Fast Track Your GDPR Compliance with the Microsoft Cloud & Protiviti

Page 1: Fast Track Your GDPR Compliance with the Microsoft Cloud ......• Salesforce + SharePoint • SharePoint for GRC • GDPR REGISTER BY FEB 16TH, GET AN AMAZON ECHO DOT! ProCollabCon.com

Internal Audit, Risk, Business & Technology Consulting

Fast Track Your GDPR Compliance

with the Microsoft Cloud & Protiviti

Page 2

• Location: Doubletree by Hilton | McLean, VA

• *Pricing: General: $399, Ass./Non/Edu/Gov: $349, Workshops: $299

• Audience: SharePoint & Office 365 Business & Technical Users

• Goal: 135-150 Attendees, 8 Sponsors

• Session Topics Include:

• Office 365
• Salesforce + SharePoint
• SharePoint for GRC
• GDPR

REGISTER BY FEB 16TH, GET AN AMAZON ECHO DOT!

ProCollabCon.com

ProCollabCon 2018 Full Agenda

Monday, April 30, 2018

10:00 am – 4:00 pm Office 365 Business User Workshop

10:00 am – 4:00 pm Nintex Workflow Workshop

Tuesday, May 1, 2018

8:00 am – 9:00 am Registration & Breakfast

8:00 am – 5:30 pm Sponsor Booths Open

9:00 am – 10:30 am Keynote Presentation

10:45 am – 12:00 pm Educational Breakout Sessions

12:00 pm – 1:00 pm Networking Lunch

1:15 pm – 2:30 pm Educational Breakout Sessions

2:45 pm – 4:00 pm Educational Breakout Sessions

4:15 pm – 5:30 pm Educational Breakout Sessions

5:30 pm – 7:30 pm Conference Happy Hour

Wednesday, May 2, 2018

10:00 am – 4:00 pm Office 365 Admin Workshop

10:00 am – 4:00 pm Nintex Forms, Hawkeye & Mobile Workshop

• Business Process Automation

• Usability & Accessibility

• Office 365 Security

• Public Facing Websites

4 Microsoft MVPs!

Keynote Speaker: Dux Raymond Sy

ONLY $399!!! Workshops ONLY $299!!

13 Sessions! Food, Parking &

Wireless Included!

Page 3

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

BEFORE WE START…

1. Today's program is an open discussion. We encourage participation & questions.
2. Attendees will receive a workshop recap following today's session.
3. Please try to minimize disruptions, and remember to mute your cellphones.

Page 4

AGENDA

Who We Are

What are the GDPR Regulations?

Personal Data

Compliance with the Microsoft Cloud

Microsoft’s Commitment to GDPR

Microsoft Cloud & Office 365 Solutions to support GDPR

GDPR Compliance Program

Resources

Page 5

WHO WE ARE

• 3,500 professionals
• Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
• 70+ offices
• Our revenue*: $743 million in 2015

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Page 6

PROTIVITI’S SOLUTION OFFERINGS

Page 7

Internal Audit, Risk, Business & Technology Consulting

WHAT ARE THE GDPR REGULATIONS?

Page 8

WHAT ARE THE GDPR REGULATIONS?

The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and on those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.

• New data privacy regulation designed to bring clarity and strengthen privacy rights for EU residents
• GDPR is a regulation, not a directive: it is directly applicable in every member state from May 25, 2018 and does not require EU member states to enact their own implementing laws
• Replaces the existing Directive 95/46/EC, which resulted in a patchwork of national laws across the EU (e.g. the UK Data Protection Act); covers the European Economic Area (EEA), i.e. the 28 EU member states plus the three other EEA states (Iceland, Liechtenstein and Norway)
• Applies to organizations globally that do business with, market products to, or gather behavioral data on EU residents
• Applies to both data processors and data controllers

Page 9

KEY GDPR REQUIREMENTS

Data Breach Notification: Requirement to report personal data breaches to the supervisory authority (DPA) within 72 hours and, where the risk to individuals is high, to the data subjects

Privacy by Design & by Default: Firms must minimize the collection of personal data and ensure that the right security controls are in place. A Data Protection Impact Assessment (DPIA) is required for high-risk processing (Article 35); transfers of personal data outside the EU must additionally rest on a lawful transfer mechanism (Chapter V)

Data Subject Rights: Rights to access and correct personal data, to data portability, and to erasure

Consent: Requirement to gain unambiguous consent (explicit consent for special categories of data); opt-out is not permitted

Global Mandate: Applies to all organizations globally that collect, store and process personal data of individuals in the EU

Data Protection Officer (DPO): Required for public authorities and for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (e.g., healthcare/medical)

Evidence of Risk Mitigation: Per GDPR rules, organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks

Page 10

KEY GDPR REQUIREMENTS

Privacy by Design & by Default: Firms must minimize the collection of personal data and ensure that the right security controls are in place. A Data Protection Impact Assessment (DPIA) is required for high-risk processing (Article 35); transfers of personal data outside the EU must additionally rest on a lawful transfer mechanism (Chapter V)

• Data privacy is protected by design, and by default
• Minimize the types of personal data collected from data subjects, and the storage of that data
• Be capable of legally justifying collection of specific types of personal data
• Controller must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing (the assessment also feeds many other GDPR obligations, including data security, privacy by design, breach notification, legitimate interest, purpose limitation and fair processing)
• Controller must keep records of data processing activities

Page 11

KEY GDPR REQUIREMENTS

Consent: Requirement to gain unambiguous consent (explicit consent for special categories of data); opt-out is not permitted

• Presumption against valid consent where there is a clear imbalance of power between the company and the individual
• "Opt-out" consent is not permitted
• Consent must be freely given, specific, informed and unambiguous, and given through a clear affirmative action
• Explicit consent is required for special categories of (sensitive) data
• Data subjects must be able to withdraw consent, and withdrawing must be as easy as giving it
• Specific consent is required for each new data processing operation (unless it is substantially similar to a previous operation)
• Where online services are offered directly to a child, a child under 16 requires parental consent (member states may lower the age to 13)

Page 12

KEY GDPR REQUIREMENTS

Data Subject Rights: Rights to access and correct personal data, to data portability, and to erasure

• Data subjects may request a copy of their personal data
• Data subjects may request that their personal data be corrected
• Data subjects may request that their personal data be deleted ("right to be forgotten")
• Controller may specify under which conditions personal data is shared, corrected and deleted in response to data subject requests
• Consider when a data subject's data is co-mingled with another data subject's personal data
• Consider when a data subject's data is part of a record that must be retained for tax purposes (invoices, contracts, etc.)
• How data subject rights are dealt with is a legal question, not an information security question

Page 13

KEY GDPR REQUIREMENTS

Data Breach Notification: Requirement to report personal data breaches to the supervisory authority (DPA) within 72 hours and, where the risk to individuals is high, to the data subjects

• The supervisory authority, or Data Protection Authority (DPA), must be notified of a personal data breach without undue delay and, where feasible, within 72 hours of the controller becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals); a late notification must be accompanied by the reasons for the delay
• Data subjects must also be notified, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms; the 72-hour deadline applies to the regulator notice, not to this one
• Data processors have a duty to report a breach, without undue delay, to the controller (the company that collected and controls the data)
• Practical check: the clock starts at awareness of the breach, so detection, escalation and evidence-gathering procedures have to exist before an incident, not be improvised during one

Page 14

KEY GDPR REQUIREMENTS

Global Mandate: Applies to all organizations globally that collect, store and process personal data of individuals in the EU

• Affects organizations worldwide, no matter where in the world the personal data is collected, stored or processed

Page 15

KEY GDPR REQUIREMENTS

Evidence of Risk Mitigation: Per GDPR rules, organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks

• Maintain, and be prepared to provide to regulators, documentation of the data protections implemented, test procedures and audit results

Page 16

KEY GDPR REQUIREMENTS

Data Protection Officer (DPO): Required for public authorities and for organizations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (e.g., healthcare/medical) or of data relating to criminal convictions

Page 17

RISK BASED APPROACH & PENALTIES

A key objective of GDPR is to take a risk-based approach to data privacy, to help organizations prioritize compliance while maximizing privacy and effective use of personal data.

• An effective method for ensuring a high level of protection of the rights and freedoms of individuals
• Ultimately creates better outcomes and more effective protection for individuals
• Enables stakeholders to dedicate resources to the areas where risks and potential harms to individuals are most significant, and to mitigate those risks

Penalties: up to €20 million or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher (a lower tier of €10 million or 2% applies to certain infringements). Data subjects can additionally claim compensation for material or non-material damage caused by an infringement, including damage resulting from a data breach.

Page 18

RISK BASED APPROACH TO DATA PRIVACY

Risk Definition (Recital 75)

The risk to the rights and freedoms of individuals, of "varying likelihood and severity", may result from personal data processing which could lead to "physical, material or non-material damage".

Examples of "physical, material or non-material damage" (Recital 75)

• Identity theft or fraud, financial loss
• Discrimination, reputational damage, and any other significant economic or social disadvantage
• Unauthorized reversal of pseudonymization
• Preventing individuals from exercising control over their data
• Processing special categories of personal data (Article 9)
• Profiling individuals
• Processing children's and vulnerable persons' data
• Processing large amounts of personal data
• Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
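The "unauthorized reversal of pseudonymization" item in the Recital 75 list is worth making concrete, because it is where a lot of "we only store hashes" designs fail. The Python below is an added example written for this page, not code from the deck or from Microsoft. It pseudonymizes a constructed list of e-mail addresses two ways, with an unkeyed SHA-256 hash and with an HMAC under a secret key, and then runs the reversal that an attacker holding a list of candidate addresses would attempt. The customer addresses and the key are assumptions made up for the example.

```python
"""Pseudonymization and its reversal (Recital 75 risk), as an added example.

The customer list and the key are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample: the kind of column a marketing export might carry.
CUSTOMERS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_pseudonym(email: str) -> str:
    """Unkeyed hash. Looks anonymous, but anyone who can enumerate plausible
    inputs (a mailing list, a breach dump) can rebuild the whole mapping."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Re-identification requires the key,
    which can be held separately from the data, as Article 4(5) expects of
    the 'additional information' needed to attribute data to a person."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reverse_by_dictionary(token: str, candidates: Iterable[str],
                          key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's (or authorized re-identifier's) view: recompute the pseudonym
    for every candidate and compare. Without the key, only the unkeyed
    construction can be tried."""
    for cand in candidates:
        guess = keyed_pseudonym(cand, key) if key is not None else naive_pseudonym(cand)
        if hmac.compare_digest(guess, token):
            return cand
    return None


def demo(target: str = "bob@example.org"):
    """Returns (recovered_from_unkeyed_hash, recovered_from_keyed_token_without_key)."""
    key = secrets.token_bytes(32)  # constructed; in practice kept in a vault, not next to the data
    from_unkeyed = reverse_by_dictionary(naive_pseudonym(target), CUSTOMERS)
    from_keyed = reverse_by_dictionary(keyed_pseudonym(target, key), CUSTOMERS)
    return from_unkeyed, from_keyed


if __name__ == "__main__":
    print(demo())  # ('bob@example.org', None)
```

The unkeyed token for a known address is recovered immediately; the keyed token is not, and the same dictionary pass with the key is exactly the controlled re-identification the business may legitimately need. Two consequences follow for the design: access to the key is what has to be logged and restricted, because an attacker who takes both the data and the key gets the unkeyed case back; and pseudonymized data is still personal data under the GDPR (Recital 26), so this reduces risk but does not take the dataset out of scope.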

Page 19

Internal Audit, Risk, Business & Technology Consulting

HOW DO WE DEFINE PERSONAL DATA?

Page 20

IS THIS "PERSONAL DATA" UNDER GDPR?

Vehicle Identification Number (VIN)

Yes. "…the vehicle identification is directly related to the identity of the owner of the car who is in several cases identical with the driver"

- Opinion of the European Data Protection Supervisor (EDPS) on the proposal for a Regulation of the European Parliament and of the Council concerning type-approval requirements for the deployment of the eCall system and amending Directive 2007/46/EC

Page 21

IS THIS "PERSONAL DATA" UNDER GDPR?

Employee ID Number

Yes. "…Accordingly, in the business context, a photo of someone on an identification badge or on a video monitor is 'personal data,' as is a listing of employee salaries designated either by employee name or some identification number (company ID number, social security system/tax ID number)"

- Proskauer on Int'l Litigation and Arbitration

Page 22

IS THIS "PERSONAL DATA" UNDER GDPR?

Meal Preference on Commercial Air Travel

The deck's answer is No: a meal preference is not listed as one of the 19 elements that make up PNR data in Annex I of Directive (EU) 2016/681 (Directive of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime).

Caveat: Annex I is a list of PNR data elements for law-enforcement purposes, not the GDPR definition of personal data, and a meal request can in any case travel inside free-text fields such as "general remarks". Under GDPR Article 4 the test is whether the information relates to an identifiable person, which a meal preference attached to a named passenger record does. A religious meal request (kosher, halal) can further reveal religious beliefs, a special category under Article 9; the PNR Directive itself (Article 13(4)) prohibits processing PNR data revealing religion or philosophical beliefs. Treat such fields as personal data, and potentially as special-category data, rather than as out of scope.

Page 23

PNR DATA ELEMENTS LISTED IN ANNEX I OF DIRECTIVE (EU) 2016/681

1. PNR record locator
2. Date of reservation/issue of ticket
3. Date(s) of travel
4. Name(s)
5. Address and contact information
6. All forms of payment information
7. Complete travel itinerary
8. Frequent flyer information
9. Travel agency/agent information
10. Travel status of passenger
11. Split/divided PNR information
12. General remarks
13. Ticketing field information
14. Seat number and other seat information
15. Code share information
16. All baggage information
17. Number and other names of travellers on the PNR
18. Advance passenger information (API)
19. All historical changes to the PNR listed in items 1 to 18

Page 24

IS THIS "PERSONAL DATA" UNDER GDPR?

Photo (assume no other information)

Yes. A photograph of an identifiable person is personal data; it is not automatically special-category (biometric) data: "The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person."

- Implied by Recital 51 of the GDPR

Page 25

IS THIS "PERSONAL DATA" UNDER GDPR?

Opinions About Others (typically in an employment environment)

Yes. "The definition [of personal data] also specifically includes opinions about the individual, or what is intended for them."

- U.K. Information Commissioner's Office, Key definitions of the Data Protection Act

Page 26

HOW DO WE DEFINE PERSONAL DATA?

Personal Data (Article 4): any information relating to an identified or identifiable natural person (the "data subject"), who is or can be identified, directly or indirectly, in particular by reference to one or more identifiers ("types of subject data"), such as:

• Personal Data identifiers (Article 4)
• Online Identifiers (Recital 30)
• Special Category Personal Data (Article 9)

Page 27

CATEGORIES OF PERSONAL DATA

IDENTIFIER, Art. 4 (Personal Data about the Data Subject)
• Name
• Address
• Email Address
• Passport Number
• Financial & Bank Info.
• Date of Birth
• Health Care Data (also a special category, see Art. 9)
• Biometric Data (also a special category when used to uniquely identify a person, see Art. 9)
• Employee ID
• Phone Number

Online IDENTIFIER, Rec. 30 ("…online identifiers [Personal Data] provided by their [Data Subject's] devices, applications, tools and protocols…")
• IP Address (static, dynamic)
• MAC Address
• Cookies
• International Mobile Equipment Identity (IMEI)
• Advertising IDs
• GPS, other location data
• Log Files
• Browser Fingerprints

Special Category IDENTIFIER, Art. 9 (Special Categories of Personal Data about the Data Subject)
• Biometric Data (processed to uniquely identify a person)
• Genetic Data
• Religious & Philosophical Beliefs
• Political Opinions
• Trade Union Membership
• Race
• Ethnic Origin
• Health/Medical
• Sex Life
• Sexual Orientation

Page 28

GDPR COMPLIANCE WITH THE

MICROSOFT CLOUD

Page 29

"Make no mistake, the GDPR sets a new and higher bar for privacy rights, for security, and for compliance. And while your journey to GDPR may seem challenging, Microsoft is here to help all of our customers around the world."

- Brad Smith, President & Chief Legal Officer, Microsoft Corporation

Page 30

PROVIDING CLARITY AND CONSISTENCY FOR THE PROTECTION OF PERSONAL DATA

The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.

• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance

Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights

Page 31

WHAT ARE THE KEY CHANGES TO ADDRESS THE GDPR?

Personal privacy. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications. Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing

Transparent policies. Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training. Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts

Page 32

WHAT DOES THIS MEAN FOR MY DATA?

Page 33

MICROSOFT'S COMMITMENT

To simplify your path to compliance, we are committing to GDPR compliance across our cloud services when enforcement begins on May 25, 2018.

We will share our experience in complying with complex regulations such as the GDPR.

Together with our partners, we are prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.

Page 34: Fast Track Your GDPR Compliance with the Microsoft Cloud ......• Salesforce + SharePoint • SharePoint for GRC • GDPR REGISTER BY FEB 16TH, GET AN AMAZON ECHO DOT! ProCollabCon.com

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

SIMPLIFY YOUR PRIVACY JOURNEY

Centralize, Protect, Comply with the Cloud

Process all in one place: Centralize processing in a single system, simplifying data management, governance, classification, and oversight.

Maximize your protections: Protect data with industry leading encryption and security technology that’s always up-to-date and assessed by experts.

Streamline your compliance: Utilize services that already comply with complex, internationally-recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.

Page 35

UNCOVER RISK AND TAKE ACTION

Protect through the entire lifecycle

• Protect user credentials with risk-based conditional access

• Safeguard data with built-in encryption technologies

• Rapidly respond to intrusions with built-in controls to detect and respond to data breaches

Govern access and processing

• Enforce use policies and access controls across your systems

• Classify data for simplified compliance

• Easily respond to data requests and transparency requirements

Discover data across systems

• Easily discover and catalog data sources

• Increase visibility with auditing capabilities

• Identify where personal info resides across devices, apps and platforms


Page 36

DEMONSTRATION

MICROSOFT GUIDANCE ON CLOUD SOLUTIONS FOR GDPR: https://docs.microsoft.com/en-us/office365/enterprise/office-365-information-protection-for-gdpr

OFFICE 365 COMPLIANCE MANAGER: https://aka.ms/STP

Page 37

Page 38

GDPR COMPLIANCE PROGRAM

Page 39

WHERE DO YOU START?

• 11 Chapters

• 99 Articles

• 173 Recitals

Page 40

APPROACH TO GDPR COMPLIANCE

Requires a comprehensive effort and strong program management to implement legally-driven policies, processes, and practices to drive the formalization and efficiency of GDPR programs

• Compliance assessments, gap analysis, monitoring and remediation of GDPR data protection regimes

• Implementation of Data Discovery and Classification (DDC) programs

• Implementation of “Right to be Forgotten” and related programs in advance of GDPR

• Privacy impact assessments/data protection impact assessments

• Augmentation, training and deployment of GDPR cross-functional teams including legal, business and IT, to promote communication and collaboration

• Defining team member roles and responsibilities

• Developing and executing training and awareness programs

Discovery & Inventory

• Inventory of EU personal data, including classification level, data controller, processor and exchanges

• Formal inventory of processing activities

Identify high risk areas to ensure a focused approach.

Risk Assessment/Gap Analysis

• Assess data collection, processing, storage and protection measures, assignment of a DPO, transfers to 3rd parties, risk assessment practices and security policies

Determine exposure and prioritize compliance activities

Data Protection & Compliance Remediation

• Obtain executive management support and funding

• Establish compliance program structure and governance

• Identify compliance strategies

• Implement remediation plans

Implement changes to achieve compliance

Report for Ongoing Compliance

• Testing and validation

• Implementation of reporting and monitoring tools/processes

Provide evidence of accountability & compliance

Page 41

KEY CONSIDERATIONS FOR RISK ASSESSMENT

What about the data transfer?

Special considerations? (Employee data, works councils, information security, etc.)

What’s the basis for processing?

With whom are you sharing the information?

Privacy policy vs. privacy notice

Page 42

GDPR COMPLIANCE ROADMAP

1. Legal Basis for Processing: Help to evaluate and remediate the legal basis on which personal data is collected and processed.

2. Consent: Help to evaluate and remediate consent practices, when relying on data subject’s consent for processing personal data.

3. Privacy Notice: Help to evaluate and remediate internal privacy policies and external privacy notifications and the process for training and communications.

4. Data Subject Rights: Implement processes that address the rights of data subjects (e.g., access, rectification, erasure, and portability of personal data).

5. Privacy by Design & Default: Implement controls to help ensure appropriate privacy safeguards are in place and are considered prior to new implementations.

6. Third Party Due Diligence: Help to evaluate and remediate third party contracts for vendors who process personal data on behalf of the client.

7. Records of Processing: Help to evaluate records of processing activities, establish data processing inventories, and the process to maintain such records.

8. Data Security: Help to evaluate and remediate data security and access controls employed to protect personal data.

9. Breach Notification: Implement newly established breach notification requirements and incorporate with client’s Incident Response plans.

10. Data Protection Impact Analysis: Evaluate processing activities and conduct DPIA if processing is likely to result in high risk to data subjects’ rights and freedoms.

11. Data Protection Officer: Evaluate requirements and the need for a Data Protection Officer (DPO). If required, act as the DPO on behalf of the client.

12. Cross-Border Data Transfers: Help to evaluate and remediate legal methods in place for transferring personal data outside of the EU.

Required Capabilities: Legal, Business, IT, Information Security

Page 43

GDPR COMPLIANCE WITH THE MICROSOFT CLOUD & PROTIVITI

• Protiviti has partnered with Microsoft to assist them with building some of the GDPR tools & guidance for their customers

• Protiviti has deep expertise with Microsoft Cloud solutions and in conducting GDPR assessments for F500 Organizations

• Microsoft is the first major cloud services provider to pledge GDPR compliance by May 25, 2018

• Microsoft has been an industry leader on Model Clauses, HIPAA, ISO 27018, and is taking a similar lead on GDPR compliance

• Microsoft offers the most comprehensive set of compliance capabilities of any major cloud service provider

• Microsoft’s speed of solution innovation is high: continual innovation to enable partners and customers to meet their compliance needs

Page 44

REFERENCES

• http://www.microsoft.com/GDPR

• GDPR Assessment Tools

• Microsoft GDPR Assessment (online version)

• Microsoft GDPR Detailed Assessment

• Microsoft 365 Trust Center

• Office 365 Secure Score (login to Office 365 required)

• Compliance Manager in Office 365 – PREVIEW

Page 45