Understanding Key Changes to How Companies Handle Data Under GDPR

The new European privacy law known as General Data Protection Regulation (GDPR) will take effect on May 25, 2018. GDPR will apply to any organization that handles EU residents’ data, regardless of where that entity operates. The law aims to better protect personal data by enforcing stricter regulations on how companies collect, store, use and share personal information.

The new law will have stricter penalties for non-compliance than previous legislation. This means companies must establish better controls to prevent, detect and respond to security vulnerabilities, as well as provide thorough records of security processes.

Key Changes to Know

While there are a number of changes companies will have to make in order to ensure compliance, Microsoft has outlined several key areas of importance:

Individuals have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data
  • Risk and compliance assessor

Organizations will need to:

  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data
  • Keep records detailing data processing
  • Risk and compliance assessor

Organizations are required to:

  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies
  • Risk and compliance assessor

Organizations will need to:

  • Train privacy personnel and employees
  • Audit and update data policies
  • Employ a Data Protection Officer (if required)
  • Create and manage compliant vendor contracts


Interested in learning more about how you can get GDPR-ready? Get started today with a free preliminary assessment.