FAQ about GDPR

Q: Does the GDPR allow me to send data outside the EU?

A: It does not forbid it, but the GDPR still applies. The regulation follows the data, not the location of your company: wherever you store or process personal data of people in the EU, even outside the EU, you must comply with the GDPR. Transfers to a country outside the EU additionally need a recognised legal basis, such as an adequacy decision for that country or standard contractual clauses with the recipient.

Q: Does the GDPR also apply to internal sites, such as corporate intranets?

A: Yes. Whether you store personal information about consumers or about your own employees, you still need to adhere to the GDPR requirements.

Q: What are the GDPR requirements for classifying data?

A: The GDPR does not explicitly require data classification, but given the rights it grants to data subjects in the EU and the obligations it places on any company holding their personal data, classifying your data is practically non-negotiable. For example, companies must inform individuals about the personal data they hold on them and, where consent is the legal basis, obtain that consent before processing. Companies must also take appropriate measures to protect that data, use it only for the stated purpose, and keep it no longer than that purpose requires. There is no viable way to fulfil these obligations without cataloguing your data and knowing where every piece of personal data under GDPR jurisdiction is stored.

Q: Does GDPR require encryption?

A: Not in a prescriptive manner. The GDPR names encryption and pseudonymisation as examples of appropriate technical measures rather than mandating a specific algorithm or product, and it strongly suggests that you encrypt personal data.

Q: Has the EU developed best practices on what it means to be compliant?

A: The EU has published guidelines, but keep in mind that the GDPR is the baseline: Member States can add further requirements in certain areas. The GDPR itself is more about setting principles and giving guidance than about giving very prescriptive instructions.

Q: How does Brexit affect this?

A: Unfortunately, after Brexit the UK is no longer treated the same as an EU Member State. As a result, transferring data to the UK will no longer automatically count as compliant with EU data protection law; it will be treated as a transfer to a country outside the EU. However, the UK is working to keep its own data protection law aligned with the GDPR.

Q: Will there be an official GDPR certification?

A: Eventually, but it will not be in place until at least a few months after the GDPR takes effect. In the meantime, you can build on ISO 27001, and Microsoft offers its own gap analysis to help companies figure out how to become compliant.

Q: Do independent groups provide ratings?

A: A coalition of cloud infrastructure service providers, called CISPE, has developed its own code of conduct to help businesses get started. In December, the Cloud Security Alliance released its code of conduct, which we are evaluating. Meanwhile, we adhere to ISO 27001 and keep in touch with the EU data protection authority.

Q: Do data retention requirements take precedence over a person’s right to have their data deleted?

A: In some cases. The right to erasure has exceptions where personal data must be retained to meet a legal obligation, for example for tax or other statutory record-keeping needed to run your business. However, the idea that a company may collect personal data and then keep it indefinitely simply because it once had permission to collect it has been abolished.

Q: Is IP subject to data subject rights?

A: Yes. IP addresses were already treated as personal data under the existing EU data protection rules, but the GDPR extends the definition of personal data significantly to any information that can be linked to an identified or identifiable person. Examples include online identifiers such as IP addresses, browser history and social media activity. The GDPR also defines special categories of personal data, such as genetic and biometric data and data concerning an individual's physical or mental health, which carry additional protections.

I hope these questions get you thinking about what you can do to prepare for GDPR.