What is GDPR?

The GDPR gives individuals control over their personal data collected by organizations. These rights are exercised through Data Subject Requests (DSRs). Organizations must provide timely information regarding DSRs and data breaches, as well as conduct Data Protection Impact Assessments (DPIAs).

When implementing or assessing GDPR requirements, consider these points:

• Develop or evaluate your privacy policy for GDPR compliance.
• Assess your organization's data security.
• Who is your data controller?
• What data security procedures might need to be implemented?

Thesuggested action plan for GDPRand theaccountability readiness checklistmay prompt additional considerations.

The following tasks relate to achieving GDPR standards. Follow the links in the list for implementation details.

• Data Subject Requests (DSRs). A formal request made by a data subject to a controller to take an action (change, restrict, access) regarding their personal data.
• Breach Notification. Under the GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
• Data Protection Impact Assessments. The GDPR mandates that data controllers prepare a Data Protection Impact Assessment (DPIA) for data operations that are “likely to result in a high risk to the rights and freedoms of natural persons.”

As noted above, the suggested action plan for GDPR and the accountability readiness checklist provide guidance for implementing or assessing GDPR compliance when using Microsoft products and services.