The presentation provides an overview of GDPR and how organizations can accelerate compliance using Microsoft cloud services. It discusses the key changes introduced by GDPR including enhanced personal privacy rights, increased duty to protect data, mandatory breach reporting, and significant penalties for non-compliance. It then outlines how Microsoft can help organizations discover, manage, protect, and report personal data through solutions like Azure, Office 365, and Enterprise Mobility + Security.
1. SUGUK Northwest Region – 7th December 2017
With Andy Talbot
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
Accelerate GDPR compliance with the Microsoft Cloud
2. Andy Talbot
- Independent Microsoft 365 Consultant
- http://Collab365.Community Live Show Host
- AvePoint Community Influencer
Contact: andy@andy.im | @SharePointAndy | https://linkedin.com/in/andytalbot/
Anything else? Loves cats, art, travel, house renovation, tech, and GDPR (of course!)
6. Providing clarity and consistency for the protection of personal data
The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.
7. What are the key changes to address the GDPR?
Personal privacy – individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications – organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies – organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training – organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
11. • To simplify your path to compliance, Microsoft are committing to GDPR compliance across their cloud services when enforcement begins on May 25, 2018.
• They will share their experience in complying with complex regulations such as the GDPR.
• Together with their partners, they are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.
12. Microsoft will stand behind you with contractual commitments for their cloud services that:
• Meet stringent security requirements
• Support customers in managing data subject requests
• Provide documentation that enables customers to demonstrate compliance for all the other requirements of the GDPR applicable to processors and more
Microsoft was the first major cloud services provider to make these commitments to its customers. Their goal is to simplify compliance for their customers with both the GDPR and other major regulations.
14. Centralize, Protect, Comply with the Cloud
Process all in one place: centralize processing in a single system, simplifying data management, governance, classification, and oversight.
Maximize your protections: protect data with industry-leading encryption and security technology that’s always up-to-date and assessed by experts.
Streamline your compliance: utilize services that already comply with complex, internationally-recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.
15. Protect through the entire lifecycle
• Protect user credentials with risk-based conditional access
• Safeguard data with built-in encryption technologies
• Rapidly respond to intrusions with built-in controls to detect and respond to data breaches
Govern access and processing
• Enforce use policies and access controls across your systems
• Classify data for simplified compliance
• Easily respond to data requests and transparency requirements
Discover data across systems
• Easily discover and catalog data sources
• Increase visibility with auditing capabilities
• Identify where personal info resides across devices, apps and platforms
20. 1. Discover – identify what personal data you have and where it resides
2. Manage – govern how personal data is used and accessed
3. Protect – establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report – keep required documentation, manage data requests and breach notifications
22. Microsoft will help you Discover (in-scope data and inventory). Example solutions:
• Microsoft Azure: Microsoft Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity; Reporting & Analytics
• Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
• Windows & Windows Server: Windows Search
23. What you use… current project files, current reference docs
What you need to keep… client records, employee records, previous project files
What is this? Dark Data
24. Can you answer the following in your organisation?
Where is it? e.g. File Shares, SharePoint, Office 365, Yammer, Skype for Business, Exchange, SQL
What is it?
• File Level Analysis, e.g. redundant, outdated and trivial (ROT) data; file types (music, log files, etc.)
• Content Level Analysis, e.g. sensitive data; date created; owner
Who can access it? Who owns it? Who can read it? Who can edit it?
WARNING! Non-Microsoft applications are excluded from the above… ask me why!
25. Find out what it really is; establish a way to identify it; protect what’s important; keep what’s required; remove what’s unnecessary; plan for the future.
Reduce cost. Increase productivity.
Users: relevant information
IT Admins: easier maintenance
Compliance Officers: lowered risks
26. Microsoft will help you Manage (data governance and data classification). Example solutions:
• Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit
27. Microsoft will help you Protect (preventing data attacks; detecting & responding to breaches). Example solutions:
• Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
• Office & Office 365: Advanced Threat Protection; Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
• Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard
28. Microsoft will help you Report (record-keeping; reporting tools). Example solutions:
• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
• Windows & Windows Server: Windows Defender Advanced Threat Protection
31. Safeguard customer data in the cloud, including personal data, with industry-leading security measures and privacy policies
32. Microsoft Azure across Discover, Manage, Protect and Report:
Search & identify personal data
• Integrate Azure search for hosted applications to locate personal data across user-defined indexes
• Trace and identify personal data stored in different data sources
Control access
• Securely manage access to your data, applications and other resources
• Enforce separation of duties
Classify data
• Easily determine and assign relative values to your data
Protect data in the cloud
• Employ advanced encryption, cryptography, and monitoring
• Restore data availability with a variety of recovery and geo-redundant storage options
Detect & remediate threats
• Proactively prevent, detect and respond quickly to threats
Record-keeping
• Deliver verifiable transparency and tamper-resistant insights with activity logs
• Leverage comprehensive compliance and privacy documentation for Azure
33. Safeguard customer data in the cloud, including personal data, with industry-leading security measures and privacy policies
34. Dynamics 365 across Discover, Manage, Protect and Report:
Identify personal data
• Create reports that uncover personal data
• Discover, analyze and visualize personal data using Power BI
Define access privileges
• Securely manage access to your data by roles, applications and other resources
Classify content
• Classify data and protect against accidental disclosure
Control access
• Protect data by limiting access based on user roles
• Restrict access to specific high-impact fields or records
Monitor service status
• Monitor service health and stay up to date on the latest security updates
Record-keeping
• Explore Microsoft’s comprehensive documentation on Dynamics 365’s compliance, security, privacy and trust offerings
35. Secure your IT environment and achieve compliance with enterprise-grade user and administrative controls
36. Office 365 across Discover, Manage, Protect and Report (identify personal data; classify content; control access; set retention policies; safeguard environment; respond to threats; transparency assurances; record-keeping):
• Utilize eDiscovery to identify types of personal data
• Easily find, classify, set policies on and manage data with Advanced Data Governance
• Use Advanced eDiscovery to export and/or delete personal data from Exchange, SharePoint, etc.
• Archive and preserve content across your Office 365 systems
• Automatically protect against accidental disclosure by enforcing policy on sensitive data
• Protect email from today’s sophisticated malware attacks with Advanced Threat Protection
• Prevent sensitive records from being used by unauthorized users with Data Loss Protection
• Proactively uncover and protect against advanced threats and risks with Threat Intelligence and Advanced Security Management
• Conduct risk assessments using built-in tools in the Service Assurance Dashboard
• Track and report on user activities with detailed Audit Logs
37. Protect customer data both in the cloud, and on-premises, with industry-leading security capabilities
38. Enterprise Mobility + Security across Discover, Manage, Protect and Report:
Identify personal data
• Quickly identify sensitive data across your environment with Azure Information Protection
• Discover cloud apps in your environment
• Gain deeper visibility into user activity
Classify & label data
• Define a classification scheme for better data manageability
• Use Azure Information Protection to configure policies for classifying, labeling and protecting personal data
Protect data, identities, devices & apps
• Deliver consistent data protection with Azure Information Protection
• Protect personal data with risk-based conditional access and Privileged Identity Management
• Protect data in mobile devices and mobile apps with Microsoft Intune
Detect threats & remediate
• Detect data breaches with behavioral analytics and anomaly detection technologies
Gain rich logging & reporting
• Gain rich logging and reporting to analyze how sensitive data is distributed
• Monitor activities on shared data and revoke access in unexpected events with Azure Information Protection
39. Protect the data inside your databases with controls for managing access and authorization at several levels
40. SQL Server and Azure SQL Database across Discover, Manage, Protect and Report:
Identify and track personal data
• Easily query databases to uncover personal data
• Tag data with sensitivity labels using Extended Properties
Control access
• Securely authenticate to your database and apply granular authorization policies
• Restrict access to users using Dynamic Data Masking and Row-Level Security
Safeguard data
• Encrypt data whether at rest, in transit or in client applications
Respond to breaches
• Track and log database events to identify potential threats or security violations
• Use continuously learning algorithms to identify unusual or suspicious activity
Record-keeping
• Track and report on all database activities with granularly configurable auditing
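The slide-40 pattern carried through in T-SQL, as an added example that is not from the deck: a constructed dbo.Customers table whose personal-data columns are tagged with a sensitivity label via extended properties, a catalog query that discovers every tagged column, Dynamic Data Masking so ordinary readers see masked values, and a Row-Level Security policy that filters rows by a session-context region. Table, column, label and schema names are assumptions.

```sql
-- Constructed sample table (assumption: not from the deck).
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(255) NOT NULL,
    NationalId  CHAR(9)       NOT NULL,
    OwnerRegion NVARCHAR(20)  NOT NULL   -- consulted by the RLS predicate below
);

-- 1. Tag personal-data columns with a sensitivity label (extended property).
EXEC sys.sp_addextendedproperty
    @name = N'GDPR_Sensitivity', @value = N'Personal',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'Customers',
    @level2type = N'COLUMN', @level2name = N'Email';
EXEC sys.sp_addextendedproperty
    @name = N'GDPR_Sensitivity', @value = N'Highly Confidential',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'Customers',
    @level2type = N'COLUMN', @level2name = N'NationalId';

-- 2. Discover: list every column in the database carrying the label
--    (class = 1 means the property sits on an object or column).
SELECT s.name AS [schema], t.name AS [table], c.name AS [column],
       CAST(ep.value AS NVARCHAR(100)) AS sensitivity
FROM sys.extended_properties AS ep
JOIN sys.columns AS c ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE ep.class = 1 AND ep.name = N'GDPR_Sensitivity';

-- 3. Dynamic Data Masking: readers without UNMASK see aXXX@XXXX.com
--    and XXXXX plus the last four characters of the national id.
ALTER TABLE dbo.Customers
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customers
    ALTER COLUMN NationalId ADD MASKED WITH (FUNCTION = 'partial(0,"XXXXX",4)');
-- GRANT UNMASK TO <role> only for the few principals that need clear values.
GO

-- 4. Row-Level Security: a regional support user sees only its own rows;
--    db_owner members are exempt so administration still works.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate(@OwnerRegion AS NVARCHAR(20))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @OwnerRegion = CAST(SESSION_CONTEXT(N'Region') AS NVARCHAR(20))
              OR IS_MEMBER('db_owner') = 1;
GO
CREATE SECURITY POLICY Security.CustomerRegionFilter
    ADD FILTER PREDICATE Security.fn_RegionPredicate(OwnerRegion) ON dbo.Customers
    WITH (STATE = ON);
GO
-- The application sets the region once per connection before querying:
-- EXEC sys.sp_set_session_context @key = N'Region', @value = N'UK';
```

Pair this with SQL auditing (slide 40's record-keeping bullet) so that reads of labelled columns and changes to the security policy are logged.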
41. Protect devices with industry-leading encryption, anti-malware technologies, and identity and access solutions
42. Windows & Windows Server across Discover, Manage, Protect and Report:
Locate personal data
• Uncover personal data on local and connected machines
Safeguard environment
• Move from passwords to more secure forms of authentication
• Protect devices with both detection-based solutions and secure-by-design techniques
• Prevent data from leaking to unauthorized documents or locations
Respond to threats
• Easily detect, investigate, contain and respond to data breaches on your network
Record-keeping
• Audit detailed user and application actions to meet reporting and auditing requirements
Meet compliance requirements
• Utilize sample search expressions and rules to ease compliance requirements
53. 38 Cloud regions worldwide (with more planned); 100+ datacenters; one of the 3 largest networks in the world.
Global datacenters: West US, West US 2, Central US, East US, East US 2, North Central US, South Central US, West Central US, Canada East, Canada Central, Brazil South, West Europe, North Europe, United Kingdom West, United Kingdom South, France³, France³, Japan East, Japan West, South India, Central India, West India, Southeast Asia, East Asia, Australia Southeast, Australia East, Korea South³, Korea Central³.
Sovereign datacenters: China West¹, China East¹, Germany Northeast², Germany Central², US Gov Virginia, US Gov Iowa, US Gov Texas³, US Gov Arizona³, US DoD East, US DoD West.
¹ China datacenters operated by 21 Vianet
² German data trustee services provided by T-Systems
³ France, South Korea and US Gov datacenter regions have been announced but are not currently operational
54. Compliance offerings
Global: ISO 27001; ISO 27018; ISO 27017; ISO 22301; ISO 9001; SOC 1 Type 2; SOC 2 Type 2; SOC 3; CSA STAR Self-Assessment; CSA STAR Certification; CSA STAR Attestation
US Gov: High JAB P-ATO; Moderate JAB P-ATO; DoD DISA SRG Level 2; DoD DISA SRG Level 4; DoD DISA SRG Level 5; FIPS 140-2; SP 800-171; ITAR; CJIS; IRS 1075; Section 508 VPAT
Industry: HIPAA / HITECH Act; HITRUST; FERPA; GxP 21 CFR Part 11; PCI DSS Level 1; MARS-E; FFIEC; GLBA; MPAA; FACT UK; CDSA; Shared Assessments; IG Toolkit UK
Regional: Singapore MTCS; UK G-Cloud; Australia IRAP/CCSL; FISC Japan; New Zealand GCIO; China GB 18030; China TRUCS; China DJCP; EU Model Clauses; ENISA IAF; Argentina PDPA; Japan CS Mark Gold; Japan My Number Act; Spain ENS; Spain DPA; Canada Privacy Laws; Privacy Shield; India MeitY; Germany IT Grundschutz workbook
Azure has the deepest and most comprehensive compliance coverage in the industry
55. Get answers to common enterprise questions at the Microsoft Trust Center
58. Please provide me with a copy of, or access to, my personal data that you have or are processing!
Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
Please provide a list of all third parties with whom you have (or may have) shared my personal data. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.
60. There is so much to choose from, but here’s Andy’s top list
61. I recommend at least a weekly check - https://securescore.office.com/
64. More ways to learn
LEARN:
• GDPR Benchmark Report – download full report
• White Paper: The Operational Impact of the European Union General Data Protection Regulation (GDPR) on IT
• GDPR Blog Series
• AvePoint’s GDPR Solutions – tools for GDPR compliance: www.avepoint.com/GDPR
DO:
• AvePoint Privacy Impact Assessment System – our free privacy impact assessment tool exclusively distributed by the International Association of Privacy Professionals (IAPP): https://iapp.org/resources/apia/
MSFT Field - Please view presenter notes/talk track at: aka.ms/gdprnotes
File shares still represent a major document repository for many organizations, but the reality is they just do not give the control necessary to meet today’s complex regulatory requirements around data privacy and records management.
As time goes on, more and more data is created and accumulated, and you know less and less about what’s actually living within those file shares.
There’s the data that’s currently being used, and data that you are required to keep.
Documents being collaborated on for current projects, such as plans, images, proposals, presentations, etc., or reference docs like company policies and official forms and templates.
Most organizations are required to maintain certain files for a specific period of time, such as client and employee records, or certain files/contracts from previous engagements.
But there’s a vast amount of data that simply cannot be accounted for: 4 versions of the same file that Johnny Dogood created as drafts for some task before he left, that no one even realizes exist, let alone what’s within them [or insert your favorite examples/anecdotes].
All of that dark data sitting there, no one really knows what it’s for, who actually owns it, or what type of information it contains…
Where is it? File Share, SharePoint, Office 365, Database
What is it? File level analysis: redundant, outdated and trivial (ROT) data; file types (music, log files, etc.). Content level analysis: sensitive data, date created, owner
Who can access it? Who owns it? Who can read it? Who can edit it?
File analysis helps you…
Find out what it really is – Start by understanding your data. What’s in it? Is it important?
Establish a way to identify it – Standardize your taxonomy. Set a structure around factors that determine classification.
Protect what’s important – Establish proper SLAs.
Keep what’s required – Make sure your record requirements are met.
Remove what’s unnecessary – Minimize clutter.
Plan for the future – Consider scalability down the line as things like organizational structure change.
This way, users will be able to find what they need quickly and logically, IT admins will be able to identify types of data and act accordingly, and compliance officers will have visibility into the information within the system and can be sure that updating policies means the data will conform accordingly.
Ultimately reducing cost and making it easier for everyone to get their jobs done.
Microsoft Azure: Azure Security Center; Data Encryption in Azure Storage; Azure Key Vault; Log Analytics
Enterprise Mobility + Security (EMS): Azure Active Directory (Azure AD); Azure Active Directory Premium; Microsoft Cloud App Security; Microsoft Intune; Microsoft Azure Information Protection
Office & Office 365: Advanced Threat Protection; Threat Intelligence; Advanced Security Management; Office 365 Audit Logs
SQL Server and Azure SQL Database: Azure SQL Database firewall; SQL Server authentication; Dynamic Data Masking (DDM); Row-Level Security (RLS); Transparent Data Encryption; Always Encrypted; Auditing for SQL Database and SQL Server audit; SQL Database Threat Detection
Windows 10 & Windows Server 2016: Windows Hello; Windows Defender Antivirus; Windows Defender Advanced Threat Protection; Device Guard; Credential Guard; BitLocker Drive Encryption; Windows Information Protection; Shielded Virtual Machines; Just Enough Administration and Just in Time Administration
People – identity, device, apps, data
MSFT Field - Please view associated material at: https://microsoft.sharepoint.com/sites/Infopedia_G01/Pages/OneMicrosoftSecurity.aspx
http://www.reuters.com/article/US-microsoft-privacy-idUSKCN0XB22U
http://blogs.microsoft.com/on-the-issues/2016/07/14/search-warrant-case-important-decision-people-everywhere/#I5UQu7aUGCU56XCV.99
When governments or law enforcement make a lawful request for customer data from Microsoft, we are committed to transparency and limit what we disclose. Because Microsoft believes that customers should control their own data, we will not disclose data hosted in the Microsoft Cloud to a government or law enforcement except as you direct or where required by law.
We do not offer direct access to customer data. Microsoft does not give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct. We do not provide any government with our encryption keys or the ability to break our encryption.
We redirect law enforcement and other third-party requests to the customer. When we receive a government or law enforcement request for customer data:
We always attempt to redirect the third party to obtain the requested data from our customer.
We will promptly notify you of any third-party request, and give you a copy unless we are legally prohibited from doing so.
We disclose information only when we are legally compelled to do so for valid requests that we are not able to redirect to the customer, and we always make sure that we provide only the data specified in the legal order.
We are transparent regarding government requests for customer data. The Microsoft Transparency Hub brings together reports that Microsoft issues regularly on requests for customer data made by law enforcement, as well as government requests related to US national security. These reports include:
Law Enforcement Requests Report discloses the scope and number of requests for access to Microsoft customer data.
U.S. National Security Orders Report documents government requests for customer data through legal orders issued pursuant to the national security laws of the United States.
The number of enterprise cloud customers subjected to law enforcement requests is very small. In the first half of 2016, Microsoft received twenty-eight requests from law enforcement for accounts associated with enterprise cloud customers. In twelve cases, the requests were rejected, withdrawn or law enforcement was successfully redirected to the customer. In sixteen cases Microsoft was compelled to provide responsive information, five of the sixteen cases required the disclosure of some customer content and in the remaining eleven cases we were compelled to disclose non-content information only.
Feb-2017: Azure compliance coverage includes 54 offerings.