
Microsoft GDPR Data Discovery Toolkit - Kickoff Presentation - v1.0

This document provides an overview of the Microsoft GDPR Data Discovery Toolkit. It discusses the intended usage, a disclaimer, and an agenda for a presentation on the toolkit. The presentation will cover an introduction to privacy regulations, an overview of the toolkit, project governance, timelines, and Q&A.

Uploaded by Marcus Cimcorp

Microsoft GDPR Data Discovery Toolkit – v1.0 Nov 2017

Engagement kick-off
<your name>

This presentation is intended to provide an overview of the Microsoft GDPR Data Discovery Toolkit and is not a definitive statement of the law.

Intended Usage
The intended use for this toolkit is to assist partners in deploying Microsoft technology that supports customers on their journey to prepare for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

Disclaimer
This GDPR Discovery Toolkit is intended to assist organizations on their journey towards their GDPR compliance. This GDPR Discovery Toolkit is provided for
general public informational purposes only. Any results or recommendations produced while delivering the GDPR Discovery Toolkit should not be relied upon to
determine how GDPR applies to an organization or an organization’s compliance with GDPR, and they do not constitute legal advice, certifications or guarantees
regarding GDPR compliance. Instead, we hope the GDPR Discovery Toolkit enables technologies and additional steps that organizations can implement to
simplify their GDPR compliance efforts. The application of GDPR is highly fact-specific. We encourage all organizations using this GDPR Discovery Toolkit to work
with a legally qualified professional to discuss GDPR, how it applies specifically to their organization, and how best to ensure compliance.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS GDPR DISCOVERY TOOLKIT. Microsoft disclaims any
conditions, express or implied, or other terms that use of the Microsoft products or services will ensure the organization’s compliance with the GDPR. This GDPR
Discovery Toolkit is provided “as-is.” Information and recommendations expressed in this GDPR Discovery Toolkit may change without notice.

This GDPR Discovery Toolkit does not provide the user with any legal rights to any intellectual property in any Microsoft product or service. Use of the toolkit is
for internal, reference purposes only; however, Microsoft partners may distribute the GDPR Discovery Toolkit to their customers for such customers’ internal,
reference purposes only. Any distribution of the GDPR Discovery Toolkit by a Microsoft partner to its customers must include terms consistent with those set
forth in this disclaimer.

© 2017 Microsoft. All rights reserved


Agenda
1 Team introduction
2 Privacy, Trust, and the General Data Protection Regulation
3 The Microsoft GDPR Discovery Toolkit
4 Project Governance
5 Timelines & next steps
6 Q&A

Team Introductions

Name
Please share your name and where you are based.

Role
Please share your role in the company, which business unit or team you are part of, and what other roles you have had (internal/external).

Expertise
What is your expertise, and what do you expect to work on?

Expectations
Please share your expectations of the session.

Privacy, Trust, and the General Data Protection Regulation (GDPR)
Providing clarity and consistency for the protection of personal data

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

• Enhanced personal privacy rights
• Increased duty for protecting data
• Mandatory breach reporting
• Significant penalties for non-compliance

Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights

What are the key changes with the GDPR?

Personal privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data

Controls and notifications
Processors will need to:
• Protect personal data using appropriate security practices
• Notify authorities within 72 hours of breaches
• Receive consent before processing personal data
• Keep records detailing data processing

Transparent policies
Processors are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies

IT and training
Processors will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (for larger organizations)
• Create & manage processor/vendor contracts

What does this mean for my data?

Protecting customer privacy with GDPR
Microsoft’s commitment to its customers
• To simplify your path to compliance, Microsoft is committing to GDPR compliance across its cloud services when enforcement begins on May 25, 2018.
• Microsoft will share its experience in complying with complex regulations such as the GDPR.
• Together with its partners, Microsoft is prepared to help you meet your policy, people, process, and technology goals on your journey to GDPR.

Preparing for the GDPR

GDPR Compliance
• Simplify your privacy journey
• Uncover risk & take action
• Leverage guidance from experts

How do I get started?
1 Discover: Identify what personal data you have and where it resides
2 Manage: Govern how personal data is used and accessed
3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4 Report: Keep required documentation, manage data requests and breach notifications

1 Discover
Identify what personal data you have and where it resides

In-scope:
Inventory:

Example solutions
Microsoft Azure
• Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS)
• Microsoft Cloud App Security
Dynamics 365
• Audit Data & User Activity
• Reporting & Analytics
Office & Office 365
• Data Loss Prevention
• Advanced Data Governance
• Office 365 eDiscovery
SQL Server and Azure SQL Database
• SQL Query Language

2 Manage
Govern how personal data is used and accessed within your organization

Data governance:
Data classification:

Example solutions
Microsoft Azure
• Azure Active Directory
• Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS)
• Azure Information Protection
Dynamics 365
• Security Concepts
Office & Office 365
• Advanced Data Governance
• Journaling (Exchange Online)
Windows & Windows Server
• Microsoft Data Classification Toolkit

3 Protect
Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches

Preventing data attacks:
Detecting & responding to breaches:

Example solutions
Microsoft Azure
• Azure Key Vault
Enterprise Mobility + Security (EMS)
• Azure Active Directory Premium
• Microsoft Intune
Office & Office 365
• Advanced Threat Protection
• Threat Intelligence
SQL Server and Azure SQL Database
• Transparent data encryption
• Always Encrypted
Windows & Windows Server
• Windows Defender Advanced Threat Protection
• Windows Hello
• Credential Guard

4 Report
Keep required documentation, manage data requests and breach notifications

Record-keeping:
Reporting tools:

Example solutions
Microsoft Trust Center
• Service Trust Portal
Microsoft Azure
• Azure Auditing & Logging
• Microsoft Azure Monitor
Enterprise Mobility + Security (EMS)
• Azure Information Protection
Dynamics 365
• Reporting & Analytics
Office & Office 365
• Service Assurance
• Office 365 Audit Logs
• Customer Lockbox

The Microsoft GDPR Discovery Engagement

Why Discovery?
How will I be impacted by the GDPR?
How much data with Personal Identifiable Information do I have?
Where is this data?
Will GDPR impact my organization?

Where do I start?
How do I start?
What do I look for?
How can I identify data relevant to the GDPR?
Are there tools that can help me?
How do I find the right tools that work for me?

Engagement Objectives

Discover data impacted by the GDPR
• Find and analyze data with Personal Identifiable Information
• Scan existing data sources, online and on premises
• Classify and label data for future use

Building a solid foundation
• Implement tools & services that can also be used for Manage, Protect and Report activities

Identify data security and compliance challenges
• Determine the current state of personal data security.

Engagement Deliverables

Detailed Inventory
• Inventory of discovered files with data classification suggestions and discovered sensitive data type

Classified data (optional)
• Apply data classification labels to discovered data

Solid services foundation
• Solid foundation for future service enhancement to address Manage, Protect and Report scenarios

Engagement overview

Step 1 - Identify & Assess
Infra Assessment
Data stores (online / on premises):
• File shares
• SharePoint Server / Online
• Exchange Server / Online
• OneDrive
• Other

Identify and document all possible data sources within the organization
• Online / On premises
• Structured / semi-structured / unstructured
Should we scan the data?
• Can we scan the data?
• Is mitigation required
What do we do with the discovered data?
• Label, keep or discard

Deliverable
• Data Source Inventory

Step 2 - Plan for classification
Classification & Labeling
• Legal requirements
• Business processes
• Policies
• Classifications, labels and conditions
• Applications and services

Gather legal and business requirements
Agree on classification taxonomy
• Use existing or create new?
• Aligned with GDPR scenarios
• Meets organizational legal and business requirements
Design data classification policies and labels
• One for all or scoped to groups and departments?
Define conditions – sensitive data types
• Generic sensitive data types
• Specific to the organization

Deliverable
• Classification and labeling taxonomy

Step 3 - Select the right solution
Select: on-premises / online

Data locations drive the product selection
Current situation vs. future plans
• All in the cloud
• Moving to the cloud
• Staying on premises
Office 365 Labels
• Integrated with Microsoft cloud based services:
Microsoft Information Protection Scanner
• Built on Microsoft Information Protection
• Discovery and classification for on premises datastores

Step 4 - Implement MIP
On premises (MIP - Implement):
• Confirm subscription & assign licenses
• Prepare users & groups
• Activate Microsoft Information Protection
• Configure and publish the Azure Information Protection policy

Microsoft Information Protection
• Setup and configure
• Focus on MIP scanner service
Prepare for automated classification and labeling
• Configure and deploy labels, policies and conditions
• Focus on data discovery and MIP scanner
• Leverage previously defined classification taxonomy

Step 5 - Scan existing data sources
On premises (MIP - Scan): Discover and Classify
Data stores: File shares, SharePoint Server
• Confirm pre-requisites
• Install & configure scanner service
• Verify and update AIP policies, conditions and labels

Install and configure MIP Scanner
• Install and test
• Specify data stores to be scanned
Discovery cycle
• Run MIP Scanner in discovery mode
• Validate the findings
• Optimize conditions and sensitive data types definitions
• Complete discovery cycle
• Assess impact of applying MIP labels
Classify documents and apply labels
• Enforce mode, update existing data
• Apply labels and run consciously

Deliverables
• Detailed data inventory
• Existing data scanned for PII, classified and labeled

Step 4 - Configure and Enable
Online (Office 365 Labels): Configure and enable
Services: Exchange, SharePoint, OneDrive for Business, Skype for Business
• Label Configuration
• Policy Configuration
• Publish Labels & Policies

Office 365 Labels
• Setup and Configure
• Focus on discovery & search
Prepare for automated classification and labeling
• Configure and deploy labels, policies and conditions
• Publish configuration to relevant services
• Leverage previously defined classification taxonomy

Step 5 - Search and Discover
Online: Search & Discover
Services: Exchange, SharePoint, OneDrive, Skype for Business
• Configure search
• Execute search
• Generate report
• Download report

Search Content by label
• Configure search criteria using compliance tag
• Execute the search across the Microsoft cloud
• Generate and download the report

Deliverables
• Detailed data inventory report

In Scope activities
• Data source inventory
• Classification and Labeling
• Tools and services selection
• Install, configure and enable
• Discover, classify, label and report

Out of Scope activities
• Enable non-discovery features & functionality
• End user solutions
• Data discovery in non-supported locations


Timelines & planning

Workflow and Schedule (Example)
Step 1: Identify & Assess
Step 2: Plan for Classification
Step 3: Select the solution
Step 4: Configure and Enable
Step 5: Discover and Classify

Project Governance

Project Governance Update (Example)

Risk and issues management
Date recorded | Risk/Issue description | Probability | Impact | Mitigation plan

Change management

Success Criteria

Q&A
