What is GDPR?

GDPR, or the General Data Protection Regulation, is set to impose new rules on companies, government agencies, non-profits and other organisations by May 2018. Designed to give people more control over their personal data, in addition to greater clarity and consistency of rules, it essentially means big changes for company policy and work processes.

Find out who we have already helped.

We can help

Bringing your company in line with the new GDPR regulations can be a challenging process; we can help guide you through the necessary steps. Get in touch to find out how the Microsoft Enterprise Mobility and Security (EMS) suite can help your business.

Get in touch

Visit Microsoft to find out more.

Key Changes under GDPR

Personal Privacy

Individuals have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Erase their personal data
  • Object to processing of their personal data
  • Export personal data

Controls and Notifications

Organisations will need to:

  • Protect personal data using appropriate security
  • Notify authorities of personal data breaches
  • Obtain appropriate consents for processing data
  • Keep records detailing data processing

Transparent policies

Organisations are required to:

  • Provide clear notice of data collection
  • Outline processing purposes and use cases
  • Define data retention and deletion policies

IT and Training

Organisations will need to:

  • Train privacy personnel and employees
  • Audit and update data policies
  • Employ a Data Protection Officer (if required)
  • Create and manage compliant vendor contracts

Getting started with GDPR

Through our partnership with Microsoft, we can recommend the following steps to becoming GDPR compliant:

  1. Discover - Identify which personal data you have and where it resides.
  2. Manage - Govern how personal data is used and accessed.
  3. Protect - Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  4. Report - Keep required documentation and manage data requests and breach notifications.

To find out more about how we can help your organisation reach GDPR compliance, get in touch.


Achieving GDPR compliance with Microsoft EMS

Security was once largely limited to the boundaries of the on-premises world, but with the transition to mobility and the cloud, employees now have increasingly complex interactions with devices, apps and data. In this new world, managing your perimeter does not guarantee the protection of data as it travels outside of corporate boundaries.

When you add the evolving nature, and increasing number, of cybersecurity threats into this new environment, the complexity of protecting data in line with the GDPR is clear: maintaining the balance between providing the best user experience while ensuring compliance with regulations.

“Microsoft EMS is designed with this purpose: providing a holistic solution set to help you apply the latest mobility and cloud innovations; helping to protect your business from threats across your data, identities, devices, and apps; and enabling the types of business and technical controls that you will need as you work toward meeting the requirements of the GDPR.”

Components of EMS

  • Microsoft Azure Active Directory (AAD)

    Microsoft’s Identity and Access Management Solution

    AAD gives organisations additional capabilities, such as conditional access, user and sign-in risk calculation, multi-factor authentication and privileged identity management. It helps secure and restrict access to personal data, and reduce the risk of data loss.

    Conditional Access policies can be applied based on:

    • Group membership. Control a user's access based on membership in a group.
    • Location. Use the location of the user to trigger multi-factor authentication, and use block controls when a user is not on a trusted network.
    • Device platform. Use the device platform, such as iOS, Android, Windows Mobile, or Windows, as a condition for applying policy.
    • Device. Device state, whether compliant or not, is validated during device policy evaluation. If you disable a lost or stolen device in the directory, it can no longer satisfy policy requirements.
    • Sign-in and user risk. You can use Azure AD Identity Protection for conditional access risk policies. Conditional access risk policies help give your organization advanced protection based on risk events and unusual sign-in activities.

    In addition to this, EMS can protect your data in real time from the most advanced threats, with identity protection capabilities that calculate the risk of every access request and every user and apply automated remediation actions as needed. Further security is provided through Multi-Factor Authentication, a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins.

    Azure MFA safeguards data and applications whilst also providing a simple user sign-in process, with verification being achieved through an email, text message or mobile app verification.

    If you are looking to move to the cloud or get the most from your existing Office 365 setup, get in touch.

  • Microsoft Advanced Threat Analytics

    A key area of the GDPR is the timeline and conditions in which companies must provide notice of data breaches. Advanced Threat Analytics (ATA) from Microsoft provides a sophisticated solution to meet this requirement: the service uses behavioural analytics and anomaly detection technologies to uncover suspicious activity, on-premises and in the cloud. ATA helps to identify breaches before they cause damage to the company.

    Advanced Threat Analytics is deployed on-premises and works with your existing Active Directory deployment, whilst remaining non-intrusive. The software analyses each individual’s behaviour to create a profile for each user. This profile can then be used to identify abnormal behaviour, advanced attacks and security risks without the need to create rules or policies, or to install desktop and server agents.

    ATA gives admins the ability to run reports in the following ways:

    • Security reports – provide two types of reports: users flagged for risk and risky sign-ins (anonymous IPs, impossible travel, unfamiliar locations and infected devices)
    • User-specific reports – display device/sign-in activity data for a specific user
    • Activity logs – contain a record of all audited events within the last 24 hours, 7 days, or 30 days, as well as group activity changes and password resets

    ATA provides an attack timeline: a clear, efficient, and convenient feed that surfaces the right things on admin timelines. In addition to this, the software provides recommendations for investigation and remediation for each suspicious activity. ATA works in perfect synchronization with AAD, Intune, Cloud App Security and AIP to provide a complete security package for use across all devices and platforms.

  • Microsoft Cloud App Security

    Helps you discover all the cloud apps in your environment, identify users and usage, and get a risk score for each app. You can then decide if you would like your users to access these apps. Cloud App Security provides visibility, control and threat protection for the data stored in these cloud apps. You can shape your cloud security posture by setting policies and enforcing them on Microsoft and third-party cloud applications. If Cloud App Security discovers an anomaly, it sends admins an alert.

    Cloud App Security considers the risk of individual apps based on 60 parameters, evaluating the service provider, security mechanisms, and compliance certificates. The service then compares this risk score to usage to complete a total risk assessment. Based on this risk assessment, admins can make a decision on whether to allow individuals to use certain applications, or even regulate who can use an app. Cloud App Security includes powerful reporting and analytics with ongoing risk detection, usage patterns, upload/download traffic and transactions so that anomalies can be identified as soon as possible.

    Once cloud apps containing personal data are discovered, they must be managed with the appropriate policies and controls. Cloud App Security provides companies with data control policy settings and enforcement. Policies can be used straight out-of-the-box from Microsoft, or custom built. Some potential policies are:

    When there are violations against company policies, admins receive an alert. Once investigated, the relevant actions can be taken, and data can be protected in cloud apps in the appropriate way. Actions could be: putting files in quarantine, restricting sharing, or protecting the file with Rights Management.

  • Microsoft Intune

    Microsoft’s Mobile Device and Application management solution helps to protect data stored on personal computers and mobile devices. Admins can control access, encrypt devices, selectively wipe data, and control which applications store and share personal data. Intune can help to inform users about management choices by posting a custom privacy statement and terms of use.

    By using Intune an organisation can grant employees access to company applications, data, and resources from virtually anywhere on almost any device, whilst also ensuring that all data is secure. Administrators can set policies to enforce device enrolment, domain join, strong passwords, and encryption. By using compliance settings, Intune evaluates the compliance of employee devices against a set of rules created by admins. If the device does not comply with company policy, the user will be guided through the process of enrolling the device.

    Intune provides fine-grained control of what employees can do with the data they access in desktop and mobile apps. Working in synchronisation with Azure Information Protection, Intune ensures that users can continue to use personal devices uninterrupted, until company data is involved. As Intune is based upon identity, users can continue to use their personal device to access both corporate and personal data through the same application.

    Intune supports your GDPR compliance by allowing you to:

    • Enable your employees to securely access corporate information using the mobile apps and ensure that your data remains protected after it’s been accessed by restricting actions such as copy/cut/paste/save as.
    • Apply policies to applications that protect data with or without enrolling the device for management, allowing you to protect corporate information without the risk of intruding on a user’s personal life.
    • Apply the same mobile application management policies to your existing line-of-business (LOB) applications using the Intune App Wrapping Tool, without making code changes.
    • Enable users to securely view content on devices within your managed app ecosystem using the Managed Browser and Azure Information Protection Viewer.
    • Encrypt company data within apps with the highest level of device encryption provided by iOS and Android.
    • Protect your company data by enforcing PIN or credential policies.
    • Selectively remove company data (apps, email, data, management policies, networking profiles, and more) from user devices and apps while leaving personal data intact.

  • Microsoft Azure Information Protection (AIP)

    Helps to classify and label data at the time of creation or modification. Protection can then be applied to personal and sensitive data. Classification labels and protection are persistent, travelling with the data so that it is identifiable and protected at all times, regardless of where it is shared or with whom it is shared. Whilst providing constant protection, the interface is simple and often automatic.

    Azure Information Protection can query for data marked with a sensitivity label or intelligently identify sensitive data, such as credit card information, when a file or email is created or modified. Once sensitive data is identified, it will be automatically classified depending on company policy. After being labelled, the document or email is then protected through encryption, and access rights are managed with the appropriate policy in line with the GDPR. Depending on the policy, decryption will be conditional on the user being authorized by the access policy, thereby enforcing the intended safeguards around the personal data.

    After the content is classified and potentially protected, it can then be monitored to see how it is being used. If any suspicious activity is detected, admins can take the relevant actions, such as revoking access, to prevent any data leakage.

Take a look at who we have helped to achieve GDPR compliance



RWB are a Nottingham based firm of Chartered Accountants serving clients throughout the UK. Their highly experienced staff provide a full range of accountancy and business advisory services with every service being tailored to client's specific needs.

Kimble Apps

Kimble Apps provide assistance to Professional Service businesses through their Salesforce augmentation platform. They are based in London but have offices worldwide.
