This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Transcription:

Privacy, Trust, and the General Data Protection Regulation (GDPR)
Robertas Tamosaitis, Microsoft Business Solution Sales Specialist
E-mail: rtamosa@microsoft.com

"Businesses and users are going to embrace technology only if they can trust it."
Satya Nadella, Chief Executive Officer, Microsoft Corporation
We take a principled approach with strong commitments to privacy, security, compliance and transparency.
Moving to the cloud makes it easier for you to become compliant with privacy regulations by managing and protecting personal data in a centralized location.
Microsoft is the industry leader in privacy and security with extensive expertise complying with complex regulations.

Providing clarity and consistency for the protection of personal data
The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.

What are the key changes with the GDPR?
Personal privacy. Individuals have the right to: access their personal data; correct errors in their personal data; erase their personal data; object to processing of their personal data; export personal data.
Controls and notifications. Processors will need to: protect personal data using appropriate security practices; notify authorities within 72 hours of breaches; receive consent before processing personal data; keep records detailing data processing.
Transparent policies. Processors are required to: provide clear notice of data collection; outline processing purposes and use cases; define data retention and deletion policies.
IT and training. Processors will need to: train privacy personnel & employees; audit and update data policies; employ a Data Protection Officer (for larger organizations); create & manage processor/vendor contracts.

Our commitment to you
To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.
We will share our experience in complying with complex regulations such as the GDPR.
Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.
We are making contractual commitments available to our customers that provide key GDPR-related assurances about our services.

Key Certifications: Commitment to meeting industry standards
Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies.
Microsoft is regularly audited, submits self-assessments to independent 3rd party auditors and holds key certifications.
Spain: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2; Spain ENS; Spain LOPD Auth.
United Kingdom: CSA CCM; ENISA IAF; EU Model Clauses; ISO/IEC 27001, 27018; NIST 800-171; SOC 1, 2, 3; UK G-Cloud
Singapore: CSA CCM; ISO/IEC 27001, 27018; MTCS; SOC 1, 2
Japan: CSA CCM; CS Mark (Gold); FISC; ISO/IEC 27001, 27018; Japan My Number Act; SOC 1, 2
United States: CJIS; CSA CCM; DISA; FDA CFR Title 21 Part 11; FEDRAMP; FERPA; FIPS 140-2; FISMA; HIPAA/HITECH; HITRUST; IRS 1075; ISO/IEC 27001, 27018; MARS-E; NIST 800-171; Section 508 VPATs; SOC 1, 2
Argentina: Argentina PDPA; CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
European Union: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2
China: China GB 18030; China MLPS; China TRUCS
Australia: CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
New Zealand: CSA CCM; ISO/IEC 27001, 27018; NZCC Framework; SOC 1, 2

How do I get started?
1 Discover: Identify what personal data you have and where it resides
2 Manage: Govern how personal data is used and accessed
3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4 Report: Keep required documentation, manage data requests and breach notifications

1 Discover: Example solutions
In-scope: Inventory:
Microsoft Azure: Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Dynamics 365: Audit Data & User Activity; Reporting & Analytics
Office & Office 365: Advanced Data Governance; Office 365 eDiscovery

2 Manage: Example solutions
Data governance: Data classification:
Microsoft Azure: Azure Active Directory; Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS): Azure Information Protection
Office & Office 365: Advanced Data Governance; Office 365 eDiscovery
Windows & Windows Server: Microsoft Identity Manager; Auditing and logging; Microsoft Data Classification Toolkit

3 Protect: Example solutions
Preventing data attacks: Detecting & responding to breaches:
Enterprise Mobility + Security (EMS): Microsoft Intune; Azure Information Protection; Multi-Factor Authentication (Azure Active Directory Premium); Microsoft Advanced Threat Analytics
Office & Office 365: Data Loss Prevention; Advanced Threat Protection; Threat Intelligence
SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
Windows & Windows Server: Windows Hello; Credential Guard

4 Report: Example solutions
Record-keeping: Reporting tools:
Microsoft Azure: Azure Auditing & Logging; Log Analytics
Enterprise Mobility + Security (EMS): Azure Information Protection; Microsoft Advanced Threat Analytics
Office & Office 365: Office 365 Audit Logs; Office 365 eDiscovery
Windows & Windows Server: Microsoft Identity Manager; Auditing and logging; Windows Defender Advanced Threat Protection

Enterprise Mobility + Security: Protect customer data both in the cloud, and on-premises, with industry-leading security capabilities
Office 365: Secure your IT environment and achieve compliance with enterprise-grade user and administrative controls
Windows 10 Enterprise: Protect devices with industry-leading encryption, anti-malware technologies, and identity and access solutions

Partnering with you to prepare for GDPR
Microsoft's goal is to streamline your GDPR compliance through smart technology, innovation, and collaboration. Together we'll help you build a more secure environment, simplify your compliance with the GDPR, and give you the tools and resources you need to be successful.
Preparing for GDPR

Azure has the deepest and most comprehensive compliance coverage in the industry
Categories shown on the slide: REGIONAL, INDUSTRY, US GOV, GLOBAL
ISO 27001, ISO 27018, ISO 27017, ISO 22301, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation, Moderate JAB P-ATO, High JAB P-ATO, DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, SP 800-171, FIPS 140-2, Section 508 VPAT, ITAR, CJIS, IRS 1075, PCI DSS Level 1, CDSA, MPAA, FACT UK, Shared Assessments, FISC Japan, HIPAA / HITECH Act, HITRUST, GxP 21 CFR Part 11, MARS-E, IG Toolkit UK, FERPA, GLBA, FFIEC, Argentina PDPA, EU Model Clauses, UK G-Cloud, China DJCP, China GB 18030, China TRUCS, Singapore MTCS, Australia IRAP/CCSL, New Zealand GCIO, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, India MeitY, Canada Privacy Laws, Privacy Shield, Germany IT Grundschutz workbook