The European Union (EU) and its commission ratified the final version of the General Data Protection Regulation (GDPR) on April 14, 2016. The new EU GDPR regulation has been characterized as the most sweeping and impactful change to privacy and data protection law in history. GDPR goes into effect on May 25, 2018, with broad-reaching implications for EU-based organizations and multinationals around the globe. It is critical to note that the EU GDPR imposes new rules on organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where those organizations are located. This means that US-based healthcare covered entities and organizations defined as controllers or processors of an EU citizen's or resident's healthcare data will be directly affected by GDPR and must be prepared to meet these regulatory requirements.
The General Data Protection Regulation (GDPR) sets a new bar for privacy rights, security, and compliance, which will be enforced through heavy penalties. Microsoft has made the commitment that all its online services will be GDPR compliant and backed by contract, providing assurance that customers' personal information is protected and handled in compliance with the regulation. With privacy by design as a core guiding principle, Microsoft provides a comprehensive set of software services to enable customers to meet their GDPR requirements. Microsoft recognizes that end-to-end compliance is required and must be implemented as a holistic process across the organization, including (and beginning with) the protection of endpoints. Windows 10 enables organizations to begin their GDPR compliance journey.
General Data Protection Regulation (GDPR) Focus: Data Protection and Security – Not Technology
Like the HIPAA regulations, EU GDPR makes no direct reference to technical or technology requirements. GDPR does require organizations to build a holistic and structured approach to data protection and overall security. More specifically, GDPR states the following:
(Art. 24.1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
(Art. 24.2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
(Art. 28.1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Microsoft GDPR Readiness and Assessment Tool
Microsoft began its GDPR preparation in 2016 and has published a GDPR readiness and assessment tool that can be accessed at https://www.gdprbenchmark.com/.
Microsoft Windows 10 supports an organization's GDPR security and privacy requirements with its cloud-enabled security stack, which includes device protection, identity protection and management, information protection, threat detection and protection, and security management and operations. For example, beginning with the Windows 10 Anniversary Edition, Microsoft includes the Windows Information Protection (WIP) component, which provides integrated protection against accidental data leaks. With WIP, Windows 10:
• Protects data at rest locally and on removable storage
• Enables corporate versus end user data to be identified wherever it rests on the device with the ability to wipe that data
• Provides a common experience across all Windows 10 devices, prevents unauthorized apps from accessing business data, and prevents users from leaking data through copy-and-paste protection
• Enables seamless integration into the Microsoft cloud platform
Going forward, Microsoft's and HIPAA One's Windows 10 HIPAA compliance whitepaper will be expanded and updated with additional detail.
More GDPR readiness resources are provided in the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/resources.
These resources will be continuously updated and augmented so that you can fully comply with the new data protection law.