Windows 10 and GDPR vs. HIPAA Compliance

Note: This information has been updated. Please visit our M365 Compliance page.

On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation (GDPR). GDPR has been characterized as the most sweeping and impactful change to privacy and data protection regulations in history. It goes into effect on May 25, 2018, with broad-reaching implications for EU-based organizations and multinationals around the globe. It is critical to note that GDPR imposes new rules on organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where those organizations are located. This means that US-based healthcare covered entities and organizations defined as controllers or processors of an EU citizen’s or resident’s healthcare data will be directly affected by GDPR and must be prepared to meet these regulatory requirements.

GDPR Compliance and Microsoft Windows 10

The General Data Protection Regulation (GDPR) sets a new bar for privacy rights, security, and compliance, which will be enforced through heavy penalties. Microsoft has made the commitment that all its online services will be GDPR compliant and backed by contract, giving customers assurance that their personal information is protected and handled in compliance. With privacy by design as a core guiding principle, Microsoft provides a comprehensive set of software services to enable customers to meet their GDPR requirements. Microsoft recognizes that end-to-end compliance is required and must be implemented as a holistic process across the organization, including (and beginning with) the protection of endpoints. Windows 10 enables organizations to begin their GDPR compliance journey.

GDPR Focus: Data Protection and Security – Not Technology

Like the HIPAA regulations, GDPR makes no direct reference to technical or technology requisites. However, GDPR does require organizations to build a holistic and structured approach to data protection and overall security.

More specifically, GDPR states the following:

(Art. 24.1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

(Art. 24.2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

(Art. 28.1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Microsoft GDPR Readiness and Assessment Tool

Microsoft Windows 10 supports an organization’s GDPR security and privacy requirements with its cloud-enabled security stack, which includes device protection, identity protection and management, information protection, threat detection and protection, and security management and operations. For example, beginning with the Windows 10 Anniversary Edition, Microsoft includes the Windows Information Protection (WIP) component, which provides integrated protection against accidental data leaks.

With WIP, Windows 10 can:

  • Protect data at rest locally and on removable storage
  • Enable corporate versus end user data to be identified wherever it rests on the device with the ability to wipe that data
  • Provide a common experience across all Windows 10 devices and prevent unauthorized apps from accessing business data and users from leaking data with copy and paste protection
  • Enable seamless integration into the Microsoft cloud platform