Need more help with GDPR preparations? We’ll give you an overview of Microsoft’s, and a few others’, GDPR toolkits, available to you now.
As you should now know, the General Data Protection Regulation (GDPR) takes effect in the EU on May 25th, 2018. This new regulation will affect not only EU residents, but also any company that stores or processes EU residents’ data. Here are just a few of the changes coming with GDPR:
- Individuals have more control over how their data is used, processed and stored under GDPR. One big shift here is “the right to be forgotten”. This right requires companies to delete personal data at the individual’s request, but the right to personal privacy under GDPR goes even further. Under GDPR, individuals will have the right to access, erase or export their personal data, as well as to correct errors and object to the processing of their data.
- It also holds organizations accountable for the security of EU residents’ data. GDPR requires companies to gain (and be able to prove) consent from individuals for processing their data. They also need to use appropriate security measures, keep records detailing their data processing and notify the appropriate authorities of any breach that affects EU residents’ data. Potential penalties for non-compliant organizations include fines of up to 4% of annual global turnover or €20 Million (whichever is greater), which, if nothing else, is undeniable incentive for accountability from organizations.
- GDPR also requires organizations to be much more transparent and articulate with their customers about how, why and what data they are collecting. Organizations are required to clearly define their data retention and deletion policies. Along with policy transparency, organizations must also be transparent with their customers about their reasons for collecting individuals’ data. Under GDPR, organizations have to both outline the purposes and use cases for processing individuals’ data and provide individuals with clear notices about the collection of their data.
- The final piece, and our favorite piece, is training. The General Data Protection Regulation requires organizations to meet internal compliance standards as well. Along with requirements to train privacy personnel and other employees in data processing policies and compliance, organizations also must employ a data protection officer, create and manage compliant vendor contracts, and audit and update data policies.
GDPR Steps to Compliance
Don’t get bogged down in confusion and overwhelm: we’ll be going over some great toolkits to help you understand GDPR, get compliant and stay compliant. We’ll be covering Microsoft GDPR solutions, IT Governance GDPR toolkits and a GDPR toolkit from our partner Rapid7. However, before we start, let’s briefly look at what Microsoft has consolidated as the “four key steps to GDPR compliance”.
Microsoft outlines these four steps as follows: discover, manage, protect, and report.
- The discovery step entails identifying what personal data an organization has in its possession and where it is stored. Taking inventory of its data lets an organization better understand which of its data is personal and how that data is processed, stored and shared.
- Once the data has been assessed, putting management systems in place is the next step in ensuring compliance. Microsoft recommends adopting a classification scheme to aid in identifying personal data and processing requests about it.
- The next step is one that organizations SHOULD already be doing, but under GDPR will need to ensure they’re doing right: security. Organizations need to establish security controls to prevent, detect and respond to vulnerabilities and breaches, in line with GDPR requirements.
- Finally, reporting. Organizations are required to store relevant documentation, including records of the purposes of processing, the categories of personal data processed, any third-party data being stored, the security measures in place and data retention times. (Now you see why step one was so important!)
Now, let’s look at the toolkits that can help you accomplish all these steps successfully.
GDPR Toolkits for Easy GDPR Compliance
First, let’s start with Microsoft’s toolkits: the Microsoft Discovery Toolkit, Microsoft Assessment Toolkit, and the Microsoft Partner GDPR Toolkit. We’ll also briefly talk about the Microsoft Compliance Manager, a hugely useful tool for GDPR compliance. After this, we’ll talk about some other GDPR toolkits from IT Governance and Rapid7.
Microsoft Discovery Toolkit
The Microsoft Discovery Toolkit collects information from Internet Explorer about the sites your users visit, reporting:
- What sites your users visit most
- Which document mode pages load in and how document modes are chosen
- On what sites ActiveX controls are being used and how often
- Which sites are crashing for users
- Whether any sites should be removed from the “Trusted Sites” list
- Whether any sites should be removed from the “Enterprise Mode” list
In short, per Microsoft, it “enables collecting information from Internet Explorer about sites that are visited by enterprise users.” Once data collection has been enabled, there is no end-user notification that their data is being collected, so it is up to the organization to gain explicit consent from its employees and contractors.
Microsoft Partner GDPR Toolkit
The Microsoft Partner GDPR Toolkit essentially consolidates downloadable resources to give guidance to partners and ease their journey to GDPR compliance. It gives partners various assessment tools, reference materials, guidance on Trust Center and demos, as well as GitHub code and other technical knowledge for managing GDPR activities. Here are the full contents:
- GDPR Activity Hub
- GDPR demos
- GDPR on Trust Center
- GDPR partner website
- Microsoft GDPR detailed assessment Toolbox 2.0
- Microsoft GDPR discovery toolkit
- Office 365 Security Assessment IPKit
- Rapid Cyberattack Assessment tool
- Shadow IT Assessment
Microsoft Assessment Toolkit
Microsoft has a number of assessment toolkits, but their new GDPR Detailed Assessment toolkit was made specifically with Microsoft partners in mind. It was built for partners to use with their customers, helping them along their journeys to GDPR compliance.
The assessment begins with a questionnaire containing 26 questions about your organization. It starts with questions about the organization’s size, how much you know about how, and where, your data is stored in the organization, how confident you are in your data governance program, etc. Then it moves on to checklists of GDPR requirements that you can tick off one by one. In these checklists, it asks about your ability to enable subjects to submit data erasure and similar requests, rectify inaccurate or incomplete data, provide subjects their personal data in a common, structured format, and other data handling capabilities. It also asks about security and data protection standards, such as privacy by design and default, encryption, and breach detection and response. Finally, it assesses your auditing and reporting standards, policies and capabilities.
Once you complete the assessment, you are given your “benchmark”, which indicates how well prepared you are for the GDPR compared with your peers. It also identifies which areas of GDPR compliance you should spend more resources addressing. On the benchmark page, you are given a link to an even more detailed GDPR assessment along with relevant follow-on literature to help guide your, and your customers’, journeys to GDPR compliance.
Microsoft Compliance Manager
Compliance Manager 4.0 came out late last year to further help partners and customers achieve GDPR compliance. The Microsoft Compliance Manager helps partners and customers manage end-to-end regulation-to-audit compliance processes. Microsoft has identified three main challenges for businesses when it comes to compliance:
- A lack of in-house capabilities to both define and implement controls
- A lack of collaboration between departments (compliance and IT)
- Inefficient audit preparation activities
Visibility into an organization’s control implementation across regulations, actionable insights for improving compliance posture, and audit-ready reporting tools are at the crux of Microsoft Compliance Manager. Check out their public Compliance Manager demo for more information.
IT Governance USA and IT Governance UK
IT Governance has GDPR toolkits for both American and British companies. Both toolkits contain similar material, giving customers professional guidance on compliance obligations under GDPR with templates, worksheets and policies. The toolkits also offer dashboards and a project tool that give visibility into how completely GDPR is covered and help you integrate your GDPR documentation with your Information Security Management System (ISMS). They include policies, assessments, checklists, a gap analysis tool and two licenses for a GDPR Staff Awareness Course; here are some of the materials they list on their site:
- Data protection policy
- Training policy
- Information security policy
- Data protection impact assessment procedure
- Subject access request form and procedure
- Privacy procedure
- International data transfer procedure
- BS 10012:2017 PIMS Gap Analysis Tool
- Data Protection Impact Assessment (DPIA) Tool
- Two licenses for the GDPR Staff Awareness E-learning course
Rapid7 GDPR Toolkit
We use Rapid7’s Nexpose and Metasploit tools in some of our other cyber security course work, so of course we wanted to include this bright company’s contribution to your GDPR readiness. Rapid7 promises a “holistic approach” with their GDPR toolkit, with everything from vulnerability assessments to access to their Metasploit tool for penetration testing. This toolkit is more targeted at the cyber security side, as its informational resources are less comprehensive than those listed above. Still, the ability to monitor activity on restricted systems, get managed detection and response services and gain better insight into the security of your environment makes it helpful in ensuring you aren’t hit with the heavy fines a breach could lead to under GDPR.
Of course, to really get GDPR compliance right, you need knowledgeable talent who know how to prepare your organization for compliance and have the ability to manage the organization’s ongoing compliance. Here at CyberTraining 365, we have top-notch GDPR training, both foundational and for practitioners, so that organizations can best leverage their Microsoft 365 environments for GDPR compliance.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.