A Simple Journey to GDPR Compliance: Data Discovery
The EU’s GDPR imposes requirements on how organizations process both client data and internal company data. In order to comply, you must ensure that your company can easily locate and update personal data while ensuring that the data remains secure. To do this, you must segment specific sensitive data types from the rest of your business data to ensure employee and customer confidentiality. Before you can manage and protect your information you must first go through the process of data discovery for GDPR compliance.
Four Key Steps to Compliance
Microsoft suggests four key steps that will help guide you through the process of GDPR compliance:
The first step involves the segmentation of sensitive data through discovering, classifying, and labeling, which we will discuss in this blog. In future blogs, we will cover the other steps.
What Questions Should you be Asking for Data Discovery?
During the Discover step, you should be asking five questions:
- First, whether the GDPR applies to your data.
- Second, if you know what Personally Identifiable Information (PII) you collect.
- Next, ask whether or not you know where your data is segmented and categorized.
- After that, you should know if your data resides in multiple locations and apps.
- Finally, you should ask what the purpose of collecting data is and how it is retained.
Here is a flowchart to help you better understand the actions needed to ensure that you’ve successfully completed the first step of becoming GDPR compliant:
Data Discovery Scenario
Usually, it can be difficult to conceptualize what it would look like to follow steps such as this. Here is an interactive video that Microsoft created to help you understand what data discovery would look like in an organization that is taking steps to become GDPR compliant. Take a look at this data discovery scenario:
How can you utilize the features and tools provided in Microsoft 365 for Data Discovery?
Data Discovery Toolkit
Microsoft has built you a Toolkit to simplify your compliance efforts. It is built to help you easily discover the data in your inventory to determine whether the GDPR applies to your organization and if so, to what extent. We’ve built a course that guides you through how to use this toolkit so that you can better understand what data your organization processes and where it resides.
Azure Information Protection
To keep personal data confidential, store it in Microsoft SharePoint libraries that are protected with Azure Information Protection (AIP). AIP allows your team to restrict access to sensitive documents even after they have left the internal SharePoint environment, so they cannot be viewed or changed by unauthorized parties even if shared accidentally.
Work with your IT team to create a set of Office 365 labels and AIP labels for staff to use. The labels enable staff to efficiently classify sensitive documents and emails.
Additionally, use Office 365 labels to auto-apply classifications to existing and new content so that your staff does not have to apply the labels manually.
Access several investigative features that enable you to contribute to data leak investigations.
Security and Compliance Center
Access this in Office 365 to define and execute a Content Search in order to gather an inventory of emails, instant messaging content, social media postings, SharePoint and OneDrive for Business files, which are sent or received by staff across your company. Quickly export a report detailing email accounts and file locations containing content relevant to your investigation.
Create a new eDiscovery case and assign it to staff members. Perform concentrated searches for relevant information using Sensitive Data Types and custom search words to help define search vectors. Place returned information on hold to prevent relevant data from being changed or deleted during the investigation.
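The case, search and hold workflow described above can also be scripted with Security & Compliance PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the eDiscovery Manager role, and the case and search names are placeholders.

```powershell
# Added example (not from the original post): script the Content Search and
# hold steps using Security & Compliance PowerShell cmdlets.
# Assumptions: ExchangeOnlineManagement module installed; the account holds
# the eDiscovery Manager role; $caseName is a placeholder.
Connect-IPPSSession

$caseName   = "GDPR-PII-Inventory"        # placeholder case name
$searchName = "$caseName-Search"

# Built-in sensitive information types act as the search vector
$query = 'SensitiveType:"Credit Card Number" OR SensitiveType:"EU Debit Card Number"'

# Create the eDiscovery case and a search scoped to that case
New-ComplianceCase -Name $caseName
New-ComplianceSearch -Name $searchName -Case $caseName `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then summarize the inventory it produced
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
"{0} items found ({1} bytes)" -f $search.Items, $search.Size

# Place matching content on hold so it cannot be changed or deleted
# while the investigation runs
New-CaseHoldPolicy -Name "$caseName-Hold" -Case $caseName `
    -ExchangeLocation All -SharePointLocation All
New-CaseHoldRule -Name "$caseName-HoldRule" -Policy "$caseName-Hold" `
    -ContentMatchQuery $query
```

The hold rule reuses the same query as the search so that exactly the content inventoried is preserved; loosen or tighten the query in both places together.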
Along with our many GDPR courses, we also offer comprehensive courses that are designed to provide you complete knowledge of tools in Microsoft 365, such as eDiscovery.
Using the powerful text analytics and email thread analysis of Advanced eDiscovery, execute Express Analysis to refine and eliminate redundant records within the returned search results containing an overabundance of unstructured personal data.
Quickly create reports detailing relevant information to investigations, including the express analysis. This report lists all files and emails sent and received containing personal data relevant to the investigation.
Once you identify employees that sent emails containing personal data outside the company, you can narrow your investigation and take remedial actions based on the recommendations that these tools provide you.
Next Steps of GDPR Compliance
In our next blog, we’ll teach you how to navigate the second step in this four-step compliance journey. You’ll learn what you need to be asking in the Manage step and what tools and features you can utilize from Microsoft 365 so that your team can easily govern how personal data is used and accessed in your company.
If you’re interested in gaining deeper insights into GDPR, or would like to learn how to leverage these tools and more from Microsoft 365, you can take our in-depth courses outlining how to lead your company to become compliant.
We have many courses that teach you the details of becoming GDPR compliant, including ones that outline these four key steps utilizing Microsoft 365 tools.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.