From May 25, 2018, every business established in the EU, and every business anywhere in the world that processes personal data of people in the EU, has to comply with the General Data Protection Regulation (GDPR). In this session, learn the main requirements of GDPR from an IT perspective, and the out-of-the-box capabilities of Microsoft Office 365 and SharePoint Online that can help you comply with them.
You will also see a sample project, based on SharePoint Online, that you can use as a starter kit to cover the basic GDPR requirements.
Paolo Pialorsi, Microsoft Certified Master in SharePoint, MVP and SharePoint PnP Core Team Member, joined us in this webinar to talk about how GDPR affects your Office 365 tenant.
Rencore Webinar: Understanding EU GDPR from an Office 365 perspective with Paolo Pialorsi
1. w: rencore.com | e: info@rencore.com | t: @rencoreab
Manage Customization Risk and
Save on Maintenance Costs!
Customization governance, transformation
and risk prevention for SharePoint & Office365
Understanding EU GDPR
from an Office 365 perspective
October 24th, 2017
2. Our Guest:
Paolo Pialorsi
Microsoft MVP, MCSM
SharePoint PnP Core Team
Founder & CEO of PiaSys
Your Host:
Erwin van Hunen
Microsoft MVP, MCM
SharePoint PnP Core Team
Product Owner - Transformation
3. Q&A
Please use the Q&A functionality in Zoom instead of chat.
We will pick up some questions at the end and answer the others in the follow-up email.
FAQ:
Recording of this webinar?
Yes, the session is recorded and you will get the recording later today.
7. http://www.piasys.com/
What is GDPR?
GDPR = General Data Protection Regulation
Regulation (EU) 2016/679
It applies from May 25, 2018
It’s a regulation, not a directive
Regulation: directly applicable and enforceable by law in all Member States, without national transposition
Directive: needs to be transposed into national law by each Member State
Scope: protection of the personal data of all individuals in the EU
8. I’m outside EU, does it matter for me?
Yes it does!
If you process, hold, store or manage personal data of individuals in the EU (offering them goods or services, or monitoring their behaviour) …
… you need to be compliant with GDPR!
Regardless of where you and your business are located!
9. Common definitions
Data Subject: an identified or identifiable natural person
Personal Data: any information relating to a Data Subject
Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data
10. GDPR Roles
Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Data Protection Officer: provides guidance on the implementation of appropriate measures and on the demonstration of compliance
11. Key changes under GDPR
Personal Privacy
• Individuals have the right to:
  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data
Controls and notifications
• Organizations will need to:
  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data
  • Keep records detailing data processing
Transparent policies
• Organizations are required to:
  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies
IT and training
• Organizations will need to:
  • Train privacy personnel and employees
  • Audit and update data policies
  • Employ a Data Protection Officer (if required)
  • Create and manage compliant vendor contracts
12. Some IT requirements
You need to keep track of events like:
Data Breaches
Data Consent
Data Consent Withdrawal
Identity Risks/Theft
Data Processing
Data Archived
You need to collect requests for:
Data Access
Data Correction
Data Export
Data Processing Objection
Data Erase
13. One example …
As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (GDPR Article 33 and Recital 85)
The supervisory authority is the national data protection authority (DPA)
Thus, you will need a workflow process for Data Breaches, with a 72-hour clock that starts the moment you become aware of the breach!
17. Office 365 Secure Score
Accessible to all admins
Based on the services you are using
Compares your service settings with a baseline provided by Microsoft
Gives you an “actions” queue to work through to improve your score
Provides detailed instructions about what to do
Whatever your score …
… there is no guarantee that you will not be breached …
19. Data Loss Prevention
Enables you to identify sensitive/personal data as it travels through Exchange Online, SharePoint Online, and OneDrive for Business
You can use it to
Identify sensitive information across many locations (SharePoint Online, Exchange Online, OneDrive for Business)
Prevent accidental sharing of such sensitive information
Monitor and protect against sharing of sensitive data from inside client applications (Excel 2016, Word 2016, PowerPoint 2016)
Help users stay compliant, with policy tips shown inline while they work
Collect data and view DLP reports about content matching policies
20. Anatomy of DLP Policies
Locations: SPO, EXO, OD4B
Rules
One or more for each policy
Conditions and Actions
Conditions
Content: Classification
Labels / Sensitive Information Types
Context: shared inside/outside the tenant
Actions
Restrict access to content (block sharing), show a policy tip, notify users, generate an incident report
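As an added example (not code from the webinar or from the GDPR Activity Hub), here is how the policy anatomy above maps onto the Security & Compliance Center PowerShell cmdlets: one policy scoped to the three locations, one rule that combines a content condition (built-in sensitive information types) with a context condition (shared outside the tenant), and the block/notify/report actions. It assumes the ExchangeOnlineManagement module for `Connect-IPPSSession`; the policy and rule names, the policy-tip text and the chosen sensitive information types are illustrative, and the type names must be checked against `Get-DlpSensitiveInformationType` in your own tenant, which the script does before creating anything.

```powershell
# Added example: build a GDPR-oriented DLP policy with Security & Compliance Center PowerShell.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-IPPSSession   # interactive sign-in to the Security & Compliance endpoint

# 1. Condition inputs: confirm the built-in sensitive information types you want to match.
#    The names below are examples; the check aborts if any of them is missing in this tenant.
$wantedTypes = "Credit Card Number", "EU Passport Number", "EU Debit Card Number"
$available   = (Get-DlpSensitiveInformationType).Name
$missing     = $wantedTypes | Where-Object { $_ -notin $available }
if ($missing) { throw "Unknown sensitive information type(s): $($missing -join ', ')" }

# 2. Locations: one policy covering SharePoint Online, OneDrive for Business and Exchange Online.
#    Start in test mode with policy tips, so users see matches before anything is blocked.
$policyName = "GDPR - EU personal data (example)"
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Personal data of EU data subjects must not leave the tenant" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# 3. Rule = conditions + actions.
#    Content condition: any of the listed types, at least one instance.
#    Context condition: the item is shared with someone outside the organisation.
#    Actions: block external access, tell the owner why, and raise an incident report.
$conditions = $wantedTypes | ForEach-Object { @{ Name = $_; minCount = "1" } }
New-DlpComplianceRule -Name "Block external sharing of EU personal data" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $conditions `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser "Owner", "LastModifier" `
    -NotifyPolicyTipCustomText "This item contains personal data of EU data subjects and cannot be shared outside the organisation (GDPR)." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 4. After reviewing the DLP reports from the test phase, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in `TestWithNotifications` mode is deliberate: the DLP reports described on the next slides tell you how many matches, overrides and false positives the rule produces before you switch it to `Enable` and start blocking users.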
22. DLP Reporting
Various reports available out of the box
Top DLP policy matches for mail
Top DLP rule matches for mail
DLP policy matches by severity for mail
DLP policy matches, overrides, and false positives for mail
24. Office 365 eDiscovery
In-place eDiscovery for investigating cases and searching for related content
Provides hold, analyze, and export capabilities
Covers almost all content in your organization
Email
Documents
Skype for Business conversations
Teams data
Etc.
Advanced eDiscovery leverages
Machine learning
Predictive coding
Text analytics
25. Customer Lockbox
Ensures that a Microsoft engineer cannot access the customer’s content without the customer’s explicit approval
Each access request goes through an approval workflow; customer administrators can approve or reject it
Customer Lockbox requests have a default lifetime of 12 hours
You need Office 365 E5, or you have to buy the functionality separately
28. Threat Intelligence
Helps you proactively uncover and protect against advanced threats in Office 365
Office 365 Threat Intelligence monitors signals from sources such as
User activity
Authentication
Email
Compromised PCs
Security incidents
Provides tools like
Threat dashboard
Threat explorer
Incidents
Threat Intelligence Feeds
Integration with Windows Defender
29. Cloud App Security
AKA “Advanced Security Management”
Gives you insights into suspicious activity in Office 365
See how your organization's data in Office 365 is accessed and used
Define policies that trigger alerts for atypical or suspicious activities
Suspend user accounts exhibiting suspicious activity
Require users to log back in to Office 365 apps after an alert has been
triggered
Lets you identify high-risk and abnormal usage
30. Office 365 Unified Audit Logs
Allows you to search logs for activities related to almost “everything”
You can search by
Target user(s)
Date interval
Files, Folders, Sites
You can search online or you can export a CSV file for further analysis
Provides information like
Date, Client IP, User, Activity, Item, Details (JSON, depends on the service)
31. Office 365 Unified Log Activities
• Files
• Folders
• Sharing and Access Requests
• Synchronizations
• Site Administration
• Exchange Mailboxes
• Sway
• User Administration
• Azure AD Group Administration
• Application Administration
• Role Administration
• Directory Administration
• eDiscovery
• Power BI
• Microsoft Teams
• Dynamics 365
• Microsoft Flow
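The two audit-log slides above describe the search and the CSV export in the portal; the same thing scripted, as an added example that is not part of the webinar or the GDPR Activity Hub, lets you run the search on a schedule and ask the questions a DPO actually asks (what left the tenant, who pulled or deleted a lot of data). It assumes the ExchangeOnlineManagement module for `Connect-ExchangeOnline` and an account holding the View-Only Audit Logs role; the operation names should be verified against the audited-activities list in the Security & Compliance Center, `contoso.com` is a placeholder for your own domain, and the threshold of 500 actions per user is illustrative.

```powershell
# Added example: pull GDPR-relevant activities from the Office 365 Unified Audit Log,
# expand the JSON "Details" payload (AuditData) and export the result for further analysis.
# Requires the ExchangeOnlineManagement module and audit logging enabled in the tenant.
Connect-ExchangeOnline

# Activities that matter for a data-protection review: content leaving the tenant, bulk
# retrieval and destruction of files. Verify the names against your tenant's activity list.
$operations = "AnonymousLinkCreated", "SharingInvitationCreated", "SharingSet",
              "FileDownloaded", "FileSyncDownloadedFull",
              "FileDeleted", "FileDeletedFirstStageRecycleBin"

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Search-UnifiedAuditLog returns at most 5000 records per call; page through with a session.
$sessionId = "gdpr-review-" + [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $page
} while ($page -and $page.Count -eq 5000)

# Every record carries the service-specific details as JSON in AuditData.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $d.CreationTime
        User       = $d.UserId
        ClientIP   = $d.ClientIP
        Operation  = $d.Operation
        Workload   = $d.Workload
        Site       = $d.SiteUrl
        Item       = $d.ObjectId
        SharedWith = $d.TargetUserOrGroupName   # populated on sharing events only
    }
}

# a) Anything shared anonymously or with an account outside the organisation.
$externalSharing = $events | Where-Object {
    $_.Operation -eq "AnonymousLinkCreated" -or
    ($_.SharedWith -and $_.SharedWith -notlike "*@contoso.com")   # placeholder domain
}

# b) Users with an unusual volume of downloads or deletions in the window (threshold illustrative).
$bulkActivity = $events |
    Where-Object { $_.Operation -in @("FileDownloaded", "FileSyncDownloadedFull", "FileDeleted") } |
    Group-Object User | Where-Object { $_.Count -gt 500 }

$events | Sort-Object Time | Export-Csv -Path .\gdpr-audit-review.csv -NoTypeInformation
$externalSharing | Format-Table Time, User, Operation, Item, SharedWith -AutoSize
$bulkActivity    | Format-Table Name, Count -AutoSize
```

The flattened objects are what you want to keep for a breach investigation: the 72-hour notification clock starts when you become aware, so having the sharing and download history already exported, rather than searching the portal under pressure, is part of the breach workflow mentioned earlier.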
33. Advanced Data Governance (ADG)
Uses machine learning to help customers find and retain important data while eliminating trivial, redundant and obsolete data that could cause risk if compromised
Provides capabilities like:
Proactive policy recommendations and automatic data classifications that
allow you take actions on data—such as retention and deletion—throughout
its lifecycle
System default alerts to identify data governance risks, such as “Unusual
volume of file deletion,” as well as the ability to create custom alerts by
specifying alert matching conditions and threshold
The ability to apply compliance controls to on-premises data by intelligently
filtering and migrating that data to Office 365
34. SharePoint Online Site Classification
Allows you to define site classifications at the Azure AD tenant level
You need PowerShell to enable it
While creating “modern” sites you can apply a classification
Becomes a property (.Classification) of the Site Collection
Can be used later on for governance purposes
You can read it through CSOM or REST
You can use the Microsoft Graph for “modern” team sites, too
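The slide says PowerShell is needed to enable classification and that the value can then be read back through CSOM or REST for governance; this added example (not the webinar's or the PnP project's own code) does both steps. It assumes the AzureADPreview module for the directory-setting cmdlets and PnP PowerShell (`Connect-PnPOnline`, `Get-PnPSite`, `Get-PnPProperty`, `Set-PnPTenantSite`) for the site read and the governance action; the classification values, the guidelines URL and the site URL are illustrative, and loading `Classification` via `Get-PnPProperty` is my assumption about how to surface the CSOM property from PnP.

```powershell
# Added example: enable SharePoint Online site classification at the Azure AD tenant level,
# then read a site's classification back and act on it.
# Requires the AzureADPreview module (Connect-AzureAD) and PnP PowerShell.
Connect-AzureAD

# Classification lives in the "Group.Unified" directory setting; create it from the
# template on first use, otherwise update the existing setting object.
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
$setting  = Get-AzureADDirectorySetting         | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $setting) { $setting = $template.CreateDirectorySetting() }

$setting["ClassificationList"]    = "Public,Internal,Confidential,EU Personal Data"   # illustrative values
$setting["DefaultClassification"] = "Internal"
$setting["UsageGuidelinesUrl"]    = "https://intranet.contoso.com/gdpr-classification"  # placeholder URL

if ($setting.Id) { Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting }
else             { New-AzureADDirectorySetting -DirectorySetting $setting }

# Read it back from a site collection: Classification is a property of the CSOM Site object,
# so it has to be loaded explicitly (assumption: Get-PnPProperty is used for that here).
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive   # placeholder site
$site           = Get-PnPSite
$classification = Get-PnPProperty -ClientObject $site -Property Classification
"$($site.Url) is classified as: $classification"

# Governance hook: sites holding EU personal data must not be shareable externally.
if ($classification -eq "EU Personal Data") {
    Set-PnPTenantSite -Url $site.Url -SharingCapability Disabled
}
```

For "modern" team sites backed by an Office 365 group the same value is exposed as the group's `classification` property in the Microsoft Graph, which is the route to take when the check runs from an Azure Function or a Flow rather than from an admin workstation.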
37. What is the GDPR Activity Hub?
Reference solution for Partners and Customers
Ready-to-go portal
Open source, related to the SharePoint PnP Project
https://github.com/SharePoint/sp-dev-gdpr-activity-hub
Based on tools, techniques, and patterns promoted by PnP
Allows easy management of GDPR tasks and phases
Based on Office 365 and SharePoint Online
Showcase of Microsoft technologies’ capabilities
39. Main Functionalities
GDPR Dashboard
Data repository based on SharePoint Online
Custom pages for data management
Insert Request client-side web part
Insert Event/Incident client-side web part
Basic sample flows for tasks management
Tasks Management client-side web part
GDPR Hierarchy client-side web part
General capabilities
42. Wrap up!
Be prepared for GDPR
Almost every business is impacted!
Start the assessment of your IT infrastructure
Think about moving to the cloud, if you are not there yet …
Take a look at the GDPR Activity Hub
Play with the FREE assessment tool:
https://assets.microsoft.com/en-us/gdpr-detailed-assessment.zip
Keep an eye on the GDPR section for Microsoft Partners
http://aka.ms/gdprpartners
43. Governance and Risk Prevention for SharePoint
Customizing SharePoint lets you tailor the platform to your needs, but it also opens up the potential for threats
What SharePoint customizations can technically do:
• Access your data
• Process your data
• Open the platform to external services
• Open the platform to external users
Rencore’s AnalysisCloud helps you to identify data at risk.
44. Governance and Risk Prevention for SharePoint
AnalysisCloud brings governance and risk prevention to
SharePoint Online customizations.
AnalysisCloud:
• Discovers all customizations live in your SharePoint
• Analyzes customizations for potential and actual threats
• Continuously tracks and monitors existing and new
Learn more about AnalysisCloud:
https://try.rencore.cloud