A Simple Journey to GDPR Compliance: Data Protection
Welcome back to our blog series explaining how to achieve effective GDPR compliance through four simple steps. The main objective of GDPR legislation is to protect and empower all EU citizens with stringent information rights. After you have discovered the data that your company inventories and have built an effective data governance plan, you must implement processes to ensure full data protection for both customers, as well as employees, of your company.
To achieve proper data protection, you must establish security controls that prevent, detect, and respond to vulnerabilities and data breaches. Implementing compliance and security processes with Microsoft 365 helps your organization reduce its exposure while still letting employees do their jobs effectively; the tools below support that goal, but none of them replaces a risk assessment and clear ownership of the controls.
Four Key Steps to Compliance
Microsoft suggests four key steps that will help guide you through the process of GDPR compliance:
- Discover
- Manage
- Protect
- Report
In this blog, we discuss the third step, Protect, which involves implementing a risk management and risk mitigation plan to protect the personal data in your company's data inventory. We have previously covered the Discover and Manage steps; the final blog in the series will cover the Report step.
What Questions Should you be Asking for Data Protection?
During the Protect step, you should be asking five questions:
- Do you understand your company’s data security risks?
- Does your organization have a risk management and mitigation plan?
- Do you have a system for monitoring and detecting system intrusions?
- Have you appointed a Data Protection Officer? (Article 37 makes this mandatory for public authorities and for organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily.)
- Have you trained your team to be fully aware of protection practices?
The flowchart below summarizes the actions needed to complete the third step of becoming GDPR compliant:
Data Protection Scenario
It can be difficult to picture what following these steps looks like in practice. Microsoft has created an interactive video that shows what data protection looks like in an organization taking steps to become GDPR compliant. Take a look at this data protection scenario:
How Can you Utilize the Features and Tools Provided in Microsoft 365 for Data Protection?
Below are tools and features offered in Microsoft 365 that will help you achieve your GDPR compliance goals. Along with our extensive GDPR courses, we also provide comprehensive courses outlining the details of all the features available in Microsoft 365 that you can utilize for security and compliance.
Intune Mobile Device Management (MDM)
Staff members often access sensitive data from personal devices. To ensure that access is secured, enroll their devices in your company portal via Intune Mobile Device Management (MDM).
By setting a mobile device policy that enforces a PIN or password, automatic device lock, and device encryption, and by marking devices that fail these checks as non-compliant so they lose access to company data, the IT support team reduces the risk of personal data being stolen or copied from mobile devices.
To find out how to set various device security policies and access rules through MDM you can take our course.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) helps secure access to productivity applications by requiring a second factor, such as an authenticator app or a code sent to the employee's phone, in addition to the password when signing in. A stolen or phished password alone is then not enough to reach the data.
Configuring and enabling MFA for employees can be done quickly through the Office 365 admin center (now the Microsoft 365 admin center). For more consistent enforcement, require MFA through Azure AD Conditional Access policies rather than per-user settings, so the requirement follows the user across all applications.
Advanced Threat Protection
Your employees receive hundreds of emails every day. Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection reduce the risk of opening and executing malicious content by working in the background to stop employees from running malware delivered as file attachments and by protecting them from malicious hyperlinks in email messages.
The ATP Safe Attachments policy detects threats that signature-based anti-virus does not yet recognize. With Safe Attachments, messages containing attachments are routed through what is effectively a detonation chamber: each attachment is opened in an isolated sandbox and observed for malicious behaviour before the message is delivered.
ATP Safe Links rewrites the URLs in a message so that each link is checked at the moment it is clicked, not only when the mail arrives. If the destination has been classified as malicious, the employee is redirected to a warning page instead of the original site and told why.
Azure Information Protection
Azure Information Protection (AIP) lets you classify and label sensitive data and apply protection policies to it, so that only the intended recipients of a document or email, both inside and outside your organization, have the appropriate access. Because the protection travels with the file, it still applies after the file has been forwarded or copied. AIP also allows the document owner to check when and where protected data has been accessed and by whom.
Data Loss Prevention (DLP), covered in its own section below, complements AIP by warning employees with Policy Tips each time an email message or attachment contains personal data, so sensitive content is not emailed out by accident.
Intune Device Wipe
When an employee's personal device is lost or stolen, your IT security team can remotely wipe it via Intune to help ensure sensitive data on the device is not exposed. For personally owned devices, Intune's retire (selective wipe) action removes company data and apps while leaving the employee's own photos and files untouched, which is usually the right choice for BYOD; a full wipe resets the device to factory settings and is reserved for corporate-owned hardware.
Cloud App Discovery
Cloud App Discovery analyzes network and proxy traffic to find and report the use of cloud applications that your organization has not sanctioned, so that personal data being copied into unmanaged services can be identified and the services either blocked or brought under control.
DLP Override Justification
Data Loss Prevention (DLP) policies help ensure that employees cannot accidentally email sensitive data outside the organization.
DLP Policy Tips warn employees, while they are composing a message, that its body or an attachment contains personal data. Depending on how the rule is configured, the message can be allowed, allowed only after the employee provides a business justification for the override, or blocked outright.
DLP incident reports also show when employees send personal data to addresses outside your business, and when a user overrides a block the justification they enter is recorded with the incident, so the compliance team can review whether the transfer was warranted. Note that DLP cannot retrieve a message once it has left the organization: where a transfer must never happen, configure the rule to block without an override option rather than relying on after-the-fact review.
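As an added example (this is not code from the original post or from Microsoft's documentation), here is how the two variants of such a rule look in Security & Compliance PowerShell: a weak rule that only shows a policy tip and lets users override without explanation, next to a hardened rule that blocks external delivery, requires a written justification to override, and records each override in an incident report. The policy and rule names, the compliance mailbox address and the choice of sensitive information types are assumptions; verify the type names in your own tenant with Get-DlpSensitiveInformationType, as the script does before creating the rules.

```powershell
# Added example (not from the original post): a DLP policy in Security &
# Compliance PowerShell that detects personal data in outbound e-mail, shows a
# policy tip, and records any override together with its business justification.
# Assumptions: the ExchangeOnlineManagement module is installed and you sign in
# with a Compliance Administrator account; policy/rule names and the compliance
# mailbox are made up for illustration.

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Confirm that the built-in sensitive information types we intend to use exist
# in this tenant before referencing them in a rule (names are case-sensitive).
$typeNames = @('Credit Card Number', 'EU Debit Card Number')
$available = Get-DlpSensitiveInformationType | Select-Object -ExpandProperty Name
foreach ($t in $typeNames) {
    if ($available -notcontains $t) { throw "Sensitive information type '$t' not found in tenant" }
}
$sit = $typeNames | ForEach-Object { @{ Name = $_; minCount = '1' } }

# The policy applies to all Exchange mailboxes and starts in test mode so that
# policy tips are shown but nothing is blocked until the rules have been reviewed.
New-DlpCompliancePolicy -Name 'GDPR-PersonalData-Outbound' `
    -Comment 'Personal data leaving the organisation (added example)' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Weak rule: policy tip only, override allowed with no justification, nothing
# reported. Fine for a pilot, but it leaves no record of who sent what, or why.
# Created disabled so it is never active by accident.
New-DlpComplianceRule -Name 'PersonalData-External-TipOnly' `
    -Policy 'GDPR-PersonalData-Outbound' `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $sit `
    -NotifyUser Owner `
    -NotifyAllowOverride WithoutJustification `
    -Disabled $true

# Hardened rule: block delivery outside the organisation, allow an override only
# with a written justification, and send an incident report (including the
# justification text) to the compliance mailbox so every override is reviewed.
New-DlpComplianceRule -Name 'PersonalData-External-BlockWithJustification' `
    -Policy 'GDPR-PersonalData-Outbound' `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation $sit `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message contains personal data and cannot be sent outside the company without a justification.' `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport 'compliance@contoso.example' `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# After the test period, switch the policy from test mode to enforcement.
Set-DlpCompliancePolicy -Identity 'GDPR-PersonalData-Outbound' -Mode Enable
```

Run the script once from an administrative workstation; the policy is created in test mode so the hardened rule only warns until the final Set-DlpCompliancePolicy call. If a category of transfer must never leave the organization, omit -NotifyAllowOverride from the hardened rule entirely, since an override, even a justified one, still delivers the message and nothing can recall it afterwards.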
Next Steps of GDPR Compliance
So now you’ve learned about how to properly manage and mitigate risk for data protection. In our next blog, we’ll teach you how to navigate the last step in this four-step compliance journey. You’ll learn what you need to be asking in the Report step and what tools and features you can utilize from Microsoft 365 so that your team can easily manage required documentation and execute on data requests and report data breaches.
If you’re interested in gaining deeper insights into GDPR, or would like to learn how to leverage these tools and more from Microsoft 365, you can take our in-depth courses outlining how to lead your company to become compliant.
We have many courses that teach you the details of becoming GDPR compliant, including ones that outline these four key steps utilizing Microsoft 365 tools.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cybersecurity experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and provide up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.