    Best Practice

    GDPR Readiness

    FOCUS ON: GDPR, Data Protection

    The General Data Protection Regulation (GDPR) will come into force on May 25th 2018 and will involve all organizations that process European residents’ personal data. Businesses that fail to comply with the regulation could face fines of up to €20 million or 4% of global revenues.

    To handle and minimize this risk, Cluster Reply, in partnership with Microsoft, has identified a best practice able to guarantee a principled approach to managing the privacy and security of personal data. This best practice goes under the name of “GDPR Readiness”.

    Introduction

    The General Data Protection Regulation (GDPR) is a privacy-related regulation born as an evolution of the Data Protection Directive (DPD).

    The DPD dates back to 1995 and requires EU member states to develop laws able to meet rigorous minimum standards, taking into account the use of computers and electronic devices for the processing of personal data. Over time, however, this directive has led to several disadvantages and inconsistencies, like the impossibility of protecting individuals’ rights and privacy from the steady march of technological progress. The GDPR has come into existence to overcome these disadvantages.

    From the perspective of businesses and organizations, the GDPR represents a real revolution, since it entails the review and redefinition of all existing organizational policies and procedures as well as the implementation of new and adequate security controls. This is because many new mandatory requirements have been introduced, like:

    • Privacy by design. Companies must minimize the collection of personal data, delete data that are no longer necessary, restrict access to data, and more generally secure data through its entire lifecycle.
    • Breach notification. Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. If the data pose a high risk to individuals’ rights and freedoms, data subjects will also have to be notified.
    • Fines. A tiered penalty structure has been defined and it will take a large bite out of offenders’ funds. In fact, more serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security. A lesser fine of up to 2% of global revenue – still enormous – can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach.

    The GDPR, then, represents something that every organization must take into account and face in a structured and well-defined manner. Only in this way can it come out as a winner.

    Application

    “GDPR Readiness” is the security practice that Cluster Reply and Microsoft have crafted to support organizations in their quest for compliance. Based on Microsoft best-of-breed technology and on Cluster Reply expertise in its operation and configuration, it allows companies to successfully face and overcome the GDPR challenge.

    The principle at the basis of this practice consists in subdividing the entire compliance process into four key phases:

    • Discover. Organizations must identify what personal data they have and where they reside. The first step towards GDPR compliance must always be assessing whether the GDPR applies and, if so, to what extent.
    • Manage. The personal data belonging to a given organization must be managed so as to clearly define how they are used and accessed. The GDPR will provide individuals with more control over how their data are captured and used. They can, for example, request that an organization share data that relate to them, transfer their data to other services, correct existing mistakes, or restrict certain data from further processing. In some circumstances, moreover, these requests must be addressed within fixed time periods. It hence becomes fundamental for a company to define and develop a data governance plan that describes policies, roles, responsibilities, and procedures for the access, management, and use of personal data, so as to ensure that its data handling practices are compliant with the GDPR instructions.
    • Protect. Businesses must implement security controls to prevent, detect, and respond to vulnerabilities and data breaches. The GDPR requires that organizations take appropriate measures to protect personal data from loss or unauthorized access or disclosure.
    • Report. Companies have to execute on data requests, report data breaches, and keep required documentation. In this regard, the GDPR sets new standards in transparency, accountability, and record-keeping. An organization will have to be more transparent not only about how it handles personal data, but also about how it actively maintains documentation defining its processes and use of data. Organizations processing personal data will need to keep records about the purposes of processing; the categories of personal data processed; the identity of third parties with whom data are shared; whether (and which) third countries receive personal data, and the legal basis of such transfers; organizational and technical security measures; and data retention times applicable to various datasets.

    Discovering, managing, protecting and reporting on personal data are four mandatory activities for responding adequately to the requirements imposed by the GDPR. The “GDPR Readiness” practice addresses this issue and enables organizations to streamline their process of compliance and be prepared to safeguard the rights of their customers and partners.

    Benefits

    As described above, the “GDPR Readiness” security practice is a structured approach to the problem of achieving compliance with the GDPR. As such, it enables companies to be organized and prepared in the face of such a fundamental activity.

    Organization and preparation, however, are not the only available features. On top of that, in fact, there are two essential elements: Microsoft technology and Cluster Reply know-how.

    Being a leading IT company, Microsoft has developed over time an extensive expertise in protecting data, championing privacy, and complying with complex regulations. Its products are designed with industry-leading security measures and privacy policies to safeguard customers’ data, and its services have been defined to help meet the GDPR requirements.

    On its side, and as a Microsoft Gold Certified Partner, Cluster Reply stands out in adopting and operating these products and services, and through its more than ten-year expertise excels at helping customers in achieving their business objectives taking advantage of Microsoft technology.

    This two-fold advantage will be the real driver able to lead customers to success and will eventually help them to overcome the fear of the GDPR.

    Conclusion

    Achieving compliance with the General Data Protection Regulation requires the implementation of a large set of different activities, which in turn entails the need for careful planning and demands in-depth expertise.

    Through the definition of a well-structured framework and the knowledge of Microsoft cutting-edge technology, the Cluster Reply “GDPR Readiness” security practice aims at supporting organizations in facing this challenge and coming out as a winner.

    The final purpose underlying the definition of this security practice is to definitely help customers meet their policy, people, process and technology goals, and to help them start their journey to GDPR.
