Getting ready for the GDPR: let's be prepared when it arrives. May 2018. Dragan Tasić, Technology Solutions Professional. This presentation is intended to provide an overview of the GDPR and is not a definitive statement of the law.
"Make no mistake, the GDPR sets a new and higher bar for privacy rights, for security, and for compliance. And while your journey to GDPR may seem challenging, Microsoft is here to help all of our customers around the world." Brad Smith, President & Chief Legal Officer, Microsoft Corporation
Providing clarity and consistency for the protection of personal data. The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and on those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.
What is the GDPR? TODAY: 28 interpretations of the Data Protection Directive. May 25th 2018: one Data Protection Regulation, harmonized across all EU member states.
Who's Who in the Protection of Personal Data? DATA CONTROLLER, DATA PROCESSOR, DATA SUBJECT, DATA PROTECTION OFFICER, DATA PROTECTION AUTHORITY. Data Protection Officers are designated persons responsible for making sure the organization follows the new regulations.
Protecting customer privacy with GDPR
Our commitment to you To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018. We will share our experience in complying with complex regulations such as the GDPR. Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.
We will stand behind you with contractual commitments for our cloud services that: Meet stringent security requirements Support customers in managing data subject requests Provide documentation that enables customers to demonstrate compliance for all the other requirements of the GDPR applicable to processors and more Microsoft was the first major cloud services provider to make these commitments to its customers. Our goal is to simplify compliance for our customers with both the GDPR and other major regulations.
GDPR Compliance Simplify your privacy journey Uncover risk & take action Leverage guidance from experts
Centralize, Protect, Comply with the Cloud. Process all in one place: centralize processing in a single system, simplifying data management, governance, classification, and oversight. Maximize your protections: protect data with industry-leading encryption and security technology that's always up to date and assessed by experts. Streamline your compliance: utilize services that already comply with complex, internationally recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.
Discover data across systems. Govern access and processing. Protect through the entire lifecycle.
Easily discover and catalog data sources
Increase visibility with auditing capabilities
Identify where personal info resides across devices, apps and platforms
Enforce use policies and access controls across your systems
Classify data for simplified compliance
Easily respond to data requests and transparency requirements
Protect user credentials with risk-based conditional access
Safeguard data with built-in encryption technologies
Rapidly respond to intrusions with built-in controls to detect and respond to data breaches
Learn from our experience. Leverage our GDPR preparation resources. Engage our global partner ecosystem.
How do I get started?
1 Discover: identify what personal data you have and where it resides
2 Manage: govern how personal data is used and accessed
3 Protect: establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4 Report: keep required documentation, manage data requests and breach notifications
1 Discover: GDPR ARTICLES: 15, 30. In-scope: Inventory: Example solutions:
Microsoft Azure: Azure Data Catalog
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Dynamics 365: Audit Data & User Activity, Reporting & Analytics
Office & Office 365: Data Loss Prevention, Advanced Data Governance, Office 365 eDiscovery
SQL Server and Azure SQL Database: SQL Query Language
Windows & Windows Server: Windows Search
2 Manage: GDPR ARTICLES: 5, 6, 9, 10, 24, 18, 30, 32. Data governance: Data classification: Example solutions:
Microsoft Azure: Azure Active Directory, Azure Information Protection, Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS): Azure Information Protection
Dynamics 365: Security Concepts
Office & Office 365: Advanced Data Governance, Journaling (Exchange Online)
Windows & Windows Server: Microsoft Data Classification Toolkit
3 Protect: GDPR ARTICLES: 25, 29, 32, 46, 47. Preventing data attacks: Detecting & responding to breaches: Example solutions:
Microsoft Azure: Azure Key Vault, Azure Security Center, Azure Storage Services Encryption
Enterprise Mobility + Security (EMS): Azure Active Directory Premium, Microsoft Intune
Office & Office 365: Advanced Threat Protection, Threat Intelligence
SQL Server and Azure SQL Database: Transparent data encryption, Always Encrypted
Windows & Windows Server: Windows Defender Advanced Threat Protection, Windows Hello, Device Guard
4 Report: GDPR ARTICLES: 12, 13, 14, 24, 30, 32, 33, 34, 45, 46. Record-keeping: Reporting tools: Example solutions: Microsoft Trust Center, Service Trust Portal
Microsoft Azure: Azure Auditing & Logging, Azure Data Lake, Azure Monitor, OMS4ARMS - ISV
Enterprise Mobility + Security (EMS): Azure Information Protection
Dynamics 365: Reporting & Analytics
Office & Office 365: Service Assurance, Office 365 Audit Logs, Customer Lockbox
Windows & Windows Server: Windows Defender Advanced Threat Protection
Microsoft.com/GDPR
SHARED RESPONSIBILITY REQUIRES A PARTNER YOU CAN TRUST
HOLISTIC APPROACH TO SECURITY LEADERSHIP IN COMPLIANCE COMMITMENT TO TRANSPARENCY & PRIVACY
Platform Intelligence Partners
USING OUR INTELLIGENCE TO FIGHT CYBERTHREATS
Improved defenses: sort and analyze telemetry data for suspicious behavior
Intelligence from billions of endpoints: 300B user authentications each month, 1B Windows devices updated, 200B emails analyzed for spam and malware
CYBER DEFENSE OPERATIONS CENTER: secure enterprise environment; defend & respond to attacks
Insights drive intelligent tools and health dashboards
Global requirements Local & regional compliance requirements Infrastructure investments Highly-regulated industries Future requirements
38 cloud regions worldwide, 100+ datacenters, one of the 3 largest networks in the world (global datacenters and sovereign datacenters):
North Central US, United Kingdom South, West US 2, West Central US, West US, US Gov Arizona (3), US Gov Texas (3), Central US, US Gov Iowa, US DoD West, South Central US, Canada Central, US Gov Virginia, Canada East, US DoD East, United Kingdom West, East US, East US 2, North Europe, France (3), France (3), West Europe, Germany Northeast (2), Germany Central (2), West India, Central India, China West (1), China East (1), South India, Korea Central (3), East Asia, Korea South (3), Japan East, Japan West, Southeast Asia, Brazil South, Australia Southeast, Australia East
(1) China datacenters operated by 21Vianet
(2) German data trustee services provided by T-Systems
(3) France, South Korea and US Gov datacenter regions have been announced but are not currently operational
Azure has the deepest and most comprehensive compliance coverage in the industry (GLOBAL, US GOV, INDUSTRY, REGIONAL):
ISO 27001, ISO 27018, ISO 27017, ISO 22301, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation, Moderate JAB P-ATO, High JAB P-ATO, DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, SP 800-171, FIPS 140-2, Section 508 VPAT, ITAR, CJIS, IRS 1075, PCI DSS Level 1, CDSA, MPAA, FACT UK, Shared Assessments, FISC Japan, HIPAA / HITECH Act, HITRUST, GxP 21 CFR Part 11, MARS-E, IG Toolkit UK, FERPA, GLBA, FFIEC, Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook
Discover (Search & identify personal data):
  Integrate Azure Search for hosted applications to locate personal data across user-defined indexes
  Trace and identify personal data stored in different data sources
Manage (Control access; Classify data):
  Securely manage access to your data, applications and other resources
  Enforce separation of duties
  Easily determine and assign relative values to your data
Protect (Protect data in the cloud; Detect & remediate threats):
  Employ advanced encryption, cryptography, and monitoring
  Restore data availability with a variety of recovery and geo-redundant storage options
  Proactively prevent, detect and respond quickly to threats
Report (Recordkeeping):
  Deliver verifiable transparency and tamper-resistant insights with the activity log
  Leverage comprehensive compliance and privacy documentation for Azure
Discover (Identify personal data):
  Quickly identify sensitive data across your environment with Azure Information Protection
  Discover cloud apps in your environment
  Gain deeper visibility into user activity
Manage (Classify & label data):
  Define a classification scheme for better data manageability
  Use Azure Information Protection to configure policies for classifying, labeling and protecting personal data
Protect (Protect data, identities, devices & apps; Detect threats & remediate):
  Deliver consistent data protection with Azure Information Protection
  Protect personal data with risk-based conditional access and Privileged Identity Management
  Protect data in mobile devices and mobile apps with Microsoft Intune
  Detect data breaches with behavioral analytics and anomaly detection technologies
Report (Gain rich logging & reporting):
  Gain rich logging and reporting to analyze how sensitive data is distributed
  Monitor activities on shared data and revoke access in unexpected events with Azure Information Protection