Q&A: How is Microsoft preparing for the GDPR deadline?
With less than a month until the GDPR compliance deadline is upon us, companies more than ever need to ensure that they deal with data securely in the face of increasingly demanding regulatory requirements.
Speaking to Mike Yeh, Microsoft’s Assistant General Counsel of Corporate External and Legal Affairs for MEA, we find out how Microsoft is preparing for the GDPR deadline, and how recent data scandals have changed the way the US tech giant looks at the way it deals with data.
Is effective data management becoming paramount in the wake of significant data breaches, such as those experienced by Yahoo and Equifax?
Yes. Microsoft recognises the increasing importance of data to every business and to each individual and is committed to the privacy and security of our customers’ data. We believe that the digital information our customers create and store using our cloud services is and remains the property of the customer. Users will always have complete visibility into where their data is located and how it’s managed.
Having released the company’s findings in Microsoft’s GDPR Compliance Report, what is the general consensus about the GDPR readiness of EU companies?
The new GDPR is the most significant change to European Union privacy law in two decades and is likely to become a global baseline for data protection. While many companies are taking steps now to ensure compliance by 25 May 2018, when the law comes into effect, some companies, particularly those outside of Europe, will likely not be ready. Microsoft is committing to be GDPR compliant across our cloud services when enforcement begins on 25 May, and we are committed to our principles of cloud trust – security, privacy, transparency and compliance.
Would you say companies have underestimated the requirements for meeting GDPR effectively?
Yes, especially companies outside of Europe that offer goods and services to people in the EU or that collect data tied to EU residents. Some companies don’t realise the GDPR can apply to companies outside of Europe and others don’t think it will be enforced against companies outside of Europe. Given expectations that GDPR will become a global baseline for data protection, GDPR compliance should be prioritised by all companies.
Aside from the obvious regulatory need for GDPR compliance, are organisations able to turn their improved data management into a beneficial asset in other ways?
For African and Middle East businesses looking to do business with the European Union, non-compliance could mean non-business. If businesses are to remain relevant in today’s market, digital transformation coupled with data protection must exist at the heart of their business models. Cloud services can help companies implement a modern data governance structure to understand when they are handling personal data and manage such data more efficiently and effectively across their organisation.
Given the size of the European market and the increasingly global nature of business, companies that are using GDPR compliance as a milestone to drive business transformation will emerge with a significant advantage. While future technologies will empower people to seamlessly collaborate and access information, anywhere and across any device and tap into artificial intelligence (AI) and machine learning to stay a step ahead of customer needs and competitive threats, the ability to deliver such solutions in compliance with GDPR will help build customer and consumer trust.
How has Microsoft itself prepared for GDPR?
Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations, and currently complies with both EU-US Privacy Shield and EU Model Clauses. We believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights.
We are committed to GDPR compliance across our cloud services when enforcement begins, and provide GDPR-related assurances in our contractual commitments. When small businesses use the Microsoft Cloud to process data they will be using services already compliant with the highest standards in data protection.
Outside of small businesses, we also recently announced new parental consent requirements for accounts held by children in the EU. To implement the parental consent requirement in the GDPR, Microsoft is relying on the high standards afforded under the US Children’s Online Privacy Protection Act (COPPA) to verify parental consent for children’s accounts across our product platforms. We have already started to roll out the necessary notifications to our users in many EU member states, and we will complete the rollout by the end of April.
What key challenges has Microsoft faced in preparing for GDPR?
At its heart, the GDPR is about guaranteeing the privacy and integrity of individuals’ data. Microsoft is working on our own compliance, but our key challenge and opportunity is ensuring that our cloud services make it easy for customers to comply with the GDPR. The release of contractual commitments is an example of steps we are taking to help our customers prepare for the deadline. We’ve also made other GDPR resources available on our Trust Center to help companies assess their readiness.
Would you say the company has taken adequate steps to ensure that it deals with data responsibly, particularly in the wake of the Cambridge Analytica/Facebook scandal?
For users to effectively exercise their right to control their data, they must have access and visibility to that data. Users must know where it is stored, and they must also know, through clearly stated and readily available policies and procedures, how cloud providers secure their data, who can access it, and under what circumstances.
We don’t use customer data for advertising or commercial purposes. Microsoft access to customer data is limited to key personnel on an exception basis. Microsoft personnel only access customer data for troubleshooting and malware prevention. Further, in the event that customer data is compromised, Microsoft will notify customers.
Are digital skill shortages impeding progress in the way of GDPR compliance?
Within MEA, digital skills are a challenge, but the primary challenge is the assumption that the GDPR only applies to companies in Europe. Even some of the most sophisticated companies in the region who clearly offer goods and services in Europe have taken the position that GDPR compliance does not need to be prioritised, which may not be a smart decision in the long run.
That said, GDPR is a great opportunity to accelerate programmes to increase digital skills in each community and country in the region. There is arguably an opportunity for people to specialise in GDPR compliance, where they learn how to create a data governance regime and can advise companies on the four areas of focus – discover, govern, protect and report.
How will the GDPR regulations affect companies outside of Europe?
Although GDPR is designed to strengthen data protection within the EU, Middle East and African businesses wanting to do business with the EU are definitely affected as GDPR applies to businesses that offer goods and services to people in Europe, even if those businesses are based outside of Europe. Even companies that don’t offer goods or services in Europe should anticipate that the GDPR will likely become a global baseline for data protection.
If businesses are to remain relevant in today’s market, digital transformation coupled with data protection must exist at the heart of their business models. Cloud services can help companies implement a data governance regime, but the first step is ensuring that the underlying cloud service is GDPR compliant. By 25 May, businesses that use the Microsoft Cloud to process data – be it Office 365, Dynamics 365, Windows 10 or Azure – will be using services compliant with the highest standards in data protection.