Chapter 18: Data Privacy Compliance

All organizations need to have an understanding of their obligations to protect any personal data that they hold in line with the General Data Protection Regulation (GDPR). A proactive approach to data protection is essential and will enable compliance administrators to ensure that their organization is meeting its regulatory responsibilities. Microsoft 365 provides you with some tools and dashboards that help you prepare for these requirements.

In this chapter, we will show you how to plan for regulatory compliance in Microsoft 365. You will also learn how to access and understand the available reports and dashboards that contain relevant GDPR data, including the Microsoft Compliance Score tool. Finally, we will show you how to conduct Data Subject Requests (DSRs) from users who wish to review the personal information that your organization has stored for them.

We will cover these topics in the following order:

  • Planning for regulatory compliance in Microsoft 365
  • Accessing the GDPR dashboards and reports
  • Completing DSRs

Planning for regulatory compliance in Microsoft 365

In order to meet the requirements of GDPR when using a Microsoft 365 environment, Microsoft recommends that all organizations undertake a three-phase action plan to achieve the following outcomes.

Phase 1 – the first 30 days

In the first phase of your action plan, compliance administrators should focus on achieving the following:

In order to gain the level of understanding that you require, you may wish to consider engaging a specialist GDPR consultancy; alternatively, you can review the vast quantity of GDPR-related material available on the Microsoft website, including the GDPR assessment tool mentioned previously. Links to these sorts of documents are included in the References section at the end of this chapter.

To start discovering the personal data used in your organization, you can use two of the tools included in the Security & Compliance Center. These tools are eDiscovery and Content Search. Further details on how to use these features can be found in Chapter 17, Search and Investigation.

Phase 2 – after 90 days

In Phase 2, you will need to start considering the following:

  • Begin implementing the compliance settings in the Security & Compliance Center using data governance and compliance tools such as Microsoft Compliance Score and sensitivity labeling, along with eDiscovery cases and Content Search.
  • Protect administrator and user accounts using Multi-Factor Authentication (MFA) and Conditional Access.
  • Monitor the audit log regularly for any suspicious or malicious behavior.
  • Protect sensitive data by implementing Data Loss Prevention (DLP).
  • Use Advanced Threat Protection tools, such as anti-phishing policies.

These methods are all features contained within Microsoft 365 that we have discussed in earlier chapters of this book and will be available to you depending on your subscriptions.

Phase 3 – ongoing

The first two phases represent discovery and implementation. Phase 3 needs to continue the practices that you have established and you need to develop them further, as required, by taking the following steps:

  • Continue to monitor and refine all the settings that you configured in Phase 2.
  • Consider implementing advanced data governance practices by updating your Azure AD subscriptions to include Identity Protection and automatic labeling based on sensitive information types.
  • Ensure that retention policies are set to retain information for only as long as required by both the internal company policy and the relevant industry regulations.
  • Use Microsoft Cloud App Security to monitor all cloud application usage and implement advanced alerting.
  • Ensure that sensitive data is accessed only from compliant devices using Intune with Conditional Access.

Once again, these methods are all features contained within Microsoft 365 that we have discussed in earlier chapters of this book and will also be available to you depending on your subscriptions.

Important note

In order to deploy some or all of the previously mentioned features, it is crucial to understand what your Microsoft 365 tenant is licensed for. Some features, such as Advanced Threat Protection, may be activated at a tenant level with a single license. This does not mean, however, that you are properly licensed to use the feature for all of your Office 365 users.

In this section, we advised you how to plan and prepare for data privacy compliance in your Microsoft 365 environment with a three-phased approach consisting of discovery and analysis, implementation, and, finally, reinforcement and ongoing improvement. You will now have an understanding of how to implement your GDPR strategy within your organization.

Next, we will show you how to access and interpret the GDPR dashboards and reports.

Accessing the GDPR dashboards and reports

Microsoft 365 provides you with a number of ways to discover, address, and monitor your GDPR requirements within your organization. The three key tools available to compliance administrators to fulfill these requirements are as follows:

  • The Microsoft Service Trust Portal (STP)
  • The Microsoft Compliance Score tool
  • The GDPR dashboard and GDPR toolbox

In this section, we will examine each of these features in turn and explain their purpose, starting with STP.

Service Trust Portal

Microsoft STP consists of a website containing a variety of tools and resources to help you implement and maintain security, privacy, and compliance best practices. STP can be accessed via your web browser by going to https://servicetrust.microsoft.com. This is shown in the following screenshot:

Figure 18.1 – STP

The STP dashboard shows some links at the top of the screen, which include the following:

  • Compliance Manager: Provides an at-a-glance summary of the shared responsibility model for your organization's and Microsoft's data. It also includes a risk assessment workflow, management tools, and intelligent tracking.
  • Trust Documents: This includes guides on audit reports, data protection, and security and compliance.
  • Industries & Regions: Guides on industry and regional solutions.
  • Trust Center: Contains information and links to principles of maintaining data integrity in the cloud.
  • Links to further resources
  • A Library: Where you can save reports and whitepapers relevant to your organization in one place.

The STP is a one-stop-shop for information and guidance relating to the subject of data privacy compliance.

Next, let's look at Microsoft Compliance Score.

Microsoft Compliance Score

Although still currently in public preview at the time of writing this book, Microsoft Compliance Score consists of a dashboard, which can be accessed by going to the Microsoft 365 compliance center at https://compliance.microsoft.com and then clicking on Compliance score. This will look as in the following screenshot:

Figure 18.2 – The Compliance Score dashboard

The Compliance Score dashboard offers a simple and user-friendly experience to provide you with information relating to your organizational compliance. You will see a risk-based score, which measures your progress in addressing outstanding tasks that, when completed, will mitigate any risks that may exist relating to data protection and industry regulations.

Compliance Score is an evolution of the Compliance Manager feature that is currently available on STP, which we described previously in this chapter. Compliance Score uses the same backend as Compliance Manager, so any data present in Compliance Manager will also be available to you within Compliance Score.

As already stated, Compliance Score is in public preview at the time of writing this book. However, Microsoft recommends that the newer Compliance Score experience is used when you start to address your organizational compliance management activities.

The Compliance Score dashboard is broken down into four sections, as in the following screenshot:

Figure 18.3 – The Compliance Score sections

The Overview section shows you a quick view of your current score and key improvement actions. This is shown in the following screenshot:

Figure 18.4 – Overview

The Improvement actions section shows you a list of all recommended actions that you can take to improve your overall compliance score. This list can be exported to a spreadsheet if required, and when you click on each improvement, you will see further details on that particular recommendation, along with information on how to implement it. This is shown in the following screenshot:

Figure 18.5 – Improvement actions

The Solutions section shows you how individual Microsoft 365 solutions contribute to your overall compliance score and how your score could potentially be improved per solution, as in the following screenshot:

Figure 18.6 – Solutions

The Assessments section shows you an evaluation of the templates that contribute to your organization's score. An assessment groups together the actions that make up the requirements of an industry standard or regulation:

Figure 18.7 – Assessments

Assessments cannot currently be started from the Compliance Score dashboard; instead, you need to click on the Manage assessments in Compliance Manager option, which takes you to Compliance Manager within the STP. You can start an assessment by clicking on Add Assessment, as shown:

Figure 18.8 – The Add Assessment option from Compliance Manager

You can associate built-in Microsoft templates with your assessment from the Assessment wizard, shown in the following screenshot:

Figure 18.9 – The Assessment wizard

When you click on Save, your assessment will begin and you can immediately view its progress either from Compliance Manager or Compliance Score.

Next, let's look at the GDPR dashboard and the GDPR toolbox.

The GDPR dashboard and the GDPR toolbox

The GDPR dashboard can be accessed from the Microsoft 365 Security & Compliance Center by going to https://protection.office.com and navigating to Data privacy | GDPR dashboard.

The dashboard displays tiles that link to other content relating to GDPR, which include the following:

  • The GDPR toolbox
  • DSRs
  • Data classification statistics
  • Risks and threats

The GDPR dashboard is shown in the following screenshot:

Figure 18.10 – The GDPR dashboard

The GDPR toolbox is the first tile visible on the GDPR dashboard. When you click on Open the GDPR toolbox, it pops out as a sub-menu, as shown:

Figure 18.11 – The GDPR toolbox

The toolbox consists of a collection of tools that can be used by compliance administrators to configure the GDPR-related settings, which are broken up into the following categories:

  • Discover
  • Govern
  • Protect
  • Monitor & respond

The Discover category allows you to identify personal data in your organization relating to GDPR, as shown:

Figure 18.12 – The Discover category

The Govern category allows you to manage how personal data in your organization is classified and consumed, as the following screenshot shows:

Figure 18.13 – The Govern category

The Protect category allows you to set up security and cyberthreat policies, as shown:

Figure 18.14 – The Protect category

The Monitor & respond category enables you to track and explore label usage, respond to legal investigations, and much more, as shown:

Figure 18.15 – The Monitor & respond category

All of the items listed in the previously mentioned categories in the GDPR toolbox will link you to other features or services within the Security & Compliance Center.

For example, if you select the Find personal data option under the Discover category, this takes you directly into the Search | Content Search feature, as shown:

Figure 18.16 – The Content Search feature via the GDPR toolbox

So, essentially, the GDPR toolbox is a collection of handy shortcuts that guide you to the feature or service that you need to configure in relation to your organization's GDPR compliance.

All of the features that are linked from the GDPR toolbox have been discussed either in this chapter or another chapter of this book.

In this section, we demonstrated how to access the available GDPR-related dashboards and reports from the Security & Compliance Center. You learned that there are three main areas to focus on when managing your GDPR settings.

Microsoft STP is a website that collects together useful links to GDPR guidelines.

The Microsoft Compliance Score tool provides a user-friendly dashboard where you can view your organization's current compliance score and assess and implement improvements to increase your score.

Finally, the GDPR dashboard and GDPR toolbox contain links to other services and features within the Security & Compliance Center, where you can configure and apply settings related to GDPR by using the Discover, Govern, Protect, and Monitor & respond tabs.

In the final section of this chapter, we will show you how DSRs can be completed within Microsoft 365 when a user requests information relating to their personal data that is held in your organization.

Completing DSRs

GDPR refers to individuals within the European Union as data subjects. Under GDPR, data subjects have the right to access any of their personal data within Microsoft 365. Personal data is defined as "any information relating to an identified or identifiable natural person."

When a data subject makes a request to take action relating to their personal information, the Microsoft 365 Security & Compliance Center can be used to create a DSR in order for the organization to be able to fulfill its obligations to its user (or data subject). DSRs can be configured to locate information stored in the following Microsoft 365 locations:

  • User mailboxes
  • Skype for Business conversations
  • Microsoft Teams one-to-one chats
  • Mailboxes associated with Office 365 groups
  • SharePoint Online Sites
  • OneDrive accounts
  • Microsoft Teams sites
  • Office 365 group sites
  • Exchange Online public folders

In order to create a DSR case, we need to take the following steps:

  1. Log in to the Security & Compliance Center at https://protection.office.com and navigate to Data privacy | Data subject requests. This is shown in the following screenshot:
    Figure 18.17 – Data subject requests

  2. Click on New DSR case and then enter a name and an optional description for your case, as shown:
    Figure 18.18 – A new DSR case

  3. Click Next, then enter the name of your data subject by searching for the username of the person who made the request. This is shown in the following screenshot:

    Figure 18.19 – Request details

  4. Click Next and you will be able to Confirm your case settings, as shown:

    Figure 18.20 – Confirm your case settings

  5. Click Save. That completes the setup of your DSR case. You will see the options shown in the following screenshot:

    Figure 18.21 – Successful creation of a DSR case

  6. If you want to run the case search at a later time, you can click on Finish. However, in this example, we will run the case search immediately by clicking on Show me search results. This will take you directly to the content search, as shown:

    Figure 18.22 – A new content search

  7. Once the content search is complete, you can click on Back to saved searches, and you will see the search in the search list, as shown:

    Figure 18.23 – The DSR case is saved as a content search

From this point, you can click on the search and re-run it or export the report and results in the same manner as you would in a normal content search. Content searches and exporting the results of content searches are covered in more detail in Chapter 17, Search and Investigation, and in Chapter 16, Data Governance and Retention.
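The same DSR case can be created and run from Security & Compliance PowerShell instead of the portal. The following is an added example and is not from the book; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the eDiscovery Manager role, and that the user principal name and case name are placeholders you replace with the real request details.

```powershell
# Added example (not from the book): build the DSR case from the procedure
# above with Security & Compliance PowerShell (ExchangeOnlineManagement module).
# The requestor UPN and the case name are placeholders.

Connect-IPPSSession

$requestor  = 'data.subject@contoso.example'   # placeholder: UPN of the data subject
$caseName   = "DSR - $requestor - $(Get-Date -Format yyyyMMdd)"
$searchName = "$caseName - search"

# 1. Create the DSR case (the New DSR case step in the portal).
if (-not (Get-ComplianceCase -Identity $caseName -ErrorAction SilentlyContinue)) {
    New-ComplianceCase -Name $caseName -CaseType DSR `
        -Description "Data subject access request received $(Get-Date -Format d)" | Out-Null
}

# 2. Create the content search attached to the case. The portal wizard seeds
#    the query with the data subject's identity; here the same is done with a
#    KQL phrase query across mailboxes, sites, group locations and public folders.
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation All -SharePointLocation All -PublicFolderLocation All `
    -ContentMatchQuery ('"{0}"' -f $requestor) | Out-Null

# 3. Run the search (Show me search results in the portal) and wait for it.
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -notin @('Completed', 'Failed'))

if ($search.Status -eq 'Failed') {
    throw "Content search '$searchName' failed; review the case in the portal."
}

# 4. Review hit counts before exporting, so the export is checked against
#    what the data subject actually asked for rather than released blindly.
$search | Select-Object Name, Status, Items, Size | Format-List

# 5. Queue the export. As with a normal content search, the results are then
#    downloaded with the eDiscovery Export Tool from the portal.
New-ComplianceSearchAction -SearchName $searchName -Export | Out-Null
```

The saved search appears under the case exactly as in Figure 18.23 and can be re-run or exported from the portal later.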

In this section, you learned that users (or data subjects) are entitled to request access to the personal information that is stored by your organization. We showed you how to use the Security & Compliance Center to run a DSR case, which in turn creates a content search that can be exported and provided to the requestor so that they can review the results.

Summary

In this chapter, we introduced you to the principles of planning to meet your regulatory compliance requirements under GDPR within your Microsoft 365 environment. You learned that planning to implement your GDPR strategy can be logically divided into three stages, consisting of discovery and analysis, implementation, and, finally, reinforcement and ongoing improvement.

We also demonstrated the various GDPR dashboards and reports that are available and can help you to investigate and maintain compliance principles. The tools available included STP, the Microsoft Compliance Score tool, and, finally, the GDPR dashboard and GDPR toolbox.

Finally, we looked at how you are obliged to respond to requests from your Microsoft 365 users for access to personal information relating to them that is stored by your organization, and how you can do this by carrying out a DSR from the Security & Compliance Center. Compliance administrators can set up and manage DSR cases, which can then be saved and run as content searches and the results exported and provided to the requesting user.

This is the final chapter of this book. We have included a mock examination after this that closely reflects the actual test.

Questions

  1. True or false – users who formally request access to their personal data within Microsoft 365 are referred to as data subjects.

    a. True

    b. False

  2. Where in the Security & Compliance Center would you go to access the GDPR dashboard?

    a. Search | GDPR dashboard

    b. Data privacy | GDPR dashboard

    c. Information Governance | GDPR dashboard

    d. eDiscovery | GDPR dashboard

  3. Which of the following tools or dashboards does not relate to GDPR?

    a. Microsoft Compliance Score

    b. STP

    c. The GDPR dashboard

    d. Message trace

    e. The GDPR toolbox

  4. Which section of the GDPR toolbox would you go to find personal data?

    a. Govern

    b. Monitor & respond

    c. Protect

    d. Discover

  5. True or false – the process of creating a DSR involves setting up a content search.

    a. True

    b. False

  6. Where would you go to access the Microsoft Compliance Score dashboard?

    a. https://compliance.microsoft.com

    b. https://protection.office.com

    c. https://portal.azure.com

    d. https://security.microsoft.com

  7. True or false – it is possible to re-run a DSR case content search after it has completed.

    a. True

    b. False

  8. True or false – you can manage assessments directly from the Microsoft Compliance Score dashboard.

    a. True

    b. False

  9. Which of the following is not one of the four section headers within the GDPR toolbox?

    a. Protect

    b. Investigate

    c. Discover

    d. Govern

    e. Monitor & respond

  10. Where on the Microsoft Compliance Score dashboard can you view recommendations to enhance your score, along with implementation guidance?

    a. Assessments

    b. Overview

    c. Improvement actions

    d. Solutions

References

Please refer to the following links for more information:
