Prepare for General Data Protection Regulation with Microsoft 365
A new European Union (EU) privacy regulation comes into effect on 25 May 2018, with wide-reaching implications for businesses in New Zealand and Australia that offer services and products to people in the EU, or collect and analyse data tied to EU residents. This regulation, called the General Data Protection Regulation (GDPR), sets a new global bar for privacy rights, security and compliance. It strengthens individual privacy rights and imposes new requirements on the collection, storage and use of personal data. It details how companies must:
- identify & secure personal information in their systems
- be transparent about their data usage
- detect as well as report personal data breaches.
Microsoft is now on a journey to realise these important goals. Although it will be a difficult path for some, it is a path worth taking.
What is ‘personal data’ under the GDPR?
The General Data Protection Regulation seeks to protect the ‘personal data’ of EU Data Subjects. This is data from which an individual can be directly or indirectly identified.
Australian and New Zealand companies will be familiar with the term ‘personal information’. The definition of ‘personal data’ under the GDPR is much broader than the definition of ‘personal information’ under the Australian Privacy Act 1988 and the New Zealand Privacy Act 1993. The GDPR looks at whether the data could be “reasonably likely to be used” for identifying an individual. If it can, it is most likely personal data. This could be a person’s name, location data, an ID number, an online identifier, or one or more factors specific to the physiological, physical, economic, genetic, cultural, mental, or social identity of that person. The definition of ‘personal information’ under the AU and NZ Privacy Acts does not include a list of the types of information specifically included, such as location data and online identifiers.
There are additional protections and restrictions for special categories of personal data and sensitive personal data under the GDPR. This is data relating to an individual’s:
- political opinion
- racial or ethnic origin
- health or sex life
- sexual orientation
- genetic data or biometric data
- religious or philosophical beliefs
- trade union membership
It all comes down to personal data
GDPR analysis begins with understanding what data exists as well as where it resides.
The GDPR regulates the collection, storage, use as well as sharing of broadly defined personal data.
For example, personal data can reside in:
- HR databases
- customer databases
- email content
- feedback forms filled out by customers
- CCTV footage
- loyalty program records
Who are controllers and processors under the GDPR?
Privacy laws in Australia and New Zealand do not differentiate between the types of organisations that deal with personal information. The GDPR differentiates two important roles assumed by organisations that fall under its umbrella: controllers and processors.
Under the GDPR, most obligations fall on the data controller who determines the purposes as well as means of processing personal data. The controller can act either alone or with others. The GDPR also imposes specific duties and obligations on processors. A data processor is an entity that processes personal data on behalf of a controller. The controller controls the processing of personal information, whereas the processor performs the processing on behalf of the controller. The same organisation can act as both controller as well as processor, or the roles can also belong to two separate organisations. In most cloud services relationships, the customer is the controller and the cloud services provider (e.g. Microsoft) is the processor that carries out the processing on behalf of the customer.
Controllers and processors are specifically required to demonstrate compliance with the GDPR. They need to show that they have undertaken appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR. The GDPR also prohibits organisations from using third-party data processors unless those processors agree by contract to implement the technical and organisational requirements of the GDPR. As a processor, Microsoft has extensive expertise in protecting data, championing privacy and complying with complex regulations, and is committed to GDPR compliance.
What are the consequences of breaching the GDPR?
EU regulators can pursue an organisation located outside the EU if the GDPR applies to that organisation and the organisation fails to comply with it.
An organisation may need to pay compensation to a person who has suffered damage as a result of its failure to comply with the GDPR. For a serious breach of the GDPR, the maximum fine is up to €20 million or 4% of the company’s global annual turnover, whichever is greater. Other contraventions may be subject to a fine of up to €10 million or 2% of global annual turnover, whichever is greater. These fines are substantially higher than those that may be imposed under the NZ Privacy Act or AU Privacy Act.
Some organisations may also face other practical consequences of breaching the GDPR such as temporary or permanent bans on processing personal data of EU Data Subjects in the EU country in which the GDPR was breached, which in turn can interfere with business activities.
To confirm that you are complying with your privacy obligations, follow these steps to progress your journey:
- Identify what personal data you have as well as where it resides.
- Govern how you use & access personal data.
- Establish security controls to prevent, detect as well as respond to vulnerabilities & data breaches.
- Keep required documentation, manage data requests & submit breach notifications.
Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations.
The Microsoft cloud solution is built for power, scale and flexibility. Microsoft 365 brings together Office 365, Windows 10 and Enterprise Mobility + Security – offering a rich set of integrated solutions that leverage AI to help you assess and manage your compliance risk, protect your most important data and streamline your processes.
Assess & manage your compliance risk
Achieving your organizational compliance goals can be quite challenging. It is difficult to stay up-to-date with all the regulations that matter to your organization, as well as to define & implement the controls. Compliance Manager is a new compliance solution that can help you to manage your compliance posture from one place. It allows you to conduct real-time risk assessment, giving one intelligent score that reflects your compliance performance against data protection regulatory requirements when using Microsoft cloud services.
You can also use the built-in control management and audit-ready reporting tools to improve and monitor your compliance posture.
Simplify how you govern data
Organizations today face increasing quantities of complex electronic data, and gaining control over this data overload – knowing what to keep and finding what is relevant when you need it – is highly important for both security and compliance purposes. Hence several new features have been introduced which further enhance the already rich set of capabilities available with Microsoft Information Protection and Advanced Data Governance. Organizations of all sizes need to protect their critical data and make sure that it does not get into the wrong hands. Employees today are using more SaaS apps, creating more data, and working across multiple devices. Although this has enabled people to do more, it has also increased the risk of data loss. It has been found that around 58 percent of workers have accidentally shared critical information with the wrong person.
Microsoft’s Information Protection solutions can help you identify, classify, protect and monitor your critical data – as it is created, stored, or shared. Microsoft has made several investments across its information protection solutions, helping provide more comprehensive protection across the data lifecycle.
Microsoft Cloud App Security now integrates with Azure Information Protection to classify & label files that reside in cloud applications.
Use intelligent tools for better discovering & controlling your data
Many organizations are evaluating how to find and protect the sensitive data they collect. With the explosion of data, many organizations are not able to manage their assets with traditional manual processes. Even once you know where all the data is and how it should be managed, you must constantly make sure it is protected from threats. The GDPR requires organizations to take necessary measures to prevent unauthorized access or disclosure, and to notify stakeholders in the case of a breach.
Microsoft continually invests in tools that help detect attacks as early as possible and remediate them, as well as in pre-breach attack prevention tools.
Analysis of non-Office 365 data with Advanced eDiscovery:
While the amount of data being generated and stored in Office 365 is increasing at an exponential rate, many organizations still have data in legacy file shares and archives. Data is also being generated in other cloud services which may be relevant for an eDiscovery case surrounding a Data Subject Request.
Analysis of non-Office 365 data enables organizations to import a case-specific copy of such data into a specifically assigned Azure container and analyze it using Office 365 Advanced eDiscovery. Having one eDiscovery workflow for both Office 365 and non-Office 365 data gives organizations the consistency they need to make defensible decisions across the entire data set of a case.
To better protect against threats, Microsoft has also improved its anti-phishing capabilities in Office 365 Advanced Threat Protection, with a focus on mitigating content phishing, domain spoofing and impersonation campaigns. Office 365 Advanced Threat Protection has also been expanded to help secure SharePoint Online, OneDrive for Business and Teams. On Windows, Windows Defender has been added.
On the post-breach detection side, Microsoft announced Azure Advanced Threat Protection for users, which brings on-premises identity threat detection capabilities to the cloud and integrates them with the Microsoft Intelligent Security Graph. Finally, Windows Defender Advanced Threat Protection is integrating Hexadite’s AI technology to automatically investigate new alerts, determine the complexity of a threat and take the necessary actions to remediate it.
Office 365 security management updates:
A few updates have also been made to Advanced Security Management to give even better visibility and control over Office 365.
So why not make Microsoft 365, including the best of Office 365, Windows 10 and Enterprise Mobility + Security, the foundation of your journey and start accelerating your compliance with the GDPR?