2. INTRODUCTION
• General Data Protection Regulation (GDPR) regulates the collection, storage, processing & sharing of personal data, effective May 25th, 2018
– Identifying what personal data you have and where it resides
– Governing how it is used and accessed
– Establishing strict security controls
– Preparing to respond to data subject requests
• Failing to comply becomes expensive
• It isn’t over after 25 May
3. INTRODUCTION
• How to protect sensitive data stored in Office 365?
• Discovering, managing, protecting & reporting personal data
• Can also be used to comply with other regulations
• What about non-Office 365 data?
• It is not a GDPR compliance attestation
4. HOW DO I GET STARTED?
WHAT IS MY GDPR MATURITY LEVEL?
6. • Use assessments as the basis for managing compliance activities
• Track organization progress towards each assessment
• Office 365 GDPR assessments already completed
• Recommended actions & controls for your organization
• Including tools & reporting
• English only
• DEMO
COMPLIANCE MANAGER
7. • Does GDPR apply to your organization and to what extent?
• Understanding the data and where it resides
• Use Content Search to:
– Find & report Personal Data
– Specific information such as credit cards
– Optimize sensitive data types
– Sensitive information types for EU citizen data (NIN)
– Custom sensitive information types
– Analyze results with advanced eDiscovery
• DEMO
CONTENT SEARCH
8. • Add parameters to a sensitive information type query to hone the results
– Count range
– Confidence range
• Modify a sensitive information type to improve accuracy
– Example: modify the ‘EU Debit Card Number’ sensitive information type
• Create custom KQL queries to find additional data in your environment
– Example—Using Content Search to identify email addresses
• (^|\b)([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})($|\b)
– Metadata search — attachmentnames:annual*
• Create new custom sensitive information types
– Additional example of using KQL
ENHANCING SEARCH RESULTS
10. • Keywords: customer number, customer no, customer #, Telenor, invoice
• Patterns (customer numbers, product numbers, invoice numbers)
– [0-1][0-9][0-9]{3}[A-Za-z][0-9]{4}
• Confidence range
• Count range
• Metadata: sender, cc, author, filename
IN SEARCH OF CUSTOMER DATA
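The following is an added example, not part of the original slides and not Microsoft's implementation: a local Python model of how the keywords, the pattern, the confidence range and the count range from this slide combine to decide whether a document matches. The pattern and keywords come from the slide; the proximity window, the two confidence values, the function names and the sample documents are assumptions constructed for illustration.

```python
import re

# Pattern and keywords are taken from the slide.
PATTERN = re.compile(r"[0-1][0-9][0-9]{3}[A-Za-z][0-9]{4}")
KEYWORDS = ("customer number", "customer no", "customer #", "telenor", "invoice")

# Assumed values, chosen only to illustrate the mechanism.
PROXIMITY = 300          # characters searched on each side of a pattern hit
CONF_WITH_KEYWORD = 85   # pattern hit with a supporting keyword nearby
CONF_PATTERN_ONLY = 65   # pattern hit with no supporting keyword

# Constructed sample documents.
DOC_INVOICE = ("Invoice 2018-114. Customer number: 01234A5678. "
               "Second account, customer no 11987b0042.")
DOC_PARTS = "Spare part list rev 3: housings 09876Z1234 and 10555q0001 are back in stock."


def find_matches(text):
    """Return a (value, confidence) pair for every pattern hit in text."""
    lowered = text.lower()
    hits = []
    for m in PATTERN.finditer(text):
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        near_keyword = any(k in window for k in KEYWORDS)
        conf = CONF_WITH_KEYWORD if near_keyword else CONF_PATTERN_ONLY
        hits.append((m.group(), conf))
    return hits


def evaluate(text, min_conf=75, min_count=1, max_count=None):
    """Apply a confidence floor and a count range to the unique hits."""
    values = sorted({v for v, c in find_matches(text) if c >= min_conf})
    n = len(values)
    in_range = n >= min_count and (max_count is None or n <= max_count)
    return in_range, values


if __name__ == "__main__":
    for name, doc in (("invoice", DOC_INVOICE), ("parts list", DOC_PARTS)):
        print(name, find_matches(doc), evaluate(doc))
```

The parts list contains strings with the same shape as a customer number but no supporting keyword, so it is only returned when the confidence floor is lowered; that trade-off between recall and false positives is what the confidence and count ranges tune.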
11. • Regular Expression (RegEx) pattern to identify EU dates in the formats used by the various
subsidiaries
(0?[1-9]|[12][0-9]|3[0-1])[/-](0?[1-9]|1[0-2]|j\x00e4n(uar)?|jan(uary|uari|uar|eiro|vier|v)?|ene(ro)?|genn(aio)?|feb(ruary|ruari|rero|braio|ruar|br)?|f\x00e9vr(ier)?|fev(ereiro)?|mar(zo|o|ch|s)?|m\x00e4rz|maart|apr(ile|il)?|abr(il)?|avril|may(o)?|magg(io)?|mai|mei|mai(o)?|jun(io|i|e|ho)?|giugno|juin|jul(y|io|i|ho)?|lu(glio)?|juil(let)?|ag(o|osto)?|aug(ustus|ust)?|ao\x00fbt|sep|sept(ember|iembre|embre)?|sett(embre)?|set(embro)?|oct(ober|ubre|obre)?|ott(obre)?|okt(ober)?|out(ubro)?|nov(ember|iembre|embre|embro)?|dec(ember)?|dic(iembre|embre)?|dez(ember|embro)?|d\x00e9c(embre)?)[ /-](19|20)?[0-9]{2}
REGEX EXAMPLE
13. • Create labels and policies in Security and Compliance Center
– Create Office labels
– Create auto-apply policies for labels
• Prioritize auto-apply label policies
• Apply protection to labeled data
• Labeling personal/customer data for GDPR
• DEMO
LABELS
14. • “Individuals have the right to erase their personal data”
• Retaining or Deleting
• How a retention policy works with content in place
• Combine retention with:
– Labels
– Search
– Data Loss Prevention
• DEMO
RETENTION
15. • Create a case & assign members
• Place content locations on hold
• Create and run a Content Search associated with a case
• Export the results of a Content Search associated with a case
• Prepare search results for Advanced eDiscovery
– Include non-Office 365 data
– Advanced analysis
• DEMO
EDISCOVERY
17. • Identify sensitive information across many locations
• Prevent accidental sharing of sensitive information
• Help users learn how to stay compliant without interrupting their workflow
• View DLP reports showing content that matches your organization’s DLP policies
• DEMO
DATA LOSS PREVENTION (DLP)
18. • Site and library level protection
– Permissions for SharePoint Online & OneDrive for Business
– External sharing policies for SharePoint Online & OneDrive for Business
• Service access protection
– Enterprise Mobility and Security (EMS) suite
ADDITIONAL PROTECTION
21. • Cloud App Security
– Alert when sensitive data is shared from an approved App
– Alert when “GDPR” labeled file is uploaded to Google Drive or OneDrive
• Data Loss Prevention reports
• Audit log search & alert policies
• GUI (Office 365 Admin Center) or PowerShell
• Workflows
• DEMO
TOOLS & REPORTS
23. • Moving data into Office 365 has significant advantages
• Let us help you leverage the tools you already have
• Or: let us help you get the tools you need
• License upgrade may be required
• GDPR is a continuous process. Office 365 ROI is significant
• Quick results = quick benefits = avoid penalties
CONCLUSION