So you heard us announcing Microsoft Priva at our webinar - Establish an information protection and privacy strategy with Microsoft Principal Group Program Manager Nishan DeSilva. I will build on the webinar and provide further insights into Microsoft Priva.
Microsoft Priva is a new category of features in Microsoft Compliance Centre, providing solutions targeted at data privacy compliance. The Microsoft Priva brand is now available with its first set of Priva solutions:
Priva Privacy Risk Management - a capability based on sensitive information templates for creating privacy risk management policies that identify and remediate privacy risks such as data transfers, data overexposure, and data minimization, and that empower information workers to make smart data handling decisions.
Priva Subject Rights Requests - helps automate and manage the data subject access request process and related case management workflows.
Why should you care about data privacy?
Regulations governing the collection and use of personal data by enterprises are changing substantially throughout 2021. According to a Gartner report, the regulations will continue to change through 2023, resulting in several privacy laws and leaving organisations to figure out a way to find and demonstrate compliance.
Companies must be able to perform large-scale classification of their data while answering several of the following questions:
What types of personal data do you have on file (PII, PHI, PCI, etc.)?
Where is it located?
What level of security is required?
Who has access?
How will the data be used?
Do you have consent to use that data?
This is a particular challenge for companies operating in North America, where the states with either passed or proposed legislation currently represent more than 85% of the U.S. population.
Whilst the regulations are growing in a patchwork pattern, most companies are still using extremely conventional methods to manage privacy requirements. Privacy risk management activities with regard to unstructured information are still limited to:
A focus on finding personal data for recordkeeping
Significant reliance on end users to identify personal data and demonstrate privacy compliance
Heavy reliance on surveys and task assignments to get a point-in-time inventory or fulfil subject requests
To gain and maintain customer and employee trust, and comply with privacy regulations without hindering productivity, organizations will have to make privacy central to their business operations.
Only 1% of organizations have automated the process to respond to subject rights requests, and most organizations are spending a significant amount of time and cost in managing these requests (IAPP-FTI Consulting Privacy Governance Report 2020, n=473).
How does Microsoft Priva address the challenge?
Microsoft Priva is located in the Microsoft 365 compliance center. It provides the following capabilities:
Policies: The Microsoft Priva solution provides the ability to configure 3 types of privacy risk management policies. These can be configured with a selection of 200+ sensitive information type templates ready-made for specific privacy regulations (e.g. GDPR, CCPA, etc.). In addition, customers can create their own custom templates to further enhance the accuracy and scope of the policies. The templates can then be used in the following risk management categories:
Data transfers: This policy helps detect personal data being shared across borders (departments, regions, or countries) and provides mitigation actions. The policy can be customized by data storage locations, data types and geographic regions.
Data minimization: This policy helps detect personal data that has no retention labels applied and has not been used for more than a specified number of days.
Data overexposure: This policy helps detect external, excessive, and idle access risks.
Overview dashboard: provides trends and actionable insights on personal data, privacy policies, policy matches and violations, and subject rights requests. The personal data is categorized by type (e.g., credit card, address, etc.), data location (e.g., Exchange, SharePoint, Teams, etc.) and geographic location.
Data Profile: provides an integrated experience for privacy admins to explore the data matching the policy and perform a complete review of the matched content, locations and users. This offers the familiar experience of Content Explorer, already available as part of the 'Data Classifications' feature in Compliance Centre.
Subject rights requests: Privacy Management streamlines the process of responding to subject rights requests by automatically discovering the subject's personal data within the Microsoft 365 environment. It also provides visibility into data conflicts such as legal or confidential holds, along with built-in annotation and redaction capabilities.
How does Microsoft Priva support remediation of privacy risks?
It's important to note that Priva is not a standalone solution. It's a new experience of workflows / policies / dashboards built on an existing fabric of information protection, protection and prevention. The following image describes the role of Microsoft Priva in addressing your privacy risk management, data discovery and subject rights requests needs.
The above diagram demonstrates the integration of Microsoft Priva with the Microsoft Compliance suite to provide organisations with an integrated compliance solution for all of their information in Microsoft 365.
What is the user experience of Microsoft Priva?
Microsoft Priva integrates very well, so well that you often wonder if it's just a new page on the same old functionality we have all been using in Compliance Centre. For example, the data profile experience takes you to the existing Content explorer functionality. However, as Microsoft has positioned this as a new brand category, we can expect more features and experiences to come, as we have seen with the evolution of the Microsoft Information Protection, Governance and Data Loss Prevention capabilities.
Here are a few screenshots of the currently available experiences under the Microsoft Priva brand.
How do I know if my organisation should invest in privacy solutions?
Data privacy compliance is important for every organisation capturing or receiving information which contains personal data. Responsible, policy-based management of such information, to know it, protect it and govern it throughout its useful purpose and lifecycle, is essential. Here are 3 critical success factors to prepare your organisation for the rising challenge of privacy compliance.
Establish a privacy compliance framework, standards and policies to support your organisation's privacy obligations.
Establish a strategy and roadmap for enabling Microsoft 365 Compliance features to prepare the technology to support privacy policies.
Implement policies to monitor and provide the actionable insights essential to transition to a preventative / remediation mode for effectively governing the personal data in your organisation.
How can Infotechtion help?
Infotechtion is a Microsoft GOLD partner specialising in Security and Compliance solutions across Microsoft 365 and hybrid platforms. Begin your compliance journey with a Compliance workshop to discover your sensitive data and develop a compliance strategy in 4 weeks. This workshop is often funded by Microsoft; you can register your interest through the Microsoft commercial marketplace (Microsoft Compliance Workshop - 4weeks) or contact Infotechtion directly to book a demo at infotechtion.com.