Page 1: Privacy, Trust, and the General Data Protection Regulation (GDPR)

Robertas Tamosaitis
Microsoft Business Solution Sales Specialist
E-mail: [email protected]

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Page 2:

“Businesses and users are going to embrace technology only if they can trust it.”
Satya Nadella, Chief Executive Officer, Microsoft Corporation

• We take a principled approach with strong commitments to privacy, security, compliance and transparency.
• Moving to the cloud makes it easier for you to become compliant with privacy regulations by managing and protecting personal data in a centralized location.
• Microsoft is the industry leader in privacy and security with extensive expertise complying with complex regulations.

Page 3: Providing clarity and consistency for the protection of personal data

• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.

Page 4: What are the key changes with the GDPR?

Personal privacy. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications. Processors will need to:
• Protect personal data using appropriate security practices
• Notify authorities within 72 hours of breaches
• Receive consent before processing personal data
• Keep records detailing data processing

Transparent policies. Processors are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training. Processors will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (for larger organizations)
• Create & manage processor/vendor contracts

Page 5: Our commitment to you

• To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.
• We will share our experience in complying with complex regulations such as the GDPR.
• Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.
• We are making contractual commitments available to our customers that provide key GDPR-related assurances about our services.

Page 6: Key Certifications: Commitment to meeting industry standards

Over 900 controls in the Office 365 compliance framework enable us to stay up to date with the ever-evolving industry standards across geographies. Microsoft is regularly audited, submits self-assessments to independent 3rd party auditors and holds key certifications.

United States: CJIS; CSA CCM; DISA; FDA CFR Title 21 Part 11; FedRAMP; FERPA; FIPS 140-2; FISMA; HIPAA/HITECH; HITRUST; IRS 1075; ISO/IEC 27001, 27018; MARS-E; NIST 800-171; Section 508 VPATs; SOC 1, 2
United Kingdom: CSA CCM; ENISA IAF; EU Model Clauses; ISO/IEC 27001, 27018; NIST 800-171; SOC 1, 2, 3; UK G-Cloud
Spain: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2; Spain ENS; Spain LOPD Auth.
Singapore: CSA CCM; ISO/IEC 27001, 27018; MTCS; SOC 1, 2
New Zealand: CSA CCM; ISO/IEC 27001, 27018; NZCC Framework; SOC 1, 2
Japan: CSA CCM; CS Mark (Gold); FISC; ISO/IEC 27001, 27018; Japan My Number Act; SOC 1, 2
European Union: CSA CCM; ENISA IAF; EU Model Clauses; EU-U.S. Privacy Shield; ISO/IEC 27001, 27018; SOC 1, 2
China: China GB 18030; China MLPS; China TRUCS
Australia: CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2
Argentina: Argentina PDPA; CSA CCM; IRAP (CCSL); ISO/IEC 27001, 27018; SOC 1, 2

Page 7: How do I get started?

1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications

Page 8:

Page 9: Example solutions, step 1: Discover

In-scope:
Inventory:

Microsoft Azure: Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Dynamics 365: Audit Data & User Activity; Reporting & Analytics
Office & Office 365: Advanced Data Governance; Office 365 eDiscovery

Page 10: Example solutions, step 2: Manage

Data governance:
Data classification:

Microsoft Azure: Azure Active Directory; Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS): Azure Information Protection
Office & Office 365: Advanced Data Governance; Office 365 eDiscovery
Windows & Windows Server: Microsoft Identity Manager; Auditing and logging; Microsoft Data Classification Toolkit

Page 11: Example solutions, step 3: Protect

Preventing data attacks:
Detecting & responding to breaches:

Enterprise Mobility + Security (EMS): Microsoft Intune; Azure Information Protection; Multi-Factor Authentication (Azure Active Directory Premium); Microsoft Advanced Threat Analytics
Office & Office 365: Data Loss Prevention; Advanced Threat Protection; Threat Intelligence
SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
Windows & Windows Server: Windows Hello; Credential Guard

Page 12: Example solutions, step 4: Report

Record-keeping:
Reporting tools:

Microsoft Azure: Azure Auditing & Logging; Log Analytics
Enterprise Mobility + Security (EMS): Azure Information Protection; Microsoft Advanced Threat Analytics
Office & Office 365: Office 365 Audit Logs; Office 365 eDiscovery
Windows & Windows Server: Microsoft Identity Manager; Auditing and logging; Windows Defender Advanced Threat Protection

Page 13:

Page 14:

Enterprise Mobility + Security: Protect customer data both in the cloud, and on-premises, with industry-leading security capabilities
Office 365: Secure your IT environment and achieve compliance with enterprise-grade user and administrative controls
Windows 10 Enterprise: Protect devices with industry-leading encryption, anti-malware technologies, and identity and access solutions

Page 15: Partnering with you to prepare for GDPR

Microsoft’s goal is to streamline your GDPR compliance through smart technology, innovation, and collaboration. Together we’ll help you build a more secure environment, simplify your compliance with the GDPR, and give you the tools and resources you need to be successful.

Preparing for GDPR

Page 16:

Page 17:

Page 18: Azure compliance coverage (badge graphic; categories and items recovered from the slide)

Global: ISO 27001; ISO 27018; ISO 27017; ISO 22301; ISO 9001; SOC 1 Type 2; SOC 2 Type 2; SOC 3; CSA STAR Self-Assessment; CSA STAR Certification; CSA STAR Attestation
US Gov: JAB P-ATO (High); JAB P-ATO (Moderate); CJIS; DoD DISA SRG Level 2; DoD DISA SRG Level 4; DoD DISA SRG Level 5; IRS 1075; ITAR; Section 508 VPAT; SP 800-171; FIPS 140-2
Industry: HIPAA / HITECH Act; FERPA; GxP 21 CFR Part 11; PCI DSS Level 1; MARS-E; FFIEC; GLBA; CDSA; Shared Assessments; FACT UK; MPAA; HITRUST; IG Toolkit UK
Regional: Singapore MTCS; UK G-Cloud; Australia IRAP/CCSL; FISC Japan; New Zealand GCIO; China GB 18030; China TRUCS; China DJCP; EU Model Clauses; ENISA IAF; Privacy Shield; Argentina PDPA; Japan CS Mark Gold; Japan My Number Act; Spain ENS; Spain DPA; Canada Privacy Laws; India MeitY; Germany IT Grundschutz workbook

Azure has the deepest and most comprehensive compliance coverage in the industry