How resellers can manage customer expectation under GDPR
Address customer concerns surrounding individual data rights, with help from Tech Data and Microsoft.
On May 25, 2018, the new EU General Data Protection Regulation (GDPR) will come into force, overhauling the way your customer’s organisation handles customer and other personal data.
People-centric data management
The purpose of GDPR is to shift control of personal data back to the owner of that data by providing EU citizens with a set of ‘data subject’ rights.
This includes the right to:
- Access readily-available information in plain language about how personal data is used.
- Access personal data.
- Have incorrect personal data deleted or corrected.
- Have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”).
- Restrict or object to processing of personal data.
- Receive a copy of personal data.
- Object to processing of data for specific uses, such as marketing or profiling.
Collating data with context
Probably the greatest burden GDPR places on data management for your customers will be the ‘right to be forgotten’ – or, put another way, the ‘ability to be found’ – which will require organisations to have access not only to the data itself, but also to the context associated with that data throughout the environment.
Office 365 Advanced eDiscovery can help you identify documents by subject or situational context using machine learning, and Office 365’s DLP function can identify over 80 different types of sensitive data.
GDPR throws a spotlight on data, answering the following for your customers:
- Where is it located?
- Who is the actual author?
- Is it personal information?
- Where is every version stored?
- Who has access to the data?
- Who is the subject?
- With which departments is this individual associated?
- Is the content sensitive?
- Where is every piece of data relating to this person?
More severe sanctions and requirements of consent
Your customers will need to be able to answer these questions, and non-compliance in the event of a data breach can lead to huge fines – up to 4% of an organisation’s annual revenue or €20 million, whichever is greater.
The Microsoft cloud is specifically built to help you understand risks and to defend against them. But how Tech Data and Microsoft establish a secure cloud infrastructure is only part of a comprehensive security solution. Our entire product range – across Azure, Dynamics, and Office 365 – has security features to help keep customer data secure, both in the cloud and on premises.
If your customers fail to ask for explicit consent, giving accurate details of what is being taken and how it will be shared, they can be held to account. In addition, organisations will have 72 hours to disclose any serious data breaches to the relevant authorities – in the UK it’s the Information Commissioner’s Office (ICO) - as well as the victim of the breach. The penalty for failing to notify them will be €10 million, or two percent of revenues.
Products or processes?
For partners, the initial hurdle will be to make customers aware of the coming changes and to alert them to the fact that they may themselves be considered responsible for what happens in their data centre or cloud storage systems. However, you can help your customers navigate these new data protection rules and ensure they are compliant in the run-up to the May 2018 deadline.
GDPR doesn’t prescribe specific data protection technologies, only the processes that organisations should undertake. So, while the data storage, security and other solutions you choose to adopt from the Microsoft suite will be paramount to ensuring data protection under GDPR – and should be a discussion point with the customer – remember, this isn’t just a technology conversation. It is about building security policies and processes that keep data protected and keep the organisation compliant.
Conduct a data audit
As a first step, you should conduct an audit of your customers’ existing data processing activities, assess the risk of non-compliance, and work to fill any gaps. As GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability, it is also a good idea to review contracts and other arrangements your customers have in place when sharing data with other organisations.
Ultimately, you should ensure customers are documenting everything they have done at a technical and policy level to show due diligence for GDPR. There are lots of resources available that can help, including the UK’s National Cyber Security Centre (NCSC), which has a number of 10-step programmes that offer a basic checklist of areas that should be covered.
Despite the imposing fines for non-compliance, you should position the forthcoming regulations as an opportunity for your customers. Allow them to reassess and update their data protection, record-keeping, disaster recovery and backup policies, and ensure they are in the strongest possible position with their customers moving forward.
- The purpose of GDPR is to shift control of personal data back to the owner of that data by providing EU citizens with a set of ‘data subject’ rights.
- In terms of data management, the most significant change GDPR will bring is the requirement for organisations to have access not only to the data, but the context associated with data throughout the environment.
- If an organisation fails to ask for explicit consent, giving accurate details of what is being taken and how it will be shared, they can be held to account.
- Ultimately, the forthcoming regulations present an opportunity for your customers, allowing them to reassess and update their data protection policies.