Today’s post was written by Alym Rayani, director of Microsoft 365.
With the General Data Protection Regulation (GDPR) taking effect, today marks a milestone for individual privacy rights. We live in a time where digital technology is profoundly impacting our lives, from the way we connect with each other to how we interpret our world. Central to this digital transformation is the ability to store and analyze massive amounts of data to generate deeper insights and more personal customer experiences. This helps all of us achieve more than ever before, but it also leaves an extensive trail of data, including personal information and sensitive business records that need to be protected.
At Microsoft, our mission is to empower every person and every organization on the planet to achieve more. Trust is at the core of everything we do because we have long appreciated that people won’t use technology they don’t trust. We also believe that privacy is a fundamental human right that needs to be protected. As Julie Brill, Microsoft privacy lead, notes in her recent blog, Microsoft believes GDPR establishes important principles that are relevant globally.
In addition to our ongoing commitment to privacy, we made a number of investments over the last year to support GDPR and the privacy rights of individuals. Here is a recap of how you can use these capabilities to help your organization on the path to GDPR compliance.
Assess and manage compliance risk
Because achieving organizational compliance can be very challenging, understanding your compliance risk should be your first priority. Customers have told us about their challenges with the lack of in-house capabilities to define and implement controls and inefficiencies in audit preparation activities.
The Compliance Manager and Compliance Score helps you continuously monitor your compliance status. Compliance Manager captures and provides details for each Microsoft control, which has been implemented to meet specific requirements, including implementation and test plan details, and management responses if necessary. It also provides recommended actions your organization can take to enhance data protection capabilities and help you meet your compliance obligations.
Here’s a look at how Microsoft 365 customer Abrona uses Compliance Manager:
Protect personal data
At its core, GDPR is all about protecting the personal data of individuals—making sure there is proper security, governance, and management of such data to help prevent it from being misused or getting into the wrong hands. To help ensure that your organization is effectively protecting personal data as well as sensitive content relevant to organizational compliance needs, you need to implement solutions and processes that enable your organization to discover, classify, protect, and monitor data that is most important.
The information protection capabilities within Microsoft 365, such as Office 365 Data Governance and Azure Information Protection, provide an integrated classification, labeling, and protection experience—enabling more persistent protection of your data—no matter where it lives or travels. A proactive data governance strategy of classification of personal and sensitive data enables you to respond with precision when you need to find the relevant data to satisfy a regulatory request or requirement like a Data Subject Request (DSR) as a part of GDPR.
Azure Information Protection scanner addresses hybrid and on-premises scenarios by allowing you to configure policies to automatically discover, classify, label, and protect documents in your on-premises repositories such as the File Servers and on-premises SharePoint servers. You can deploy the scanner in your own environment by following instructions in this technical guide.
Azure’s fully managed database services, like Azure SQL Database, help alleviate the burden of patching and updating the data platform, while bringing intelligent built-in features that help identify where sensitive data is stored. New technologies, like Azure SQL Data Discovery and Classification, provide advanced capabilities for discovering, classifying, labeling, and protecting the sensitive data at the database level. Protect personal data with technologies like Transparent Data Encryption (TDE) that offer Bring Your Own Key (BYOK) support with Azure Key Vault integration.
Let’s take a look at how Microsoft 365 customer INAIL leverages Azure Information Protection to classify, label, and protect their most sensitive data:
Respond with confidence
Ensuring processes are in place to efficiently manage and meet certain GDPR requirements, such as responding to DSRs or responding to data breaches, is a tough hurdle for many organizations.
To help you navigate the GDPR resources provided across cloud services, we introduced the Privacy tab in the Service Trust Portal last month. It provides you with the information you need to prepare for your own Data Protection Impact Assessments (DPIAs) on Microsoft Cloud services, the guidance for responding to DSRs, and the information about how Microsoft detects and responds to personal data breaches and how to receive notifications directly from Microsoft.
Watch the new Mechanics video to learn more about the GDPR resources in the Service Trust Portal.
Features to support DSRs
Several features help support DSRs across Microsoft Cloud services, including a Data Privacy tab in Office 365, an Azure DSR portal, and new DSR search capabilities in Dynamics 365.
The new Data Privacy tab, GDPR dashboard, and DSR experience in Office 365 are now generally available for all commercial customers. This experience is designed to provide you with the tools to efficiently and effectively execute a DSR for Office 365 content—such as Exchange, SharePoint, OneDrive, Groups, and now Microsoft Teams.
As Kelly Clay of GlaxoSmithKline says, “The GDPR 2016/679 is a regulation in E.U. law on data protection and privacy for all individuals within the European Union. GDPR also brings a new set of ‘digital rights’ for E.U. citizens in an age of an increase of the economic value of personal data in the digital economy. GDPR will require large data holders and data processors to manage DSRs, and organizations will need tools in Office 365 to manage DSRs.”
Patrick Oots of the law firm Shook, Hardy & Bacon observes his client organizations and their steps towards GDPR. “We are excited to see Microsoft investing in Office 365. As our clients prepare for GDPR, we see tremendous value in tools within the Data Privacy Portal to manage DSRs in response to Article 15. As data privacy law evolves, we remind our Office 365 clients of the overall importance in the proper implementation of information governance polices within the Security & Compliance Center to minimize risk.” Patrick further highlights how a proactive data governance strategy can help organizations react to regulations such as GDPR with precision when required.
The Azure DSR portal is now also generally available. Using the Azure DSR portal, tenant admins can identify information associated with a user and then correct, amend, delete, or export the user’s data. Admins can also identify information associated with a data subject and will be able to execute DSRs against system-generated logs (data Microsoft generates to provide a given service) for Microsoft Cloud services. Other new offerings from Azure include the general availability of Azure Policy, Compliance Manager for Azure GDPR, and the Azure Security and Compliance Blueprint for GDPR.
Learn more by reading the Azure blog post on GDPR features.
To help customers respond to DSRs in Dynamics 365, we have two search capabilities: Relevance Search and the Person Search Report. Relevance Search gives you a fast and simple way to find what you are looking for, and is powered by Azure Search. The Person Search Report offers a prepackaged set of extendible entities, which Microsoft authored, to identify personal data used to define a person and the roles they might be assigned to.
You can learn more in the Dynamics 365 blog post.
The new Windows Privacy hub converges related content about Windows privacy on docs.microsoft.com. Here you can find new guidance to help IT decision makers get ready for GDPR, a list of Windows 10 services configuration settings used for personal data privacy protection, understand Windows diagnostic data, and much more.
Handling data breaches
The onset of GDPR also means stricter regulations that organizations must adhere to in the event of a data breach. Microsoft 365 has a robust set of capabilities, from Office 365 Advanced Threat Protection (ATP) to Azure ATP, that can help protect against and detect data breaches.
Get started today on your GDPR journey with Microsoft
Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations. We believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights and provide GDPR related assurances in our contractual commitments.
No matter where you are in your GDPR efforts, we are here to help on your journey to GDPR compliance. We have several resources available to help you get started today:
- Download our free white paper and e-book.
- Take our free online GDPR assessment.
- Find a GDPR partner.
Learn more about how Microsoft can help you with the GDPR.