Slide 1
GDPR
On the Home Stretch to the DSGVO / GDPR
Stephanus Schulte
Partner Technical Architect, Microsoft Deutschland
Twitter: @StephanusSch
Email: stephanus.schulte@microsoft.com
Ragnar Heil, MVP
Microsoft Alliances Manager EMEA
Twitter: @ragnarh
Email: rheil@metalogix.com
Slide 2
Agenda
• GDPR Trivia
• Microsoft GDPR Resources
• Office 365 E5 Compliance Demos
• Metalogix Hybrid Solutions
• Q&A
Privacy, Trust, and the General Data Protection Regulation
Slide 4
Which issues are GDPR related?
A. Security
B. Legal
C. Compliance
D. Risk
E. Data
Slide 5
What is GDPR?
A. General Data Protection Regulation
B. General Data Protection Guideline
C. General Data Protection Recommendation
Slide 6
What is the maximum data breach penalty under the GDPR compliance directives?
A. 20,000,000 euros or up to 4% of annual turnover, whichever is greater
B. 10,000,000 euros or up to 2% of annual turnover, whichever is greater
C. There is no maximum fine
Slide 7
GDPR applies to which types of individuals or organizations?
A. Any organization that processes personal data
B. All data controllers and processors established in the EU and organizations that target EU citizens
C. Data controllers operating in the EU
Slide 8
Within what period of time must an organization notify a supervising authority about a data breach?
A. Within 48 hours
B. Within 12 hours
C. Within 72 hours
Slide 9
In May 2018, GDPR regulations will give EU residents and citizens more rights and control over their data. However, in what terms will they have more rights and control?
A. The right to be forgotten
B. The right of data portability
C. The right to ignore GDPR
D. Both A and B
Slide 10
General Data Protection Regulation
Who is affected?
• Any organization handling an EU citizen’s data – regardless of size or location
What is covered?
• Personal Data
• Data privacy and explicit consent
• Governance and compliance
GDPR impacts organizations worldwide
Slide 12
Impact of GDPR
Non-compliance could lead to…
1. Fines of up to €20M or 4% of annual revenue
2. Class action lawsuits
3. Lengthy government audit
4. Customer dissatisfaction
5. Contract default / termination
Changes the way organizations process, store, and protect data
52% of global IT decision makers think that they will be fined due to the GDPR
SOURCE: Ovum Report - Data privacy laws: Cutting the red tape
Slide 13
What are the key changes to address the GDPR?
Personal privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications
Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies
Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training
Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
Slide 15
Microsoft Confidential – for internal only use by partners.
Step-by-Step GDPR Compliance
1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications
Slide 16
Step 1: Discover
Identify what personal data customers have and where it resides
In-scope: Any data that helps you identify a person
• Name
• Email address
• Social media posts
• Physical, physiological, or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies
• Cultural identity
Inventory: Identifying where personal data is collected and stored
• Emails
• Documents
• Databases
• Removable media
• Metadata
• Log files
• Backups
Example solutions
• Microsoft Azure: Microsoft Azure Data Catalog
• Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
• Dynamics 365: Audit Data & User Activity, Reporting & Analytics
• Office & Office 365: Data Loss Prevention, Advanced Data Governance, Office 365 eDiscovery
• SQL Server and Azure SQL Database: SQL Query Language
Slide 17
Step 2: Manage
Assist customers in governing how personal data is used and accessed
Data governance: Defining policies, roles and responsibilities for the management and use of personal data
• At rest
• In process
• In transit
• Storing
• Recovery
• Archiving
• Retaining
• Disposal
Data classification: Organizing and labeling data to ensure proper handling
• Types
• Sensitivity
• Context / use
• Ownership
• Custodians
• Administrators
• Users
Example solutions
• Microsoft Azure: Azure Active Directory, Azure Role-Based Access Control (RBAC)
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Security Concepts
• Office & Office 365: Advanced Data Governance, Journaling (Exchange Online)
• Windows & Windows Server: Microsoft Data Classification Toolkit
Slide 18
Step 3: Protect
Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
Preventing data attacks: Protecting data
• Physical datacenter protection
• Network security
• Storage security
• Compute security
• Identity management
• Access control
• Encryption
• Risk mitigation
Detecting & responding to breaches: Monitoring for and detecting system intrusions
• System monitoring
• Breach identification
• Calculating impact
• Planned response
• Disaster recovery
• Notifying DPA & customers
Example solutions
• Microsoft Azure: Azure Key Vault
• Enterprise Mobility + Security (EMS): Azure Active Directory Premium, Microsoft Intune
• Office & Office 365: Advanced Threat Protection, Threat Intelligence
• SQL Server and Azure SQL Database: Transparent data encryption, Always Encrypted
• Windows & Windows Server: Windows Hello, Credential Guard
Slide 19
Step 4: Report
Keep required documentation, manage data requests and breach notifications
Record-keeping: Enterprises will need to record the:
• Purposes of processing
• Classifications of personal data
• Third-parties with access to the data
• Organizational and technical security measures
• Data retention times
Reporting tools: Implement reporting capabilities
• Cloud services (processor) documentation
• Audit logs
• Breach notifications
• Handling Data Subject Requests
• Governance reporting
• Compliance reviews
Example solutions
• Microsoft Trust Center: Service Trust Portal
• Microsoft Azure: Azure Auditing & Logging, Microsoft Azure Monitor
• Enterprise Mobility + Security (EMS): Azure Information Protection
• Dynamics 365: Reporting & Analytics
• Office & Office 365: Service Assurance, Office 365 Audit Logs, Customer Lockbox
Slide 21
Solving for GDPR Compliance
Build a compliance program that focuses on resiliency: people, process, technology.
PEOPLE:
• Assign a DPO
• Train staff on GDPR requirements and new processes
PROCESS:
• Develop processes that reinforce compliance activities
• Develop breach detection and response plan
TECHNOLOGY:
• Leverage technology to automate processes, build redundancies, and reduce human reliance
• Audit processes
Slide 22
How We Can Help
Four Steps to GDPR Compliance Readiness
1. Discover & Locate: Find personal data stored in SharePoint repositories
2. Manage: Track personal data and apply governance
3. Protect: Protect personal data from damage, loss, or breach
4. Audit & Report: Prove compliance and conduct regular audits
Slide 23
How Our Products Align
Locate: Sensitive Content Manager
Scan data stored in SP on-prem / online, SP hybrid, or OneDrive for Business for sensitive information in minutes using predetermined search terms or customized searches.
Manage: ControlPoint
Set and automatically enforce defined governance policies that provide guardrails for normal and compliant business behavior. Locate person-specific records on demand and govern personal information as required.
Slide 24
How Our Products Align
Protect: ControlPoint
Monitor user behavior to detect and automatically react to unusual activity, helping to protect against potential breaches and support compliance with the GDPR requirement to report breaches within 72 hours.
Audit: ControlPoint
Gain visibility into who has accessed personal information and sensitive content over any period of time and show consistent, effective processes through regular audit.
Slide 29
Upcoming Feature Releases
• GDPR Dashboard: A visualization for the end-user on the level of internal GDPR compliance in their environment
• GDPR Value: Gain transparency into internal GDPR compliance activities and full environmental content coverage in a singular view
• Redaction Capability: Ability to surgically remove sensitive information from documents
• GDPR Value: “Right to be forgotten” requires data controllers to have the ability to erase personal data on demand, even within documents in which that data is shared with other unique users who are not making the same demand, or may still serve a business purpose.
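The Discover step (in-scope identifiers such as email addresses, IP addresses and bank details), the Locate step on the Sensitive Content Manager slide (predetermined search terms plus customized searches) and the redaction capability above all rest on the same mechanics: scan each document for identifiers, record where every occurrence sits, and replace exactly those spans on request. The Python below is an added example written for this page; it is not Metalogix or Microsoft code. The sample documents, the three regular expressions, the category labels and the function names are constructed for illustration.

```python
"""Discover personal data in a set of documents and redact it on request (added example)."""
import re
from dataclasses import dataclass

# Constructed sample documents, standing in for files in a SharePoint library.
SAMPLE_DOCS = {
    "hr/onboarding.txt": (
        "Contact Maria Example at maria.example@example.com from 203.0.113.45."
    ),
    "finance/refund.txt": "Refund to IBAN DE89 3704 0044 0532 0130 00 for order 4711.",
    "eng/release-notes.txt": "Version 2.3 fixes the export job timeout.",
}

# Predetermined search patterns for three in-scope identifier types (assumed, simplified).
# A production scanner adds validation (e.g. the IBAN mod-97 check) to cut false positives.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
}


@dataclass(frozen=True)
class Finding:
    """One occurrence of personal data: where it is, what kind, and which span."""
    location: str
    category: str
    start: int
    end: int
    value: str


def scan_document(location, text, patterns=PATTERNS, extra_terms=None):
    """Return the findings in one document, ordered by position.

    extra_terms maps a category label to literal search terms (the "customized
    searches"), e.g. the names of known data subjects, matched case-insensitively.
    """
    findings = []
    for category, pattern in patterns.items():
        for m in pattern.finditer(text):
            findings.append(Finding(location, category, m.start(), m.end(), m.group(0)))
    for category, terms in (extra_terms or {}).items():
        for term in terms:
            for m in re.finditer(re.escape(term), text, flags=re.IGNORECASE):
                findings.append(Finding(location, category, m.start(), m.end(), m.group(0)))
    return sorted(findings, key=lambda f: (f.start, f.end))


def inventory(docs, **kwargs):
    """Map every location that holds personal data to its findings (the Discover step)."""
    result = {}
    for location, text in docs.items():
        findings = scan_document(location, text, **kwargs)
        if findings:
            result[location] = findings
    return result


def redact(text, findings, mask="[REDACTED {category}]"):
    """Replace each finding's span with a mask, working right to left so offsets stay valid.

    Overlapping findings (the same characters matched by two patterns) are masked once.
    """
    out = text
    next_start = len(text)
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.end > next_start:  # overlaps a span that is already masked
            continue
        out = out[:f.start] + mask.format(category=f.category) + out[f.end:]
        next_start = f.start
    return out


def erase_subject(docs, subject_terms):
    """Erase one data subject's identifiers from every document (an erasure request).

    Only the subject's own terms are removed; other people's data and the
    surrounding business content in the same document stay intact.
    """
    erased = {}
    for location, text in docs.items():
        findings = scan_document(
            location, text, patterns={}, extra_terms={"data-subject": subject_terms}
        )
        erased[location] = redact(text, findings)
    return erased


if __name__ == "__main__":
    found = inventory(SAMPLE_DOCS, extra_terms={"custom-term": ["Maria Example"]})
    for location, findings in found.items():
        print(location, [(f.category, f.value) for f in findings])
    print(erase_subject(SAMPLE_DOCS, ["Maria Example", "maria.example@example.com"]))
```

`inventory` answers the Discover question (which locations hold which kinds of personal data) without modifying anything, while `erase_subject` implements the erasure-request case from the "Right to be forgotten" bullet: it masks only the requesting subject's name and address and leaves the IP address, the IBAN and every other document untouched. Real repositories hold OOXML, PDF and email rather than plain strings, so a production scanner sits behind a format-specific text extractor and logs every redaction for the audit trail.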
Slide 30
GDPR
Which questions do you have?
Ragnar Heil, MVP
Microsoft Alliances Manager EMEA
Twitter: @ragnarh
Email: rheil@metalogix.com