Ask Me Anything
The next Ask Me Anything will be June 27th, 8-8:45am PST; the topic will be "Microsoft Partner Community"

Don't see your topic? Start a Topic
Reply
Highlighted
Community Manager

Ask Me Anything Topic: GDPR

Ankur Arora.jpgIntroducing Ankur Arora, this months Microsoft Expert. Ankur is the WW Partner Strategy Lead: Security & Compliance, OCP. He has been at Microsoft for almost 10 years and has a wealth of experience in the S&C field.

This months AMA topic will be “GDPR”. Start asking questions March 21st and tune in for the AMA even on March 28th, 7-11am PST. The top Kudoed questions will be answered first. 

To ensure you do not forget, please download the calendar invite below!

-Your Microsoft Partner Community (MPC) Team

Influencer

Re: Ask Me Anything Topic: GDPR

Great topic! Great expert!

GDPR is a great opportunity as it provides multiple potential revenue streams for partners. Some partners are setting up GDPR practices and some are inventing cleverly crafted managed servcies around it!

 

Regards, Per 

Level 2 Contributor

Re: Ask Me Anything Topic: GDPR

Great topic. Since every business (including the partners own business) is different and the GDPR takes a risk-based approach to data protection, could you share some simple questions they should be considering to ensure that their business practices comply with the GDPR. For example - What personal data do we collect/store? Have we obtained it fairly?
Jon Rivers, President/Social Media Disruption Expert
Marketing Monarchs
Email: jon.rivers@marketingmonarchs.com
Tel: +1 617 256 6178
Website: www.marketingmonarchs.com
Skype: jon.rivers@marketingmonarchs.com
Twitter: @jon_rivers & @brandingnoise

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR

What specific functionality can we expect to see as part of the Dynamics solution stack?   

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

Great and top of mind topic.

Question - Is GDPR just the new SOX?

 

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

What are the risks for customers that don't implement GDPR?

Since this is a EU initiated effort - why should US based companies care?

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

What is Microsoft doing to enable GDPR compliance?

How do partners make sure they are following the most current information and guidance?

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

What are the actual risks for a GDPR breach?

 

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

What are the partner opportunities to serve customers with GDPR needs?

Is there a significant difference for ISV's vs. SI's 

Can new partner businesses be spun-up to help customers adresss their GDPR needs?

Please elaborate.

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

Where will GDPR be in 2 years? 

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@jshueywrote:

What are the risks for customers that don't implement GDPR?

Since this is a EU initiated effort - why should US based companies care?



Territorial scope for the GDPR (Article 3)

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@jshueywrote:

What is Microsoft doing to enable GDPR compliance?

How do partners make sure they are following the most current information and guidance?



The one stop resource set for Partners for the GDPR: Whitepapers, Assessments, customer briefing content, FAQ, GTM resources...  https://partner.microsoft.com/en-us/marketing/details/gdpr#/

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR

There is no link to the discussion in the caledar invite

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@jshueywrote:

What are the actual risks for a GDPR breach?

 



Data breaches, more than fines, actually lead to a loss of reputation/credibility.   However, the GDPR does document fines applicable in Article 83

General conditions for imposing administrative fines

  1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
  2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
    1. the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
    2. the intentional or negligent character of the infringement;
    3. any action taken by the controller or processor to mitigate the damage suffered by data subjects;
    4. the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
    5. any relevant previous infringements by the controller or processor;
    6. the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
    7. the categories of personal data affected by the infringement;
    8. the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
    9. where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
    10. adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
    11. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
  3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
  4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
    1. the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
    2. the obligations of the certification body pursuant to Articles 42 and 43;
    3. the obligations of the monitoring body pursuant to Article 41(4).
  5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
    1. the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
    2. the data subjects’ rights pursuant to Articles 12 to 22;
    3. the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
    4. any obligations pursuant to Member State law adopted under Chapter IX;
    5. non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
  6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
  8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
  9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@jshueywrote:

What are the partner opportunities to serve customers with GDPR needs?

Is there a significant difference for ISV's vs. SI's 

Can new partner businesses be spun-up to help customers adresss their GDPR needs?

Please elaborate.



Check out this BLOG for 2 new monetization opportunities for partners around The GDPR

https://blogs.partner.microsoft.com/mpn/gdpr-solutions-for-incremental-revenue/

 

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@Anonymouswrote:

What specific functionality can we expect to see as part of the Dynamics solution stack?   


Dynamics

Check out the new customer-facing GDPR white papers to understand how Microsoft Dynamics applications can be an important part of our customer’s journey toward GDRP compliance. Go to http://aka.ms/gdprdynamics365 to find links to the available Dynamics 365 GDPR white papers, as well as information about Compliance Manager—a cross–Microsoft Cloud Services solution designed to help organizations meet complex compliance obligations like the GDPR—and much more. Check back often throughout CY 2018 to find new GDPR info, new white papers on other Dynamics products, and updates to existing white papers.

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR

Hi,

As GDPR is about all personal data which you can have in everywhere, then, how  one partner can give the complete solution if you  are only specialist  on SQL and not in Oracle, or DB2, or Office 365, etc.?  The customer´d like to work with one company that covers all the technologies and legal issues instead  it has to work with several partners , one for each thing. What is the strategic of Microsoft with this?

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@jshueywrote:

Where will GDPR be in 2 years? 


25th May 2018 is really the starting date of this journey, we anticipate a 4-5 year hype-cycle with wide adaption across enterprises, mid size businesses and SMBs...other countries/regions seem to be following the trend of introducing regulations that protect the personal data of their residents/citizens...

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@Anonymouswrote:

Hi,

As GDPR is about all personal data which you can have in everywhere, then, how  one partner can give the complete solution if you  are only specialist  on SQL and not in Oracle, or DB2, or Office 365, etc.?  The customer´d like to work with one company that covers all the technologies and legal issues instead  it has to work with several partners , one for each thing. What is the strategic of Microsoft with this?


Microsoft products and services are available today to help customers meet the GDPR requirements, and we are investing in additional features and functionality.   Through our cloud services and on-premises solutions we’ll help customers locate and catalog the personal data in their systems, build a more secure environment, simplify management and monitoring of personal data, and provide the tools and resources they need to meet the GDPR reporting and assessment requirements.

Microsoft technologies that get leveraged for managing, protecting, and reporting on personal data:
Azure
Dynamics 365
Microsoft 365
SQL Server
Azure SQL DB
Windows 10
Windows Server 2016

For our customers, this is really comprehensive set of technologies covering both Cloud and On-prem. 

The Microsoft field teams work with customers to orchestrate and leverage the partner ecosystem with diverse skills and expertise across Discover-Manage-Protect-Report phases and then partners also get involved in providing managed services to customers. 

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR

Because if a US-based business wants to trade in the EU (whether merely selling or operating within), they will HAVE to comply. This means ensuring that any personal data that you capture about ANY EU citizen is kept secure and ONLY retained if that person has previously consented to it. Failure will result in fines of up to a maximum of €2m or 4% of the organisations worldwide turnover.

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

Great response. thank you for the detail and consideration.

GDPR is bigger than SOX, but a lot of companies are not fully aware of the risks.

CSO's can help!

Level 5 Contributor

Re: Ask Me Anything Topic: GDPR

Spot on! The Hype Cycle combined with the pulse of the community at the time will determine the life cycle of GDPR.

Anonymous
N/A

Re: Ask Me Anything Topic: GDPR


@jshueywrote:

Great response. thank you for the detail and consideration.

GDPR is bigger than SOX, but a lot of companies are not fully aware of the risks.

CSO's can help!


Actually, unline SOX, HIPPA, ISO, etc. where one get's a certificate of compliance...The GDPR is more of a Continuum...there is no certification per say...