With the General Data Protection Regulation (GDPR) deadline fast approaching, organisations within, and those who trade with, the European Union, are busy working to ensure compliance. To support these efforts, Microsoft has been updating the capabilities provided within Office 365, making it easier to abide by the core GDPR tenets – let’s take a look at some of these features to understand how can be used within your organisation.
Compliance Manager is a tool that has just been made generally available to Office 365 Business and Enterprise subscribers – it’s designed to help your organisation assess on-going compliance risks across many of the complex legislations that apply, including, GDPR, ISO 27001 and NIST 800-53
One of the key premises behind the tool is to separate responsibility between platform and client – so that you can clearly identify actions that Microsoft own, and those areas that you need to act on. This helps to make it really clear that compliance is a shared responsibility.
Compliance Manager not only helps you to identify the various compliance activities you need to be aware of, it also allows you to assign them to responsible owners. Each activity is then tracked, providing you with a record that you can refer back to. The status of each compliance activity is used to calculate a score for each piece legislation that you need to comply with, making it simple to focus effort on any compliance gaps that need to be addressed.
Currently, Compliance Manager, assesses most of the core services within Office 365 (including, SharePoint Online, Exchange, Groups, Teams and StaffHub amongst others), with more services being added over time.
I can certainly see us using the Compliance Manager to oversee our own regulatory compliance here at Intelogy.
Azure Information Protection
Available for the past 18 months or so, Azure Information Protection has been continuously improved with features that help organisations comply with legislation such as GDPR.
The core premise of Azure Information Protection is to ensure that content is appropriately secured within your organisation. This is achieved by through labels being applied to documents and emails. These labels can be applied manually, or automatically set by administrators based upon centrally defined rules. These rules can look for specific patterns within content (for example a credit card number), and label content that contains sensitive information.
Labels can be used to apply visual marking to content, for example by applying a watermarks and footer text after the classification has been applied.
Importantly, the label can then be used by underpinning Azure Rights Management, to encrypt the content, and apply authorisation rules. This can, for example, be used to stop a document from being viewed, or printed by an unauthorised user, or prevent restricted information from leaving the organisation altogether.
One of the latest functional updates sees the release of the Azure Information Protection scanner, which extends the ability to classify and protect files that reside in on-premises file shares. The benefits are substantial, you can automatically assess existing unstructured files for personal data, allowing you to easily identify and protect content that is definitely subject to GDPR.
This new tool complements Microsoft’s Cloud App Security, which provides similar regulatory risk assessment across 15,000 of the most frequently used cloud applications. Not only does this allow you to scan content stored in multiple external cloud-hosted apps, it also allows you to monitor usage activity, and identify potential threats. For example, the AI that underpins Cloud App Security can automatically alert your administrators to unusual activity, such as the same account being used in different geographical locations.
GDPR – Detailed Assessment
Microsoft has put together a useful GDPR Detailed Assessment pack, which provides useful GDPR delivery guidance material, and a question-driven assessment tool to provide organisations with the confidence that they are fully compliant. It’s worth using this tool to identify any remaining gaps in your organisation’s GDPR strategy.
As leading experts in the compliance space, Intelogy can help advice your organisation’s GDPR strategy within Office 365. Do get in touch if you have any questions.