Q: Does the GDPR permit me to send data beyond the EU?
A: GDPR applies globally, so regardless of where your company stores or processes personal information about EU citizens, it needs to comply with GDPR guidelines.
Q: Does GDPR connect with internal sites, for example corporate intranets, too?
A: Yes. Whether you’re storing data about consumers or employees, you should still adhere to GDPR guidelines.
Q: What are the GDPR requirements around classifying data?
A: GDPR doesn’t explicitly require data classification, but because of the rights it grants to EU citizens, as well as the obligations it places on the company storing a citizen’s personal information, classifying data is practically non-negotiable. For example, companies must inform individuals about all of the personal data they have on file, and must obtain their consent before processing it. Companies must ensure that they’re taking appropriate measures to guard that data, and must store it only for the purpose and length of time for which the individual gave consent. So there’s really no feasible way to meet these requirements and responsibilities without cataloging your data and knowing the location of any personal information that falls under GDPR jurisdiction.
Q: Does GDPR require encryption?
A: Not in a prescriptive manner. Instead, it offers you guidelines and strongly encourages you to encrypt.
Q: Has the EU established any guidance about what it means to be compliant?
A: The EU has published guidelines, but understand that GDPR is only the baseline; each country has the authority to add additional requirements. And GDPR is much more about providing you guidance than about providing highly prescriptive instructions.
Q: How does Brexit impact this?
A: Unfortunately, the UK is not considered to be on the same level as the EU member countries. As such, the UK is not considered adequate with regard to data protection laws. However, the UK is doing its part to adhere to GDPR.
Q: Will there be an official GDPR certification?
A: Eventually, but it won’t be completed until around a couple of months after GDPR is implemented. In the meantime, you can build on top of ISO 27001, and Microsoft offers its own GEP analysis to help companies understand how to become compliant.
Q: Are any independent groups giving assessments?
A: A coalition of cloud infrastructure providers, called CISPE, is rolling out its own code of conduct that’s intended to help companies get started. In December, the Cloud Security Alliance released its code of conduct, which we’re evaluating. In the meantime, we’re sticking with ISO 27001 and remaining in contact with the EU’s Data Protection Authority.
Q: Do data retention requirements override an individual’s right to have their data deleted?
A: Yes, there are several exceptions where personal information must be kept for tax or legal reasons related to running your company. However, the whole notion of companies having carte blanche to gather and keep data is done away with.
Q: Is IP in scope for data subject rights?
A: Yes. In fact, IP is already within scope under the EU’s existing DPA regulations, but GDPR significantly broadens the definition of personal information to include any information that may be connected with an identifiable person. Examples include browser history and social media activity. It also makes special provisions for information related to a person’s mental and physical health, for instance genetic and biometric data.
I hope these questions get you thinking about what you can do to get ready for GDPR.