A Simple Journey to GDPR Compliance: Data Governance
Many companies such as yours are wondering where to begin making efforts towards GDPR compliance. In our last blog, we discussed how data discovery is the first step to GDPR compliance. Now we’ll discuss the second step in your journey to GDPR compliance, which is data governance. The goal of an effective data governance program is to adopt proactive and automated measures that help ensure your employees remain productive while company data remains secure.
In order to comply with the GDPR, you must prioritize process controls and data lifecycle management of personal data gathered by your organization. Understanding threats and data classification is key to helping prevent a data breach and maintain GDPR compliance. Knowing how employees access applications with sensitive data is necessary to comply with these regulations.
A data governance plan can help you define policies, roles, and responsibilities within your organization for the access, management, and use of personal data. This will help you ensure your handling practices comply with the GDPR.
Four Key Steps to Compliance
In this blog we’ll discuss the second step, Manage. The second step involves governing how personal data is used and accessed within your company. We’ve previously covered the Discover step. In future blogs, we will cover the other steps.
What Questions Should you be Asking for Data Governance?
During the Manage step, you should be asking five questions:
- Do you know how your company’s personal data is captured and used?
- Have you defined and implemented a data governance plan?
- Do you know what sensitive data your employees are transferring?
- Have you trained your employees to become aware of GDPR compliance obligations?
Here is a flowchart to help you better understand the actions needed to ensure that you’ve successfully completed the second step of becoming GDPR compliant:
Data Governance Scenario
Usually, it can be difficult to conceptualize what it would look like to follow steps such as these. Here is an interactive video that Microsoft created to help you understand what data governance would look like in an organization that is taking steps to become GDPR compliant. Take a look at this data governance scenario:
How can you utilize the features and tools provided in Microsoft 365 for Data Governance?
Below are tools and features offered in Microsoft 365 that will help you achieve your GDPR compliance goals. Along with our extensive GDPR courses, we also provide comprehensive courses outlining the details of all the features available in Microsoft 365 that you can utilize for security and compliance.
Microsoft has designed a toolkit to assist you in assessing where you are on the journey to GDPR readiness. By utilizing this toolkit you will identify and understand the compliance gaps within your organization, and the recommendations from Microsoft to consider for closing those gaps. We offer a course designed with detailed tips and guidance on how to leverage this toolkit to assess your company’s overall GDPR compliance maturity.
Advanced Data Governance (ADG)
To help with your company’s data lifecycle management and to reduce your personal data footprint, utilize insights provided by Office 365 Advanced Data Governance (ADG) to classify all files in your business and apply appropriate data retention policies, reducing risk by only retaining personal data for the purpose for which it is collected and only for as long as required.
Azure Information Protection (AIP)
Deploy Azure Information Protection policies to help classify company data, protecting personal data even when employees share it outside the company.
Data Loss Prevention (DLP)
By working with your DPO and Compliance team and leveraging over 80 pre-defined Data Types now available in Microsoft 365 Enterprise E5, you can create several Data Loss Prevention (DLP) policies to prevent accidental sharing of personal data.
You can configure User Notification and User Override components of DLP policies as an organizational control, ensuring that only the staff with legitimate business reasons to share data can do so after providing appropriate justification.
Cloud App Security (CAS)
To capture potential data access risks, use Cloud App Security (CAS) to track specific activities, such as multiple failed sign-in attempts, sign-ins from a risky IP address, unauthorized data access attempts and abnormally large data downloads.
You can also configure CAS to automatically suspend accounts and notify your security team when anomalies occur. Also, leverage the CAS Productivity App Discovery feature to track employee use of both Microsoft and non-Microsoft cloud applications to reduce risk by discovering and assessing any ‘Shadow IT’ used across the business.
With CAS you can access many logging and reporting features from Microsoft 365 Enterprise E5 that enable you to contribute to data breach investigations. Employ CAS features to determine if a breach occurred on the network. Behaviour Analytics and Anomaly Detection surface several irregularities that can be missed during a manual investigation.
By using the Cloud App Security investigate feature, you can review user and administration activities across cloud application workloads including Office 365. Save time by refining your search for activities that specifically involve access to HR Personal Data folders and files. Conduct searches in a manner that does not access personal data, avoiding additional privacy issues. Also, capture the logging activity details in reports, without including or revealing any personal data.
Next, review the Cloud Discovery report in CAS. Identify all third-party productivity applications that may have access to modify cloud data and could therefore potentially present a risk to personal data security.
Data Loss Prevention Report
Finally, generate a Data Loss Prevention report to show all staff members who have overridden policies that protect personal data, providing a list of company employees who sent personal data outside the company in the past 90 days.
Using Microsoft 365 Enterprise E5, you can quickly submit reports to your DPO, outlining critical information for breach investigations including:
- A list of any anomalies that the Threat Management engines have identified in the past three months.
- An activity report on which staff have recently accessed the relevant files and folders that contained personal data specified in the breach.
- A list of potentially risky applications in use and the staff that are using them.
- And a list of staff who have overridden DLP policies.
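The four report items above, together with the CAS anomaly signals described earlier (failed sign-in bursts, abnormally large downloads, risky discovered apps), can be expressed as a small triage routine over audit records. The following is an added example written for this post, not code from Microsoft or from Cloud App Security: the event records are constructed, their field names (`ts`, `user`, `action`, `path`, `bytes`, `app`, `risk_score`) and the thresholds are assumptions rather than any product schema, and the report deliberately carries only user names, paths and timestamps, never file contents, so that it can be handed to the DPO without revealing personal data.

```python
"""Constructed audit-log triage for a DPO breach report (added example).

Synthetic records and assumed field names; not the schema of Cloud App
Security or the Microsoft 365 audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_SIGNIN_THRESHOLD = 5                  # failures per user in one window
FAILED_SIGNIN_WINDOW = timedelta(minutes=10)
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024     # assumed tuning value (500 MiB)
RISKY_APP_MAX_SCORE = 3                      # assumed: 0-10 scale, low = risky
PERSONAL_DATA_PREFIX = "/HR/Personal Data/"  # assumed location of HR files

NOW = datetime(2018, 6, 1, 12, 0, 0)          # "today" for the 90-day lookback

# Constructed sample events; timestamps are naive ISO-8601 strings.
SAMPLE_EVENTS = [
    {"ts": "2018-05-28T09:00:00", "user": "bob", "action": "SignInFailed"},
    {"ts": "2018-05-28T09:01:00", "user": "bob", "action": "SignInFailed"},
    {"ts": "2018-05-28T09:02:00", "user": "bob", "action": "SignInFailed"},
    {"ts": "2018-05-28T09:03:00", "user": "bob", "action": "SignInFailed"},
    {"ts": "2018-05-28T09:04:00", "user": "bob", "action": "SignInFailed"},
    {"ts": "2018-05-20T10:00:00", "user": "alice", "action": "SignInFailed"},
    {"ts": "2018-05-20T11:00:00", "user": "alice", "action": "SignInFailed"},
    {"ts": "2018-05-25T14:00:00", "user": "carol", "action": "FileDownloaded", "bytes": 800 * 1024 * 1024},
    {"ts": "2018-05-26T14:00:00", "user": "dave", "action": "FileDownloaded", "bytes": 10 * 1024 * 1024},
    {"ts": "2018-05-29T16:30:00", "user": "alice", "action": "FileAccessed", "path": "/HR/Personal Data/benefits.xlsx"},
    {"ts": "2018-05-29T17:00:00", "user": "bob", "action": "FileAccessed", "path": "/Marketing/plan.docx"},
    {"ts": "2018-02-01T09:00:00", "user": "erin", "action": "FileAccessed", "path": "/HR/Personal Data/salaries.xlsx"},
    {"ts": "2018-05-10T08:00:00", "user": "carol", "action": "AppDiscovered", "app": "FileShareExample", "risk_score": 2},
    {"ts": "2018-05-11T08:00:00", "user": "dave", "action": "AppDiscovered", "app": "FileShareExample", "risk_score": 2},
    {"ts": "2018-05-12T08:00:00", "user": "alice", "action": "AppDiscovered", "app": "TrustedApp", "risk_score": 9},
    {"ts": "2018-05-15T12:00:00", "user": "bob", "action": "DlpRuleOverride"},
    {"ts": "2018-05-16T12:00:00", "user": "bob", "action": "DlpRuleOverride"},
    {"ts": "2018-01-20T12:00:00", "user": "frank", "action": "DlpRuleOverride"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def failed_signin_bursts(events):
    """Flag users with >= FAILED_SIGNIN_THRESHOLD failures inside a sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "SignInFailed":
            per_user[e["user"]].append(parse_ts(e["ts"]))
    findings = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_SIGNIN_WINDOW:
                start += 1                      # slide the window forward
            if end - start + 1 >= FAILED_SIGNIN_THRESHOLD:
                findings.append({"type": "failed_signin_burst", "user": user,
                                 "count": end - start + 1, "last": times[end].isoformat()})
                break                           # one finding per user is enough
    return findings


def large_downloads(events):
    """Flag single downloads above the assumed size threshold."""
    return [{"type": "large_download", "user": e["user"], "bytes": e["bytes"], "ts": e["ts"]}
            for e in events
            if e["action"] == "FileDownloaded" and e.get("bytes", 0) >= LARGE_DOWNLOAD_BYTES]


def build_dpo_report(events, now, lookback_days=90):
    """Assemble the four report items, restricted to the lookback period."""
    cutoff = now - timedelta(days=lookback_days)
    recent = [e for e in events if parse_ts(e["ts"]) >= cutoff]
    anomalies = failed_signin_bursts(recent) + large_downloads(recent)
    # Who touched HR personal-data files: metadata only, no file contents.
    personal_data_access = [{"user": e["user"], "path": e["path"], "ts": e["ts"]}
                            for e in recent
                            if e["action"] == "FileAccessed" and e["path"].startswith(PERSONAL_DATA_PREFIX)]
    risky_apps = defaultdict(set)
    for e in recent:
        if e["action"] == "AppDiscovered" and e["risk_score"] <= RISKY_APP_MAX_SCORE:
            risky_apps[e["app"]].add(e["user"])
    dlp_overrides = sorted({e["user"] for e in recent if e["action"] == "DlpRuleOverride"})
    return {"anomalies": anomalies,
            "personal_data_access": personal_data_access,
            "risky_apps": {app: sorted(users) for app, users in risky_apps.items()},
            "dlp_overrides": dlp_overrides}


if __name__ == "__main__":
    import json
    print(json.dumps(build_dpo_report(SAMPLE_EVENTS, NOW), indent=2))
```

Run as-is it reports bob's five failed sign-ins within ten minutes, carol's oversized download, alice's access to the HR folder, the low-scored app used by carol and dave, and bob as the only user who overrode a DLP rule in the last 90 days; erin's and frank's older events fall outside the lookback window and are dropped, which is the same 90-day cut the report above applies.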
Next Steps of GDPR Compliance
In our next blog, we’ll teach you how to navigate the third step in this four-step compliance journey. You’ll learn what you need to be asking in the Protect step and what tools and features you can utilize from Microsoft 365 so that your team can easily manage data protection and mitigate information security risks.
If you’re interested in gaining deeper insights into GDPR, or would like to learn how to leverage these tools and more from Microsoft 365, you can take our in-depth courses outlining how to lead your company to become compliant.
We have many courses that teach you the details of becoming GDPR compliant, including ones that outline these four key steps utilizing Microsoft 365 tools.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.