The new EU regulation 679/2016 (GDPR – of its abbreviations in English General Data Protection Regulation) has been created to regulate the protection of the privacy of the personal data of the European citizens.
From next May, this control and protection scheme will come into force, which will establish the responsibilities of organizations that: (1) request data (responsible for processing); (2) they house and process data (in charge of the treatment) also protecting the rights of the subjects.
No matter where the organizations are located, if the subjects are citizens of the EU, the regulation is mandatory, implying in this way a proactive responsibility:
- Be always prepared to request personal data from interested parties;
- Have clearly documented their use;
- Have a government of data of consensual management and the exercise of rights active ;
- Protect data with solid measures and oriented to the privacy of information.
All these requirements make organizations adopt management , audit and data lineage solutions in their internal processes , as well as systems to facilitate communication with stakeholders, in a secure manner.
All these solutions require investments that, if they are not made, can reduce the innovative capacity of the organizations, apart from the usual sanctions.
The new data governance
The adoption of BigData solutions and the unstoppable growth of artificial intelligence applied to data are trends that have made it possible to know users and customers much better. But these new opportunities also involve responsibilities, and GDPR compliance will require more advanced data governance solutions:
- The protection and prevention of unauthorized access with security, encryption and auditing solutions, where Microsoft already plays a very important role through its Cybersecurity offers ;
- The ability to react quickly in the event of a security incident with Incident Response (IR) solutions . As an example, remember that, if the security incident affects the privacy of personal data, it must be notified to the authority within a maximum period of 72 hours.
In the document Data governance for GDPR compliance: principles, processes and practices , all the actions and steps for the elaboration of a data governance according to the GDPR regulations are detailed.
Protecting from the design of the system and in the operation
The regulation also includes two mandatory requirements for organizations:
- Data protection from design and default . From Microsoft we always recommend incorporating security experts in all projects, through Secure Development Lifecycle (SDL) solutions ;
- Security in the treatment of data . Where through our Digital Advisory programs we help CDOs and Compliance and Security officers to define the responsibility in the treatment of data with guarantees and to use the tools for making decisions based on cost, complexity and risk analysis.
Optimizing the life cycle: the delegate of data protection and the processing cycle
Once the phases of 1) discovery of personal data, 2) definition of the data governance model and 3) implementation of security capabilities, you will implement measures and processes of operation and support of the organization, among others:
- Designation of DPD (Delegate of Data Protection): the role may be non-dedicated and in some cases external personnel who perform the function of coordinating compliance and dialogue with the regulatory authority;
- Continuous process of attention to the interested ones, as much for activities that have to do with the consent, as with the claim of rights, through solutions that combine the artificial intelligence and the personal assistants in CRM solutions;
- Active training in new tools and processes for all personnel in data management through training workshops;
- Impact evaluations when new technologies are introduced and / or notable changes are made in the treatment of data through offers of security control and architecture review;
- Detection of security breaches (to communicate to the authority in 72h), Incident Response already mentioned before;
- Coordination of data transfer to third countries or international organizations.
Transform the compliance challenge into an opportunity for improvement
All organizations that have to face compliance with the new regulation should see it as an opportunity to transmit a message of trust to customers, business partners and shareholders.
The “proactive responsibility” approach allows to assume the protection of personal data as a superior objective. Therefore, ICT and business processes must respect the principle of minimum risk for the privacy of the data of the users with whom there is a relationship. An efficient data governance will ensure that our organization always knows what data we have, its typology and the use that is being given to them, and in this way protect their privacy more adequately.
In addition, integration with other regulatory frameworks and market standards can benefit from compliance with GDPR, in particular new regulations such as: (1) the new EU PSD 2 framework (2015/2366) for payment services or ( 2) the usual standards in IT security: ISO 27001 (“Information Security Management Systems”), ISO 31000 (“Risk Management”) or ISO 22301 (“Business Continuity”) all have a link special in the new regulation.
How to organize my route to compliance?
In order to simplify the management of compliance with GDPR, Microsoft proposes to customers to address four phases that, as a company, we have followed ourselves and that are more detailed in the document Accelerate your GDPR compliance with the Microsoft Cloud :
The document covers both scenarios with Microsoft cloud technology and on-premise or hybrid environments.
The objective of the first phase, discovery , is to identify the personal data and where they reside. In this phase, the fundamental thing is to take advantage of the technologies that facilitate us, locate personal information and classify it, so that technology becomes a facilitator of compliance. Our Office 365 solution already provides a security and regulatory compliance console that allows this phase to be carried out.
In the second phase, management , the objective is to have governance of personal information within the organization. Once the personal data have been inventoried, it is necessary to establish the controls and policies that are applied according to the content. Once again, the solutions based on Microsoft’s Artificial Intelligence allow us to automate many of the procedures that must be done on the data. This management must also be transparent.
The objective of the third phase, to protect , is to establish the necessary security controls to prevent, detect and respond to vulnerabilities and security breaches (either by unauthorized access or alteration of these). This phase is the closest to all information security professionals. Microsoft already has a complete suite to protect data in Office 365, as well as in Azure and offers to protect the information in those on-premise infrastructures.
Finally, we have the fourth phase, report , whose objective is to maintain the necessary documentation that allows us to comply with data requests, report security gaps and provide the necessary evidence to facilitate the review of security processes.
Why Microsoft Services?
The international organization of Microsoft for Professional Services is specially prepared to help its clients in the different challenges they will face on their way to total regulatory compliance.
We have specialized personnel in the management and delivery of consulting projects that may include, among others, activities such as the following:
- Conducting workshops on ” Discovery and creation of GDPR plans “
- Consulting projects to build or update your ” Data Government “
- Accompaniment from support services to its secure development life cycle ” Secure Development LifeCycle (SDL) ” (” Default security ” command ).
- Architecture or consulting projects to reinforce and / or adjust the security measures related to personal data, integrating existing systems of services in the Microsoft cloud, as on-premise.
- Cloud adoption services in a secure manner, combining agility and speed to meet business needs, complying with privacy and security requirements through our “Security Control Framework” (SCF) offer
- Through the design and adaptation of our CRM Dynamics 365 platform to be able to respond to the complete (traceable) cycle of the exercise of rights by stakeholders.
- The ” Digital Advisory ” (DAS) programs in the ICT government, thanks to which you can benefit from our experience in other organizations and countries, and collaboratively learn from our best practices in the implementation of associated technology projects.