A platform approach to the GDPR
The systems you use to create, store, analyse, and manage data can be spread across a wide array of IT environments: personal devices, on-premises servers, cloud services, even the Internet of Things. This means that most of your IT landscape could be subject to the requirements of the GDPR.
Your efforts to meet the GDPR’s requirements will be best served by looking at the requirements holistically and within the context of all your regulatory and legal privacy obligations. For instance, many of the security controls to prevent, detect and respond to vulnerabilities and data breaches required by the GDPR are similar to the controls expected by other data protection standards, such as the ISO 27018 cloud privacy standard.
Rather than track the controls required by individual standards or regulations on a case-by-case basis, a best practice is to identify an overall set of controls and capabilities to meet these requirements. Likewise, rather than assessing individual technologies and solutions against a comprehensive regulation such as the GDPR, taking a platform view (such as one encompassing Windows, Microsoft SQL Server, SharePoint, Exchange, Office 365, Azure and Dynamics 365) can provide a clearer path to ensure you comply not only with the GDPR, but also with other requirements important to you as well.
We recommend you begin your journey to GDPR compliance by focusing on four key steps:
- Discover: identify what personal data you have and where it resides
- Manage: govern how personal data is used and accessed
- Protect: establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
- Report: execute on data requests, report data breaches, and keep required documentation
For each of the steps, we have outlined example tools, resources and features in various Microsoft solutions that can be used to help you address the requirements of that step. While these pages are not a comprehensive “how to”, we have included links for you to find out more details, and more information is available at Microsoft.com/GDPR.
Given how much is involved, you should not wait until GDPR enforcement begins to prepare. You should review your privacy and data management practices now.
Use the Discover, Manage, Protect and Report pages for an outline of the specific elements of each component of the GDPR and ways that you can use products and services available from Microsoft today to get started.