The General Data Protection Regulation (GDPR) is a new privacy law that applies to the digital data of citizens of the European Union (EU). The GDPR is designed to protect EU citizens' personal data, wherever it is stored, and applies to any organization responsible for controlling or processing that data. That means that starting on 25 May 2018, there will be a large and complex set of new regulations affecting any organization that does any type of business with Europe, whether or not the organization has offices located in the EU.
This matters because the GDPR imposes severe penalties on companies that suffer a data breach involving an EU user's personal data. Suffering a breach and not handling it as the GDPR requires can result in extremely large fines of up to 4% of annual global revenue or up to 20 million euros, whichever is greater. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. A breach is therefore more than just losing or leaking personal data: the data may never leave your premises, yet you can suffer a security breach nonetheless.
So, if your business sends email to a citizen of the European Union, regardless of the citizen's actual physical location, then in the eyes of the GDPR you are dealing with and processing an EU citizen's personal data. That means even the graphic designer contracted to make the logo for a European artisanal cheesemaker, working from her home studio in tiny Carnation, Washington, must comply with the GDPR. But companies using Microsoft Office 365, powered by the Microsoft Azure cloud, have an advantage when it comes to GDPR compliance. While using Office 365 doesn't automatically make your company GDPR compliant, it does help meet the requirements of the regulation in three key ways:
Identifying and managing access to personal data
The regulation is concerned with protecting European citizens' personal data, wherever it is stored, and applies to any organization responsible for controlling or processing that data. On top of that, the GDPR requires every organization to document that it has a "lawful basis" for collecting and processing an EU citizen's personal data. We cannot stress enough that the GDPR applies whether or not the organization is based in the EU.
Office 365 users have no fear of breaking GDPR compliance rules with documents stored in SharePoint Online and OneDrive for Business because of built-in Data Loss Prevention (DLP). With DLP, documents uploaded to SharePoint and OneDrive for Business cloud storage can be identified as sensitive data. Data Loss Prevention can identify over 80 common data types, including financial, medical, and personally identifiable information that would be considered "sensitive" by the GDPR and other common regulatory frameworks such as HIPAA and PCI. In addition, DLP allows organizations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
Once your organization identifies the types of data that need to be protected, you can manage them with the help of Office 365's Advanced Data Governance feature. Microsoft uses its investments in the cloud and artificial intelligence to help you set policies on, and manage the lifecycle of, the documents and data your business "touches." This feature can help your organization document which of the six legal bases you are using to justify processing the personal data of EU citizens. Using DLP and Advanced Data Governance together helps you assign the proper GDPR legal basis to each piece of data you process early on.
It's important to remember that using DLP and Advanced Data Governance in Office 365 doesn't automatically make you GDPR compliant. For example, DLP policies can protect email coming into and going out of your organization through Microsoft Exchange and documents shared using SharePoint and OneDrive. However, that same protected data shared internally in your organization using Teams and Yammer does not have the same protections.
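As an added example (not from the original post or from Microsoft's documentation), the following Security & Compliance PowerShell builds a DLP policy scoped to the two document workloads the post says DLP covers, matching built-in EU personal-data types and blocking external sharing. It assumes the ExchangeOnlineManagement module, an account with the Compliance Administrator role, and the policy, rule and tenant names shown.

```powershell
# Sign in to Security & Compliance PowerShell (tenant name is an assumption).
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Check which built-in sensitive information types are available before
# referencing them; names must match exactly.
Get-DlpSensitiveInformationType | Where-Object Name -like "EU *" | Select-Object Name

# 1. Policy scope: SharePoint Online and OneDrive for Business only. Teams and
#    Yammer content is not covered, as the post notes.
New-DlpCompliancePolicy -Name "GDPR-EU-PersonalData" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode Enable

# 2. Rule: fire on common EU personal-data types, but only when the document is
#    shared with people outside the organization. Block access, tell the owner
#    why, and send an incident report to the site admin for the audit trail.
New-DlpComplianceRule -Name "GDPR-EU-PersonalData-External" `
    -Policy "GDPR-EU-PersonalData" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "EU Passport Number";                          minCount = "1" },
        @{ Name = "EU Tax Identification Number (TIN)";          minCount = "1" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                          minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This document contains EU personal data and cannot be shared outside the organization." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent @("Title", "DocumentAuthor", "SharedWith", "Detections")

# 3. Verify what was created.
Get-DlpComplianceRule -Policy "GDPR-EU-PersonalData" |
    Format-List Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation
```

Start with `-Mode TestWithNotifications` on the policy if you want policy tips without blocking while you tune the rule.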
Securing user data
A critical requirement of the GDPR is protecting personal data against hackers and other cybersecurity threats. Office 365 helps safeguard personal data and identifies when a data breach occurs using these features:
- Advanced Threat Protection helps protect your email against malware attacks. It also allows your Office 365 administrator to create policies that help prevent users from clicking on malicious attachments or malicious websites linked in an email.
- Threat Intelligence helps proactively uncover threats and protect Office 365 against the dirty tricks used by criminals to steal user data under your control. Office 365 administrators can leverage Microsoft's global resources to identify potential threats to your data and then push alerts, dynamic policies, and security solutions to your users.
- Advanced Security Management enables an Office 365 administrator to identify high-risk and abnormal usage by users, often a telltale sign of a potential breach. In addition, it allows Office 365 administrators to set up activity policies to track and respond to risky actions taken by users that could lead to a data breach.
Auditing and reporting
One of the ways GDPR compliance is monitored is through auditing and reporting of personal data. The GDPR requires companies to report any breach of personal data within 72 hours of the breach occurring. So, if that graphic designer in Washington State working on the European cheesemaker's logo loses her laptop while at her local coffee shop, the GDPR says she must report that potential loss of an EU citizen's personal data. Office 365 audit logs automatically track all user activities in Office 365 (including those with administrator-level access, literally "watching the watchers"), which helps in the detection and investigation of GDPR compliance issues. In the case of the graphic designer, if she used Microsoft admin tools to remotely wipe the data from her lost laptop, Office 365 would log that activity and make it easier for her to report it to EU regulators.
Office 365 keeps these detailed audit records for 90 days for all business-related subscriber plans up to E3. However, we recommend Advanced Security Management (part of Office 365 E5 and available as an add-on for all other plans) because it doubles that retention period. Regulatory litigation is always a lengthy process, and the last thing you want is for your audit records to disappear on the 91st day, which is exactly when the EU wants to see them.
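As an added example (not from the original post or from Microsoft's documentation), this Exchange Online PowerShell pulls the last 72 hours of unified audit log activity for one user, the window the post describes, and saves it as evidence before the 90-day retention expires. It assumes the ExchangeOnlineManagement module, the View-Only Audit Logs role, and the tenant and user names shown.

```powershell
# Sign in to Exchange Online PowerShell (tenant name is an assumption).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$user  = "designer@contoso.com"   # assumed account of the lost laptop's owner
$end   = Get-Date
$start = $end.AddHours(-72)       # the 72-hour breach-notification window

# Search-UnifiedAuditLog returns at most 5000 records per call; keep calling
# with the same SessionId and ReturnLargeSet until a short page comes back.
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user -ResultSize 5000 `
        -SessionId "gdpr-72h-$user" -SessionCommand ReturnLargeSet
    $records += $batch
} while (@($batch).Count -eq 5000)

# AuditData is a JSON string; expand the fields an investigator needs.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
    }
}

# When a device goes missing, downloads and sync operations show which files
# were on it, and sign-ins show whether anyone used it afterwards.
$events |
    Where-Object Operation -in @("FileDownloaded", "FileSyncDownloadedFull", "UserLoggedIn") |
    Sort-Object Time | Format-Table -AutoSize

# Keep the complete set; the log itself is only retained for 90 days (180 with
# Advanced Security Management, as the post notes).
$events | Export-Csv -Path ".\audit-$($user.Split('@')[0])-72h.csv" -NoTypeInformation
```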
Do your due diligence on GDPR
Once you understand what data you are responsible for, and how that data is or could be processed, you will need to work on both protecting it and making sure that the systems, processes, and procedures associated with it are secure and remain secure. Amaxra is in the unique position of being both a Microsoft Gold Partner for Office 365 and a firm with certified cybersecurity experts on staff who are ready to assist you in getting ready for GDPR compliance.
Contact me at Rosalyn.firstname.lastname@example.org or call 425 749 7471 if you have any questions or comments on this blog.