
The European Regulation introduces, for some entities, the requirement to appoint a new professional profile, the Data Protection Officer, who ensures the protection of the personal data of their employees, customers and suppliers. This role is mandatory when an entity performs intensive processing of personal data or is responsible for processing highly sensitive data, such as medical or financial data.
At Softeng we help you meet the GDPR with Microsoft cloud solutions
Microsoft believes that the GDPR represents a significant advance in fundamental privacy rights and that its objectives are consistent with the company's longstanding commitment to security, privacy and transparency.
Softeng helps you focus on your core business while preparing for the GDPR. Our goal is to facilitate compliance with the new regulation through intelligent technology, innovation and collaboration, and to that end we help you implement and activate the products in the Microsoft cloud.
How do Office 365, Enterprise Mobility + Security and Azure help you?
Microsoft offers the most complete set of compliance capabilities in the market, far more comprehensive than any other cloud service provider. Currently there are products and services in the Microsoft Cloud that will help you:
- Locate and categorize the personal data in your systems.
- Create a more secure environment.
- Simplify the management and monitoring of personal data through the tools and resources required to comply with GDPR reporting and evaluation requirements.
Microsoft Office 365 and GDPR
There are a number of Office 365 solutions that can help you identify or manage access to personal information:
- Office 365 Data Loss Prevention (DLP): Identifies more than 80 types of common confidential data, including financial, medical, and personal identification information. In addition, DLP allows you to configure the measures to be taken after identification to protect confidential information and prevent accidental disclosure.
- Office 365 eDiscovery Searches: Find text and metadata in the content of your SharePoint resources, SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, Office 365 Advanced eDiscovery employs machine learning technologies and can help you identify documents relevant to a particular topic (e.g., a regulatory compliance investigation) quickly and accurately.
- Customer Lockbox: Office 365 can help you meet regulatory compliance obligations related to express authorization to access data during service operations.
Among the current features of Office 365 that protect data and identify when a security incident occurs, we highlight:
- Exchange Online Protection Advanced Threat Protection: Protects email from new, sophisticated malware attacks in real time. It also lets you create policies that prevent users from opening malicious attachments or following links to malicious websites sent by email. Likewise, Threat Intelligence helps you proactively detect and protect against advanced threats.
- Advanced Security Management: Allows you to identify abnormal and high-risk uses that will alert you to potential security incidents. It also allows you to configure activity policies to track and respond to high-risk activities.
- Office 365 Audit Logs: Monitor and track the activities of administrators and users across Office 365 workloads, making it easy to detect and investigate security and compliance issues early.
Microsoft Enterprise Mobility + Security and the GDPR
Enterprise Mobility + Security offers identity-based security technologies that help you detect, control and protect your organization's personal data, uncover potential blind spots, and detect when data security incidents occur:
- Azure Active Directory (Azure AD): Helps ensure that only authorized users can access your computing environment, data, and applications.
- Intune: Helps protect data that may be stored on computers and mobile devices. You can control access, encrypt devices, delete data from mobile devices selectively, and control which applications store and share personal data.
- Azure Information Protection: Ensures that data is identifiable and protected, a core requirement of the GDPR, regardless of where it is stored or how it is shared. You can classify, label and protect new or existing data, share it securely with people inside or outside your organization, track usage and even remotely revoke access. It also includes logging and reporting functions to monitor the distribution of data.
- Advanced Threat Analytics: Helps locate security incidents and identifies attackers using innovative behavior analysis and anomaly detection technologies.
Microsoft Azure and GDPR
A fundamental requirement of the new regulation is to identify the data you hold; to that end, Azure allows you to manage user identities and credentials, as well as control access to data, through various tools and services:
- Azure Security Center: Continuously monitors resources, provides helpful security recommendations, and helps you prevent, detect, and respond to threats. Built-in advanced scanning features help you identify attacks that might not otherwise be detected.
- Data encryption in Azure Storage: Protects both data at rest and data in transit by encrypting it automatically. You can also use Azure Disk Encryption to encrypt the data disks and operating system disks used by virtual machines.
- Azure Key Vault: Allows you to protect the cryptographic keys, certificates and passwords that contribute to the protection of your data.
- Log Analytics: Helps you collect and analyze data generated by resources in your on-premises environments or in the cloud. It provides real-time information through built-in custom search and dashboards so you can immediately analyze millions of logs across all workloads and servers regardless of their physical location.
Overall, Microsoft leads the industry in engaging with customers, regulatory agencies, and regulatory and standards boards to advance compliance with the most stringent privacy and security standards. Moreover, the company is working on additional features and functionality for GDPR compliance ahead of May 2018.
Our recommendation is that you do not wait until the Regulation comes into force to prepare. You should start reviewing your privacy and data management practices now, since a GDPR breach can be very costly. To that end, Softeng offers you its experience and quality to help you define and agree the most appropriate strategy for your company to comply with the GDPR, helping you implement and take advantage of all the security tools we have explained in this post.
Want to know more? Contact us!