Announcing general availability of Privacy Management for Microsoft 365
Published Oct 19 2021 06:00 AM

An exponential increase in hybrid and remote work has caused people to fluidly transition between work and personal activities. As a result, more personal data is being generated, retained, shared, and accessed across a multitude of devices and clouds, making the data susceptible to sophisticated and disruptive attacks. 58% of data breaches in 2020 involved personal data[1] and 70% of U.S. adults feel that their personal data is less secure than five years ago[2]. Consequently, there are growing concerns over trust in technologies and organizations that handle personal data. Legislatures across the globe are responding to such concerns by enacting regulations that protect personal data and provide consumers the right to their data, compelling organizations to make data privacy central to their business.


We have heard from our customers that managing the complexity of data privacy is challenging, and often a manual process. To help, we are excited to announce the general availability of Privacy Management for Microsoft 365, enabling customers to safeguard their personal data and build a privacy-resilient workplace.

Privacy Management for Microsoft 365 allows organizations to:

  • Identify critical privacy risks and conflicts
  • Automate privacy operations and respond to subject rights requests
  • Empower employees to make smart data handling decisions


Identify critical privacy risks and conflicts

One of the biggest challenges in managing privacy is understanding where personal data is stored, especially in an unstructured environment. 60% of companies still use manual processes to maintain data inventory and mapping, primarily through email, spreadsheets, and in-person communication[3], which is costly and ineffective. Privacy Management automatically and continuously discovers personal data in customers’ Microsoft 365 environments by leveraging data classification and user mapping intelligence. Organizations can see an aggregated view of their privacy posture, including the volume, category, location, and movement of personal data in their Microsoft 365 environments. Additionally, they get visibility into the current status and trends of the associated privacy risks arising from personal data being overshared, transferred, or unused.

Figure 1: Overview dashboard showcasing privacy risks and trends

Figure 2: Data profile page for granular details (volume, storage, geography) of personal data

Automate privacy operations and respond to subject rights requests

Although manual processes and homegrown solutions can sometimes help discover personal data, organizations lack actionable insights to help mitigate risks. Research shows that 35% of organizations update their privacy data map quarterly or annually[4], leading to possible blind spots between each update. Lack of contextual insights, compounded with discontinuous privacy data mapping, could lead to critical risks going undetected or unaddressed and, in turn, potential noncompliance with privacy regulations. Privacy Management correlates data signals across the Microsoft 365 suite of solutions to deliver actionable insights that help mitigate privacy risks before they become a problem. Privacy admins are provided with ongoing insight into privacy risks and are able to customize the templates listed below to better meet their organizations’ privacy requirements.


Data transfers

As part of business operations, most global organizations share personal data across their departments, regional offices, and even with other organizations. Regulations such as the General Data Protection Regulation (GDPR) define restrictions on such personal data transfers across borders. In order to meet these regulatory requirements, organizations create data flows and maps, which rely on human judgment and assumptions regarding how data is stored and transmitted. Privacy Management helps to detect if personal data is shared across departmental or geographical borders and either blocks the transfer (in Microsoft Teams) or provides remediation actions to apply additional protection controls, helping organizations stay compliant with data transfer requirements.


Data overexposure

Allowing employees to share personal data across departments and geographies can also result in overexposure and prolonged access to the data. To comply with regulatory data access requirements, organizations should ensure strict access management policies and limit access only to people who need it. To be able to effectively scale their access management programs, organizations need help understanding data collection objectives, current access policies, and optimal timelines for revoking or restricting access. Privacy Management helps detect external, excessive, and idle access to personal data and notify data owners of remediation actions, helping organizations reduce or restrict open and external access to personal data.


Data minimization

Regulations like the GDPR require organizations to collect and process the minimum amount of personal data needed for a specific objective and dispose of the data after that objective is achieved. With the exponential growth in data, most data owners are struggling to ensure timely and systematic disposal. In addition, privacy admins aren’t equipped with the context behind data collection and usage, preventing them from deciding when the data should be deleted. To mitigate risks from unused and idle data, most organizations set up company-wide policies for data disposal that may not consider unique scenarios, potentially resulting in personal data either being stored for too long or disposed of too soon. Privacy Management helps detect unused personal data with no retention labels and notify data owners to either dispose of the data or apply a deletion policy, helping organizations reduce the amount of unneeded and unused personal data.
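The three policy templates described above (data transfers, data overexposure, data minimization) each reduce to a rule over the same inventory facts: who owns an item, who it is shared with, where those people sit, when it was last opened, and whether it carries a retention label. The following is an added example written for this page, not Privacy Management's own logic or any Microsoft API; the field names, thresholds and the sample inventory are all constructed to show how such rules evaluate and how the resulting findings would be grouped per data owner for a digest.

```python
"""Toy evaluator for the three risk templates described above. Added example,
not Privacy Management's own logic or API: fields, thresholds and sample data are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

IDLE_AFTER = timedelta(days=90)     # assumed: shared item nobody opened for this long
EXCESSIVE_ACCESS = 50               # assumed: more principals than this is "excessive"
UNUSED_AFTER = timedelta(days=365)  # assumed: unlabeled personal data untouched this long

@dataclass(frozen=True)
class Principal:
    upn: str
    department: str
    region: str
    external: bool = False  # outside the organization

@dataclass
class Item:
    path: str
    owner: Principal
    has_personal_data: bool       # what a classifier would set
    last_accessed: datetime
    retention_label: str | None = None
    shared_with: list[Principal] = field(default_factory=list)

@dataclass(frozen=True)
class Finding:
    template: str  # data_transfer | data_overexposure | data_minimization
    path: str
    owner: str
    detail: str

def data_transfer_findings(items):
    """Personal data shared with an internal principal in another department or region."""
    out = []
    for it in items:
        if not it.has_personal_data:
            continue
        for p in it.shared_with:
            # external sharing is reported by the overexposure template instead
            if not p.external and (p.department, p.region) != (it.owner.department, it.owner.region):
                out.append(Finding("data_transfer", it.path, it.owner.upn,
                                   f"shared with {p.upn} in {p.department}/{p.region}"))
    return out

def data_overexposure_findings(items, now):
    """External, excessive, or idle access to shared personal data (one finding per condition)."""
    out = []
    for it in items:
        if not it.has_personal_data or not it.shared_with:
            continue
        ext = [p.upn for p in it.shared_with if p.external]
        idle_days = (now - it.last_accessed).days
        checks = [(bool(ext), f"external access: {', '.join(ext)}"),
                  (len(it.shared_with) > EXCESSIVE_ACCESS, f"excessive access: {len(it.shared_with)} principals"),
                  (now - it.last_accessed > IDLE_AFTER, f"idle access: last opened {idle_days} days ago")]
        out += [Finding("data_overexposure", it.path, it.owner.upn, d) for hit, d in checks if hit]
    return out

def data_minimization_findings(items, now):
    """Unused personal data with no retention label: owner should dispose of it or label it."""
    return [Finding("data_minimization", it.path, it.owner.upn,
                    f"unlabeled, unused for {(now - it.last_accessed).days} days")
            for it in items if it.has_personal_data and it.retention_label is None
            and now - it.last_accessed > UNUSED_AFTER]

def evaluate(items, now):
    """Run all templates; returns {template: [Finding, ...]}."""
    grouped = defaultdict(list)
    for f in (data_transfer_findings(items) + data_overexposure_findings(items, now)
              + data_minimization_findings(items, now)):
        grouped[f.template].append(f)
    return dict(grouped)

def digest_by_owner(findings_by_template):
    """Group findings per data owner, the way a per-owner email digest would."""
    digest = defaultdict(list)
    for fs in findings_by_template.values():
        for f in fs:
            digest[f.owner].append(f)
    return dict(digest)

# Constructed sample inventory (fixed "now" so results are reproducible)
NOW = datetime(2021, 10, 19, tzinfo=timezone.utc)
alice = Principal("alice@contoso.example", "Finance", "EU")
carol = Principal("carol@contoso.example", "Finance", "EU")
bob = Principal("bob@contoso.example", "Sales", "US")
partner = Principal("pat@partner.example", "n/a", "US", external=True)
sales_team = [Principal(f"rep{i}@contoso.example", "Sales", "US") for i in range(60)]
SAMPLE_ITEMS = [
    Item("/finance/payroll-2020.xlsx", alice, True, NOW - timedelta(days=10), "HR-7y", [carol]),
    Item("/finance/customer-list.csv", alice, True, NOW - timedelta(days=5), "Customer-3y", [bob, partner]),
    Item("/hr/applicants-2018.csv", carol, True, NOW - timedelta(days=800)),
    Item("/sales/leads.xlsx", bob, True, NOW - timedelta(days=120), "Leads-1y", sales_team),
    Item("/sales/team-lunch.docx", bob, False, NOW - timedelta(days=400), None, [partner]),
]

if __name__ == "__main__":
    for owner, fs in digest_by_owner(evaluate(SAMPLE_ITEMS, NOW)).items():
        print(owner, *(f"  [{f.template}] {f.path}: {f.detail}" for f in fs), sep="\n")
```

Two design points worth noting: the file shared with a partner shows up once, under overexposure (external access), not a second time as a cross-border transfer, so each condition produces exactly one finding; and the idle-access and unused-data rules key off the same last-accessed timestamp but differ in whether the item is shared and whether it carries a retention label, which is what keeps "someone has access they never use" distinct from "nobody needs this anymore". The team-lunch document shows why classification gates everything: without personal data in it, external sharing produces no privacy finding at all.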

Figure 3: Default and custom policy templates that can be configured

Subject rights request management

Data privacy regulations such as GDPR or the California Consumer Privacy Act (CCPA) grant consumers the right to know the specific pieces of data that organizations have collected about them. Responding to such requests (commonly known as data subject requests) has been a manual and cumbersome process. The process begins with finding relevant data, followed by identifying and triaging multi-person data and legal conflicts, and finally reviewing the data set across multiple teams before responding to the subject's request. Research shows that 53% of companies handle subject requests manually, 42% have a partially automated process, and only 2% have automated their response[5]. Privacy Management helps organizations automate and manage subject requests at scale. The solution automatically locates the subject's personal data, identifies data conflicts, enables secure collaboration through Microsoft Teams, and provides built-in review and redact capabilities. Organizations can also leverage integration with Microsoft Power Automate templates to create calendar reminders, search files with specific tags, and track subject requests in ServiceNow.

Figure 4: Subject rights requests management

To meet customers where they are in their privacy journey, we have built APIs that allow customers to integrate with their existing processes and solutions to automatically create and manage subject rights requests in Privacy Management. We are also excited to announce partnerships with leading privacy software vendors OneTrust, Securiti.ai, and WireWheel to extend subject rights management capabilities to personal data stored outside of the Microsoft 365 environment, enabling customers to have a unified and streamlined response to subject requests. For more details on integration, please see this announcement.


Empower employees to make smart data handling decisions

Data owners are struggling to stay current with their organization's privacy best practices, which can lead to unintentional privacy incidents. 92% of privacy incidents are unintentional or inadvertent[6] in nature, and about 14% of organizations do not provide privacy training for their employees[7]. Privacy Management helps organizations scale their privacy operations by sharing accountability between the admins and the data owners. Admins can customize privacy policies so that data owners receive recommended actions or training that are both contextual (through Microsoft Outlook emails) and in the moment (through Microsoft Teams). Data owners are able to take action to mitigate risks from within the Microsoft applications, eliminating the need to choose between privacy and productivity. Over time, such relevant recommendations and contextual training can be an effective way to educate employees about their organization's privacy practices, drive real behavioral change, and help build a privacy-resilient workplace.

Figure 5: Microsoft Teams blocking personal data transfer in the moment

Figure 6: Microsoft Outlook email digest to help employees proactively remediate privacy risks

Get started

To help you get started right away, Privacy Management, with its strict role-based access control and data de-identified by default, analyzes personal data in your Microsoft 365 environment and provides initial insights. Without any policy configuration on your end, you will be able to visualize the volume, category, and location of personal data along with associated privacy risks. These data-first insights help you prioritize the risks that are most important to your organization. For example, based on the initial evaluation, you might choose to focus on mitigating data transfer risks across different departments within your organization before tackling risks arising from overexposed data.


Privacy Management is generally available for customers as an add-on to a Microsoft 365 or Office 365 subscription and can be accessed from the Microsoft 365 compliance center. Leverage the free 90-day trial to get started with Privacy Management today!


Learn more

  1. Read product documentation for more information on Privacy Management in Microsoft 365
  2. Read about Novartis’ experience with Privacy Management here
  3. Watch this video to learn more about Privacy Management capabilities
  4. Visit this website to learn more about privacy at Microsoft

The Privacy Management team is looking forward to hearing from you.


[1] Data Breach Investigations Report, Verizon, 2020

[2] How Americans see digital privacy issues amid the COVID-19 outbreak | Pew Research Center

[3] IAPP-EY Annual Privacy Governance Report, 2019

[4] Data Protection and Data Privacy Survey, Dec 2020, IDC

[5] IAPP-FTI Consulting Privacy Governance Report, 2020

[6] Data indicates human error prevailing cause of breaches, incidents, IAPP

[7] Privacy in Practice 2021: Data Privacy Trends, Forecasts, and Challenges, ISACA

Last update: Jan 26 2022 10:10 AM