Are you prepared for the new era in privacy regulation?
By Rob Quickenden, Chief Strategy Officer and Microsoft Business Unit Lead at Cisilion Ltd
In May 2018, a new European privacy law takes effect. It will require big changes, and potentially significant investment, by organisations all over the world, and it is the biggest change in privacy law since the Data Protection Act was first introduced. Every business that holds or processes data about people in the EU will be affected.
Known as the General Data Protection Regulation (GDPR), the law imposes new rules on companies, government agencies, non-profits and other organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents. Because it is a regulation rather than a directive, it applies directly in every member state, and it applies no matter where your organisation is located.
GDPR represents an important step forward for individual privacy rights as it gives EU residents more control over their “personal data”. The GDPR also seeks to ensure personal data is protected no matter where it is sent, processed or stored. The law updates European privacy regulation for the first time in more than two decades, bringing it more in line with current technologies, and increases the uniformity of privacy rules across the EU’s member states. However, the GDPR is a complex regulation that may require significant changes in how you gather, classify and protect data.
For example, let’s say that you have a secure CRM environment that you use internally for accessing client data. It's secure, has multi-factor authenticated access and logs user access and activity. Well, that's great, but what happens when an authorised user downloads and shares client information either internally or externally? Whilst the CRM system may be able to log and report on the initial share, how do you track, protect and revoke access to this information once it’s left your organisation?
So… as of today, you have about 15 months to get GDPR fit. Like many of us in the first few months of 2017, fitness is high on the personal agenda. You can think of GDPR like getting ready to run next year’s London marathon – something I’m going to try to do! You wouldn’t leave it to the last minute to prepare and train - you’d have a fitness plan that gets you from where you are today to where you need to be. If you're like me, that means a 10K is doable, a ½ marathon is way off and a full 26 miler is nothing but a “how on earth” moment!
Where do I start?
The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches (the regulation requires notification to the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk), and how you train privacy personnel and employees.
Given how much is involved, you won’t want to wait until the regulation takes effect in May 2018 to start thinking about this. You need to begin reviewing your privacy and data management practices now: companies that do not meet the requirements and obligations face substantial fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher), not to mention harm to their reputation.
The good news is that, looked at logically, there are five key areas in which businesses typically need to review, assess and potentially update their current information protection and privacy practices. The easiest way to start is to:
- Discover and identify what personal data you have and where it resides
- Control and manage how personal data is used and accessed
- Protect data by establishing security controls to prevent, detect and respond to vulnerabilities and breaches
- Report on requests for information, potential breaches and data leakages
- Review your systems continually to ensure you stay compliant and reduce risk
Where are you on your GDPR journey? Let’s get our trainers dusted down and put on our shorts!
Let’s get GDPR Fit
To get physically fit you already possess many of the tools you need, assuming you’re able-bodied of course. You have a body, you have air in your lungs, you probably have a pair of trainers, shorts and a t-shirt, and you’ll live near a road you can run on or ideally near a park. You know you want to get fit; you just need to use the tools you have to motivate yourself to use your body, measure your performance (you might use a fitness tracker to help) and set yourself milestones.
Getting GDPR fit is similar. If you use Microsoft technologies, then the good news is you likely already have many of the tools to help your business get “GDPR Fit”. Office 365, and the additional security and compliance tools provided within the Enterprise Mobility + Security suite, can help considerably.
The features below are not an exhaustive list, but hopefully they'll give you some ideas and insights into what can be achieved, either by configuring what you already have or “bolting” on additional features in the event you don’t already have another tool or service which ticks the boxes for you.
Getting GDPR Fit with Office 365
Microsoft Office 365 is already designed with industry-leading security measures and privacy policies to safeguard your data, including the categories of personal data identified by the GDPR. By working with Cisilion and using the Office 365 service you already have, we can help you on your journey to reducing risks and achieving compliance with the GDPR.
The first essential step to meeting the GDPR obligations is discovering and controlling what personal data you hold and where it resides. There are several Office 365 components that you most likely already have access to that can be enabled and configured to help you identify or manage access to this personal data:
- Data Loss Prevention (DLP) in Office 365 can identify over 80 common sensitive information types, including financial, medical and personally identifiable information, in email and in documents stored in SharePoint Online and OneDrive for Business. DLP also lets you configure the action to take when a match is found (for example, notify the user, block external sharing or raise an incident report) to protect sensitive information and prevent its accidental disclosure.
- Advanced eDiscovery search can be used to find text and metadata in content across your environment including your Office 365 services. In addition, embedded machine learning technologies help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
- Customer Lockbox for Office 365 helps you meet compliance obligations for explicit data access authorisation during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.
Another core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:
- Advanced Threat Protection in Exchange Online Protection helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
- Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches and to information being shared outside the organisation. In addition, it allows you to set up activity policies to track and respond to high-risk actions.
- Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which helps with early detection and investigation of security and compliance issues. Note that unified audit logging has to be switched on for the tenant first, and that the log is retained for a limited period, so export or forward events you may need for a later investigation.
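To make the DLP and audit-log points above concrete, here is an added example (it is not taken from the original article or from Microsoft's documentation) of the three steps a practitioner would typically script: create a DLP policy in test mode across Exchange, SharePoint and OneDrive, add a rule that matches two built-in sensitive information types and blocks sharing outside the organisation, then pull recent sharing events from the unified audit log. It assumes the Exchange Online PowerShell module is installed, that you hold a compliance administrator role, and that unified audit logging is already enabled; the policy and rule names (`GDPR-PII-Test`, `Block-external-sharing-of-PII`) are hypothetical, while the cmdlets and the sensitive information type names are the standard ones.

```powershell
# Added example, not code from the original article. Assumes the Exchange Online
# PowerShell module (Connect-IPPSSession) and a compliance admin role.
# Policy and rule names are hypothetical.
Connect-IPPSSession

# 1. Discover / Protect: a DLP policy across all three workloads, started in
#    test mode so you can see what it matches before it blocks anything.
$policyName = 'GDPR-PII-Test'
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; the names must match exactly.
$piiTypes = @(
    @{ Name = 'Credit Card Number'; minCount = '1' },
    @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1' }
)

# 2. Control: when either type is found in content shared with people outside
#    the organisation, block access, tell the owner why, and raise a
#    high-severity incident report to the site admins.
New-DlpComplianceRule -Name 'Block-external-sharing-of-PII' -Policy $policyName `
    -ContentContainsSensitiveInformation $piiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# Once the test-mode reports look right, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# 3. Report: external and anonymous sharing events from the last 7 days.
#    Search-UnifiedAuditLog returns each record's detail as a JSON string in
#    AuditData, so expand it before selecting the fields you want.
$events = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations SharingSet, AnonymousLinkCreated, SharingInvitationCreated `
    -ResultSize 5000

$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ObjectId, TargetUserOrGroupName |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Starting in `TestWithNotifications` mode rather than `Enable` is deliberate: a rule that blocks access on its first day will generate helpdesk calls from users whose legitimate sharing is interrupted, so run it in test mode, review the incident reports, tune the match counts and exceptions, and only then switch to `Enable`. The audit-log query caps at 5000 results per call; for a larger tenant, narrow the date range or page through with `-SessionId` and `-SessionCommand ReturnLargeSet`.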
For more information book a workshop with us at http://info.cisilion.com/office365.