Have questions on GDPR? We have the answers for you in a weekly series. In this blog, learn how your organization is impacted.
The new law, which has an effective date of May 25, 2018, requires organizations to introduce protections to secure the data of European Union (EU) consumers and protect their privacy.
The General Data Protection Regulation (GDPR) is relevant to all organizations that collect and store personal data on EU individuals such as health data, email addresses, photographs, biometrics, national identity numbers; essentially any information about an individual that is collected or stored in such a way that it can be tied back to that individual.
While much of the focus on GDPR has been on organizations with a presence in Europe, organizations based outside of the EU may be governed by GDPR if they store the personal data of, monitor the behavior of, or offer goods or services to EU individuals, whether free or paid – regardless of whether these individuals are customers, employees, partners, or suppliers.
Is your organization impacted?
To answer this question, you will need to understand the potential impact of GDPR on your business and should assess the potential risk.
All US-based companies, with or without a physical presence in the EU, and especially those with a strong internet presence, should assess whether their business activity falls within Article 3 of GDPR.
Beyond understanding your compliance risk, protecting personal data and other sensitive content that’s relevant to your compliance goals is key. For example, data stored in Office 365 can be discovered, identified, classified, and protected using Microsoft technologies such as Azure Information Protection (AIP) and Microsoft Cloud App Security (MCAS).
To determine your company's readiness to comply with GDPR, Microsoft provides a GDPR compliance assessment to help you get started. Learn more about the GDPR Assessment here.
Consequences of Non-Compliance with GDPR
A report by Gartner predicted that more than 50 percent of companies within the scope of GDPR will not be compliant by the end of 2018.
Penalties and fines, calculated on the company's global annual turnover for the preceding financial year, can reach up to four percent or €20 million (whichever is greater) for non-compliance with the GDPR, and two percent or €10 million (whichever is greater) for less serious infringements such as failing to report a breach to a data regulator within 72 hours.