GDPR
What is the GDPR?
The GDPR gives individuals (data subjects) rights over the personal data that organizations collect about them. Individuals exercise these rights through Data Subject Requests (DSRs). Organizations must respond to DSRs and report personal data breaches within the deadlines the regulation sets, and must perform Data Protection Impact Assessments (DPIAs) for high-risk processing.
Several things should be considered when implementing or assessing GDPR requirements:
- Develop or evaluate your privacy policy for GDPR compliance.
- Assess your organization's data security.
- Identify who acts as your data controller.
- Identify which data security processes need to be implemented.
A suggested action plan for the GDPR and an accountability readiness checklist may prompt additional considerations.
The following tasks are central to meeting GDPR requirements. Follow the links in the list for implementation details.
- Data Subject Requests (DSRs). A formal request made by a data subject to a controller to take action on their personal data (for example, to access, correct, restrict processing of, or erase it).
- Breach Notification. Under the GDPR, a personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." The controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- Data Protection Impact Assessments. The GDPR requires data controllers to carry out a Data Protection Impact Assessment (DPIA) before starting processing operations that are "likely to result in a high risk to the rights and freedoms of natural persons."
As noted above, the suggested action plan and accountability readiness checklist for the GDPR provide guidance for implementing or assessing GDPR compliance when using Microsoft products and services.