Privacy, Trust, and the General Data Protection Regulation ... GDPR... · Providing clarity and...
Privacy, Trust, and the General Data Protection Regulation (GDPR)
Robertas Tamosaitis, Microsoft Business Solution Sales Specialist
E-mail: [email protected]
This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.
“Businesses and users are going to embrace technology only if they can trust it.”
Satya Nadella
Chief Executive Officer, Microsoft Corporation
• We take a principled approach with strong commitments to
privacy, security, compliance and transparency.
• Moving to the cloud makes it easier for you to become
compliant with privacy regulations by managing and
protecting personal data in a centralized location.
• Microsoft is the industry leader in privacy and security with
extensive expertise complying with complex regulations.
Providing clarity and consistency for the protection of personal data
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection
Regulation (GDPR) imposes new
rules on organizations that offer goods
and services to people in the European
Union (EU), or that collect and analyze
data tied to EU residents, no matter
where they are located.
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights
What are the key changes with the GDPR?

Personal privacy. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export their personal data

Controls and notifications. Organizations will need to:
• Protect personal data using appropriate security practices
• Notify the supervisory authority within 72 hours of becoming aware of a breach
• Have a lawful basis, such as consent, before processing personal data
• Keep records detailing their data processing

Transparent policies. Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training. Organizations will need to:
• Train privacy personnel and employees
• Audit and update data policies
• Employ a Data Protection Officer (for larger organizations)
• Create and manage processor/vendor contracts
Our commitment to you
• To simplify your path to compliance, we are committing to GDPR compliance
across our cloud services when enforcement begins on May 25, 2018.
• We will share our experience in complying with complex regulations such as
the GDPR.
• Together with our partners, we are prepared to help you meet your policy,
people, process, and technology goals on your journey to GDPR.
• We are making contractual commitments available to our customers that
provide key GDPR-related assurances about our services.
Key Certifications: commitment to meeting industry standards

Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies.

Microsoft is regularly audited, submits self-assessments to independent third-party auditors and holds key certifications.

United States: CJIS; CSA CCM; DISA; FDA CFR Title 21 Part 11; FedRAMP; FERPA; FIPS 140-2; FISMA; HIPAA/HITECH; HITRUST; IRS 1075; ISO/IEC 27001, 27018; MARS-E; NIST 800-171; Section 508 VPATs; SOC 1, 2
United Kingdom: CSA CCM; ENISA IAF; EU Model Clauses; ISO/IEC 27001, 27018; NIST 800-171; SOC 1, 2, 3; UK G-Cloud
Spain: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2; Spain ENS; Spain LOPD Auth.
Singapore: CSA CCM; ISO/IEC 27001, 27018; MTCS; SOC 1, 2
New Zealand: CSA CCM; ISO/IEC 27001, 27018; NZCC Framework; SOC 1, 2
Japan: CSA CCM; CS Mark (Gold); FISC; ISO/IEC 27001, 27018; Japan My Number Act; SOC 1, 2
European Union: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2
China: China GB 18030; China MLPS; China TRUCS
Australia: CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
Argentina: Argentina PDPA; CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
How do I get started?
1. Discover: identify what personal data you have and where it resides
2. Manage: govern how personal data is used and accessed
3. Protect: establish security controls to prevent, detect, and respond to vulnerabilities and data breaches
4. Report: keep required documentation, manage data requests and breach notifications
1. Discover (in-scope data, inventory). Example solutions:
Microsoft Azure: Azure Data Catalog
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Dynamics 365: Audit Data & User Activity; Reporting & Analytics
Office & Office 365: Advanced Data Governance; Office 365 eDiscovery
2. Manage (data governance, data classification). Example solutions:
Microsoft Azure: Azure Active Directory; Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS): Azure Information Protection
Office & Office 365: Advanced Data Governance; Office 365 eDiscovery
Windows & Windows Server: Microsoft Identity Manager; Auditing and logging; Microsoft Data Classification Toolkit
3. Protect (preventing data attacks; detecting and responding to breaches). Example solutions:
Enterprise Mobility + Security (EMS): Microsoft Intune; Azure Information Protection; Multi-Factor Authentication (Azure Active Directory Premium); Microsoft Advanced Threat Analytics
Office & Office 365: Data Loss Prevention; Advanced Threat Protection; Threat Intelligence
SQL Server and Azure SQL Database: Transparent data encryption (protects data files and backups at rest); Always Encrypted (column values are encrypted by the client driver, so the database engine and its administrators never see plaintext)
Windows & Windows Server: Windows Hello; Credential Guard
4. Report (record-keeping, reporting tools). Example solutions:
Microsoft Azure: Azure Auditing & Logging; Log Analytics
Enterprise Mobility + Security (EMS): Azure Information Protection; Microsoft Advanced Threat Analytics
Office & Office 365: Office 365 Audit Logs; Office 365 eDiscovery
Windows & Windows Server: Microsoft Identity Manager; Auditing and logging; Windows Defender Advanced Threat Protection
Enterprise Mobility + Security: protect customer data both in the cloud and on-premises with industry-leading security capabilities.
Office 365: secure your IT environment and achieve compliance with enterprise-grade user and administrative controls.
Windows 10 Enterprise: protect devices with industry-leading encryption, anti-malware technologies, and identity and access solutions.
Partnering with you to prepare for GDPR

Microsoft's goal is to streamline your GDPR compliance through smart technology, innovation, and collaboration. Together we'll help you build a more secure environment, simplify your compliance with the GDPR, and give you the tools and resources you need to be successful.

Preparing for GDPR
Azure compliance coverage by category:

Global: ISO 27001; ISO 27018; ISO 27017; ISO 22301; ISO 9001; SOC 1 Type 2; SOC 2 Type 2; SOC 3; CSA STAR Self-Assessment; CSA STAR Certification; CSA STAR Attestation
US Government: Moderate JAB P-ATO; High JAB P-ATO; DoD DISA SRG Level 2; DoD DISA SRG Level 4; DoD DISA SRG Level 5; CJIS; IRS 1075; ITAR; Section 508 VPAT; SP 800-171; FIPS 140-2
Industry: HIPAA / HITECH Act; HITRUST; FERPA; GxP 21 CFR Part 11; GLBA; FFIEC; PCI DSS Level 1; MARS-E; CDSA; Shared Assessments; MPAA; FACT UK; IG Toolkit UK
Regional: Singapore MTCS; UK G-Cloud; Australia IRAP/CCSL; FISC Japan; New Zealand GCIO; China GB 18030; China TRUCS; China DJCP; EU Model Clauses; ENISA IAF; Privacy Shield; Argentina PDPA; Japan CS Mark Gold; Japan My Number Act; Spain ENS; Spain DPA; Canada Privacy Laws; India MeitY; Germany IT Grundschutz workbook

Azure has the deepest and most comprehensive compliance coverage in the industry.