GDPR is a European Union (EU) regulation, officially called the General Data Protection Regulation or 2016/679/EU, and is directly applicable as law in all 28 EU countries. The regulation was published in April 2016 and became effective May 25th 2018. It concerns the protection of personal data, which means:

  • any information relating to an identified or identifiable natural person, whom the regulation calls a “data subject.” A “natural person” is what the regulation calls a living human being. If you read the regulation and it says “natural person,” it means a human being, and when it talks about “data subjects,” that means the human beings whose data you have.
  • as a provider of cloud services and products such as Azure, Microsoft serves as a data processor – an entity that processes data on behalf of its customers.
  • the other party in this relationship is the controller. This is the entity that determines the purposes, conditions, and means for the processing of personal data that is carried out by a processor.

For applications hosted on Microsoft Azure, the customer organisation would usually be the controller, and the processor responsibility is shared between the customer and Microsoft.

In total, the personal data protection law of the EU consists of 99 articles. It is supplemented by a number of annotations in the form of 173 recitals (a recital can contain additional explanation of an article; the full text is available on the official EU website).

Among the many articles of the EU GDPR, only about 20% concern data controller and processor responsibilities, and ~5% are specific to securing personal data (data controller responsibilities).

Cloudneeti’s GDPR Dashboard

Cloudneeti’s GDPR dashboard focuses on two major chapters of the GDPR: the general principles, and the responsibilities of controllers, i.e. securing personal data.

All other sections essentially concern the organisation’s processes, training/preparation and response to customers’ DSRs (data subject requests), and are listed below:

  • Rights of the data subject (Art 12–23)
  • Responsibilities of the supervisory authorities (Art 85–91)
  • Transfers of personal data to third countries or international organisations (Art 44–50)
  • Processes for managing data subject requests, remedies, liabilities and penalties (Art 77–84)
  • Delegation processes (Art 92–93)

That leaves the two chapters the dashboard covers:

Chapter 2 – Principles (Articles 5–11)

  1. Article (5)(1)(f) User and privileged access rights management: To govern how personal data is used and accessed within your organisation.

Chapter 4 – Controller and processor (Articles 24–43)

  1. Article (25)(1) Data protection by design and by default: The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
  2. Article (30)(1) Data discovery and classification: To identify personal data and where it resides, categorising and tagging assets.
  3. Article (32)(1)(a) Pseudonymisation and encryption of personal data: Implement appropriate technical security measures in the product to ensure the ongoing confidentiality, integrity, and availability of personal data and processing systems.
  4. Article (32)(1)(c) Availability and access to personal data: To provide a mechanism to restore the availability of, and access to, personal data.
  5. Article (32)(1)(d) Independent review of information security: A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
  6. Article (35)(3)(c) Data protection impact assessment: To maintain auditable trails that record processing activities, retain the required documentation, and manage data subject requests and breach notifications.

Concluding Thoughts

Under GDPR, not all data requires the same level of governance; the use cases can define the differentiation. The most important consideration for organisations now is to introduce data ‘Privacy by Design & by Default’ as a foundation rather than as an add-on. Organisations should make sure that they process personal data lawfully, that it is stored and transmitted only to trusted, authorised persons and third parties, and that technical and organisational security measures are in place. Although the road to compliance is challenging, GDPR presents an excellent opportunity for businesses to build customer trust and delight by demonstrating their commitment to securing personal data.

Let us know what you think.

Disclaimer: Details provided here are for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to your organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.