THR2180 Understanding EU GDPR from an Office 365 perspective
Paolo Pialorsi, Senior Consultant – PiaSys.com
5/29/2018 9:54 AM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- Why GDPR compliance matters
- Office 365 and GDPR from an IT perspective
- GDPR Activity Hub
Why GDPR compliance matters
What is GDPR?
GDPR = General Data Protection Regulation, Regulation (EU) 2016/679. It repeals Directive 95/46/EC and applies from 25 May 2018.
It is a regulation, not a directive:
- Regulation: immediately applicable and enforceable by law in all Member States
- Directive: needs to be transposed into national law by each Member State
Scope: protection of personal data of all individuals in the EU
I’m outside the EU, does it matter for me? Yes, it does! GDPR applies to the processing of personal data of data subjects who are in the EU even when the controller or processor is not established in the EU, where the processing relates to offering goods or services to those data subjects or to monitoring their behaviour (Art. 3(2)). If you process, hold, store or manage such personal data, you need to be compliant with GDPR, regardless of where you and your business are located.
Common definitions
- Data Subject: an identified or identifiable natural person
- Personal Data: any information relating to a Data Subject
- Processing: any operation or set of operations performed on Personal Data or on sets of Personal Data
GDPR Roles
- Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
- Data Protection Officer: provides guidance on the implementation of appropriate measures and on the demonstration of compliance
Key changes under GDPR
Personal privacy. Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Controls and notifications. Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Transparent policies. Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
IT and training:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
Some IT requirements
You need to keep track of events like:
- Data Breaches
- Data Consent
- Data Consent Withdrawal
- Identity Risks/Theft
- Data Processing
- Data Archived
You need to collect requests for:
- Data Access
- Data Correction
- Data Export
- Data Processing Objection
- Data Erasure
Just to make an example: as soon as the controller becomes aware that a personal data breach has occurred, the controller must notify the breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Art. 33(1)). A notification made after the 72 hours must be accompanied by the reasons for the delay, and a processor must notify the controller without undue delay after becoming aware of a breach (Art. 33(2)). A supervisory authority is typically a national data protection authority (DPA). Note that the clock starts when the controller becomes aware of the breach, not when the breach happened. Thus, you will need a workflow process for Data Breaches!
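As an added illustration, not code from this session or from the GDPR Activity Hub project, the following Python sketch models the breach workflow described above: a register of breach events that starts the 72-hour clock at the moment of awareness, flags overdue items, and refuses a late notification that carries no reason for the delay. The class, field and state names are my own, and the timestamps are constructed sample data. The page's GDPR Activity Hub stores such events in SharePoint Online lists instead; this in-memory version only shows the rules a record like that has to enforce.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Art. 33(1): notify the supervisory authority without undue delay and,
# where feasible, not later than 72 hours after becoming aware of the breach.
NOTIFY_WINDOW = timedelta(hours=72)


class BreachState(Enum):
    OPEN = "open"          # controller is aware, authority not yet notified
    NOTIFIED = "notified"  # supervisory authority has been notified
    CLOSED = "closed"      # remediation finished


@dataclass
class Breach:
    breach_id: str
    aware_at: datetime       # when the controller became aware; the clock starts here
    description: str
    state: BreachState = BreachState.OPEN
    notified_at: Optional[datetime] = None
    delay_reason: Optional[str] = None
    audit: list[str] = field(default_factory=list)   # append-only trail of state changes

    def __post_init__(self) -> None:
        # A naive datetime makes the 72-hour computation ambiguous across time zones; refuse it.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        self.audit.append(f"{self.aware_at.isoformat()} OPEN {self.description}")

    @property
    def deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW

    def is_overdue(self, now: datetime) -> bool:
        """True when the authority has not been notified and the 72-hour window has passed."""
        return self.state is BreachState.OPEN and now > self.deadline

    def notify_authority(self, at: datetime, delay_reason: Optional[str] = None) -> None:
        if self.state is not BreachState.OPEN:
            raise ValueError(f"{self.breach_id}: already {self.state.value}")
        if at < self.aware_at:
            raise ValueError("cannot notify before becoming aware")
        late = at > self.deadline
        # Art. 33(1): a notification after 72 hours must be accompanied by reasons for the delay.
        if late and not delay_reason:
            raise ValueError(f"{self.breach_id}: late notification requires a delay reason")
        self.notified_at = at
        self.delay_reason = delay_reason if late else None
        self.state = BreachState.NOTIFIED
        self.audit.append(f"{at.isoformat()} NOTIFIED late={late}")

    def close(self, at: datetime) -> None:
        if self.state is not BreachState.NOTIFIED:
            raise ValueError(f"{self.breach_id}: close only after notification")
        self.state = BreachState.CLOSED
        self.audit.append(f"{at.isoformat()} CLOSED")


class BreachRegister:
    """In-memory register of breach events (hypothetical; the Activity Hub uses SharePoint lists)."""

    def __init__(self) -> None:
        self._items: dict[str, Breach] = {}

    def open(self, breach_id: str, aware_at: datetime, description: str) -> Breach:
        if breach_id in self._items:
            raise ValueError(f"duplicate breach id {breach_id}")
        breach = Breach(breach_id, aware_at, description)
        self._items[breach_id] = breach
        return breach

    def get(self, breach_id: str) -> Breach:
        return self._items[breach_id]

    def overdue(self, now: datetime) -> list[str]:
        """IDs of breaches whose 72-hour window has lapsed with no notification, oldest first."""
        ids = [b.breach_id for b in self._items.values() if b.is_overdue(now)]
        return sorted(ids, key=lambda i: self._items[i].aware_at)


if __name__ == "__main__":
    reg = BreachRegister()
    t0 = datetime(2018, 5, 29, 9, 0, tzinfo=timezone.utc)   # constructed sample timestamp
    b = reg.open("BR-0001", t0, "lost laptop with unencrypted customer export")
    print("deadline:", b.deadline.isoformat())
    print("overdue at +73h:", reg.overdue(t0 + timedelta(hours=73)))
    b.notify_authority(t0 + timedelta(hours=73), delay_reason="forensic scope confirmed only on day 4")
    for line in b.audit:
        print(line)
```

The register deliberately rejects naive timestamps: a breach reported by a team in one time zone and notified by a team in another is a common way to lose hours against the deadline without noticing. Closing is only allowed after notification, so a breach cannot be quietly resolved without the Article 33 step being recorded in the audit trail.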
Office 365 and GDPR
In February 2017, Microsoft announced that its cloud services would comply with GDPR by May 25, 2018, the date from which the regulation applies.
Main capabilities of Office 365 for GDPR compliance
Tooling:
- Data Loss Prevention (DLP)
- Advanced Data Governance
- Office 365 eDiscovery
- Customer Lockbox
Logging:
- Advanced Threat Protection
- Threat Intelligence
- Advanced Security Management
- Office 365 audit logs
Reporting:
- Security & Compliance Reports
- Risk & Compliance Dashboard
GDPR Activity Hub
What is the GDPR Activity Hub?
- Reference solution for Partners and Customers
- Ready-to-go portal
- Open source, related to the SharePoint PnP Project: https://github.com/SharePoint/sp-dev-gdpr-activity-hub
- Based on tools, techniques, and patterns promoted by PnP
- Allows easy management of GDPR tasks and phases
- Based on Office 365 and SharePoint Online
- Showcase of Microsoft technologies’ capabilities
Involved Technologies
- SharePoint Online modern sites
- SharePoint Framework client-side web parts
- Office 365 Groups/Microsoft Teams
- Remote provisioning
- Power BI
Main Functionalities
- GDPR Dashboard
- Data repository based on SharePoint Online
- Custom pages for data management
- Insert Request client-side web part
- Insert Event/Incident client-side web part
- Basic sample flows for tasks management
- Tasks Management client-side web part
- GDPR Hierarchy client-side web part
- General capabilities
General Capabilities
- Automated setup and provisioning
- General documentation
- Customizable model
- Open for community contribution: it’s open source!
Demo: a lap around the GDPR Activity Hub
Wrap up!
- Be prepared for GDPR: almost every business is impacted!
- Start the assessment of your IT infrastructure
- Take a look at the GDPR Activity Hub
Thank you!
Please evaluate this session. From your PC or tablet: visit MyIgnite https://myignite.microsoft.com/evaluations. Phone: download and use the Microsoft Ignite mobile app https://aka.ms/ignite.mobileapp. Your input is important!