Photo - Dr. Jasmine Begum, Microsoft Malaysia's Director of Legal and Corporate Affairs and New Market
The European Union's General Data Protection Regulation (GDPR) came into effect on 25th May 2018. The GDPR also affects Malaysian entities that process data concerning EU nationals, according to Dr. Jasmine Begum, Microsoft Malaysia's Director of Legal and Corporate Affairs and New Market.
She said this during the recent Insights on GDPR and PCI DSS workshop, where she shared Microsoft's experience as the multinational corporation went about ensuring that its products - as well as its own internal data-handling practices - were GDPR compliant. The workshop was organised by Malaysia Digital Economy Corporation (MDEC), and hosted at the premises of leading cybersecurity company LGMS at its Asia Cybersecurity Exchange centre.
"The difference between GDPR and Malaysia's Personal Data Protection Act (PDPA) is that the GDPR standards are higher, and it requires enterprises to look at four big areas," Dr. Begum explained. Two of those areas deal with privacy and security, backed by substantial penalties to ensure compliance and an obligation to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them.
Dr. Begum pointed out that in this always-connected world, concerns about data portability and data erasure are on the rise. "Can cloud service providers prove to me that you have erased the data? This is a question that always comes up."
More fundamental was ensuring that organisations had a clear idea of all the sources of data within the organisation. Dr. Begum stressed that this did not apply only to digital data, but also paper-based records. "This is something that people in the financial services sector, particularly banking, need to start considering."
Digital rights are fundamental
From an implementation perspective, this translated to imposing tighter controls on data access, better data governance tools, and improved data policies and processes. "Digital rights have become as fundamental as other human rights today," she explained.
Internally, Microsoft approached GDPR compliance in three steps: assessing and managing its compliance risk, protecting the personal data it held, and streamlining its processes.
Microsoft is present in 120 countries and has approximately 200,000 employees about whom it collects data. "But note that our products are also collecting data," Dr. Begum highlighted.
It then carried out data protection impact assessments, privacy reviews and control testing to verify its compliance.
"In a 2017 survey, 47% of executives were unsure of what data standards apply. Malaysian enterprises know about the PDPA, but in the digital economy, you're looking at multiple standards, shifting regulatory landscapes, and different industries have different requirements, all of which you have to be compliant with."
Microsoft had therefore made three commitments to its partners and customers. "We will be GDPR-compliant on the 25th of May; we will share our experience; and together with our partners, we will help you be compliant."
Important for vendors to provide contractual commitments to GDPR compliance
Dr. Begum recommended that enterprises implementing GDPR ensure that their vendors provide contractual commitments to GDPR compliance. "If you are considering moving to the cloud, you should check if your provider is able to make these commitments," she said.
Microsoft, for instance, can assist its customers by providing them with documentation to help demonstrate compliance with GDPR.
While Microsoft is able to help enterprises with the technical aspects of GDPR, the organisational aspects are the responsibilities of the enterprises themselves.
"Being prepared is a shared responsibility. This is something that you would want to start training your people about."
With regard to protecting data privacy and security, Dr. Begum stated that one of the benefits of using cloud-based solutions is that the compliance onus on cloud service providers is heightened; however, the organisations using those services (typically the data controllers) still need to take their own measures. "This includes identity access management, information protection, and threat protection. For example, different products have different levels of protection, and only you can decide what suits your organisation best."
In terms of identity access management, Dr. Begum brought up the 'bring-your-own-device' trend, which requires organisations to ensure that they have appropriate access controls in place across all devices. Malaysia still needs to work on information protection, as data governance practices, especially data classification, remain a challenge. "GDPR requires that you demonstrate that you are doing everything you can to protect your data throughout its lifecycle."