Skip to main content
Industry

Manage: Govern how personal data is used and accessed

The GDPR provides data subjects—individuals to whom data relates—with more control of how their personal data is captured and used. Data subjects can, for example, request that your organisation shares data that relates to them, transfer their data to other services, correct mistakes in their data, or restrict certain data from further processing in certain cases. In some cases, these requests must be addressed within fixed time periods.

Data governance

In order to satisfy your obligations to data subjects, you will need to understand what types of personal data your organisation processes, how, and for what purposes. The data inventory discussed previously is a first step to achieving this understanding. Once that inventory is complete, it is also important to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and can help you ensure your data handling practices comply with the GDPR. For example, a data governance plan can give your organisation confidence that it effectively respects data subject demands to delete or transfer data.

Microsoft Cloud Services

To support your data governance strategy, the Microsoft cloud services are developed using the Microsoft Privacy-by-Design and Privacy-by-Default methodology. When you entrust your data to Azure, Office 365 or Dynamics 365, you remain the sole owner: you retain the rights, title and interest in the data you store in the services.

Microsoft cloud services take strong measures to help protect your customer data from inappropriate access or use by unauthorised persons, as detailed in the Microsoft Trust Center. These measures include restricting access by Microsoft personnel and subcontractors and carefully defining requirements for responding to government requests for customer data. However, you can access your own customer data at any time and for any reason.

In addition, we redirect government requests for your data so that they are made directly to you, unless legally prohibited, and we have challenged government attempts to prohibit disclosure of such requests in court.

To help ensure Microsoft cloud services are managed correctly and to provide assurances to our customers, the cloud services are audited at least annually against several global data privacy standards, including HIPAA and HITECH, CSA Star Registry and several ISO standards. These reports are accessible here. Beyond these commitments, we provide you with the necessary control to ensure you know how data is managed and who has access to what data within your organisation.

Azure

Azure Active Directory is an identity and access management solution in the cloud. It manages identities and controls access to Azure, on-premises and other cloud resources, data and applications. With Azure Active Directory Privileged Identity Management, you can assign temporary, Just-In-Time (JIT) administrative rights to eligible users to manage Azure resources.

Azure Role-Based Access Control (RBAC) helps you manage access to your Azure resources. This enables you to grant access based on the user’s assigned role, making it easier to grant only the required permissions that users need to perform their jobs. You can customise RBAC per your organisation’s business model and risk tolerance.

Read more: Download the white paper on how Microsoft Azure can help your organisation become compliant with the GDPR

Office 365

Office 365 solutions have several features that can help you manage personal data:

  • Data governance features in the Office 365 Security & Compliance Center help you archive and preserve content in Exchange Online mailboxes, SharePoint Online sites and OneDrive for Business locations, and import data into your Office 365 organisation.
  • The Retention feature in Office 365 can help you manage the lifecycle of email and documents by keeping the content you need and removing content after it’s no longer required.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on and take action to manage the lifecycle of the data that is most important to your organisation.
  • Information management policies in SharePoint Online enable you to control how long to retain content, to audit what people do with content and to add barcodes or labels to documents.
  • Journaling in Exchange Online can help you respond to legal, regulatory and organisational compliance requirements by recording inbound and outbound email communications.

Data classification

Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your organisation can be particularly helpful for responding to data subject requests, because it enables you to identify more readily and process personal data requests.

Today, we provide guidance and tools to help you work through the complexities of data classification.

Azure

The Data Classification whitepaper provides specific guidance for data classification for Azure and walks you through the principles behind data classification techniques, the process, terminology and implementation. The documentation contains a wealth of other information and links.

Dynamics 365

The Dynamics 365 (online) security and compliance planning guide provides comprehensive guidance on understanding the key compliance and security considerations associated with planning for a deployment of Dynamics 365 (online) in environments that include enterprise directory integration services such as directory synchronisation and single sign-on. It includes information on data privacy and confidentiality policies, data classification and impact.

Enterprise Mobility + Security (EMS)

Azure Information Protection can help you classify and label your data at the time of creation or modification. Protection (encryption plus authentication plus use rights) or visual markings can then be applied to sensitive data. Classification labels and protection are persistent, travelling with the data so that it’s identifiable and protected at all times—regardless of where it’s stored or with whom it’s shared.

Read more: Download the white paper on supporting your EU GDPR compliance journey with Microsoft EMS

Office and Office 365

  • Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information. In addition, DLP allows organisations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on and take action to manage the lifecycle of the data that is most important to your organisation. Classify data based on automatic analysis and policy recommendations, then apply actions to preserve data in-place or purge what’s necessary. In-place data as well as third-party data sources can be ingested into Office 365 and classified by message type. Message type classification allows for the search, sort and export of the various data sources, which eases the process of performing ediscovery reviews.

Windows and Windows Server

The Microsoft Data Classification Toolkit for Windows Server 2012 R2 provides sample search expressions and rules that you can use to assist compliance activities conducted by your organisation’s IT professionals, auditors, accountants, attorneys and other compliance professionals.

Next step: Protect
Find out more at a GDPR cloud workshop

Microsoft logo. Square made up of four coloured segments in red, green, blue and yellow
Microsoft

Related posts