Q: Does the GDPR allow me to send data outside the EU?
A: GDPR applies globally, so no matter where your company stores or processes personal data, even within the EU, it must comply with GDPR guidelines.
Q: Does GDPR apply to internal sites, such as corporate intranets, as well?
A: Yes. Whether you're storing personal data about consumers or employees, you must still abide by GDPR guidelines.
Q: What are the GDPR requirements around classifying data?
A: GDPR does not explicitly require data classification, but given the rights that it grants to EU citizens, and the requirements placed on any company storing a citizen's personal data, classifying data is practically non-negotiable. For example, companies must inform individuals about all of the personal data that they have on file, and must get their consent before processing it. Companies must also ensure that they are taking appropriate measures to protect that data, and can only store it for the prescribed purpose and period of time for which an individual gave their consent. So there's really no feasible way to abide by these requirements and responsibilities without cataloging your data and knowing the location of any personal data that falls under GDPR jurisdiction.
Q: Does GDPR require encryption?
A: Not in a prescriptive manner. Instead, it gives you guidelines and strongly suggests that you encrypt.
Q: Has the EU established any best practices about what it means to be compliant?
A: The EU has published guidelines, but keep in mind that GDPR is just the baseline; each country has the authority to include additional requirements. And GDPR is more about giving you guidance than providing highly prescriptive instructions.
Q: How does Brexit affect this?
A: Unfortunately, the UK is no longer considered to be on the same level as the EU member countries. As such, the UK will no longer be considered adequate in abiding by terms of data protection laws. However, the UK is doing its part to comply with GDPR.
Q: Will there be an official GDPR certification?
A: Eventually, but it will not be completed for at least a couple of months after GDPR is implemented. In the meantime, you can build on top of ISO 27001, and Microsoft has its own gap analysis to help companies figure out how to get compliant.
Q: Are any independent groups giving assessments?
A: A coalition of cloud infrastructure service providers, called CISPE, has developed its own code of conduct that's intended to help companies get started. In December, the Cloud Security Alliance released its code of conduct, which we are evaluating. In the meantime, we are sticking with ISO 27001 and staying in contact with the EU's Data Protection Authority.
Q: Do data retention requirements override an individual's right to have their data deleted?
A: Yes, there are a few exceptions where personal data must be kept for tax or legal reasons to run your business. However, the whole notion of companies having carte blanche permission to collect and keep data has been done away with.
Q: Is IP in scope for data subject rights?
A: Yes. In fact, IP is in scope with the EU's existing DPA regulations, but GDPR significantly broadens the definition of personal data to include any information that can be connected with a known person. Examples include browser history and social media activity. It also makes special provisions for information related to an individual's physical and mental health, such as genetic and biometric data.
I hope these questions get you thinking about what you can do to prepare for GDPR.