The presentation provides an overview of GDPR and how organizations can accelerate compliance using Microsoft cloud services. It discusses the key changes introduced by GDPR including enhanced personal privacy rights, increased duty to protect data, mandatory breach reporting, and significant penalties for non-compliance. It then outlines how Microsoft can help organizations discover, manage, protect, and report personal data through solutions like Azure, Office 365, and Enterprise Mobility + Security.

1. SUGUK Northwest Region – 07th December 2017
With Andy Talbot
This presentation is intended to provide an overview
of GDPR and is not a definitive statement of the law.
Accelerate GDPR compliance with the Microsoft Cloud

2. Andy Talbot
- Independent Microsoft 365 Consultant
- http://Collab365.Community Live Show Host
- AvePoint Community Influencer
Contact
andy@andy.im | @SharePointAndy
https://linkedin.com/in/andytalbot/
…….....Anything else?
Love’s cats, art, travel, house renovation, tech,
and…….GDPR (of course!)

3. Outline

4. CoreNarrative

5. What are the key changes being introduced?

6. Providing clarity and consistency for the protection
of personal data
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection
Regulation (GDPR) imposes new
rules on organizations in the European
Union (EU) and those that offer goods
and services to people in the EU, or that
collect and analyze data tied to EU
residents, no matter where they are
located.
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights

7. What are the key changes to address the GDPR?
Personal
privacy
Controls and
notifications
Transparent
policies
IT and training
Organizations will need to:
• Train privacy personnel
& employee
• Audit and update data
policies
• Employ a Data
Protection Officer (if
required)
• Create & manage
compliant vendor
contracts
Organizations will need to:
• Protect personal data
using appropriate security
• Notify authorities of
personal data breaches
• Obtain appropriate
consents for processing
data
• Keep records detailing
data processing
Individuals have the right to:
• Access their personal
data
• Correct errors in their
personal data
• Erase their personal data
• Object to processing of
their personal data
• Export personal data
Organizations are required
to:
• Provide clear notice of
data collection
• Outline processing
purposes and use cases
• Define data retention
and deletion policies

8. What does this mean for my data?

9. Protecting customer
privacy with GDPR

10. Microsoft’s commitments to you

11. • To simplify your path to compliance, Microsoft are committing to
GDPR compliance across their cloud services when enforcement
begins on May 25, 2018.
• They will share their experience in complying with complex
regulations such as the GDPR.
• Together with their partners, they are prepared to help you meet
your policy, people, process, and technology goals on your journey
to GDPR.

12. Microsoft will stand behind you with contractual
commitments for their cloud services that:
• Meet stringent security requirements
• Support customers in managing data subject requests
• Provide documentation that enables customers to
demonstrate compliance for all the other requirements
of the GDPR applicable to processors and more
Microsoft was the first major cloud services provider
to make these commitments to its customers. Their
goal is to simplify compliance for their customers with
both the GDPR and other major regulations.

14. Centralize, Protect, Comply with the Cloud
Centralize processing in a single system, simplifying data management,
governance, classification, and oversight.
Protect data with industry leading encryption and security technology
that’s always up-to-date and assessed by experts.
Utilize services that already comply with complex, internationally-
recognized standards to more easily meet new requirements, such as
facilitating the requests of data subjects.
Maximize your protections
Process all in one place
Streamline your compliance

15. Protect through
the entire lifecycle
Discover data across
systems
Govern access and
processing
• Protect user credentials with
risk-based conditional access
• Safeguard data with built-in
encryption technologies
• Rapidly respond to intrusions
with built-in controls to detect
and respond to data breaches
• Enforce use policies and access
controls across your systems
• Classify data for simplified
compliance
• Easily respond to data requests
and transparency requirements
• Easily discover and catalog
data sources
• Increase visibility with auditing
capabilities
• Identify where personal info
resides across devices, apps
and platforms
0
0
1
1
0
0
1
0
0
1
1
0
0
0
0
1
01
0
0
1
1
0
0
1
0
0
1
1
0
0

16. Learn from Microsoft’s
experience
Engage Microsoft’s global
partner ecosystem
Leverage Microsoft’s GDPR
preparation resources
+ +

17. How can you get started?

18. It allows you use your data as an asset without crashing and burning

19. Create & Collect
Use
Share
Dispose
DATA
LIFECYCLE

20. Identify what personal data you have and
where it resides
Discover1
Govern how personal data is used
and accessed
Manage2
Establish security controls to prevent, detect,
and respond to vulnerabilities & data breaches
Protect3
Keep required documentation, manage data
requests and breach notifications
Report4

21. Let’s Get Started!
REPORTPROTECTMANAGEDISCOVER

22. Microsoft will help you
Discover:
In-scope:
•
•
•
•
•
•
•
•
•
•
Inventory:
•
•
•
•
•
•
•
Microsoft Azure
Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS)
Microsoft Cloud App Security
Dynamics 365
Audit Data & User Activity
Reporting & Analytics
Office & Office 365
Data Loss Prevention
Advanced Data Governance
Office 365 eDiscovery
SQL Server and Azure SQL Database
SQL Query Language
Windows & Windows Server
Windows Search
Example solutions
1

23. • Current project files
• Current reference docs
What is this?
• Client records
• Employee records
• Previous project files
What you use…
What you need to keep…
Dark Data

24. Where is it? What is it? Who can access it?
?
Who owns it?
Who can read it?
Who can edit it?
File Level Analysis
Content Level Analysis
e.g.
• Redundant, outdated and
trivial (ROT) data
• File types (Music, log files,
etc..)
e.g.
• Sensitive data
• Date Created
• Owner
Can you answer the following in your organisation?
e.g.
• File Shares
• SharePoint
• Office 365
• Yammer
• Skype for
Business
• Exchange
• SQL
WARNING! None Microsoft Applications excluded from the above…..ask me why!

25. Plan for the future
Remove what’s unnecessary
Keep what’s required
Protect what’s important
Establish a way to identify it
Find out what it really is
Reduce Cost.
Increase
Productivity.
$
Users:
Relevant Information
IT Admins:
Easier Maintenance
Compliance Officers:
Lowered Risks

26. 2
Example solutions
Microsoft will help you
Manage:
Data governance:
•
•
•
•
•
•
•
•
Data classification:
•
•
•
•
•
•
•
Microsoft Azure
Azure Active Directory
Azure Information Protection
Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS)
Azure Information Protection
Dynamics 365
Security Concepts
Office & Office 365
Advanced Data Governance
Journaling (Exchange Online)
Windows & Windows Server
Microsoft Data Classification Toolkit

27. 3
Example solutions
Microsoft will help you
Protect:
Preventing data
attacks:
•
•
•
•
•
•
•
•
Detecting &
responding to
breaches:
•
•
•
•
•
•
Microsoft Azure
Azure Key Vault
Azure Security Center
Azure Storage Services Encryption
Enterprise Mobility + Security (EMS)
Azure Active Directory Premium
Microsoft Intune
Office & Office 365
Advanced Threat Protection
Threat Intelligence
SQL Server and Azure SQL Database
Transparent data encryption
Always Encrypted
Windows & Windows Server
Windows Defender Advanced Threat Protection
Windows Hello
Device Guard

28. 4
Example solutions
Record-keeping:
•
•
•
•
•
Reporting tools:
•
•
•
•
•
•
Microsoft Trust Center
Service Trust Portal
Microsoft Azure
Azure Auditing & Logging
Azure Data Lake
Azure Monitor
Enterprise Mobility + Security (EMS)
Azure Information Protection
Dynamics 365
Reporting & Analytics
Office & Office 365
Service Assurance
Office 365 Audit Logs
Customer Lockbox
Windows & Windows Server
Windows Defender Advanced Threat Protection
Microsoft will help you
Report:

29. Looking closer at Microsoft capability

31. Safeguard customer data in the cloud,
including personal data, with industry-leading
security measures and privacy policies

32. • Integrate Azure search for hosted
applications to locate personal data
across user-defined indexes
• Trace and identify personal data
stored in different data sources
Search &
identify
personal data
Protect data
in the cloud
Control
access
Detect &
Remediate
threats
Classify
data
Record-
keeping
• Securely manage access to your
data, applications and other
resources
• Enforce separation of duties
• Easily determine and assign
relative values to your data
• Employ advanced encryption,
cryptography, and monitoring
• Restore data availability with a
variety of recovery and Geo-
redundant storage options
• Proactively prevent, detect and
respond quickly to threats
• Deliver verifiable transparency
and delivers tamper-resistant
insights with activity log
• Leverage comprehensive
compliance and privacy
documentation for Azure
Discover Manage Protect Report

33. Safeguard customer data in the cloud,
including personal data, with industry-leading
security measures and privacy policies

34. • Create reports that uncover
personal data
• Discover, analyze and visualize
personal data using Power BI
Record-
keeping
• Securely manage access to your
data by roles, applications and
other resources
• Classify data and protect against
accidental disclosure
• Protect data by limiting access
based on user roles
• Restrict access to specific high-
impact fields or records
• Monitor service health and stay-
up-to-date on the latest security
updates
• Explore Microsoft’s comprehensive
documentation on Dynamics 365’s
compliance, security, privacy and
trust offerings
Discover Manage Protect Report
Define access
privileges
Monitor
service status
Control
access
Classify
content
Identify
personal data

35. Secure your IT environment and achieve
compliance with enterprise-grade user and
administrative controls

36. • Utilize eDiscovery to identify
types of personal data
• Easily find, classify, set policies
on and manage data with
Advanced Data Governance
Identify
personal data
Control
access
Safeguard
environment
Set retention
policies
Respond to
threats
Transparency
assurances
Classify
content
Record-
keeping
• Use Advanced eDiscovery to
export and/or delete personal
data from Exchange, SharePoint,
etc.
• Archive and preserve content
across your Office 365 systems
• Automatically protect against
accidental disclosure by
enforcing policy on sensitive
data
• Protect email from today’s
sophisticated malware attacks
with Advanced Threat Protection
• Prevent sensitive records from
being used by unauthorized users
with Data Loss Protection
• Proactively uncover and protect
against advanced threats and
risks with Threat Intelligence and
Advanced Security Management
• Conduct risk assessments using
built-in tools in the Service
Assurance Dashboard
• Track and report on user
activities with detailed Audit
Logs
Discover Manage Protect Report

37. Protect customer data both in the cloud, and
on-premises, with industry-leading security
capabilities

38. • Quickly identify sensitive data
across your environment with
Azure Information Protection
• Discover cloud apps in your
environment
• Gain deeper visibility into user
activity
Identify
personal data
Protect data,
identities,
devices &
apps
Detect
threats &
remediate
Gain rich
logging &
reporting
• Deliver consistent data protection with
Azure Information Protection
• Protect personal data with risk-based
conditional access and Privileged
Identity Management
• Protect data in mobile devices and
mobile apps with Microsoft Intune
• Detect data breaches with behavioral
analytics and anomaly detection
technologies
• Gain rich logging and reporting
to analyze how sensitive data is
distributed
• Monitor activities on shared
data and revoke access in
unexpected events with Azure
Information Protection
Classify &
label data
• Define a classification scheme
for better data manageability
• Use Azure Information
Protection to configure policies
for classifying, labeling and
protecting personal data
Discover Manage Protect Report

39. Protect the data inside your databases with
controls for managing access and
authorization at several levels

40. • Easily query databases to
uncover personal data
• Tag data with sensitivity labels
using Extended Properties
Identify and
track
personal data
Safeguard
data
Respond to
breaches
• Encrypt data whether at rest, in
transit or in client applications
• Track and log database events
to identify potential threats or
security violations
• Use continuously learning
algorithms to identify unusual or
suspicious activity
• Track and report on all database
activities with granularly
configurable auditing
• Securely authenticate to your
database and apply granular
authorization policies
• Restrict access to users using
Dynamic Data Masking and
Row-Level Security
Control
access
Record-
keeping
Discover Manage Protect Report

41. Protect devices with industry-leading
encryption, anti-malware technologies, and
identity and access solutions

42. • Uncover personal data on local
and connected machines
Locate
personal data
Safeguard
environment
Respond to
threats
Record-
keeping
• Move from password to more
secure forms of authentication
• Protect devices with both
detection-based solutions and
secure-by-design techniques
• Prevent data from leaking to
unauthorized documents or
locations
• Easily detect, investigate,
contain and respond to data
breaches on your network
• Audit detailed user and
application actions to meet
reporting auditing requirements
• Utilize sample search expression
and rules to ease compliance
requirements
Meet
compliance
requirements
Discover Manage Protect Report

43. Microsoft 365

46. Microsoft’s Security Story

47. Infrastructure
investments
Highly-regulated
industries
Global
requirements
Local & regional
compliance requirements
Future
requirements

48. Platform PartnersIntelligence

52. PROTECTING CUSTOMER DATA PRIVACY

53. West US
West US 2
38 Cloud regions worldwide (with more planned)
Central US
East US
North Central US
Brazil South
West Europe
Japan East
South India
Southeast
Asia
Australia Southeast
Australia East
Central India
West India
Japan West
East Asia
China West1
North Europe
Germany
Northeast2
Canada East
Canada Central
South Central US
China East1
Germany
Central2
Korea
South3
East US 2
Korea Central3
United Kingdom West
United Kingdom
South
West Central US
US Gov Virginia
US Gov Iowa
US DoD East
US DoD
West
France3
France3
100+ datacenters
One of 3 largest networks in the world
1China datacenters operated by 21 Vianet
2German data trustee services provided by
T-systems
3France, South Korea and US Gov datacenter
regions have been announced but are not
currently operational
Sovereign datacenters
Global datacenters
US Gov Texas3
US Gov Arizona3

54. HIPAA /
HITECH Act
FERPA
GxP
21 CFR Part 11
Singapore
MTCS
UK
G-Cloud
Australia
IRAP/CCSL
FISC Japan
New Zealand
GCIO
China
GB 18030
EU
Model Clauses
ENISA
IAF
Argentina
PDPA
Japan CS
Mark Gold
CDSA
Shared
Assessments
Japan My
Number Act
FACT UK GLBA
Spain
ENS
PCI DSS
Level 1 MARS-E FFIEC
China
TRUCS
Canada
Privacy Laws
MPAA
Privacy
Shield
India
MeitY
Germany IT
Grundschutz
workbook
Spain
DPA
HITRUST IG Toolkit UK
China
DJCP
ITAR
Section 508
VPAT
SP 800-171 FIPS 140-2
High
JAB P-ATO
CJIS
DoD DISA
SRG Level 2
DoD DISA
SRG Level 4
IRS 1075
DoD DISA
SRG Level 5
Moderate
JAB P-ATO
GLOBALUSGOVINDUSTRYREGIONAL
ISO 27001
SOC 1
Type 2ISO 27018
CSA STAR
Self-AssessmentISO 27017
SOC 2
Type 2 SOC 3ISO 22301
CSA STAR
Certification
CSA STAR
AttestationISO 9001
Azure has the deepest and most comprehensive compliance coverage in the industry

55. GET ANSWERS TO COMMON
ENTERPRISE QUESTIONS AT THE
MICROSOFT TRUST CENTER

56. Key Takeaways

58. Please provide me with a
copy of, or access to, my
personal data that you
have or are processing!
Please confirm to me whether or not my personal
data is being processed. If it is, please provide me
with the categories of personal data you have about
me in your files and databases.
In particular, please tell me what you know about
me in your information systems, whether or not
contained in databases, and including e-mail,
documents on your networks, or voice or other
media that you may store.
Please provide a list of all third parties with whom
you have (or may have) shared my personal data.
Additionally, I would like to know what safeguards
have been put in place in relation to these third
parties that you have identified in relation to the
transfer of my personal data.

60. There is so much to chose from, but here’s Andy’s top list

61. I recommend at least a weekly check - https://securescore.office.com/

62. https://microsoft.com/gdpr
https://aka.ms/GDPRBlogPost
https://aka.ms/gdprwhitepaper
https://aka.ms/gdproverview
https://www.microsoft.com/en-us/TrustCenter/CloudServices/NationalCloud
http://andy.im/24

64. GDPR Benchmark Report
Download full report
White Paper
The Operational Impact of the European Union General Data Protection
Regulation (GDPR) on IT
GDPR Blog Series
More ways to learn
AvePoint’s GDPR Solutions
Tools for GDPR compliance
www.avepoint.com/GDPR
DO AvePoint Privacy Impact Assessment System
Our free privacy impact assessment tool exclusively distributed by the
International Association of Privacy Professionals (IAPP)
https://iapp.org/resources/apia/
LEARN

66. “Questions in life are guaranteed,
but answers not always!”

67. Thanks!
Contact
andy@andy.im | @SharePointAndy
https://linkedin.com/in/andytalbot/