Effective May 25, 2018, the General Data Protection Regulation (GDPR) introduces new requirements about how organizations manage and protect personal data while respecting individual choice—no matter where the data is sent, processed, or stored. Take this 10-question quiz to check your knowledge about the GDPR and what it means for your organization.
1. Does the GDPR apply to my organization?
- Applies to organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where the organization itself is located
- Includes companies, government agencies, non-profits, and others
- For all sizes of organizations: small, large, and enterprise
2. Is the data my organization processes subject to the GDPR?
- GDPR regulates collection, storage, use, and sharing of “personal data”
- Includes any data related to an identified or identifiable person
- Personally Identifiable Information (PII)
- Examples of identifiers: IP address, employee information, sales data, customer data, and biometric data
3. What are the risks if we don’t comply?
- Fines can be up to 4% of annual turnover or €20 million
- Individuals (or organizations acting on their behalf) can start civil litigation
- Other organizations may only work with you if you’re compliant
4. What are the main requirements?
- Transparency, fairness, lawfulness when handling and using personal data
- Data processing minimization
- Collection and storage minimization
- Ensure accuracy of personal data
- Limit storage
- Ensure security, integrity, and confidentiality
5. What does transparency really mean?
- Organizations must tell individuals about their data processing
- Why it is processed, how long it is stored, with whom it is shared, and whether it is transferred outside the EU
- Provided in an easy-to-access, easy-to-understand format
6. What are some of the other requirements?
- Implement privacy by design and privacy by default
- Appoint a Data Protection Officer
- Institute data breach reporting
7. What are individual rights?
- Access to the personal data an organization holds about an individual
- Right to be forgotten
- Stop processing, revoke consent, and data portability
8. What kind of record keeping is required?
Organizations need to maintain detailed processing records, including:
- Purpose of processing
- Data categories processed
- Data transfers
- Security measures employed
9. What if a data breach occurs?
- Data breach includes accidental destruction, loss or alteration of personal data or unauthorized disclosure of personal data
- Obligation to notify the regulator and/or affected consumers within 72 hours
10. Can Microsoft help us meet the GDPR requirements?
- Yes! Microsoft is adding technology, documentation, capabilities, and transparency to help organizations with GDPR compliance
- Microsoft has committed to Enterprise Online services compliance by May 2018