You Trust IT: The path to business security
GDPR - What does this mean for you?
Accelerate GDPR compliance with Microsoft Services
Konstantin Sviridov
Andrey Ivanov
06 September 2017
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
What is the EU General Data Protection Regulation (GDPR)
New comprehensive European privacy law replacing the 1995 Data Protection Directive
Regulation already adopted; the EU starts enforcement on 25 May 2018
Applies to all organizations that process personal data of EU residents, wherever the organization is located
How does GDPR affect organizations?
Enhanced personal privacy rights.
Increased duty for protecting data.
Mandatory breach reporting.
Significant penalties for non-compliance.
The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.
"Year 2000" - once upon a time, 17 years ago...
GDPR - 26 million EU organizations affected
A "panic" zone is likely, but GDPR requirements don't go away after the deadline.
What are the key changes to address the GDPR?
Personal privacy - individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications - organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies - organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training - organizations will need to:
• Train privacy personnel and employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create and manage compliant vendor contracts
Timeline of European data-protection law (figure):
• 4 Nov 1950, in force 3 Sep 1953 - European Convention on Human Rights. Article 8 provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in accordance with law" and "necessary in a democratic society".
• 28 Jan 1981, in force 1 Oct 1985 - Council of Europe Convention 108, the treaty regarding the protection of individuals with regard to automatic processing of personal data. All 47 members of the Council of Europe have ratified the treaty.
• 13 Dec 1995, transposed by 24 Oct 1998 - Data Protection Directive 95/46/EC, created to regulate the processing of personal data. The directive set a new, advanced standard for the protection of individuals with regard to the processing of their personal data and its free movement, and was brought into force after a three-year grace period.
• 27 Apr 2016, applies from 25 May 2018 - Regulation (EU) 2016/679 (GDPR). The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.
A secure digital environment helps build trust, enables digital transformation and increases prosperity in the EU and globally. EU measures shown on the slide, by status and scope (figure):
• Approved, applied from 25 May 2018 onwards (the GDPR) - all organizations
• Approved, national implementation by 9 May 2018 - critical sectors
• Commission (COM) proposal, January 2017 - all organizations
• Commission (COM) guidelines, January 2017 - all organizations
• Approved, national implementation by 23 September 2018 - public sector organizations
ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
In 2014, the ISO adopted ISO/IEC 27018:2014, an extension of the ISO/IEC 27002 control set used alongside an ISO/IEC 27001 ISMS, and the first international code of practice for cloud privacy. Based on EU data-protection law, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. At least once a year, Microsoft Azure and Azure Germany are audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third-party certification body, providing independent validation that applicable security controls are in place and operating effectively. By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018, Microsoft, the first major cloud provider to incorporate this code of practice
SSAE 16/ISAE 3402
SSAE 16 (Statement on Standards for Attestation Engagements No. 16), the successor to SAS 70, and ISAE 3402 (International Standard on Assurance Engagements No. 3402) are audit standards established by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board of the International Federation of Accountants, respectively, and are geared towards service organizations. Service organizations are typically entities that provide outsourcing services that affect the control environment of their customers; examples are insurance and medical claims processors, hosted data centers, application service providers (ASPs), and managed security providers. SSAE 16 and ISAE 3402 audits are independent verifications that the security controls in scope exist and operate effectively; they cover only the controls the service organization has placed in scope for the report. SSAE 16 has since been superseded by SSAE 18 for reports dated on or after 1 May 2017.
European Union Model Clauses
European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries plus Iceland, Liechtenstein, and Norway. The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA is transferred in compliance with EU data-protection law and meets the requirements of the EU Data Protection Directive 95/46/EC. Under the GDPR such transfers continue to rely on standard contractual clauses adopted by the Commission (Article 46).
Microsoft provided its Standard Contractual Clauses to the EU's Article 29 Working Party for review and approval. The Article 29 Working Party includes representatives from the European Data Protection Supervisor, the European Commission, and each of the 28 EU data protection authorities (DPAs); once the GDPR applies it is replaced by the European Data Protection Board.
ISO/IEC 27001
ISO/IEC 27001 is an information security management system (ISMS) standard, part of the ISO/IEC 27000 family of standards that address privacy, confidentiality and technical security issues and have "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The standards outline hundreds of potential controls and control mechanisms. ISO/IEC 27001 in particular is one of the most widely recognized certifications for a cloud service, and thus one of the most valued by our customers. ISO 27001 defines how to implement, monitor, maintain, and continually improve the ISMS. The Microsoft Online Services Information Security Policy aligns with ISO 27002, augmented with requirements specific to online services.
INTELLIGENT SECURITY GRAPH
Unique insights, informed by trillions of signals; this signal is leveraged across all of Microsoft's security services:
• 450B monthly authentications
• 18+B Bing web pages scanned
• 750M+ Azure user accounts
• Enterprise security for 90% of the Fortune 500
• Malware data from Windows Defender
• Shared threat data from partners, researchers and law enforcement worldwide
• Botnet data from the Microsoft Digital Crimes Unit
• 1.2B devices scanned each month
• 400B emails analyzed
• 200+ global cloud consumer and commercial services
The graph spans Identity, Apps and Data (SaaS, PaaS, IaaS), Device and Infrastructure, and is fed by the Malware Protection Center, Cyber Hunting Teams, Security Response Center, Cyber Defense Operations Center, Digital Crimes Unit, CERTs and antivirus network industry partners (figure).
SECURITY MANAGEMENT IMPERATIVES (across Identity, Devices, Apps / Data and Infrastructure)
• VISIBILITY: understand the security state and risks across resources
• CONTROL: define consistent security policies and enable controls
• GUIDANCE: elevate security through built-in intelligence and recommendations
IDENTITY: define consistent security policies and enable controls for users
Information Protection - lifecycle example
Stages in the life of a file:
• File is created (via multiple sources)
• User opens the file for editing
• Collaborate through SharePoint Online
• User opens the file on mobile
• Upload to another cloud service for external sharing
Components involved along the way: Windows Information Protection, Azure Information Protection client, Office 365 Data Governance, Intune, Microsoft Cloud App Security (MCAS).
Persistent labels enable a unified information protection language.
How do I get started
1. Discover: identify what personal data you have and where it resides
2. Manage: govern how personal data is used and accessed
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
4. Report: keep required documentation, manage data requests and breach notifications
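A minimal illustration of the Discover step, added here as an example; it is not the Microsoft Data Classification Toolkit, the GDPR Data Discovery pilot, or any other Microsoft code. It scans a constructed set of in-memory "files", flags values that look like personal data (e-mail addresses, international phone numbers, IBANs), confirms IBAN candidates with the ISO 7064 mod-97 check so that look-alike strings are not counted, and records only masked samples so the inventory does not itself become a second copy of the personal data. The file names, patterns and sample records are all assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Detection patterns (assumptions for this example). The IBAN pattern only
# captures the shape; candidates are confirmed with the mod-97 check below.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,10}){2,4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b"),
}

# Constructed sample data sources: path -> file contents. The second IBAN has
# wrong check digits and must not be counted.
SAMPLE_SOURCES = {
    "hr/employees.csv": (
        "name,email,phone\n"
        "Anna Ivanova,anna.ivanova@example.com,+49 30 1234567\n"
        "Pavel Petrov,pavel.petrov@example.org,+7 495 1234567\n"
    ),
    "finance/payroll.txt": (
        "Salary transfer to DE89 3704 0044 0532 0130 00 on 2017-09-01\n"
        "Rejected: DE00 3704 0044 0532 0130 00 (bad check digits)\n"
    ),
    "docs/release-notes.md": "Version 2.1 fixes issue #42; no customer data here.\n",
}


def valid_iban(candidate: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35) and require remainder 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def mask(value: str) -> str:
    """Keep only the first and last two characters, so the inventory records
    that a value exists without storing the value itself."""
    compact = value.replace(" ", "")
    return compact[:2] + "***" + compact[-2:]


def scan_sources(sources: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Return {location: {"counts": {kind: n}, "samples": [masked hits]}}
    for every source that contains at least one confirmed personal-data hit."""
    inventory: Dict[str, Dict[str, object]] = {}
    for location, text in sources.items():
        counts: Counter = Counter()
        samples: List[str] = []
        for kind, pattern in PII_PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(0)
                if kind == "iban" and not valid_iban(value):
                    continue  # right shape, wrong check digits: not an IBAN
                counts[kind] += 1
                samples.append(f"{kind}:{mask(value)}")
        if counts:
            inventory[location] = {"counts": dict(counts), "samples": samples}
    return inventory


if __name__ == "__main__":
    for location, entry in scan_sources(SAMPLE_SOURCES).items():
        print(location, entry["counts"], entry["samples"])
```

On the constructed input the HR file is inventoried with two e-mail addresses and two phone numbers, the payroll file with one IBAN (the rejected transfer line fails the checksum and is ignored), and the release notes produce no entry. A real discovery run would walk file shares, mailboxes and databases in the same way; the point to keep is that the inventory stores counts, locations and masked samples, never the raw values.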
GDPR Workshops → ETA Q1 FY18: Microsoft (optionally with a partner) workshops on GDPR awareness and scoping.
Secure Productive Enterprise PoC → ETA Q1 FY18: for customers seeking guidance and support from advisory firm(s) plus Microsoft to assess their current environment against the GDPR controls.
Deliverables: gap analysis and reports; advice and a roadmap on how to address the gaps and become compliant.
Fast Start | Enterprise Mobility + Security: guided small implementation of EM+S to enable its capabilities in the environment.
GDPR obligations mapped to the four steps:
• Discover: Right to Erasure; Right to Data Portability
• Manage: Documentation; Privacy by Design
• Protect: Data Security; Data Transfer
• Report: Documentation; Breach Response and Notification
Foundation Capabilities | Consulting Services Mapping
• Data Insights | GDPR Data Discovery → pilot: known data sources/files are uploaded to Azure, after which an inventory of the PII they contain is produced (not published yet).
• Microsoft Data Classification Toolkit: downloadable toolkit intended to help organizations search for, identify, and apply rules to data you specify.
• Secure Modern Enterprise (Security Foundation)
• OMS Log Analytics: unlock the power of your own data and gain operational insights through the Hybrid Cloud Monitoring engagement.
• RAP as a Service | Microsoft Security: available to any organization seeking to evaluate and improve its Security Program Management.
• Azure Information Protection Implementation Services: initial configuration of an Azure Information Protection tenant, optionally integrated with on-premises services; formulate and execute a classification and DLP strategy.
• Advanced Threat Analytics Implementation Service: implements ATA in a production environment, including an incident management process.
• Advanced Analytics Essentials: predictive solutions such as predictive maintenance, demand forecasting, attrition and personalization for qualified customer opportunities; measure and demonstrate the business value using a performance dashboard.
• Dynamic Identity Framework Assessment + Online Assessment Active Directory Service (OAADS): assessments covering the current posture and risks of your identity management processes and services, together with a thorough assessment of your Active Directory services.
• Windows 10 Security Implementation Service: includes the Windows 10 Security Foundation (BitLocker, Credential Guard, Defender, SmartScreen, Security Baseline) and Windows Information Protection.
• Privileged Access Workstation: security-hardened administrative workstation for cloud tenant management and for Tier 0 (Active Directory), Tier 1 (servers) and Tier 2 (workstations) zone management, to prevent compromise of administrative accounts.
• POP - Security Incident Management: create or revise your security incident management processes so that a personal data breach can be notified to the supervisory authority within the GDPR's 72 hours of becoming aware of it.
• Persistent Adversary Detection Service (PADS)
• Productivity Governance and Compliance: delivers a governance plan that helps organizations control, administer and manage their SharePoint Online investments, secure applications and data when users are located remotely, and ensure compliance requirements are met.
• SQL Server Data Protection Plan: maintain a healthy business by preventing data loss and keeping a reliable, AlwaysOn SQL Server infrastructure.
More foundational, medium- and longer-term offerings → see overview in appendix.
GDPR Workshop - partner with Microsoft Services (figure):
• Education, awareness, discovery: Microsoft roadmap
• GDPR program (partner): privacy controls, notifications, policies, training
• Risk and data management foundation
• Modernize your IT environment (partner): Discover, Manage, Protect, Report projects based on gap-analysis outcomes and roadmap alignment, across security, data platform, cloud and modern workplace
Microsoft does not provide legal advice.
Data Discovery Offering
Global enterprises must comply with the new EU regulation; non-compliance can result in fines of up to 2% or 4% of annual global turnover (or EUR 10 million or EUR 20 million, whichever is higher), depending on the infringement. Most enterprises are using this requirement to establish a systematic IT asset management service and reporting capability.
Objectives of the engagement:
• Drive a centralized data store to host the asset data from various sources.
• Drive data consistency and data quality.
• Drive a centralized reporting capability to provide insights for legal, business and technical decision makers.
Benefits and outcomes:
• Solution built on Azure (IaaS or PaaS) with Power BI for data visualization.
• Focused workshop and quick proof of value.
• Assists the customer in meeting regulatory compliance needs.
Components (figure):
• Data Subject: rights depend on the relationship with the customer: consumers, employees, vendors (suppliers, commercial customers), shareholders
• EU Authorities
• 3rd Parties
• Audit and Compliance
• Application
• Data Transfer
GDPR webpage on the Microsoft Trust Center
Customer whitepaper: Beginning your GDPR journey
Video of Brendon Lynch Sharing his Perspective on the GDPR
Microsoft FAQ on the GDPR
Blog Post: Earning your trust with contractual commitments to the General Data Protection Regulation
Blog Post: Get GDPR compliant with the Microsoft cloud
Thank You!