The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. Complying with all of the provisions of this law will require time, effort, resources, and an unflappable commitment to privacy by design for enterprises the world over. TechRepublic, and other members of the IT industry press, have been sounding the alarm on the GDPR for years now, so IT pros and enterprises should be aware of what is required and well on their way toward compliance. Right?

The GDPR will impact businesses both large and small, but certain enterprises will have an additional burden placed on them. Any business collecting substantial personal data from customers will be expected to hire a designated GDPR compliance officer. To comply with this part of the GDPR, Microsoft announced that it has promoted Steve May to be its European data protection officer (DPO).

The particulars of why Microsoft chose Steve May for the position serve as a potential lesson for other enterprises as they make their personnel decisions regarding the appointment of a DPO.

Data protection officer

The GDPR requires a new approach toward the collection and processing of personal data, an approach that many enterprises are ill-equipped to implement. According to the GDPR, the appointment of a DPO is required for any organization meeting at least one of these criteria:

  1. The organization is a public authority,
  2. The organization engages in large scale systematic monitoring, or
  3. The organization engages in large scale processing of sensitive personal data.

Unfortunately for businesses looking for clarity, the term “large scale” is loosely defined. The general consensus is that organizations with over 250 employees, or that process the personal data of more than 5,000 data subjects in a 12-month period, will be required to have a DPO.

The other key factor in hiring a DPO in compliance with the GDPR is that the person must be qualified. In a nutshell, the designated DPO must have expert knowledge, must be provided with adequate resources to perform the job, and must report directly to the highest level of management. However, the job of DPO can be performed by an external service provider where appropriate.

In Microsoft’s case, Steve May has worked for the company for over 20 years and is intimately familiar with its products and services. Most recently, May served as a privacy leader in the Windows and Devices Group. May will report to Microsoft’s chief privacy officer, and will be located in Dublin, Ireland.

Bottom line

Without a doubt, complying with the GDPR is going to place an increased regulatory burden on many businesses. It is important that IT industry leaders like Microsoft drive compliance standards not only with their products and services, but also with their own internal operations. Microsoft’s promotion of Steve May to the DPO position should serve as an example of the commitment required by businesses operating in this global environment.

So, while compliance with the GDPR presents a significant, and potentially expensive, challenge to just about every modern business enterprise, hiring a DPO to take control of your enterprise’s personal data privacy initiative indicates a substantial level of commitment toward complying with the law. Take your cue from Microsoft and other industry leaders: hire a DPO if you are required to do so, and take a measurable step toward GDPR compliance.
