On May 25, 2018 the GDPR (General Data Protection Regulation) came into force: the regulation that replaces the current Organic Law on Data Protection (LOPD), is mandatory for all member countries of the European Union, and aims to ensure that personal data is protected regardless of where it is sent, processed or stored. The regulation provides for fines of up to 20 million euros and up to 4% of a company's turnover.
GDPR requirements address internal policies, processes, people and technology, requiring companies to:
- Identify the personal data they have and where they reside.
- Stipulate how those data are used and who may access them.
- Establish adequate security controls.
- Prepare to respond to requests from the people whose personal data they hold.
Microsoft 365: How do Office 365, Enterprise Mobility + Security, and Windows 10 help you?
Microsoft offers Office 365, Windows 10 and Enterprise Mobility + Security in a single, always-up-to-date solution called Microsoft 365, which frees organizations from most of the costs and complexity of using multiple fragmented systems.
Microsoft 365 is in a unique position to help you comply with the GDPR, offering the most complete set of compliance capabilities on the market, far more comprehensive than any other cloud service provider.
Microsoft 365 solutions help you:
- Identify personal data and where they reside, regulate their access and use, and establish adequate security controls.
- Protect data across devices, applications and services, both in the cloud and on-premises, using the built-in classification, labeling and protection functions of Microsoft 365.
- Evaluate compliance risk and gain practical knowledge through the centralized Compliance Manager panel.
- Keep personal data protected with the Windows 10 identity and information protection functions.
Office 365 and the GDPR
There are several Office 365 solutions that can help you identify or manage access to personal data:
- Compliance Manager: Helps you to perform a continuous risk assessment so you can constantly monitor your compliance status.
- Office 365 Data Loss Prevention (DLP): Identifies more than 80 types of common confidential data, including financial, medical and personally identifiable information. In addition, DLP lets you configure the measures to be taken once such data is identified, to protect confidential information and prevent its accidental disclosure.
- Office 365 eDiscovery Searches: to find text and metadata in the content of your resources: SharePoint Online, OneDrive for Business, Skype for Business Online and Exchange Online. In addition, Office 365’s advanced eDiscovery employs machine learning technologies and can help you identify documents that are relevant to a particular topic (for example, regulatory compliance research) quickly and with greater accuracy.
- Customer Lockbox: Office 365 can help you meet regulatory compliance obligations related to express authorization of data access during service operations.
Among the current features of Office 365 that protect data and identify when a data security incident occurs, we highlight:
- Advanced Threat Protection for Exchange Online Protection: Protects email against new, sophisticated malware attacks in real time. It also lets you create policies that block users from opening malicious attachments or following malicious links sent by email. In addition, Threat Intelligence helps you proactively detect and defend against advanced threats.
- Advanced Security Management: Identifies anomalous and high-risk usage, alerting you to possible security incidents. It also lets you configure activity policies to track and respond to high-risk activities.
- Office 365 Audit Logs: Let you monitor and track administrator and user activity across all Office 365 workloads, which facilitates the early detection and investigation of security and compliance issues.
Microsoft Enterprise Mobility + Security and the GDPR
Enterprise Mobility + Security offers security technologies based on identities that help you detect, control and protect the personal data available to your organization, uncover possible blind spots and detect when data security incidents occur:
- Azure Active Directory (Azure AD): Helps you ensure that only authorized users can access your computing environments, data and applications.
- Intune: Helps you protect data stored on computers and mobile devices. You can control access, encrypt devices, selectively wipe data from mobile devices, and control which applications store and share personal data.
- Azure Information Protection (AIP): Ensures data are identifiable and protected, a fundamental requirement of the GDPR, regardless of where they are stored or how they are shared. You can classify, label and protect new or existing data, share them securely with people inside or outside your organization, track their use and even revoke access remotely. It also includes logging and reporting functions to monitor how data is distributed.
- Advanced Threat Analytics: Helps pinpoint security incidents and identifies attackers using innovative behavior analysis and anomaly detection technologies.
- Microsoft Cloud App Security: Helps you control the cloud applications that users access from the company. It can also read files labeled with AIP and apply policies based on those labels. The service scans confidential files that company users handle in cloud applications and automatically applies AIP protection, including encryption.
Windows 10 and the GDPR
Ensuring that devices are protected is another key aspect of information protection. Windows 10 Enterprise provides identity and information protection capabilities that help companies meet the GDPR's requirement to implement security measures that protect personal data:
- Windows Hello: A password-free sign-in method that offers the fastest and safest way to unlock your Windows devices, using biometric recognition (fingerprint, face and iris).
- Windows Defender Credential Guard: A feature that protects corporate identities and credentials by storing authentication information, encrypted, in an isolated container that only system software can access. If someone takes control of your computer, they cannot enter your network, copy data or cause damage, because the system also requires a credential stored on the computer plus another authentication factor (a PIN, a fingerprint or a phone call) to verify that the person authenticating is who they claim to be.
- BitLocker: Encrypts the contents of your drive, protecting the data on your computer in case the device is lost or stolen.
- Windows Information Protection: Lets your organization control the use of corporate data on personal devices and in personal applications according to the policies defined in your MDM (Mobile Device Management). It allows remote wiping of corporate data only, in case of device loss or theft or when a user leaves the company, and it helps prevent information leaks by stopping users from copying or downloading corporate information into personal applications.
No matter where you are on your path to GDPR compliance, at Softeng, as Microsoft cloud solutions specialist partners, we can offer you the latest technologies designed to help you meet the requirements of the new regulation. These features, together with the right processes and policies, will help you be prepared.
Do you want us to help you comply with the GDPR? Contact us!