All organizations need to have an understanding of their obligations to protect any personal data that they hold in line with General Data Protection Regulation (GDPR). A proactive approach when it comes to data protection is essential and will enable compliance administrators to ensure that their organization is meeting their regulatory responsibilities. Microsoft 365 provides you with some tools and dashboards that help you prepare for these requirements.
In this chapter, we will show you how to plan for regulatory compliance in Microsoft 365. You will also learn how to access and understand the available reports and dashboards that contain relevant GDPR data, including the Microsoft Compliance Score tool. Finally, we will show you how to conduct Data Subject Requests (DSRs) from users who wish to review the personal information that your organization has stored for them.
We will cover these topics in the following order:
In order to meet the requirements of GDPR when using a Microsoft 365 environment, Microsoft recommends that all organizations undertake a three-phase action plan to achieve the following outcomes.
In the first phase of your action plan, compliance administrators should focus on achieving the following:
In order to gain the level of understanding that you require, you may wish to consider engaging a specialist GDPR consultancy; alternatively, you can review the vast quantity of GDPR-related material available on the Microsoft website, including the GDPR assessment tool mentioned previously. Links to these sorts of documents are included in the References section at the end of this chapter.
To start discovering the personal data used in your organization, you can use two of the tools included in the Security & Compliance Center. These tools are eDiscovery and Content Search. Further details on how to use these features can be found in Chapter 17, Search and Investigation.
In Phase 2, you will need to start considering the following:
These methods are all features contained within Microsoft 365 that we have discussed in earlier chapters of this book and will be available to you depending on your subscriptions.
The first two phases represent discovery and implementation. In Phase 3, you need to continue the practices that you have established and develop them further, as required, by taking the following steps:
Once again, these methods are all features contained within Microsoft 365 that we have discussed in earlier chapters of this book and will also be available to you depending on your subscriptions.
Important note
In order to deploy some or all of the previously mentioned features, it is crucial to understand what your Microsoft 365 tenant is licensed for. Some features, such as Advanced Threat Protection, may be activated at a tenant level with a single license. This does not mean, however, that you are properly licensed to use the feature for all of your Office 365 users.
In this section, we advised you how to plan and prepare for data privacy compliance in your Microsoft 365 environment with a three-phased approach consisting of discovery and analysis, implementation, and, finally, reinforcement and ongoing improvement. You will now have an understanding of how to implement your GDPR strategy within your organization.
Next, we will show you how to access and interpret the GDPR dashboards and reports.
Microsoft 365 provides you with a number of ways to discover, address, and monitor your GDPR requirements within your organization. The three key tools available to compliance administrators to fulfill these requirements are as follows:
In this section, we will examine each of these features in turn and explain their purpose, starting with STP.
The Microsoft Service Trust Portal (STP) is a website containing a variety of tools and resources to help you implement and maintain security, privacy, and compliance best practices. STP can be accessed via your web browser by going to https://servicetrust.microsoft.com. This is shown in the following screenshot:
The STP dashboard shows some links at the top of the screen, which include the following:
The STP is a one-stop-shop for information and guidance relating to the subject of data privacy compliance.
Next, let's look at Microsoft Compliance Score.
Although still currently in public preview at the time of writing this book, Microsoft Compliance Score consists of a dashboard, which can be accessed by going to the Microsoft 365 compliance center at https://compliance.microsoft.com and then clicking on Compliance score. This will look as in the following screenshot:
The Compliance Score dashboard offers a simple and user-friendly experience to provide you with information relating to your organizational compliance. You will see a risk-based score, which measures your progress in addressing outstanding tasks that, when completed, will mitigate any risks that may exist relating to data protection and industry regulations.
Compliance Score is an evolution of the Compliance Manager feature that is currently available on STP, which we described previously in this chapter. Compliance Score uses the same backend as Compliance Manager, so any data present in Compliance Manager will also be available to you within Compliance Score.
As already stated, Compliance Score is in public preview at the time of writing this book. However, Microsoft recommends that the newer Compliance Score experience is used when you start to address your organizational compliance management activities.
The Compliance Score dashboard is broken down into four sections, as in the following screenshot:
The Overview section shows you a quick view of your current score and key improvement actions. This is shown in the following screenshot:
The Improvement actions section shows you a list of all recommended actions that you can take to improve your overall compliance score. This list can be exported to a spreadsheet if required, and when you click on each improvement, you will see further details on that particular recommendation, along with information on how to implement the improvement. This is shown in the following screenshot:
The Solutions section shows you how individual Microsoft 365 solutions contribute to your overall compliance score and how your score could potentially be improved per solution, as in the following screenshot:
The Assessments section shows you an evaluation of the templates that contribute to your organization's score. Assessments group together any actions that make up the requirements of an industry standard or regulation:
Assessments cannot currently be started from the Compliance Score dashboard; instead, you need to click on the Manage assessments in Compliance Manager option, which takes you to Compliance Manager within the STP. You can start an assessment by clicking on Add Assessment, as shown:
You can associate built-in Microsoft templates for your assessment from the Assessment wizard, shown in the following screenshot:
When you click on Save, your assessment will begin and you can immediately view its progress either from Compliance Manager or Compliance Score.
Next, let's look at the GDPR dashboard and the GDPR toolbox.
The GDPR dashboard can be accessed from the Microsoft 365 Security & Compliance Center by going to https://protection.office.com and navigating to Data privacy | GDPR dashboard.
The dashboard displays tiles that link to other content relating to GDPR, which include the following:
The GDPR dashboard is shown in the following screenshot:
The GDPR toolbox is the first tile visible on the GDPR dashboard. When you click on Open the GDPR toolbox, it pops out as a sub-menu, as shown:
The toolbox consists of a collection of tools that can be used by compliance administrators to configure the GDPR-related settings, which are broken up into the following categories:
The Discover category allows you to identify personal data in your organization relating to GDPR, as shown:
The Govern category allows you to manage how personal data in your organization is classified and consumed, as the following screenshot shows:
The Protect category allows you to set up security and cyberthreat policies, as shown:
The Monitor & respond category enables you to track and explore label usage, respond to legal investigations, and much more, as shown:
All of the items listed in the previously mentioned categories in the GDPR toolbox will link you to other features or services within the Security & Compliance Center.
For example, if you select the Find personal data option under the Discover category, this takes you directly into the Search | Content Search feature, as shown:
So, essentially, the GDPR toolbox is a collection of handy shortcuts that guide you to the feature or service that you need to configure in relation to your organization's GDPR compliance.
All of the features that are linked from the GDPR toolbox have been discussed either in this chapter or another chapter of this book.
In this section, we demonstrated how to access the available GDPR-related dashboards and reports from the Security & Compliance Center. You learned that there are three main areas to focus on when managing your GDPR settings.
Microsoft STP is a website that collects together useful links to GDPR guidelines.
The Microsoft Compliance Score tool provides a user-friendly dashboard where you can view your organization's current compliance score and assess and implement improvements to increase your score.
Finally, the GDPR dashboard and GDPR toolbox contain links to other services and features within the Security & Compliance Center, where you can configure and apply settings related to GDPR by using the Discover, Govern, Protect, and Monitor & respond tabs.
In the final section of this chapter, we will show you how DSRs can be completed within Microsoft 365 when a user requests information relating to their personal data that is held in your organization.
GDPR refers to individuals within the European Union as data subjects. Under GDPR, data subjects have the right to access any of their personal data within Microsoft 365. Personal data is defined as "any information relating to an identified or identifiable natural person."
When a data subject makes a request to take action relating to their personal information, the Microsoft 365 Security & Compliance Center can be used to create a DSR in order for the organization to be able to fulfill its obligations to its user (or data subject). DSRs can be configured to locate information stored in the following Microsoft 365 locations:
In order to create a DSR case, we need to take the following steps:
From this point, you can click on the search and re-run it or export the report and results in the same manner as you would in a normal content search. Content searches and exporting the results of content searches are covered in more detail in Chapter 17, Search and Investigation, and in Chapter 16, Data Governance and Retention.
In this section, you learned that users (or data subjects) are entitled to request access to the personal information that is stored by your organization. We showed you how to use the Security & Compliance Center to run a DSR case, which in turn creates a content search that can be exported and provided to the requestor so that they can review the results.
In this chapter, we introduced you to the principles of planning to meet your regulatory compliance requirements under GDPR within your Microsoft 365 environment. You learned that planning to implement your GDPR strategy can be logically divided into three stages, consisting of discovery and analysis, implementation, and, finally, reinforcement and ongoing improvement.
We also demonstrated the various GDPR dashboards and reports that are available and can help you to investigate and maintain compliance principles. The tools available included STP, the Microsoft Compliance Score tool, and, finally, the GDPR dashboard and GDPR toolbox.
Finally, we looked at how you are obliged to respond to requests from your Microsoft 365 users for access to personal information relating to them that is stored by your organization, and how you can do this by carrying out a DSR from the Security & Compliance Center. Compliance administrators can set up and manage DSR cases, which can then be saved and run as content searches and the results exported and provided to the requesting user.
This is the final chapter of this book. We have included a mock examination after this that closely reflects the actual test.
a. True
b. False
a. Search | GDPR dashboard
b. Data privacy | GDPR dashboard
c. Information Governance | GDPR dashboard
d. eDiscovery | GDPR dashboard
a. Microsoft Compliance Score
b. STP
c. The GDPR dashboard
d. Message trace
e. The GDPR toolbox
a. Govern
b. Monitor & respond
c. Protect
d. Discover
a. True
b. False
a. https://compliance.microsoft.com
a. True
b. False
a. True
b. False
a. Protect
b. Investigate
c. Discover
d. Govern
e. Monitor & respond
a. Assessments
b. Overview
c. Improvement actions
d. Solutions
Please refer to the following links for more information: