This post is authored by Daniel Grabski, Executive Security Advisor, Enterprise Cybersecurity Group.

As an Executive Security Advisor for the Central and Eastern European region, I engage every day with Chief Information Security Officers (CISOs) to learn their thoughts and concerns. One very hot topic raised at nearly every meeting, conference or seminar I attend with customers and partners, regards the General Data Protection Regulation or GDPR. In essence, the GDPR is fundamentally about protecting and enabling the privacy rights of individuals. It establishes strict global privacy requirements governing how you manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.

Without a doubt, GDPR is one of the biggest changes coming to European Union privacy laws in recent years. It is a complex regulation that may require significant changes for every company that:

  1. Is established in the EU.
  2. Sells goods or services in the EU.
  3. Monitors and processes data of those in the EU, regardless of where that processing and monitoring takes place.

The GDPR requirements may also include the technology used within organizations, as well relevant people and processes required to be in place to manage all the stages. Even once the GDPR is enforced as of 25 May 2018, compliance will be an ongoing process.

In this post, in order to help answer the most common questions I hear from CISOs, I will briefly address the following:

  • What does Microsoft’s journey to GDPR compliance look like?
  • What can I do today?
  • What is the role of my cloud provider?
  • How can technology help me with compliance?

What does Microsoft’s journey to GDPR compliance look like?

Microsoft wears many hats under the GDPR: we offer consumer services for which we are a controller, we offer enterprise online services for which we are a processor, and setting aside our role as a technology company, we are an international company with a global employee base. This means that we are going through the same journey as your organization and are innovating to make GDPR compliance simpler for our customers by May 2018. As stated in a recent blog post by Brendon Lynch, Chief Privacy Officer at Microsoft, “To simplify your path to compliance, Microsoft is committing to be GDPR compliant across our cloud services when enforcement begins on May 25, 2018. We have also committed to share our experience complying with complex regulations, to help you craft the best path forward for your organization to meet the privacy requirements of the GDPR.”

You can read and observe the Microsoft journey to GDPR compliance and recommendations via our website and the Get GDPR compliant with the Microsoft Cloud blog. On the website, you will find a whitepaper which describes how Microsoft enterprise products and cloud services can help you to be ready for GDPR.

From my discussions with customers and partners, I can attest that many are keenly aware of GDPR requirements. However, awareness and readiness currently span a large divide. About one third have not yet begun the journey, another third is just beginning the process, and the final third are actively working to map GDPR requirements to their current processes and technology stack.

GDPR is not only the responsibility of the Chief Information Security Officer or Data Privacy Officer, but of the entire C-suite. It is not just about the application of technology, but it is important to consider the processes involved and align them to the new regulation. Last, but not least, it is also a topic that every employee should be aware of – from the executive level to operations. It is of paramount importance to give proper awareness and training across the company, emphasizing the importance of GDPR, its impact on the company operations and the consequences in the case of not complying with GDPR requirements. Therefore, becoming GDPR complaint includes the full scope of alignment of people, processes and technology.

What can I do today?

We recommend you begin your journey to GDPR compliance by focusing on four key steps (see Figure 1 below):

  • Discover—identify what personal data you have and where it resides. This is fundamental to any good risk management practice, and is critical with the GDPR as one can only protect and manage data, as required by the GDPR, when the data is identified.
  • Manage— execute on data subject requests, govern how personal data is used and accessed. Make sure that data is only used for the purposes it was intended for and accessible only to those with a need to access it.
  • Protect—establish security controls to prevent, detect, and respond to vulnerabilities and data breaches. By properly securing your data across its lifecycle, you will reduce the risk of a breach occurring. Knowing when and if a breach occurs, can help you keep the data protection authority informed.
  • Report—report data breaches, and keep required documentation. Proving you are governing data in the right way and successfully handling data subject requests is the core of compliance.

Figure 1: Four steps to GDPR compliance

The Beginning your GDPR Journey whitepaper provides more details on the steps and the technologies available today to help you.

What is the role of my cloud provider?

This is a common question I hear from CISOs looking across their complex environments, as they try to understand what role their cloud provider plays in addressing the requirements of the GDPR.  The GDPR requires that controllers only use processors that have committed to comply with the GDPR and to support compliance efforts of controllers. Microsoft is the first major cloud service provider to make this commitment. That means, Microsoft will meet the stringent security requirements of GDPR.

Fundamentally, GDPR is also about a shared responsibility and trust. It requires a cloud service provider with a principled approach to privacy, security, compliance and transparency such as Microsoft. Trust can be viewed from many different angles, including how the provider is securing its own, and their customer’s, infrastructure to manage cybersecurity risks. How is data protected? What mechanism and principles are driving the approaches and practices in this very sensitive area?

Microsoft invests $1 billion per year to protect, detect and respond to security incidents, within the company, and on behalf of customers and the millions of victims of cybercrime around the globe. In November 2015 we announced the Microsoft Cyber Defense Operations Center (CDOC). This facility brings together security experts from across the company to help protect, detect and respond to cyber threats in real-time. CDOC dedicated teams operate 24×7, and the center has direct access to thousands of security professionals, data analysts and scientists, engineers, developers, program managers, and operations specialists throughout the Microsoft global network. This ensures rapid detection, response and resolution to security threats.

Figure 2: Cyber Defense Operations Center (CDOC)

Microsoft openly shares how we protect our own and our customers’ infrastructures. Read more about best practices used in the Cyber Defense Operations Center. The CDOC also leverages the power of the cloud through the Microsoft Intelligent Security Graph (ISG).

Every second of every day, we add hundreds of gigabytes worth of telemetry to the Security Graph. This anonymized data is coming from:

  • hundreds of global cloud services, both consumer and commercial
  • data about cyber threats faced by the +1 billion PCs we update via Windows Update every month
  • external data points we collect through extensive research, partnership with industry and law enforcement through the Microsoft Digital Crimes Unit

To give you a visual of what that means, we add to the Security Graph with data from the 300 billion monthly authentications across our consumer and enterprise services, as well as the 200 billion e-mails that are analyzed each month for malware and malicious websites.

Figure 3

Imagine all of this data coming together in one place. Think of how the insight that provides can help to anticipate and defeat attacks, protecting your organization. As you can see in Figure 3, we analyze feedback, malware, spam, authentications, and attacks. For example, data from millions of Xbox Live devices show how they are being attacked, and we learn how to apply that to better protect our customers. Much is incorporated through machine learning and data scientist analysis to better understand the newest techniques of cyber attacks.

In addition to the CDOC, the Digital Crimes Unit and the Intelligent Security Graph, Microsoft also created a dedicated team of enterprise cybersecurity professionals to help move you securely to the Cloud and protect your data. These are just a few examples of the continuous investments Microsoft makes in cybersecurity, that are crucial to create products and services that support your compliance with the GDPR.

How can technology help me with compliance?

Fortunately, there are many technology solutions to help with GDPR compliance. Two of my favorites are Microsoft Azure Information Protection (AIP) and Advanced Threat Protection (ATP) in Exchange Online. AIP ensures your data is identifiable and secure, a key requirement of GDPR – regardless of where it’s stored or how it’s shared. With AIP you can instantly get to work on Steps 1 & 2 mentioned above, to classify, label and protect new or existing data, to share it securely with people within or outside of your organization, to track usage, and even to revoke access remotely. It is intuitive, easy to use and a powerful solution that also includes rich logging and reporting to monitor the distribution of data, and options to manage and control your encryption keys.

When you are ready for step 3 in your GDPR compliance journey, Advanced Threat Protection (ATP) addresses the core requirement of GDPR to protect the personal data of individuals against security threats. Office 365 includes features that safeguard data and identify when a data breach occurs.  One such feature is Advanced Threat Protection (ATP) in Exchange Online Protection that helps protect email against new, sophisticated malware attacks in real time. ATP also provides a way to create policies that prevent users from accessing malicious email attachments or malicious websites linked through emails. For example, with the Safe Attachments feature you can prevent malicious attachments from impacting your messaging environment, even if their signatures are not known. All suspicious content goes through a real-time behavioral malware analysis that uses machine learning techniques to evaluate the content for suspicious activity. Unsafe attachments are sandboxed in a detonation chamber before being sent to recipients.

In conclusion

A recent issue of the Economist explained, “How to manage the computer security threat.” Their top recommendation was that both government and product regulations must lead the way. Without a doubt GDPR needs to be seriously addressed as a top priority on the agenda of every CISO now and beyond May 2018. This is a continuous commitment to security and privacy. By becoming more regulated through GDPR, providing a framework to better protect personal data, and giving tools to implement security controls for protecting, detecting and responding to threats, we will fight our best fight against cyber crime. Microsoft stands ready to work with CISOs to raise awareness, empower and ensure access to the resources available now and in the future.

Learn more about Microsoft GDPR and general security with these helpful resources:

About the author:
Daniel Grabski is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor for Europe, Middle East and Africa time zone in the Enterprise Cybersecurity Group at Microsoft. In this role, he focuses on enterprise, partners, public sector customers and critical security stakeholders.  Daniel delivers strategic security expertise and advice around cybersecurity solutions and services which are needed to build and maintain secure and resilient ICT infrastructure.