Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations. Microsoft adheres to a set of privacy principles and offers EU Model Clauses to all customers. We believe that the General Data Protection Regulation (GDPR) is an important step forward for clarifying and enabling individual privacy rights.
As the GDPR enforcement date nears, your organization may soon need to demonstrate that it has taken appropriate steps to protect your customers’ personal data in response to regulatory audits and information requests.
Implementing appropriate security controls is a key step to demonstrating accountability. Equally important is putting the right processes in place—such as responding to a Data Subject Request (DSR) and providing a breach notification—to help you be GDPR compliant and gain the trust of your customers.
Today, we are announcing several new resources and capabilities to help you respond to GDPR obligations with the Microsoft Cloud: new GDPR resources on the Service Trust Portal, Data Subject Request (DSR) tooling across Office 365, Azure, and Dynamics 365, data breach notification guidance, Azure Active Directory terms of use, privileged access management in Office 365, and Multi-Geo Capabilities. Read on for the details of each, along with several other updates.
To support the GDPR, today we are announcing the public preview of new GDPR-related tools and resources on the Service Trust Portal, including documentation on DSRs and data breach notifications for Office 365, Dynamics 365, Azure, Windows, Intune, and Professional Services.
The GDPR resources include documentation on data breach notifications, which describes when and how Microsoft will notify you and others about personal data breaches, what information Microsoft will provide, and the tools you can use to help ensure the right people in your organization are notified.
We have centralized all our DSR resources into a single page, which provides tools you can leverage in the Office 365 Security & Compliance Center and the Azure Admin Center—along with documents to guide you through the process of locating, exporting, and erasing data from a Microsoft Cloud service.
Learn more about the new privacy resources in our Tech Community blog and visit Service Trust Portal today.
To support DSRs across Microsoft Cloud services, we are implementing several new capabilities—including a Data Privacy tab in Office 365, an Azure DSR portal, and new DSR search capabilities in Dynamics 365.
The new DSR experience is designed to provide you with the tools to create a case for a data subject request, search and refine relevant data across Office 365 locations—such as Exchange, SharePoint, OneDrive, Groups, and now Microsoft Teams—and export the data.
One DSR scenario an organization may encounter is a departing employee requesting that their data be provided to them. To help with this scenario and others like it, the Event-based retention feature of Advanced Data Governance is now generally available for Office 365 E5 customers.
Learn more about the Data Privacy tab in Office 365 and Event-based retention in Advanced Data Governance on the Tech Community blog.
To see how the DSR experience in Office 365 works, watch the Mechanics video.
Figure: the Azure DSR portal used to process a DSR against Azure services.
To learn more, visit the Azure blog.
Under the GDPR, organizations must meet stricter requirements in the event of a personal data breach. A controller must notify the supervisory authority, generally within 72 hours of becoming aware of the breach, and, where the breach is likely to result in a high risk to the affected individuals, must also notify those individuals without undue delay. Meeting those deadlines depends on detecting the breach in the first place. Microsoft 365 has a robust set of capabilities that help protect against, detect, and respond to data breaches. For example, Office 365 Advanced Threat Protection (ATP) helps keep malicious emails and attachments from compromising user accounts and business-critical files in the Office 365 ecosystem, while Windows Defender ATP focuses on the endpoint, protecting devices against malware and malicious web-delivered files.
Figure: ATP Safe Attachments blocking a malicious email attachment.
In the event Microsoft identifies a personal data breach as defined by the GDPR, we will notify your tenant administrators. We also recommend that you designate a privacy contact in Azure Active Directory; that contact is notified in addition to the administrators. Point it at a monitored group mailbox or distribution list rather than an individual, so that a breach notification is not missed because one person is unavailable.
With the GDPR, companies need a way to collect consent from users and to report on it in an audit-ready form. Azure Active Directory terms of use gives organizations an easy way to collect, process, and review user consent. You can require a user to view and accept your organization's terms of use before they can access an application; the terms can be any document relevant to your organization's business or legal policies. The requirement is enforced through Azure Active Directory Conditional Access, so the terms-of-use document must be attached to a Conditional Access policy that targets the users and applications you want covered, and acceptance is recorded per user for reporting.
Figure: an Azure Active Directory terms-of-use document offered in multiple languages.
To learn more, review our Azure Active Directory terms of use documentation.
While organizations look to minimize the risk of data breaches from threats to privileged accounts, they are also finding that they need to respond to regulators with a documented trail of privileged access: who accessed customer data, when, why, and who approved it. To help organizations protect their data and respond to these compliance obligations, today we are introducing new privileged access management capabilities in Microsoft 365, which provide audit-ready access controls that are time bound and can limit the scope of data access.
With privileged access management in Office 365, you can better protect your data by tracking or enforcing an approval workflow scoped to your high-risk tasks within Office 365. For example, standing admin privileges let an admin execute tasks that grant unfettered access to organizational data, such as creating a journal rule that copies messages to an external mailbox and thereby exfiltrates sensitive data undetected. Privileged access management in Office 365 lets you apply policies that require approval before anyone can execute these high-risk tasks; the approved access is granted for a limited duration rather than permanently. Requests can be approved automatically or manually, and every request, approval, denial, and use of the elevated access is logged and auditable. Watch this video to learn more:
We are excited about rolling out the public preview of privileged access management in Office 365. To get started, visit the Office Previews page (enter the code PAM044), and then read the detailed Tech Community blog.
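To make the approval workflow concrete, the following PowerShell session is an added example and not code from this post or from the Microsoft 365 documentation. It uses the Exchange Online privileged access management cmdlets to gate the journal-rule task described above, then runs the check a practitioner would want alongside it: enumerating journal rules that already deliver outside the tenant, which an approval policy does not retroactively review. The admin account, approver group, tenant domain, and the `RequestId` property name on the request object are assumptions.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# PowerShell module and an Office 365 E5 tenant with privileged access
# management available. Names and addresses are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Turn on privileged access management and name the approver group.
#    Use a mail-enabled security group, not an individual, so approvals
#    do not depend on one person.
Enable-ElevatedAccessControl -AdminGroup 'pam-approvers@contoso.onmicrosoft.com'

# 2. Require manual approval before anyone can run New-JournalRule.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup 'pam-approvers@contoso.onmicrosoft.com'

# 3. An admin who needs the task asks for time-bound access; the reason
#    becomes part of the audit trail.
$request = New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Create journal rule for legal hold case LH-0042 (placeholder)' `
    -DurationHours 4

# 4. A member of the approver group approves or denies the request.
#    (.RequestId is the assumed name of the identifier property; if it
#    differs in your tenant, read the ID from Get-ElevatedAccessRequest.)
Approve-ElevatedAccessRequest -RequestId $request.RequestId `
    -Comment 'Approved: scoped to the legal hold case, expires in 4 hours'
# Deny-ElevatedAccessRequest -RequestId $request.RequestId -Comment 'Not justified'

# 5. Review the request history for the regulator-facing access trail.
Get-ElevatedAccessRequest | Format-List

# Compensating check: journal rules that already copy mail to an address
# outside the tenant's accepted domains are the exfiltration path the
# post describes. PAM only gates new tasks, so review the existing ones.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
Get-JournalRule | Where-Object {
    $target = $_.JournalEmailAddress.ToString().ToLower()
    $targetDomain = ($target -split '@')[-1]
    $acceptedDomains -notcontains $targetDomain
} | Select-Object Name, JournalEmailAddress, Enabled

# And confirm from the unified audit log who created or changed journal
# rules recently, independent of what the rules themselves now say.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-JournalRule', 'Set-JournalRule' -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations
```

The policy and the compensating check are deliberately separate: the approval policy prevents a future admin from quietly creating an external journal rule, while the enumeration and audit-log query cover rules created before the policy existed, which is what a regulator asking for a documented access trail will also want to see.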
Increasingly, governments, third-party regulators, and corporate compliance requirements are enacting data residency guidelines to address privacy issues. These guidelines restrict the free flow of information across borders and require that an organization’s data is stored within defined geographies. While GDPR does not mandate data residency, many customers tell us they need the flexibility to store their data in chosen geographies to meet regional, industry-specific, or organizational data residency requirements.
Multi-Geo Capabilities enables a single Office 365 tenant to span multiple Office 365 datacenter geographies and gives customers the ability to store their Office 365 data at rest, on a per-employee basis, in their chosen geographies. Multi-Geo has launched for Exchange Online and OneDrive for Business. Read "Get global data location controls with Multi-Geo Capabilities in Office 365" to learn more.
No matter where you are in your GDPR efforts, we are here to help on your journey to GDPR compliance and have several resources available to help you get started today. Learn more about how Microsoft can help you prepare for the GDPR.
—Alym Rayani, director of Microsoft 365
The post Preparing for a new era in privacy regulation with the Microsoft Cloud appeared first on Microsoft 365 Blog.
Source: Office 365 updates