GDPR, what’s in it for me?

31 October 2017

Subject: GDPR (new uniform EU data protection law, in force from 25 May 2018)
Audience: C-level and IT-Pro

The new EU General Data Protection Regulation comes into force on 25 May 2018 and will apply to all organizations that trade products or services with European customers or in the European market. The main goal of the GDPR is to protect all citizens of the European Union from privacy and data breaches in a data-driven ICT society. Technology has changed fundamentally, and modern data flows have become far more complex, which requires stronger security regulation to protect personal data. The GDPR establishes a uniform set of rules across all EU member states.

So how will this regulation affect my organization?

All companies within the EU must reach GDPR compliance, as must all global companies that do business with European customers. Prepare your organization for the new regulation on time, so that you are in control and understand which actions you need to take to become GDPR compliant. You may already have your own security policy to protect personal data and company data. You are probably also aware of possible security breaches and put a lot of effort into security measures to prevent them. However, you still need to find out whether your data and network environment is secure enough. A few steps that require your attention:

  1. Find out whether the GDPR applies to your data.
  2. Collect the data that is targeted by the GDPR and identify all sources, processing details and storage locations.
  3. Classify and label the specific data.
  4. Based on your infrastructure and solutions, map the right security solution within your Cloud, Windows Server, Windows, Dynamics 365 and Office 365 environment.

GDPR core rules

  • Transparency on the use and handling of personal data.
  • Privacy by design (systems need to address the requirements of the regulation).
  • Data Protection Officers (an internal staff member or external service provider who secures privacy data and maintains GDPR compliance).
  • Mandatory breach notification within 72 hours when a data breach is likely to result in a risk to the rights and freedoms of individuals.
  • Penalties for non-compliance of up to 4% of global revenue or €20 million, whichever is greater.

Real benefits from the GDPR

Although this new regulation requires administrative effort, there are real benefits for your organization once you have reached, or already have, compliance status. Your data is secured and labelled, and you have more control over your company data. The company is able to track and trace data transactions, and the firm's trusted-partner status with all your stakeholders will grow. Beyond protecting your customers' data, implementing the GDPR also protects your own intellectual property and employee data. The firm's dataset is a high-value asset, and with the GDPR there is a real consolidation opportunity to reorganize your data management.

Are you well prepared for the General Data Protection Regulation? Are there sufficient mitigation measures in place to prevent heavy fines? Start your own GDPR journey to confirm or reach GDPR compliance and get a better grip on company data management.

Portiva is able to assist you on the GDPR journey and advise you on implementing the right Microsoft security solutions as you work toward GDPR compliance. Do not wait until the regulation takes effect; prepare your organization on time. Table 1 below gives an overview of the Microsoft security platform. We highlight Data Loss Prevention within the Discover phase. This blog ends with a simple security user story.

Discover > Manage > Protect > Report
Microsoft Azure
Microsoft Azure Data Catalog
Microsoft Azure
Azure Activity Directory
Azure Role-Based
Access Control (RBAC)
Microsoft Azure
Azure Key Vault
Microsoft Trust Center
Service Trust Portal
Enterprise Mobility + Security (EMS)
Microsoft Cloud App Security
Enterprise Mobility + Security (EMS)
Azure Information Protection
Enterprise Mobility + Security (EMS)
Azure Active Directory Premium
Microsoft Intune
Microsoft Azure
Azure Auditing & Logging
Microsoft Azure Monitor
Dynamics 365
Audit Data & User Activity Reporting & Analytics
Dynamics 365
Security Concepts
Office & Office 365
Advanced Threat Protection
Threat Intelligence
Enterprise Mobility + Security (EMS)
Azure Information Protection
Office & Office 365
Data Loss Prevention
Advanced Data
Office 365 eDiscovery
Office & Office 365
Advanced Data Governance
Journaling (Exchange Online)
SQL Server and Azure Dynamics 365
Reporting & Analytics
SQL Server and Azure SQL
Database SQL Query Language
Windows & Windows Server
Microsoft Data Classification Toolkit
SQL Database
Transparent data encryption
Always Encrypted
Office & Office 365
Service Assurance
Office 365 Audit Logs
Customer Lockbox
Windows & Windows Server
Windows Search
Windows & Windows Server
Windows Defender
Advanced Threat Protection
Windows Hello
Device Guard
Windows & Windows Server
Windows Defender
Advanced Threat Protection

Table 1 – Microsoft Security Platform

Quick win with Data Loss Prevention (DLP)

To start the Discover phase in your organization, simply apply a DLP rule to see which personal data is being processed in your environment. This case uses the Dutch Citizen Service Number (BSN) policy to prevent employees from sending this kind of data or sharing it with other users.

01 – Log in to your Office 365 environment and go directly to Security & Compliance, or go to the admin portal via Admin -> Admin Center -> Security & Compliance (https://portal.office.com).

02 – Click on Data loss prevention and then on Policy. The list of current policies is shown, or is empty when you don't have any policies in place yet. Use the + Create a policy button. See figure 1.

Figure 1 – Office 365 Security & Compliance

03 – Select a default policy template, or create a custom policy and select default sensitive information types to form it. Click here for the complete policy template list and here for the complete list of default sensitive information types. See figure 2 – Create a custom policy.

Figure 2 – Create a custom policy

04 – Give your policy a name and description and choose the locations where you want to apply your custom rule. In this case all locations are selected, so the rule will apply to your Exchange email, OneDrive and SharePoint environment. See figure 3 – Choose locations.

Figure 3 – Choose locations

05 – In the next step you complete the policy settings wizard by defining your sensitive information types and configuring a rule for when your policy detects the sensitive information. In this user story the classification type BSN is selected, and the specific content will be detected when it is shared with external users. Click edit to select your classification type.

Figure 4 – Define classification type to find specific content

06 – Click on "Sensitive Types" (figure 7) in the dropdown menu and use the + Add button (figure 8) to add the sensitive information type "Netherlands Citizen's Service (BSN) Number". Click Add, then Done, and save the sensitive type within your policy. You return to the configuration wizard; click Next and the rule configuration will show up.

Figure 5 – Add Sensitive Type as classification type

Figure 6 – Add Sensitive Information Type

Figure 7 – Select the sensitive information type “Netherlands Citizen’s Service (BSN) Number”

07 – Click "Customize the tip and email" (figure 8 and figure 9) and define your incident report, where you can add more recipients for the notification, for instance your privacy officer or data protection specialist. The configuration has an option to let users override the policy, or to let them request an override. In this user story, however, the policy blocks people from sharing the content and restricts access to the shared content.

Figure 8 – Edit your notification and define the rule specifications

Figure 9 – Edit the email notification and policy tip

08 – Always run a policy in test mode first before you roll it out to the entire organization. That way you can check the policy yourself and assess whether it is suitable for your organization.

Figure 10 – Run the policy in test mode

09 – Review your settings, save the policy, and try to send an email containing a citizen service number to a colleague. Check whether your policy tip shows up and the administrator account is notified.

Figure 11 – Review your settings and create the policy
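The same policy can be created without the wizard. The block below is an added example, not code from the original post or from Portiva: it builds the BSN policy from steps 04 to 09 with Security & Compliance PowerShell and leaves it in test mode. It assumes the ExchangeOnlineManagement module is installed; the policy name, rule name and the privacy officer's address are placeholders.

```powershell
# Added example: Office 365 DLP policy for the Dutch BSN, built with
# Security & Compliance PowerShell instead of the wizard.
# Assumes the ExchangeOnlineManagement module; names below are placeholders.
Connect-IPPSSession

$policyName = 'GDPR-NL-BSN-Discover'          # assumed policy name
$incidentRecipient = 'privacy-officer@example.com'   # placeholder address

# Step 04: apply the policy to Exchange, OneDrive and SharePoint.
# Step 08: start in test mode with policy tips, not in enforcement mode.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Discover phase: detect BSNs shared outside the organization' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Steps 05 to 07: match the built-in BSN sensitive information type when
# content is shared externally, block access, show a policy tip to the
# sender/owner and send an incident report to the privacy officer.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Netherlands Citizen's Service (BSN) Number" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains a citizen service number (BSN) and cannot be shared outside the organization.' `
    -GenerateIncidentReport $incidentRecipient `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity

# Step 09: review what was created before sending a test message.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation

# Only after the test-mode results have been assessed, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Test mode still shows the policy tip and sends the incident report, so step 09 can be verified before any user is actually blocked.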

Find more background information about the GDPR.

"Accelerate GDPR compliance with the Microsoft Cloud", Microsoft.com
"Get GDPR compliant with the Microsoft Cloud", Brendon Lynch, February 15, 2017, Blogs.microsoft.com
"GDPR Key Changes", Eugdpr.org
"Voldoet jouw organisatie al aan de spelregels van GDPR", Karel ekyvere, 24 February 2017, Microsoft.com

Webinar | Ready for the GDPR/AVG?

Would you like to know more about the GDPR, and how Portiva can assist you with reaching your GDPR targets and implementing the Microsoft security controls? Check out our webinar (in Dutch) here.
