Page 1: You Trust IT: The path to business security

GDPR - What does this mean for you?
Accelerate GDPR compliance with the Microsoft Services

Konstantin Sviridov
Andrey Ivanov
06 September 2017

This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law.

Page 2: What is the EU General Data Protection Regulation (GDPR)?

New comprehensive European privacy law replacing the 1995 Data Protection Directive.

Regulation already in place; EU starts enforcement 25 May 2018.

Applies to all organizations that process personal data of EU residents.

Page 3: How does GDPR affect organizations?

Enhanced personal privacy rights.

Increased duty for protecting data.

Mandatory breach reporting.

Significant penalties for non-compliance.

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights.

Page 4: “Year 2000” - once upon a time… 17 years ago…

Page 5: GDPR - 26 million EU organizations impacted

Page 6: 26 million EU organizations affected

Likely a “panic” zone. GDPR requirements don’t go away.

Page 7: What are the key changes to address the GDPR?

Personal privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications
Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing

Transparent policies
Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training
Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts

Page 8

Milestones: European Convention on Human Rights (1953), European Convention 108 (1981), Directive 95/46/EC (1995), Regulation (EU) 2016/679 (2018).

Dates shown on the timeline, in chronological order: 4 Nov 1950, 3 Sep 1953, 28 Jan 1981, 1 Oct 1985, 13 Dec 1995, 24 Oct 1998, 27 Apr 2016, 25 May 2018.

• Article 8 of the European Convention on Human Rights provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions that are "in accordance with law" and "necessary in a democratic society".

• The treaty regarding the protection of individuals with regard to automatic processing of personal data was signed as Council of Europe Convention 108.

• All 47 members of the Council of Europe have ratified the treaty, except Turkey.

• Data Protection Directive 95/46/EC created to regulate the processing of personal data.

• The directive agrees to a new, advanced standard in the protection of individuals with regards to the processing of their personal data and its free movement.

• The directive is brought into force after a three-year grace period.

• The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.

Page 9

A secure digital environment helps build trust, enables digital transformation and increases prosperity in the EU and globally:

Approved; applied from 25.5.2018 onwards: all organizations
Approved; national implementation by 9 May 2018: critical sectors
COM proposal January 2017: all organizations
COM guidelines January 2017: all organizations
Approved; national implementation by 23 September 2018: public sector organizations

Page 10

ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud

In 2014, the ISO adopted ISO/IEC 27018:2014, an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII. At least once a year, Microsoft Azure and Azure Germany are audited for compliance with ISO/IEC 27001 and ISO/IEC 27018 by an accredited third party certification body, providing independent validation that applicable security controls are in place and operating effectively. By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018, Microsoft—the first major cloud provider to incorporate this code of practice

SSAE 16/ISAE 3402

SSAE 16 (Statement on Standards for Attestation Engagements No. 16), the successor to SAS 70, and ISAE 3402 (International Standards for Attestation Engagement No. 3402), are audit standards established by the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board of the International Federation of Accountants, respectively, and are geared towards service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, hosted data centers, application service providers (ASPs), and managed security providers. SSAE 16 and ISAE 3402 audits are independent verifications of compliance with security controls and effectiveness of security controls.

European Union Model Clauses

European Union (EU) data protection law regulates the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway. The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC.

Microsoft provided its Standard Contractual Clauses to the EU's Article 29 Working Party for review and approval. The Article 29 Working Party includes representatives from the European Data Protection Supervisor, the European Commission, and each of the 28 EU data protection authorities (DPAs).

ISO/IEC 27001

ISO/IEC 27001 is an information security management system (ISMS) standard, part of the ISO/IEC 27000 family of standards that address privacy, confidentiality and technical security issues and have "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The standards outline hundreds of potential controls and control mechanisms. ISO/IEC 27001 in particular is one of the most widely recognized certifications for a cloud service, and thus one of the most valued by our customers. ISO 27001 defines how to implement, monitor, maintain, and continually improve the ISMS. The Microsoft Online Services Information Security Policy aligns with ISO 27002, augmented with requirements specific to online services.

Page 11

Page 12: INTELLIGENT SECURITY GRAPH

Unique insights, informed by trillions of signals. This signal is leveraged across all of Microsoft’s security services.

450B monthly authentications
18+B Bing web pages scanned
750M+ Azure user accounts
Enterprise security for 90% of Fortune 500
Malware data from Windows Defender
Shared threat data from partners, researchers and law enforcement worldwide
Botnet data from Microsoft Digital Crimes Unit
1.2B devices scanned each month
400B emails analyzed
200+ global cloud consumer and commercial services

Page 13: INTELLIGENT SECURITY GRAPH

Layers: Identity; Apps and Data (SaaS, PaaS, IaaS); Device; Infrastructure.

Contributing teams and partners: Malware Protection Center, Cyber Hunting Teams, Security Response Center, CERTs, Cyber Defense Operations Center, Digital Crimes Unit, Antivirus Network Industry Partners.

Page 14: SECURITY MANAGEMENT IMPERATIVES

VISIBILITY: Understand the security state and risks across resources

CONTROL: Define consistent security policies and enable controls

GUIDANCE: Elevate security through built-in intelligence and recommendations

Across: INFRASTRUCTURE, APPS / DATA, DEVICES, IDENTITY

Page 15: IDENTITY

DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR USERS

Page 16: Information Protection – lifecycle example

File is created (via multiple sources): Windows Information Protection

User opens the file for editing: Azure Information Protection client

Collaborate through SharePoint Online: Office 365 Data Governance

User opens the file on mobile: Intune

Upload to other cloud service for external sharing: Microsoft Cloud App Security (MCAS)

Persistent labels enable a unified information protection language.

Page 17: How do I get started?

1. Discover: Identify what personal data you have and where it resides.

2. Manage: Govern how personal data is used and accessed.

3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches.

4. Report: Keep required documentation, manage data requests and breach notifications.

Page 18: Foundation Capabilities | Consulting Services Mapping

GDPR Workshops → ETA Q1 FY18
Microsoft (and optionally with Partner) workshops on GDPR awareness and scoping establishment.

Secure Productive Enterprise PoC → ETA Q1 FY18
Customer seeking guidance and support from Advisory Firm(s) + Microsoft to assess their current environment towards the GDPR controls. Deliverables: Gap analysis and reports. Advice/Roadmap how to address and become compliant.

Fast Start | Enterprise Mobility + Security
Guided small implementation of EM+S to enable the capabilities in the environment.

GDPR areas covered:
Discover: Right to Erasure; Right to Data Portability
Manage: Documentation; Privacy by Design
Protect: Data Security; Data Transfer
Report: Documentation; Breach Response and Notification

Data Insights | GDPR Data Discovery → pilot
Known data sources/files are uploaded to Azure, after which an inventory is done on PII (NOT PUBLISHED YET).

Microsoft Data Classification Toolkit
Downloadable toolkit intended to help organizations simplify the ability to search, identify, and apply rules to data you specify.

Secure Modern Enterprise (Security Foundation)

OMS Log Analytics
Unlock the power of your own data and understand the valuable operational insights through the Hybrid Cloud Monitoring engagement.

RAP as a Service | Microsoft Security
This service is available for any organization that is seeking to evaluate and improve their Security Program Management.

Azure Information Protection Implementation Services
Initial configuration of the Azure Information Protection tenant, optionally integrated with on-premises services. Formulate and execute on a classification and DLP strategy.

Advanced Threat Analytics Implementation Service
Implements ATA in a production environment, including an Incident Management Process.

Advanced Analytics Essentials
Predictive Solutions, such as Predictive Maintenance, Demand Forecasting, Attrition, and Personalization for qualified customer opportunities. Measure and demonstrate the business value using a performance dashboard.

Dynamic Identity Framework Assessment + Online Assessment Active Directory Service (OAADS)
Assessments that cover the current posture and risks on your identity management processes and services, together with a thorough assessment of your Active Directory Services.

Windows 10 Security Implementation Service
Includes Windows 10 Security Foundation (BitLocker, Credential Guard, Defender, SmartScreen, Security Baseline) and Windows Information Protection.

Privileged Access Workstation
Security-hardened administrative workstation for cloud tenant management and for Tier 0 (Active Directory), Tier 1 (Servers) and Tier 2 (Workstations) zone management, to prevent breach of administrative accounts.

POP-Security Incident Management
Create or revise your Security Incident Management processes to enable the 72-hour breach notification requirement.

Persistent Adversary Detection Service (PADS)

Productivity Governance and Compliance
Delivers a governance plan that will help organizations control, administer, and manage their SharePoint Online investments to secure applications and data when users are located remotely, and ensure compliance requirements are met.

SQL Server Data Protection Plan
Maintain a healthy business by preventing data loss and having a reliable and AlwaysOn SQL Server infrastructure.

More foundational, medium and longer term offerings → see overview in appendix.
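The Discover step on the "How do I get started" slide (identify what personal data you have and where it resides) and the GDPR Data Discovery pilot above (an inventory of PII across known data sources) come down to the same mechanic: scan each source for personal-data patterns and record which sources hold which categories, without copying the values themselves into the inventory. The following Python script is an added illustration of that mechanic; it is not Microsoft's Data Discovery pilot, the Data Classification Toolkit, or any code from this deck. The source names, file paths and records in it are constructed samples, and the three detectors (email address, international phone number, IBAN with its mod-97 check) are a deliberately small set chosen for the example.

```python
"""Toy personal-data discovery inventory for the GDPR Discover step.

Added example, not Microsoft's Data Discovery pilot or Data Classification
Toolkit. Source names, file paths and records below are constructed samples.
"""
import re
from collections import Counter

# Constructed sample data sources (hypothetical names and records).
SAMPLE_SOURCES = {
    "crm/export.csv": (
        "name,email,phone\n"
        "Anna Example,anna@example.org,+49 30 1234567\n"
        "Bob Test,bob@example.net,+33 1 23 45 67 89\n"
    ),
    "finance/payouts.txt": (
        "Refund to GB82 WEST 1234 5698 7654 32 for order 1001\n"
        "Refund to DE89 3704 0044 0532 0130 00 for order 1002\n"
    ),
    "logs/app.log": (
        "2017-09-06T10:00:00Z INFO request served in 12ms\n"
        "2017-09-06T10:00:01Z INFO user=anna@example.org login ok\n"
    ),
    "docs/readme.txt": "Nothing personal here. Contact the team via the ticket queue.\n",
}

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# International phone numbers written with a leading + and grouped digits.
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ -]?\d{1,4}){2,5}\b")
# IBAN candidates: country code, two check digits, then alphanumeric groups.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def iban_is_valid(candidate: str) -> bool:
    """ISO 7064 mod-97 check: rejects strings that merely look like an IBAN."""
    compact = candidate.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    rearranged = compact[4:] + compact[:4]  # move country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


# category -> (pattern, optional validator applied to each raw match)
DETECTORS = {
    "email": (EMAIL_RE, None),
    "phone": (PHONE_RE, None),
    "iban": (IBAN_RE, iban_is_valid),
}


def find_personal_data(text: str) -> Counter:
    """Count validated matches per category; the matched values are not retained."""
    counts = Counter()
    for category, (pattern, validator) in DETECTORS.items():
        for match in pattern.finditer(text):
            if validator is None or validator(match.group(0)):
                counts[category] += 1
    return counts


def build_inventory(sources: dict) -> dict:
    """Map each source that holds personal data to its categories and counts."""
    inventory = {}
    for name, text in sources.items():
        counts = find_personal_data(text)
        if counts:
            inventory[name] = dict(counts)
    return inventory


def sources_with(inventory: dict, category: str) -> list:
    """Sources holding a category: the set an access or erasure request must cover."""
    return sorted(name for name, counts in inventory.items() if category in counts)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SOURCES)
    for source, counts in inv.items():
        print(f"{source}: {counts}")
    print("sources holding email addresses:", sources_with(inv, "email"))
```

The inventory keeps only counts per category, so the discovery output does not become yet another copy of the personal data, and `sources_with` answers the question an erasure or portability request raises, namely which sources must be acted on. The IBAN validator is what keeps the inventory from being polluted by strings that merely resemble account numbers; the log file is included to show that application logs are a data source like any other.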

Page 19: GDPR Workshop

Partner with Microsoft Services

GDPR Program
Education, Awareness, Discovery: Microsoft Roadmap
(Partner) Discover, Manage, Protect, Report (projects based on gap analysis outcomes and roadmap alignment)

Risk & Data Management Foundation
Modernize your IT Environment: Security, Data Platform, Cloud, Modern Workplace
Privacy Controls, Notifications, Policies, Training
Partner

Microsoft does not provide legal advice.

Page 20: Data Discovery Offering


Page 21

Global enterprises are mandated to comply with new EU regulations, and non-compliance will result in fines equaling 2-4% of global revenues. Most enterprises are using this requirement to establish a systematic IT Asset Management Service and reporting capabilities.

Objectives of the engagement:
Drive a centralized data store to host the asset data from various sources.
Drive data consistency and data quality.
Drive centralized reporting capability to provide insights for Legal, Business and Technical Decision Makers.

Benefits & outcomes:
Solution built on Azure – IaaS or PaaS with Power BI for data visualization needs.
Drive a focused workshop and quick proof of value.
Assist the customer to meet their regulatory compliance needs.

Components

Page 22: Data Subject

Rights depend on the relationship with the customer:
• Consumers
• Employees
• Vendors (Suppliers, Commercial Customers)
• Shareholders

Also shown: EU Authorities; 3rd Parties; Audit and Compliance; Application; Data Transfer.

Page 23

GDPR webpage on the Microsoft Trust Center

Customer whitepaper: Beginning your GDPR journey

Video of Brendon Lynch sharing his perspective on the GDPR

Microsoft FAQ on the GDPR

Blog Post: Earning your trust with contractual commitments to the General Data Protection Regulation

Blog Post: Get GDPR compliant with the Microsoft cloud

Page 24: You Trust IT: The path to business security

Thank You!