Ways to ease EU GDPR impacts: Q&A with Microsoft legal counsel Neal Suggs

Aaron Lee, Taipei; Willis Ke, DIGITIMES [Monday 13 November 2017]

Following a two-year transition period, the General Data Protection Regulation (GDPR), adopted by the European Union in April 2016, will officially take effect on May 25, 2018. The GDPR, touted as the world's toughest-ever data protection act, will bring great challenges to enterprises: violators face fines of up to EUR20 million (US$23.22 million) or 4% of their global annual turnover, whichever is higher, depending on the seriousness of the violation. But the act will also bring Taiwan manufacturers good business opportunities and enhance their market competitiveness if they can incorporate GDPR requirements into their chip fabrication, terminal device design and production processes, according to Neal Suggs, Microsoft's vice president and associate general counsel for the Consumer, Business and Public Sector team.

GDPR has wide coverage, applying to all enterprises engaged in business directly or indirectly associated with the EU, including hotels, aviation services, financial services and tech sectors, among others. Suggs said that as long as enterprises use computer systems and servers to do business with the EU or employ nationals of EU member states, they will have to observe GDPR. In a recent interview with Digitimes, Suggs talked about the problems enterprises face in incorporating GDPR, its possible impacts on enterprises, and Microsoft's countermeasures.

Q: What is the biggest problem encountered by enterprises in incorporating GDPR into their operations?

A: In this respect, the biggest problem facing the customers I have contacted lies in defining the data that should be regulated. Many enterprises tend to presume there should be no problems with their data, but once they start to examine the data, they find it almost impossible to locate problematic data across their various systems without a formal process, norm or policy to follow. Examining their digital footprints is quite an ordinary requirement for enterprises, but it is the most important starting point for locating problematic data in the management process. Of course, this is also the biggest challenge for enterprises.

Q: Which kinds of enterprises will be influenced by GDPR?

A: Enterprises in almost all industries will be affected unless they don't want to do business with the EU, because any enterprise seeking to develop global markets cannot skip the EU, now the third largest market in the world. As long as enterprises operate computer systems or servers, or issue smartphones to their employees, there's a chance they could violate GDPR. If enterprises fail to observe GDPR, they will face unpredictable risks.

Q: What has Microsoft done to cushion impacts of GDPR?

A: Microsoft kicked off its first step by maintaining close contact with the relevant EU officials during the GDPR formulation process to understand the exact aspects and points of most concern to the EU, and we found that some of the provisions are derived from EU Directive 95/46/EC, the Data Protection Directive, enforced in 1995, and some are newly introduced.

Then we moved to assess the impact of GDPR on Microsoft, including its products and customers, to see if they comply with the regulations.

In facing GDPR, Microsoft has maintained two parallel lines, one for our products and customers and the other for our internal operational processes, strictly requiring that both meet GDPR requirements. About one and a half years ago, Microsoft started assigning more than 300 engineers to examine and modify its products and internal-use tools to secure their adherence to GDPR rules. This has earned Microsoft recognition as the first company to successfully incorporate GDPR standards. Nevertheless, this is just the beginning of the job, not the end.

Q: As GDPR will be implemented less than a year from now, what suggestions will Microsoft give to enterprises?

A: First of all, enterprises must work with reliable experts to examine their operating environments, including their IT, information security and personnel departments, to gauge their compliance with GDPR. Here, I would strongly advise them against purchasing any set of solutions from outside, because what should be addressed are procedural issues, not technical problems. And as long as they can change their corporate cultures, enterprises can easily meet the GDPR requirements. But they should get started as soon as possible, because we achieved a better status only after one and a half years of effort.

Q: For small and medium-sized enterprises or new ventures with little resources, what can they do to address GDPR?

A: Microsoft has made its practices public online, mainly to help small and medium-sized enterprises. We have learned a lot, and still have a lot more to learn, and Microsoft hopes to help more enterprises in this respect, regardless of whether they have adopted Microsoft cloud services. Our company offers white papers, to-do lists and evaluation forms to enterprises.

Under GDPR, you cannot use customer data unless you are entitled to use the data for a specific purpose that has a reasonable association with the original purpose of collection. If I were the owner of a startup or a small or medium-sized enterprise, I would first move to change and adjust my company culture to adapt to GDPR, instead of buying solution products that can only solve some data flow problems.

Q: Do you think financial services and manufacturing industries will bear the brunt of GDPR impacts?

A: The financial services and manufacturing industries will be seriously affected, as the financial and health data they hold concern personal privacy the most. Many other industries will also be affected, including autonomous vehicles and aviation services. Autonomous cars will collect data about who is in the car and where they are going, and these data are subject to protection. This data protection requirement also applies to airlines carrying European passengers or transiting through European cities.

In fact, I think GDPR will bring Taiwan manufacturers great challenges and huge business opportunities as well, because IoT (Internet of Things) will be closely linked with GDPR, including chip fabrication, device manufacturing and solutions. If GDPR requirements can be well incorporated into their product design processes, Taiwan manufacturers will become more competitive in the markets.

Q: Has Microsoft cooperated with its Taiwan partners in preventing GDPR violations?

A: We have maintained cooperation with many Taiwan businesses, with Pegatron among our important partners, and we hope for more opportunities to collaborate with more enterprises in Taiwan. Where our Windows operating systems are applied in IoT operations, we should engage in close cooperation with chipset designers and equipment suppliers to make sure that the chipsets and devices comply with GDPR during their design and production processes. For any manufacturing enterprise, the most difficult job is to have its finished products meet GDPR requirements. So Taiwan manufacturers can incorporate GDPR standards into their product design and production stages to prevent GDPR violations. Microsoft is still actively conducting close cooperation with Taiwan partners to assure full compliance of their products with GDPR.

Q: As many IoT devices are designed to collect personal data for big data analysis, do you think the GDPR implementation will hurt the development of the big data service industry?

A: I would not use the word "hurt" here, because any law designed to protect personal data is a good law. Will firms offering big data analysis services face more restrictions after the GDPR is implemented? The answer is absolutely yes. This is because such firms will no longer be able to take "shortcuts," and I think this is a good thing. The GDPR enforcement will surely slow down the development of the big data analysis service industry. In fact, over the past decade, Microsoft has proceeded with related studies and made simultaneous adjustments with customers in the financial and medical service fields, and therefore we have won support from many customers in those fields.

Neal Suggs, Microsoft VP and legal counsel Photo: Aaron Lee, Digitimes, November 2017

Original article source: http://www.digitimes.com/news/a20171109PD203.html