How Microsoft 365 meets your GDPR compliance needs

The issue of data protection was back in the news recently following the end of the Brexit transition period.

Now that the UK has officially left the EU and its relationship with the bloc has changed, new rules have come into force for UK organisations that process the personal information of EU residents.

It means firms that do so need to:

  • Appoint an EU representative
  • Identify a lead supervisory authority in the EU (i.e., an EU member state’s equivalent of the UK’s Information Commissioner’s Office)
  • Update contracts governing EU–UK data transfers to incorporate standard contractual clauses, and/or
  • Update their policies, procedures and documentation in light of these changes.

Failure to comply can result in fines of up to €20m or four per cent of annual global turnover, whichever is greater, for the most serious infringements (up to €10m or two per cent for the lower tier), as well as suspension of data processing activities.

Because GDPR was retained in UK law as the ‘UK GDPR’ and is supplemented by the Data Protection Act 2018, UK organisations are still bound by its provisions even though the UK has left the EU.

In light of the changes, and regardless of whether your organisation processes the personal data of EU residents or not, it’s an opportune time to revisit the General Data Protection Regulation (GDPR) to refresh yourself on its aims and objectives, and also on the obligations it places on your organisation.


What is GDPR?

GDPR is a European Union regulation that has applied since 25 May 2018; in the UK it is supplemented by the Data Protection Act 2018. It mandates how organisations handle personal data and affects any business that offers goods or services to, monitors the behaviour of, or employs individuals in the European Union, wherever that business itself is based.

GDPR’s primary purpose is to ensure the privacy of an individual’s data, whether they are a client or customer, employee, service user or other stakeholder.

It aims to strengthen personal data protection for individuals in the EU, regardless of their nationality, and sets out what affected organisations must do to achieve this.

It has placed increased data security and privacy responsibilities on organisations across the globe.


Microsoft 365 security and compliance features

Microsoft 365 offers organisations a wide array of tools and services to support their initial and ongoing compliance with GDPR, including advanced data governance, data loss prevention, advanced threat protection and Customer Lockbox.

GDPR includes a concept known as ‘Privacy by Design and Default’, which means that data protection should be built into a system or product from the outset and applied by default, rather than bolted on afterwards.

For organisations of all sizes, Microsoft 365 has built-in security measures and device management tools to help you identify and manage personal data access in your Microsoft 365 environment. These tools, which are crucial for assuring your ongoing GDPR compliance, include:


Data Loss Prevention

Create and apply policies within the Office 365 Security and Compliance Centre that identify, monitor and protect your sensitive information across your Microsoft 365 environment. This can help ensure appropriate security is applied to personal data, per Article 5(1)(f) of GDPR (integrity and confidentiality).
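As an added example (not from the original post or Microsoft’s documentation), the following Security and Compliance PowerShell script creates such a policy for UK National Insurance numbers, starting in test mode so matches can be reviewed before anything is blocked. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Compliance Administrator role, and the tenant, policy and rule names are illustrative.

```powershell
# Added example: DLP policy for UK National Insurance numbers (GDPR Art. 5(1)(f)).
# Assumptions: ExchangeOnlineManagement module installed; Compliance Administrator
# role; the admin UPN and policy/rule names below are illustrative.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'GDPR-UK-NINO-Protection'

# Create the policy in TestWithNotifications mode first: users are warned and
# incident reports are generated, but nothing is blocked until you switch to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect and protect UK National Insurance numbers' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Low-volume rule: 1-4 NINOs shared outside the organisation -> notify and report.
New-DlpComplianceRule -Name "$policyName-Low" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1'; maxCount = '4' } `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections, Severity

# High-volume rule: 5 or more NINOs shared externally -> block access as well.
New-DlpComplianceRule -Name "$policyName-High" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '5' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -GenerateIncidentReport SiteAdmin

# Check what was created before moving the policy to -Mode Enable.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, BlockAccess, AccessScope
```

Run the policy in test mode for a few weeks and review the incident reports for false positives (for example, test data or internal HR templates) before changing it to Enable; a blocking rule that fires on legitimate internal workflows is quickly disabled by the business, which leaves you with no protection at all.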


Advanced Data Governance

Manage the entire lifecycle of essential and sensitive data through automated, machine-assisted insights which help you find, classify, set policies on, and take action on your chosen data. This feature helps you meet the requirements of GDPR Articles 25(1) and 25(2) to ‘ensure data protection by design and by default’.


eDiscovery

Search content across your entire Microsoft 365 environment through text and metadata. eDiscovery enables you to search across mailboxes, public folders, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites to find the personal data you hold about an individual. This helps you understand what data your organisation holds, so you can respond appropriately to GDPR Subject Access Requests (Article 15, the right of access).
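As an added example (not from the original post or Microsoft’s documentation), this Security and Compliance PowerShell script runs a content search for one data subject across all mailboxes, SharePoint and OneDrive sites, polls for completion and reports the hit count before any export. It assumes the ExchangeOnlineManagement module is installed, the account holds the eDiscovery Manager role, and the search name, subject name and email address are illustrative.

```powershell
# Added example: content search for a Subject Access Request (GDPR Art. 15).
# Assumptions: ExchangeOnlineManagement module installed; eDiscovery Manager role;
# the admin UPN, search name and data subject details below are illustrative.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$searchName   = 'SAR-2021-0042'
$subjectName  = 'Jane Example'
$subjectEmail = 'jane.example@contoso.com'

# KQL: match the subject's name or address in content, or as a message participant.
$query = "`"$subjectName`" OR `"$subjectEmail`" OR participants:`"$subjectEmail`""

# -SharePointLocation All also covers OneDrive for Business sites.
New-ComplianceSearch -Name $searchName `
    -Description 'Subject Access Request: locate personal data held' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -AllowNotFoundExchangeLocationsEnabled $true `
    -ContentMatchQuery $query

Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then report how much was found.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Format-List Name, Status, Items, Size

# Only export once the results have been reviewed (third-party personal data in
# the same documents may need redacting before disclosure).
New-ComplianceSearchAction -SearchName $searchName -Export -Format FxStream
```

The hit count tells you the scale of the response before you commit to an export, and the search itself is recorded in the compliance audit log, which is useful evidence that the request was handled within the statutory one-month window.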


Customer Lockbox

Set explicit data access rules so that designated approvers in your organisation must approve or reject each request made by a Microsoft support engineer to access your Microsoft 365 environment to resolve an issue, for greater control and peace of mind. Every request and decision is logged, which helps you show who has accessed personal data and supports your obligations under GDPR Articles 13 and 14 (the ‘Right to be Informed’), which require you to tell data subjects who is processing their data, as well as the access-control expectations of Article 32 (security of processing).


Auto-Apply Sensitivity & Retention Labels

Identify what data you hold by using AI-assisted matching in order to apply sensitivity and retention labels to your data. This will help ensure you keep data only for as long as it is required, in line with GDPR Article 5(1)(e) (storage limitation).


Next steps to ensure your organisation’s ongoing GDPR compliance

While Microsoft 365’s data governance and compliance features can safeguard your organisation if implemented correctly, they don’t automatically result in GDPR compliance.

Your ongoing compliance is more about ensuring your policies remain up-to-date and effective, and also ensuring your users handle your data correctly in their day-to-day roles.

As noted earlier, even though GDPR has been with us for almost three years, the recent changes to the rules following Brexit present an opportune moment to take stock of your current position to ensure your data remains protected, its privacy is assured, and you are still complying with GDPR.

To achieve this, here are some simple steps to take:


Assess your current position

If you haven’t done so already, then recognising where your organisation currently stands in relation to GDPR, and what you need to do to continue meeting it, is key.

A GDPR compliance assessment will enable you to understand any current gaps in your approach. It will also outline the changes you’ll need to make to ensure your organisation remains within the new rules… and avoid the hefty fines and reputational damage that an inadvertent breach can bring.


Create a data security roadmap

Once you have identified and assessed any potential compliance gaps, you need to work on closing them. This should be part of your ongoing data governance strategy. Making the best use of your existing Azure and Microsoft 365 platform or upgrading to them if you haven’t done so already, will stand you in good stead and help you align your technology with your GDPR obligations.


Assess and review

Just like with every other business-critical process, you need to regularly review and assess your GDPR procedures to ensure they remain fit for purpose and keep you compliant.

The main challenge with this is understanding what data is held, in order to know how long you need to keep it for and how to search it effectively when someone makes a Subject Access Request (or, for public bodies, a Freedom of Information request).

Manually cataloguing large volumes of data is impractical at scale, and automated tooling is required, something which Microsoft 365 can provide. If you don’t have the in-house expertise to do this, an external ICT consultant with Microsoft Cloud Security and GDPR experience can help.


If you enjoyed this blog and want to find out more about how we can help your organisation protect its data, remain GDPR compliant and achieve improvement through technology, give us a call on 01332 322588. And if you would like to stay up to date with the latest news, views and insight on everything going on in the ICT and technology sector, subscribe to our FREE email newsletter.

Want to know more?

Why not subscribe to our FREE Newsletter to receive regular updates from us on ICT, technology and what we’ve been doing?