Prepare for change: The 11-Step Checklist to complete GDPR Compliance
Microsoft and Tech Data can help your customer’s organisation secure watertight GDPR compliance.
The introduction of the General Data Protection Regulation (GDPR) on 25 May 2018 will usher in a new era of data management, giving EU citizens more control over their data and introducing more substantial fines for any breaches.
Complying with the GDPR is a business-wide challenge, and one that will be made significantly easier by having a well-architected cloud services model and an effective data governance programme in place.
Organisations that suffer a data breach can incur a fine of up to 4% of their annual global turnover, or €20 million, whichever is greater. After next May, failure to disclose any serious data breach to the relevant authorities, and to the victims of the breach, can result in a €10 million fine, or 2% of their revenues.
The GDPR may require significant changes to operations to ensure organisations are compliant, so it is essential your customers don’t leave it until the last minute. With that in mind, Tech Data and Microsoft have compiled this checklist, based on the recommendations of the Information Commissioner’s Office (ICO), that you should take your customers through.
1. Raise their awareness
You should make sure that decision-makers and key people in your customers’ organisations are aware that data protection law is changing with the GDPR. They need to appreciate the impact this will have on their business in the future.
2. Assess the information they hold
Your customers should document what personal data they hold, where it came from, and who they share it with. You may need them to organise an information audit.
3. Observe privacy information and individual rights
Your customers should review their current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Your customers, regardless of the size of their business, should review their procedures to ensure the organisation covers all the rights individuals have with regard to their own data, including how best to delete personal data held both electronically and in other commonly used formats.
The main rights an individual has under the GDPR are:
- Subject access (the right to obtain a copy of the data held about them).
- To have inaccuracies corrected.
- To have information erased.
- To prevent direct marketing.
- To prevent automated decision-making and profiling.
- Data portability.
4. Know about subject access requests
Your customers should update their procedures and plan how they will handle requests within the new timescales and provide any additional information required. The GDPR will normally not allow them to charge for complying with a request, and compliance with these requests should be achieved within 30 days.
5. Legal coverage
When it comes to processing personal data, your customer needs to look at the various types of data processing it is carrying out, identify the legal basis for doing so and document it.
If your customer operates in more than one EU country, they will need to determine and declare which data protection supervisory authority they are operating under.
6. Request consent
You should also advise customers to review how they seek, obtain, and record consent. Consent needs to be explicit and not inferred from silence, inactivity, or pre-ticked boxes.
Start thinking now about putting systems in place to verify individuals’ ages and to gather consent (parental or otherwise) for the data processing activity. In the UK, the ICO considers children to be anyone under 13 years old.
7. Prevent data breaches
It is crucial your customers have the right procedures in place to detect, report and investigate a personal data breach if they wish to avoid hefty fines and long-term reputational damage. Products such as Microsoft’s Enterprise Mobility + Security suite can help to put the right security measures in place.
8. Data protection by design, and data protection impact assessments
Firms should familiarise themselves now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in their organisation.
9. Assign data protection officers
Some organisations and public bodies will require a data protection officer (DPO) who will take responsibility for data protection compliance.
Your customers must designate a Data Protection Officer (DPO) if they are a public authority, an organisation that carries out the regular and systematic monitoring of individuals on a large scale, or an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
The organisations in question will need to assess where this role will sit within their structure and governance arrangements.
10. Partner up with the right software vendor
If your customers want to secure watertight compliance with the GDPR, it is essential that the solutions you sell them come from the right software vendor. Sourcing your solutions from a principled, trustworthy vendor that applies due diligence to the areas of privacy, security, compliance, and transparency – and the legislative or regulatory measures around them – is crucial.
When it comes to helping your customers comply successfully with the GDPR, you can count on Tech Data and Microsoft’s extensive partner ecosystem. Microsoft has a long history of delivering cloud services that you and your customers can trust.
Microsoft Cloud App Security – a component of the Enterprise Mobility + Security suite – provides deeper visibility using risk assessments and analytics, as well as comprehensive controls and improved protection for all data your customers choose to store in the cloud.
11. Invest in the right technologies
Microsoft products and services – such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, and Windows 10 – have solutions available today to help your customers to detect and assess security threats and breaches.
This is of particular importance when it comes to meeting the GDPR’s breach notification obligations and avoiding the reputational and financial damage these occurrences will inevitably bring to their business.
- The forthcoming regulations will give EU citizens more control over their data and introduce more substantial fines for any breaches.
- Depending on the model of an organisation or business, remaining compliant with GDPR may require significant operational changes.
- When it comes to adapting, neither vendors nor customers can afford to leave everything to the last minute.
- Microsoft’s range of services, solutions, and compliance portfolio will stand you in good stead when securing your customer’s environment for complete adherence to the GDPR.