Yep, here is another blog on the General Data Protection Regulation (GDPR). You’ll probably be wondering:
- aren’t there enough of these blogs to go around?
- isn’t that subject too complex for a simple blog?
And the simple answer to both is yes. 🙂 Just try to find some information on the GDPR with a simple web search and you will end up with more than 4 million results.
So, instead, this blog will guide you to some of the Microsoft resources related to the GDPR. But before I do, here’s a small GDPR for Dummies. And as I’m no information manager, compliance officer or data protection officer, I’m the dummy as well 🙂
General Data Protection Regulation facts
The GDPR (Regulation (EU) 2016/679) replaces the previous data protection directive (Directive 95/46/EC) from 1996. It comes into effect on May 25th, 2018 and is binding from that moment on.
The GDPR aims at strengthening data protection for individuals within the European Union. This does not mean that non-EU companies are exempt from the regulation: it applies to any organization that processes the personal data of EU individuals.
One of the important aspects of the GDPR is the set of roles it defines. First there is the EU individual. Then there are the data controllers and data processors. Let’s say you work at a company that uses Microsoft Office 365 as (the basis for) its digital workspace. The content stored in that digital workspace is owned by the organization, which makes the organization the data controller. Microsoft enables you to work with that content using its technology, which makes Microsoft the data processor. Oh, and there’s you: the person 🙂 You are the so-called data subject.
As an EU individual, the GDPR gives you the right to access your personal data and to have incorrect personal data corrected or deleted. You even have the right to be “forgotten”, when certain conditions are met. When you want to, you should be able to receive a copy of your personal data. And you must be assured that your personal data is secure and protected at all times.
Working together, the data controller and the data processor must ensure that GDPR compliance is met. Part of this amounts to having written agreements, containing the required GDPR terms, between data processor and data controller. If you want to look at some of these types of agreements, visit the Security & Compliance Center of your tenant. There, in the Service assurance section, you’ll find all relevant documents.
The penalties for non-compliance can be severe: non-compliant data processors risk fines of up to 4% of global annual turnover.
Microsoft solutions for GDPR
Here is an overview of some of the solutions Microsoft offers to help you become GDPR ready. In the links below, you will find detailed information on all of these solutions.
- Data loss prevention including 80 sensitive data types – specific GDPR types are coming very soon;
- Advanced data governance, including label policies;
- eDiscovery and case management;
- Customer lockbox;
- Advanced threat detection;
- Threat analysis;
- Advanced security management;
- Azure Information Protection;
- Audit logs.
Microsoft has a lot of options to offer us. Many of these relate to security and access control. But in order to be truly compliant, you will need to know which options are relevant to your organization and how to employ them.
I think the most complex subject here is the ability to provide the data subject (the person) with the information required. Let’s remember that an organization only has 30 days to comply with a data request. This requires fool-proof processes and excellent content search.
Microsoft does offer some solutions for this (80 new GDPR sensitive data types will become available, for example), but it is not the only vendor that does. You might also want to look at Nintex, Metalogix or Brightcloud, for example.
It’s going to be an interesting 2018 🙂