Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Paolo Pialorsi

w: rencore.com | e: info@rencore.com | t: @rencoreab
Manage Customization Risk and
Save on Maintenance Costs!
Customization governance, transformation
and risk prevention for SharePoint & Office365
Understanding EU GDPR
from an Office 365 perspective
October 24th, 2017

rencore.com
Our Guest:
Erwin van Hunen
Microsoft MVP, MCM
SharePoint PnP Core Team
Product Owner - Transformation
Your Host:
Paolo Pialorsi
Microsoft MVP, MCSM
SharePoint PnP Core Team
Founder & CEO of PiaSys

rencore.com
Q&A
Please use the Q&A functionality in Zoom instead of
chat.
We will pick up some questions at the end and answer
the others in the follow-up email.
FAQ:
Recording of this webinar?
Yes, the session is recorded and you will get the
recording later today.

http://www.piasys.com/
Understanding EU GDPR from
an Office 365 perspective
Paolo Pialorsi - @PaoloPia
Senior Consultant – PiaSys.com

Agenda
 Why GDPR compliancy matters?
 From an IT perspective
 Office 365 and GDPR
 GDPR Activity Hub

Why GDPR compliancy matters?

What is GDPR?
 GDPR = General Data Protection Regulation
 Regulation (EU) 2016/679
 It will go LIVE on May 25, 2018
 It’s a regulation not a directive
 Regulation: Immediately applicable and enforceable by law in all Member
States
 Directive: needs to be transposed into national law by Member States
 Scope: protection of data for all individuals in the EU

I’m outside EU, does it matter for me?
 Yes it does!
 If you process, hold, store, manage personal data
of any EU resident …
 … you need to be compliant with GDPR!
 Regardless where you are and where your business is located!

Common definitions
 Data Subject: an identified or identifiable natural person
 Personal Data: any information relating to a Data Subject
 Processing: any operation or set of operations which is performed on
Personal Data or on sets of Personal Data

GDPR Roles
 Data Controller: the natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data
 Data Processor: a natural or legal person, public authority, agency or
other body which processes personal data on behalf of the controller
 Data Protection Officer: provides guidance on the implementation of
appropriate measures and on the demonstration of compliance

Key changes under GDPR
Personal Privacy
•Individuals have the right to:
•Access their personal data
•Correct errors in their personal data
•Erase their personal data
•Object to processing of their personal data
•Export personal data
Controls and notifications
•Organizations will need to:
• Protect personal data using appropriate
security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing
data
• Keep records detailing data processing
Transparent policies
•Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training
•Organizations will need to:
• Train privacy personnel and employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create and manage compliant vendor
contracts

Some IT requirements
 You need to keep track of events like:
 Data Breaches
 Data Consent
 Data Consent Withdrawal
 Identity Risks/Theft
 Data Processing
 Data Archived
 You need to collect requests for:
 Data Access
 Data Correction
 Data Export
 Data Processing Objection
 Data Erase

Just to make an example …
 As soon as the controller becomes aware that a personal data breach
has occurred, the controller should notify the personal data breach
to the supervisory authority without undue delay and, where feasible,
not later than 72 hours after having become aware of it
 A supervisor authority can be a data protection authority (DPA)
 Thus, you will need a workflow process for Data Breaches!

Office 365 and GDPR

In February 2017, Microsoft
announced that its cloud
services will comply with GDPR
by May 25, 2018

Main capabilities of Office 365 for GDPR
compliancy
• Tooling
• Office 365 Secure Score
• Data Loss Prevention (DLP)
• Office 365 eDiscovery
• Customer Lockbox
• Monitoring & Logging
• Advanced Threat Protection
• Threat Intelligence
• Cloud App Security
• Office 365 Unified Audit Logs
• Governance
• Advanced Data Governance (ADG)
• SharePoint Online Site
Classification
• Reporting
• Security & Compliance Reports
• Risk & Compliance Dashboard

Office 365 Secure Score
 Accessible to all admins
 Based on the services you are using
 Compares your services settings with a baseline provided by
Microsoft
 Gives you an “actions” queue to accomplish to improve your score
 Provides detailed instructions about what to do
 Whatever will be your score …
 … there is no guarantee that you will not be breached …

Demo
Office 365 Secure Score

Data Loss Prevention
 Enable you to identify sensitive/personal data as it travels through
Exchange Online, SharePoint Online, and OneDrive for Business
 You can use it to
 Identify sensitive information across many locations (SharePoint Online,
Exchange Online, OneDrive for Business)
 Prevent accidental sharing of such sensitive information
 Monitor and protect from sharing sensitive data inside client applications
 Excel 2016, Word 2016, PowerPoint 2016
 Help user stay compliant
 Collect data and view DLP reports about content matching policies

Anatomy of DLP Policies
 Locations: SPO, EXO,OD4B
 Rules
 One or more for each policy
 Conditions and Actions
 Conditions
 Content: Classification
 Labels / Sensitive Information Types
 Context: inside/outside tenant
 Actions
 Restrict access to content

DLP Reporting
 Various reports available out of the box
 Top DLP policy matches for mail
 Top DLP rule matches for mail
 DLP policy matches by severity for mail
 DLP policy matches, overrides, and false positives for mail

Demo
Data Loss Prevention (DLP)

Office 365 eDiscovery
 In-place eDiscovery for investigating cases and search for related content
 Provides hold, analyze, and export capabilities
 Targets almost every content in your organization
 Email
 Documents
 Skype for Business conversations
 Teams data
 Etc.
 Advanced eDiscovery leverages
 Machine learning
 Predictive coding
 Text analytics

Customer Lockbox
 Ensures that Microsoft engineer does not get access to the
customer’s content without customer’s explicit approval
 All access is obtained through a rigorous access control technology
 Administrators can approve or reject the request
 Customer Lockbox requests have a default lifetime of 12 hours
 You need Office 365 E5 or you have to buy the functionality
separately

Demo
Customer Lockbox

Advanced Threat Protection
 Cloud-based email filtering service
 Helps protect email against unknown, sophisticated malware attacks
 Main functionalities
 Anti-malware
 Safe links
 Safe attachments
 Spoof intelligence
 Quarantine
 Advanced anti-phishing capabilities
 DKIM (DomainKeys Identified Mail)
 Provides reach reporting and tracking

Threat Intelligence
 Helps you proactively uncover and protect against advanced threats in Office 365
 Office 365 Threat Intelligence monitors signals from sources
 User activity
 Authentication
 Email
 Compromised PCs
 Security incidents
 Provides tools like
 Threat dashboard
 Threat explorer
 Incidents
 Threat Intelligence Feeds
 Integration with Windows Defender

Cloud App Security
 AKA “Advanced Security Management”
 Gives you insights into suspicious activity in Office 365
 See how your organization's data in Office 365 is accessed and used
 Define policies that trigger alerts for atypical or suspicious activities
 Suspend user accounts exhibiting suspicious activity
 Require users to log back in to Office 365 apps after an alert has been
triggered
 Lets you identify high-risk and abnormal usage

Office 365 Unified Audit Logs
 Allows you to search logs for activities related to almost “everything”
 You can search by
 Target user(s)
 Date interval
 Files, Folders, Sites
 You can search online or you can export a CSV file for further analysis
 Provides information like
 Date, Client IP, User, Activity, Item, Details (JSON, depends on the service)

Office 365 Unified Log Activities
• Files
• Folders
• Sharing and Access Requests
• Synchronizations
• Site Administration
• Exchange Mailboxes
• Sway
• User Administration
• Azure AD Group Administration
• Application Administration
• Role Administration
• Directory Administration
• eDiscovery
• Power BI
• Microsoft Teams
• Dynamic 365
• Microsoft Flow

Demo
Office 365 Unified Logs

Advanced Data Governance (ADG)
 Machine learning help customers find and retain important data
while eliminating trivial, redundant and obsolete data that could
cause risk if compromised
 Provides capabilities like:
 Proactive policy recommendations and automatic data classifications that
allow you take actions on data—such as retention and deletion—throughout
its lifecycle
 System default alerts to identify data governance risks, such as “Unusual
volume of file deletion,” as well as the ability to create custom alerts by
specifying alert matching conditions and threshold
 The ability to apply compliance controls to on-premises data by intelligently
filtering and migrating that data to Office 365

SharePoint Online Site Classification
 Allows you to define site classification at Azure AD tenant level
 You need PowerShell to enable it
 While creating “modern” sites you can apply a classification
 Becomes a property (.Classification) of the Site Collection
 Can be used later on for governance purposes
 You can read it through CSOM, or REST
 You can use the Microsoft Graph for “modern” team sites, too

Demo
SharePoint Online Site Classification

GDPR Activity Hub

What is the GDPR Activity Hub?
 Reference solution for Partners and Customers
 Ready to go portal
 Open source, related to the SharePoint PnP Project
 https://github.com/SharePoint/sp-dev-gdpr-activity-hub
 Based on tools, techniques, and patterns promoted by PnP
 Allows easy management of GDPR tasks and phases
 Based on Office 365 and SharePoint Online
 Showcase of Microsoft technologies’ capabilities

Involved Technologies
 SharePoint Online modern sites
 SharePoint Framework client-side web parts
 Office 365 Groups/Microsoft Teams
 Remote provisioning
 Power BI

Main Functionalities
 GDPR Dashboard
 Data repository based on SharePoint Online
 Custom pages for data management
 Insert Request client-side web part
 Insert Event/Incident client-side web part
 Basic sample flows for tasks management
 Tasks Management client-side web part
 GDPR Hierarchy client-side web part
 General capabilities

General Capabilities
 Automated setup and provisioning
 General documentation
 Customizable model
 Open for community contribution
 It’s open source!

Demo
Lap around GDPR Activity Hub

Wrap up!
 Be prepared for GDPR
 Almost every business is impacted!
 Start the assessment of your IT infrastructure
 Think about moving to the cloud, if you are not there, yet …
 Give an eye to the GDPR Activity Hub
 Play with the FREE assessment tool:
 https://assets.microsoft.com/en-us/gdpr-detailed-assessment.zip
 Keep an eye on the GDPR section for Microsoft Partners
 http://aka.ms/gdprpartners

Governance and Risk Prevention for SharePoint
Customizing SharePoint lets you tailor the platform right to
your needs but it also opens up the potential for threats
What SharePoint customizations can technically do:
• Access your data
• Process your data
• Open the platform to external services
• Open the platform to external users
Rencore’s AnalysisCloud helps you to identify
data at risk.
rencore.com

Governance and Risk Prevention for SharePoint
AnalysisCloud brings governance and risk prevention to
SharePoint Online customizations.
AnalysisCloud:
• Discovers all customizations live in your SharePoint
• Analyzes customizations for potential and actual threats
• Continuously tracks and monitors existing and new
Learn more about AnalysisCloud:
https://try.rencore.cloud
rencore.com

rencore.com
Questions & Answers
Feel free to post your questions in the Q&A section

rencore.com
Thank you for attending!
The webinar recording will be sent to you later today.

Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Paolo Pialorsi

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Paolo Pialorsi

Similar to Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Paolo Pialorsi (20)

More from Rencore

More from Rencore (11)

Recently uploaded

Recently uploaded (20)

Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Paolo Pialorsi