
What You Need to Know About the EU General Data Protection Regulation


In this Ask the Admin, I will provide guidance on what you need to know about the new regulation.


All companies that process the personal data of EU data subjects, even those not located in the EU, will need to comply with the EU General Data Protection Regulation (GDPR) from May 25, 2018. Fines for noncompliance can be up to 4 percent of annual worldwide turnover or 20 million euros, whichever is higher. It is impossible to cover all the intricacies of GDPR in one article, so this one goes over the basics.

Data Subjects, Controllers, and Processors

The GDPR differs from the legislation it replaces in its reach: organizations must comply even if the data controller and the data processor are located outside the EU, because what matters is the location of the data subject. A data subject is the identified or identifiable natural person to whom the personal data relates. A data controller determines the purposes and means of processing; a data processor processes personal data on the controller's behalf. Processing covers almost anything done with the data, including collection, storage, organization, alteration, retrieval, disclosure, and erasure.

Like most regulatory codes that involve protecting personally identifiable information (PII), the GDPR probably does not require you to do anything that is not already considered a best practice. But considering how many organizations turn a blind eye to even the most basic security principles, it may be time to change IT operations and business practices, especially if the new rules apply to you.

Data Protection By Design and By Default

GDPR does not contain a checklist of technical requirements that organizations must meet. Instead, it contains a set of principles. The first of these is to implement appropriate technical controls and organizational measures so that data protection is by design and by default. Security cannot be an afterthought or something that is bolted on as an extra. Doing security after an app or system has reached production is not only much harder but also less effective than factoring it in from the beginning.

State of the Art

This principle is left open to interpretation. It is safe to assume that organizations are expected to adopt current technologies and best practices when securing data. For example, experts have long acknowledged that antimalware and endpoint firewalls alone are not enough to protect servers and end-user devices; measures such as application control and removal of administrative privileges are key to reducing the attack surface. Because the threat landscape evolves constantly, organizations need to review their security measures and procedures regularly.

Keeping Track of Data

Data processing must be auditable: you need to know who did what, and when. Personal data breaches must be reported to the supervisory authority (DPA) within 72 hours of the organization becoming aware of them, and affected data subjects must be told without undue delay when the breach is likely to put them at high risk. The IT department needs to be able to identify where PII is located so that it can be accessed, corrected, exported, and destroyed on request: data subjects have the right to obtain a copy of the data held about them, and to receive it in a structured, commonly used, machine-readable format. Organizations must also ensure that backup and disaster recovery procedures are in place and have been tested, since the regulation expects the ability to restore access to personal data in a timely manner after an incident.
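The three IT obligations in the paragraph above (know where a subject's data lives, be able to export or erase it on request, and keep an audit trail of who did what and when) fit together naturally in code. The following is an added illustration written for this article, not code from the original page or from any product. The data stores, subject IDs and field names are constructed sample data; the hash-chained audit log is one way to make "who did what and when" tamper-evident, and is an assumption about how you might implement it, not something the regulation prescribes.

```python
"""Toy PII inventory: locate, export and erase a data subject, with a
hash-chained audit trail. Added example; all data below is constructed."""
import copy
import hashlib
import json
from datetime import datetime, timezone


def make_stores():
    """Constructed sample 'systems', each mapping subject id -> record.
    Hypothetical names and fields, not a real product's schema."""
    return copy.deepcopy({
        "crm": {"u-1001": {"name": "Ada Example", "email": "ada@example.org"},
                "u-1002": {"name": "Bo Example", "email": "bo@example.org"}},
        "billing": {"u-1001": {"iban": "DE00 0000 0000 0000 0000 00", "invoices": 3}},
        "helpdesk": {"u-1001": {"tickets": ["T-7", "T-12"]}},
    })


class AuditLog:
    """Append-only log; each entry commits to the previous one via SHA-256,
    so editing or deleting an earlier entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor, action, subject_id, detail, when=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor, "action": action, "subject": subject_id,
            "detail": detail, "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True if every entry's hash and back-pointer are intact."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def locate(subject_id, stores):
    """Names of every store holding data on the subject (the 'data map')."""
    return sorted(name for name, data in stores.items() if subject_id in data)


def export_subject(subject_id, actor, log, stores):
    """Subject access request: machine-readable (JSON) export of all data held."""
    bundle = {name: stores[name][subject_id] for name in locate(subject_id, stores)}
    log.record(actor, "export", subject_id, {"stores": list(bundle)})
    return json.dumps(bundle, sort_keys=True, indent=2)


def erase_subject(subject_id, actor, log, stores):
    """Erasure request: remove the subject from every store and log it."""
    removed = []
    for name in locate(subject_id, stores):
        del stores[name][subject_id]
        removed.append(name)
    log.record(actor, "erase", subject_id, {"stores": removed})
    return removed


if __name__ == "__main__":
    stores, log = make_stores(), AuditLog()
    print("u-1001 is held in:", locate("u-1001", stores))
    print(export_subject("u-1001", "dpo@example.org", log, stores))
    print("erased from:", erase_subject("u-1001", "dpo@example.org", log, stores))
    print("still held in:", locate("u-1001", stores))
    print("audit trail intact:", log.verify())
```

In a real deployment the inventory would be maintained as a data map rather than a literal dict, erasure would be subject to retention obligations that override the request, and the audit log would be written somewhere the people performing the actions cannot modify; the chain only detects tampering, it does not prevent it.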

Data Protection Officer

Public authorities must appoint a Data Protection Officer (DPO) to monitor compliance, and so must any organization whose core activities involve large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data or of data relating to criminal convictions. For other organizations a DPO is optional but recommended. Whoever is appointed must have expert knowledge of data protection law and practice, and must be able to carry out the role independently.

In this article, I outlined the basic requirements set out by the EU GDPR. For more detailed information, see Reform of EU data protection rules.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.