Industry voice: Ensuring you comply with the General Data Protection Regulation can open the door to additional benefits, writes Nicholas Revell, cloud solutions architect, data platform at Microsoft
At first glance the EU General Data Protection Regulation (GDPR) presents a series of challenges, effectively raising the bar for the protection of privacy and the lawful processing of data.
But problems provide opportunities, and efforts to comply with the GDPR can yield a number of benefits for public sector organisations, going beyond data processing to the delivery of better services and outcomes.
GDPR will come into force this month, replacing the EU Data Protection Directive and bringing a series of significant changes. Firstly, its status as a regulation rather than a directive means it applies directly in every member state, demanding much more consistency in implementation, and the UK is committed to complying with it after it leaves the EU.
Secondly, it will change the balance between privacy rights and the free flow of data. People will have the right to ask for a copy of the data an organisation holds on them, to have it transferred to another provider or erased on their instruction, and to object to it being shared with or processed by other organisations.
It will introduce new rules on what constitutes the lawful processing of data. Where an organisation relies on consent, that consent must be freely given, specific, informed and unambiguous, and the obligations extend to any third party that processes the data on the organisation's behalf.
Requirements and penalties
There will be requirements for a public authority to appoint a data protection officer, to carry out data protection impact assessments before high-risk processing such as the processing of sensitive data, and to notify the supervisory authority of a personal data breach, where feasible within 72 hours of becoming aware of it. Along with all this there will be punitive penalties for organisations that fail to comply, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
These are significant challenges, but it has to be understood that they come in response to the explosion of personal data that has come with the emergence of digital technology and the internet, and amount to significant steps forward in personal privacy rights.
Organisations need to recognise the challenges, but they should also be able to identify significant opportunities. It is an area in which Microsoft has been working with clients, doing the 'heavy lifting' of bringing data together and using its technology, notably the Azure cloud platform, to realise the benefits.
Bringing the data together is an important step towards compliance with GDPR, and it creates an opportunity by making it easier to discover and classify all the personal data an organisation holds. The benefits of this go beyond more effective data management: it can ensure that employees have the key pieces of information to support an individual in need, or that the delivery of one service is aligned with another so that both work effectively. It is a key factor in the provision of better outcomes for the public.
To support this, the platform makes the identification, documentation and monitoring of ongoing processing easier, because logging, integrated authorisation and permissioning, and data classification need only be applied in one place rather than across widely distributed devices, servers, data centres and cloud services.
A product named Advanced e-Discovery provides one example, using machine learning to search across documents and unstructured data to find anything related to a specific subject. This can be an asset in searching for data that is important to a case but has not been kept within specific files or datasets.
Secondly comes the potential for tightening security. Placing the data on a single cloud platform gives administrators closer control and helps to address inadvertent or non-malicious breaches of data: it is easier to see who within an organisation is handling the data and why. The same centralisation means that access controls and audit logging have to be applied rigorously, since a single platform concentrates the data that a mistake or an attacker could expose.
It also strengthens protection against direct attacks by making advanced security capabilities available, such as encryption of data by default and the services of Microsoft's Cyber Defence Operations Centre to detect and automatically respond to threats. In addition, it lays the groundwork for data protection impact assessments and consultations with the supervisory authority, and makes it easier to establish and enforce the necessary governance measures.
Thirdly, it is possible to streamline compliance with demands beyond the GDPR. With more certifications and attestations than any other major public cloud provider, Microsoft can support an organisation in complying with any relevant standards and regulations. This includes being the first cloud provider to meet the ISO/IEC 27018 cloud privacy standard, which defines the security, cloud service and privacy requirements for public cloud providers acting as data processors, based on the EU Data Protection Directive.
It is also important to recognise that, as technology and the use of data advances, the demands of compliance with GDPR could be subject to change. Microsoft has the expertise to adapt its technology to enable organisations to keep up with evolving requirements.
The company is committed to GDPR compliance across its cloud services, and is ready to include the details in service terms of contracts with public sector customers. These include only processing data under the client’s instructions, allowing it to object to any sub-processors, assisting with subject access requests and help with risk assessments.
It can provide high quality support for a public authority in complying with GDPR, and go beyond this to grasp the opportunities. The ultimate prizes are a better data regime, better services and better outcomes for the public.
You can view Nicholas's presentation and other speaker videos here from UKAuthority Data4Good, as well as download the Data4Good briefing paper.
Image by Descrier, CC BY 2.0 through flickr