8 things IT resellers need to know about GDPR
Microsoft and Tech Data reveal the ‘need-to-know’ points for resellers regarding GDPR developments and how they can help their customers moving forward.
1. What is GDPR?
The General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive. It has been developed by the EU to bring data protection policies up to date with how companies now store, secure, and manage personal data. The new regulations focus on protecting and enabling the privacy rights of individuals by providing them with control over their personal data through a set of 'data subject’ rights.
2. When will GDPR come into effect?
GDPR will finally be implemented on May 25, 2018, but it is essential that your customers are fully prepared before this date to ensure their compliance.
3. Who will it affect?
GDPR applies to organisations that collect and process data for their own purposes (‘controllers’) as well as to organisations that process data on behalf of others (‘processors’).
This is a shift from the existing Data Protection Directive, which applies primarily to controllers. GDPR will affect the whole of the EU, which currently spans 28 member countries and half a billion citizens. However, companies outside the EU will still have to meet its standards if they want to continue using data from customers in the EU. This includes the UK, regardless of its decision to leave.
4. What does it mean for organisations?
GDPR includes detailed rules about what organisations must tell individuals about their processing of personal data. This must include, among other things, why the personal data is being processed, how long the data will be stored, and with whom the personal data will be shared.
This is why it is essential that you can provide your customers with the right Microsoft products and solutions. Their particular organisation may benefit most from the customer-controlled data access of the Office 365 Customer Lockbox, or Microsoft EM+S features that effectively control and safeguard personal data. Microsoft’s suite will help them to prepare for GDPR and it will create the opportunity for you to grow your sales.
5. What is the legal basis for processing personal data?
Under GDPR, you must have a legal basis for processing personal information. For example, where the processing is necessary to perform a contract, where an individual has consented to the processing of their data, or where the processing is in the organisation’s “legitimate interest” (assuming that interest is not outweighed by the individual’s rights).
6. What are the repercussions for companies that don’t comply with the new regulations?
Organisations should be aware that GDPR can bring huge fines for data breaches – up to four percent of annual global turnover or €20 million, whichever is greater. Therefore, the consequences of any data loss could be financially devastating for any company. After next May, organisations will have 72 hours to disclose any serious data breaches to the relevant authorities, as well as the victim of the breach. The penalty for failing to notify them of a breach will be €10 million, or two percent of revenues.
Microsoft’s Enterprise Mobility + Security (EM+S) suite stops identity or PII threats right at the front door via risk-based conditional access policies. This serves to combat the cause of most data breaches, where attackers gain corporate network access through weak, default, or stolen user credentials.
7. What is the reseller’s role in GDPR?
The new regulation provides a fantastic opportunity for IT channel partners to become experts in GDPR, advising and guiding their customers through the maze of new rules.
IDC predicts GDPR will create a $3.5 billion market opportunity for data security and storage vendors – of which the channel will take its share. IT practices may need to be overhauled, including how backup and archiving are managed so that specific data can be located and deleted, and security infrastructure will need to be updated.
The role of trusted advisor is a valued one, and so partners should see GDPR as an opportunity to strengthen and add value to their relationship with their customers.
“Clients will be relying on their providers to help them meet regulations, which is a great opportunity to build on your relationships, all while creating new business with current and potential end users.” - CompTIA.
8. What can Microsoft do for you?
Unfortunately, GDPR laws don’t come with a recommended prescription of specific data protection technologies, and there is no ‘one-size-fits-all’ solution to ensure your customers are GDPR compliant. It will take a mixture of technology, people and processes to ensure organisations tick all the right boxes.
There are numerous platforms, products and solutions on hand to help you effectively index and navigate the reams of personal data held by your customer’s organisation. Factors such as the nature of your customer’s business, the data it stores, and its own policies on storing that data will determine which features offered by Dynamics, Office 365, Azure, EM+S and Windows 10 (or a combination of these) will be best suited to that customer.
For archiving and backup capabilities, SharePoint, the indexing options provided by Windows Server, and the Advanced eDiscovery and Data Governance functions of Office 365 are just a few examples.
- Coming into effect on May 25, 2018, GDPR will bring data protection policies up to date with how companies now use personal data.
- GDPR applies to organisations that collect and process data for their own purposes, as well as to organisations that process data on behalf of others.
- GDPR includes detailed rules about what organisations must tell individuals about their processing of personal data, such as why the personal data is being processed, how long the data will be stored, and with whom the personal data will be shared.
- Under GDPR, organisations must have a legal basis for processing personal information. Those that don’t comply face huge fines in the event of data breaches, particularly if relevant authorities or affected parties are not notified in due course.
- Ultimately, GDPR provides a fantastic opportunity for IT channel partners to become experts in GDPR, guiding their customers through this regulatory maze.