Editor’s note: The following is a guest post written by Christian Buckley, Founder and CEO of CollabTalk. For more information on Christian and CollabTalk, follow Christian on Twitter: @buckleyplanet.
What is GDPR?
The General Data Protection Regulation (GDPR) was ratified by the European Union Parliament on April 14, 2016 and is scheduled to take effect on May 25, 2018. As more and more business and consumer activities move to digital, the goal of this timely new regulation is to protect EU citizens from privacy and data breaches. While these regulatory changes certainly affect companies and individuals within the EU countries, the impact will be felt globally, regardless of where companies operate. In other words, for companies based in the EU, or that have customers in the EU, these data privacy changes will most definitely have an impact.
What You Need to Know
Collaboration has become an important part of the modern workplace, providing a common platform for organizations to create and share their content and intellectual property. The typical SharePoint environment can include a number of different types of personal data that would need to be reviewed in light of the pending changes. According to the website EUGDPR.org, personal data within the jurisdiction of this new regulation is defined as:
Any information related to a natural person or “data subject”, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
The regulation does not necessarily mean that you need to remove all data that can be classified as personal, but organizations will most certainly need to understand the potential impacts and review existing systems and data. Explicit consent is required for processing of sensitive personal data, but broader “unambiguous” consent is sufficient for non-sensitive data. It is recommended that any company holding this type of personal data work closely with legal counsel to understand the right level of individual consent required for ongoing compliance – and the penalties for non-compliance.
In addition to GDPR’s expanded territorial scope, penalties, and consent requirements, the regulation establishes a number of data subject rights:
- Breach Notification. New rules around mandatory, 72-hour notification where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
- Right to Access. Individuals have a right to transparency, and can request confirmation as to whether or not personal data concerning them is being processed, in addition to where and for what purpose. This includes a copy of the personal data, free of charge, in an electronic format.
- Right to be Forgotten. Individuals can request all personal data to be removed, to cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability. In addition to receiving a copy of all personal data concerning them, individuals will receive this in a ‘commonly used and machine-readable format’ with the ability to transmit this data.
- Privacy by Design. This requirement calls for the inclusion of compliant data protection when designing systems, rather than as an addition after-the-fact.
- Data Protection Officers. Finally, the current reporting requirements to local Data Protection Authorities will be simplified. In their place, GDPR introduces new or additional internal record-keeping requirements, with DPO appointment mandatory only for those controllers and processors whose activities require regular and systematic monitoring at scale or involve special categories of data.
An important part of your own GDPR preparation will be to review your current systems, understand where there may be potential impacts, and create a readiness checklist. There are a number of great resources available to help you prepare, including the GDPR Benchmark Report and related whitepaper The Operational Impact of the European Union General Data Protection Regulation (GDPR) on IT, both available from the AvePoint team for free download. And if you have questions, there’s no better way to find answers than through the SharePoint community.
The Community Discussion
One of the best ways to learn about changes of this scope is to connect with other members of the community. On Thursday, June 29 at 9am PDT, AvePoint will be hosting a community discussion focused on “The Impacts of Data Privacy Regulation” as part of the #CollabTalk tweetjam series, a monthly Twitter-based conversation that is open to the public. The open model of the tweetjam allows anyone to join and participate, and to ask follow-up questions about the answers provided. For a targeted topic like the impact of GDPR, this can be an invaluable information-gathering tool for your business.
The questions we will discuss during the tweetjam include:
- Are companies underestimating the potential impact of the EU’s General Data Protection Regulation (GDPR) coming in 2018?
- Where should an organization start in terms of getting ready for GDPR, & what are the budget/timing implications?
- How should organizations benchmark their readiness for GDPR – and measure their progress?
- What is the role of PII within Office 365 workloads & other Microsoft solutions?
- What is Microsoft doing to help partners & customers prepare for GDPR?
- How will GDPR impact data privacy & portability, & the rate of innovation for collaboration technology?
- What practical guidance would you give organizations just starting to plan for GDPR?
The #CollabTalk tweetjam will include a hand-picked panel of experts, as well as Microsoft MVPs and community influencers, many of whom are focusing on the business impacts of GDPR and working with customers, partners, and Microsoft to develop solutions.
Among the 40+ panelists scheduled to participate in the June 29 tweetjam, we’re especially excited to include the following experts who are focused on GDPR:
- Ragnar Heil (@ragnarh), Office 365 E5 channel lead at Microsoft
- Milad Aslaner (@MiladMSFT), senior product manager, cyber security at Microsoft
- Dana Louise Simberkoff (@danalouise), chief risk, privacy and information security officer at AvePoint
- Paul Hunt (@cimares), Microsoft MVP and SharePoint solutions architect at Trustmarque Solutions
- Ant Clay (@soulsailor), founder of Soulsailor consulting Ltd.
- Ben Robb (@benrobb), SharePoint MVP and senior manager at Deloitte
- John Timney (@jtimney), transformation Enterprise Architect at Hewlett Packard Enterprise
- Andrew Woodward (@andrewwoody), enterprise architect at Zurich Insurance company Ltd.
- Dux Raymond Sy (@meetdux), Microsoft Regional Director, SharePoint MVP, and CMO of AvePoint
If you are interested in joining the community discussion on June 29 at 9am PDT, simply follow along using your Twitter platform of choice and the #CollabTalk hashtag, or you can join us through the dedicated tweetjam site at http://twubs.com/CollabTalk.
Find Out More
For more information on GDPR, there are a number of different resources available to you:
- Final version of GDPR legislation (PDF)
- GDPR Benchmark Report (AvePoint) with whitepaper and blog series
- EU GDPR Portal
- European Digital Rights (EDRi) key issues explained
- Norton Rose Fulbright GDPR checklist
- Full community panel for June 29 tweetjam (CollabTalk)
Christian Buckley has worked with SharePoint since 2005, and has been an Office Servers and Services MVP since January 2012. He is the Founder & CEO of CollabTalk LLC, an independent research and technical marketing services company that works extensively within the Microsoft ecosystem. Christian is a 6-time author on SharePoint and software configuration management topics, holds a BA in Marketing and MBA in Technology Management, and is a globally-recognized collaboration and social technology expert. He can be found at www.buckleyplanet.com and @buckleyplanet.