#AllAccessIT
Tackling GDPR with Microsoft 365 and Office 365
Andrew Bettany, MVP, Author
Live life without regret, believe in your potential, don’t stop!
Andrew Bettany
• IT Masterclasses Ltd – bespoke technical training
• Microsoft Most Valuable Professional since 2012
• Windows User Group
• Microsoft Press Windows Author
• Freelance Trainer / Course Author
• Microsoft Learning Regional Lead for UK
• LinkedIn & Pluralsight Video Author
Specialties: Microsoft 365 | Windows Client | Windows Server | Deployment
[email protected] @andrew_bettany
Providing clarity and consistency for the protection of personal data
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
Providing clarity and consistency for the protection of personal data
BREXIT has no impact on GDPR
Information Commissioner will be the authority in charge in the UK
May 2018 GDPR becomes effective
Data Protection Bill will replace the Data Protection Act 1998
GDPR has direct effect across all EU member states
UK Data Protection Bill implements the General Data Protection Regulation plus additional National Security provisions
Personal data
Any information related to an identified or identifiable natural person including direct and indirect identification.
Examples include:
• Name
• Identification number (e.g., N.I numbers)
• Location data (e.g., home address)
• Online identifier (e.g., e-mail address, screen names, IP addresses, device IDs)
How GDPR defines personal data
Sensitive personal data
Personal data afforded enhanced protections:
• Genetic data (e.g., an individual’s gene sequence)
• Biometric Data (e.g., fingerprints, facial recognition, retinal scans)
• Sub categories of personal data including:
  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trade union membership
  • Data concerning health
  • Data concerning a person’s sex life or sexual orientation
How GDPR defines personal data
Key changes needed to address GDPR?
Personal privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications
Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies
Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training
Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
Protecting customer privacy with GDPR
• Improved data policies to provide control to data subjects and ensure lawful processing
• Stricter control on where personal data is stored and how it is used
• Better data governance tools for better transparency, recordkeeping and reporting
What does this mean for my data?
GDPR Compliance
• Data Classification and Labeling
• Data Protection
• Data Retention
• Audit
• Disposal
• User and Device Protection
Classification and labelling
Discover personal data and apply persistent labels
• Labels are persistent and readable by other systems e.g. DLP engine
• Labels are metadata written to data
• Sensitive data is automatically detected
Information Protection is ALL about Labelling
Payroll
No Personal Identifiable Information
Consumer
Do not delete
Ex Employee
Contains PII
Employee
Bank Details
Azure Information Protection Demo
Andrew Bettany
PCs, tablets, mobile
Office 365 Data Loss Prevention
Windows Information Protection & BitLocker for Windows 10
Azure Information Protection
Exchange Online, SharePoint Online, Skype for Business & OneDrive for Business
Highly regulated
Microsoft Intune MDM & MAM for Windows, iOS & Android
Microsoft Cloud App Security
Office 365 Advanced Data Governance
Azure Information Protection
Comprehensive protection of sensitive data across devices, cloud services, and on-premises
Windows 10 | Office 365 | EM+S & Cloud Services
Advanced Device Management
Microsoft 365 Business
Microsoft 365 Education
Microsoft 365 Enterprise
*Offered on a per user/per month
Microsoft 365 Business
Security & Compliance Controls
• The most secure and up-to-date version of Office & Windows
• Threat Protection (Virus, Malware) for emails
• Malware and Spyware Detection and Removal
• Virus Detection and Removal, Boot Time Protection
• Data Always encrypted on devices
• 2 Factor authentication needed to access data on PC/Mobile
• Protect data on Mobile Devices (Copy/Paste/Save operations)
• Benchmark your controls with Secure Score
• Gain visibility with the Security & Compliance Center
Microsoft 365 Business
Office 365 Business Premium
Windows 10 Pro
EM+S*
* Limited Intune and Azure AD Premium features
Microsoft 365 Business £15.10 per user/per month
(Compared to Office 365 Business Premium £9.40 per user/per month)
Small to mid-size businesses for up to 300
Microsoft 365 Enterprise E3
Identity, Information & Device Protection
• Classification and Labeling
• Multi-Factor Authentication
• Message Encryption and Rights Management
• Tracking, Reporting, and Revoking Privileges
• Advanced Threat Protection: Safe Links, Safe Attachments
• Cloud App Security
Microsoft 365 Enterprise E3
Office 365 Enterprise E3*
Windows 10 Enterprise E3
EM+S E3
* + On-premises server rights for SharePoint, Exchange, Skype for Business
Microsoft 365 Enterprise E3
£28.00 per user/per month
Microsoft 365 Enterprise E5
Advanced Compliance & Protection
• Automatically classify, protect & preserve sensitive data
• Shadow IT Detection with Microsoft Cloud App Security
• Real Time Risk based access to corporate network
• Anomalous Attack Detection and Reporting
• Single Sign On to 2700+ non-Microsoft Cloud Apps
• Additional customer access controls for Microsoft support
• Windows Defender Advanced Threat Protection
Microsoft 365 Enterprise E5
Office 365 Enterprise E5*
Windows 10 Enterprise E5
EM+S E5
Microsoft 365 Enterprise E5
£51.90 per user/per month
* + On-premises server rights for SharePoint, Exchange, Skype for Business
Microsoft Cloud App Security
• Discover and assess risks: Identify cloud apps on your network, gain visibility into shadow IT, and get risk assessments and ongoing analytics
• Control access in real time: Manage and limit cloud app access based on conditions and session context, including user identity, device, and location
• Detect threats: Identify high-risk usage and detect unusual behavior using Microsoft threat intelligence and research
• Protect your information: Get granular control over data and use built-in or custom policies for data sharing and data loss prevention
Cloud App Security Demo
Andrew Bettany
Microsoft 365 Enterprise

| Technology | Benefit | E3 | E5 |
|---|---|---|---|
| Azure Active Directory Premium P1 | Secure single sign-on to cloud and on-premises app; MFA, conditional access, and advanced security reporting | ● | ● |
| Azure Active Directory Premium P2 | Identity and access management with advanced protection for users and privileged identities | | ● |
| Microsoft Intune | Mobile device and app management to protect corporate apps and data on any device | ● | ● |
| Azure Information Protection P1 | Encryption for all files and storage locations; Cloud-based file tracking | ● | ● |
| Azure Information Protection P2 | Intelligent classification and encryption for files shared inside and outside your organization | | ● |
| Microsoft Cloud App Security | Enterprise-grade visibility, control, and protection for your cloud applications | | ● |
| Microsoft Advanced Threat Analytics | Protection from advanced targeted attacks leveraging user and entity behavioral analytics | ● | ● |

Identity and access management
Managed mobile productivity
Information protection
Threat Detection
Resources
https://www.microsoft.com/TrustCenter/Privacy/gdpr/default.aspx
https://www.microsoft.com/microsoft-365/business
https://docs.microsoft.com/microsoft-365/business
https://www.microsoft.com/microsoft-365/enterprise
https://www.microsoft.com/cloud-platform/enterprise-mobility-security
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr