A Simple Journey to GDPR Compliance: Data Reporting
So, you’re trying to make sense of the new data protection regulations being implemented by the European Union. Breaking your compliance process into steps can make the task a little easier. By now you should have discovered the data within your inventory, created a plan for data governance, and built a protection process. Data reporting is the last step in implementing your compliance process: you must execute data requests, report data breaches, and keep the required documentation to ensure that your company is not liable for fines and penalties.
Ensuring adequate process controls and appropriate reporting of the data on hand must be top of mind for GDPR compliance within your organization. This includes delegating an employee who is responsible for conducting interviews with staff members in the event of a breach investigation.
Four Key Steps to Compliance
Microsoft suggests four key steps that will help guide you through the process of GDPR compliance:
In this blog, we’ll discuss the last step, Report. This step involves documenting and reporting how data is used, and whether it has been exposed while under your control.
What Questions Should you be Asking for Data Reporting?
During the Report step, you should be asking five questions:
- Does your organization keep transparent records?
- Do you have a breach notification plan?
- Do you have a governance plan for handling data subject requests?
- Have you completed a Data Protection Compliance Review?
- Have you trained your employees for best practices in reporting?
Here is a flowchart to help you better understand the actions needed to ensure that you’ve successfully completed the fourth step of becoming GDPR compliant:
Data Reporting Scenario
Usually, it can be difficult to conceptualize what it would look like to follow steps such as these. Here is an interactive video that Microsoft created to help you understand what data reporting would look like in an organization that is taking steps to become GDPR compliant. Take a look at this data reporting scenario:
How Can you Utilize the Features and Tools Provided in Microsoft 365 for Data Reporting?
Below are tools and features offered in Microsoft 365 that will help you achieve your GDPR compliance goals. Along with our extensive GDPR courses, we also provide comprehensive courses outlining all the features available in Microsoft 365 that you can utilize for security and compliance.
To ensure your legal and compliance team always has appropriate data reporting available, work with your DPO and your IT and Security teams to quickly deliver security reports that consist of the following:
Cloud Discovery Dashboard
A Cloud Discovery Dashboard overview from Cloud App Security (CAS) gives your legal and compliance team quick insight into which cloud applications are in use across your business, along with a corresponding risk rating for each application.
The Productivity App Discovery Dashboard provides a quick insight into which cloud applications are in use across your business, along with a corresponding risk rating for each application. It gives a high-level snapshot of pertinent information about your company’s Office 365 and other productivity cloud service usage, such as the total number of apps in use (Office 365 or 3rd party), the total number of users, and total traffic (upload/download).
The Office 365 Category section presents a breakdown of the actual amount of traffic being transmitted through Office 365 and other 3rd-party apps; clicking on a category bar shows the detail. For example, if you click on the Cloud Storage bar, you can see that of the 1.3 GB of usage, 645 MB is being stored within Office 365.
The Discovered apps section breaks down application usage even further. To help Security teams provide detailed reporting to you, they can open the Discovered apps section and filter on cloud storage application traffic as well as Collaboration, Online meetings, Social Network, Webmail and other categories.
To find out more about the security and reporting features in Office 365, you can take our Office 365 Security Overview course.
In the Office 365 Security and Compliance Center, Service Assurance provides compliance reports and trust documents that describe the Microsoft Office 365 audit controls relevant to both your company’s geography and its industry.
Azure Active Directory
An Azure Active Directory report lists any risky sign-in behavior and the users flagged for other risks.
Still feeling a lack of confidence in your compliance procedures? Check out these toolkits that are built to assist in your GDPR compliance efforts.
For your weekly reporting you will always receive an output of your company’s current Secure Score. This helps track your security progress and gives the DPO and others on the compliance team a quick view of how your company is performing in relation to overall data security. The Secure Score output analyzes your Office 365 environment and assigns a score based on security settings and regular activities.
Secure Score determines which Office 365 services you are using (such as OneDrive, SharePoint, and Exchange), then looks at the organization’s settings and activities and compares them to a baseline established by Microsoft. From there, your IT security team gets a score based on how closely your company is aligned with security best practices.
By having a process in place that tracks and reports on security actions that directly affect your company’s exposure to a data breach, you can show that your organization is actively working to report on and improve the security of its personal data. You can also export your Secure Score over time into your reports.
With a single click, you can cover your company with Customer Lockbox and strengthen GDPR compliance with further controls over access to data.
From that point on, access to customer content by Microsoft personnel during service operations will require approval from a tenant admin in your organization.
Regularly reviewing the weekly report helps your compliance team document the state of data security and process controls and governance in your company.
In addition to the weekly report, you can review the investigative reports submitted by the HR and IT Security teams during a data breach investigation.
Next Steps of GDPR Compliance
GDPR compliance is not a journey with a clear ending. You must continuously assess your data inventories and practices to make sure your company stays up to date with its protection systems. Start back at step 1 to make sure your information is properly classified.
If you’re interested in gaining deeper insights into GDPR, or would like to learn how to leverage these tools and more from Microsoft 365, you can take our in-depth courses outlining how to lead your company to become compliant.
We have many courses that teach you the details of becoming GDPR compliant, including ones that outline these four key steps utilizing Microsoft 365 tools.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cybersecurity experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and provide the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.