Security is paramount these days, and if you are not careful with the data you store you could be liable for a very large fine.
GDPR (the General Data Protection Regulation) came into force on 25th May 2018. It had been adopted as legislation two years earlier, but was not enforced during that period in order to give businesses time to adopt new ways of working.
In the past the security of data was not seen as that big a deal, because it was far cheaper to pay the fine than to put good security measures in place: the maximum you could be fined was £500,000 if the Information Commissioner's Office (ICO) found out about a security breach. This was under the Data Protection Act, which had been in force for almost 20 years. Crucially, businesses were not obliged to inform the ICO that they had had a security breach, so the fine was rarely a real deterrent.
GDPR was introduced to add weight to the regulators across the EU. It is a pan-EU regulation (not a directive, so it applies directly in every member state) which obliges businesses to inform their regulator when they have a breach; if they do not notify the regulator within the set time (72 hours of becoming aware of the breach) they are liable for a fine. Even if you do inform the ICO you can still be fined, with each case determined on its own merits: the size of the breach, how much security had been implemented, and whether GDPR had been implemented.
Up to September 2019 the various EU regulatory authorities had issued, or announced they would be issuing, fines of approximately €372,120,990.50, which has made businesses appreciate the need for security.
What we did
With this in mind we have been assisting a national charity in the UK with implementing security policies and processes that help prevent security breaches.
To do this, we first helped them migrate to Microsoft 365 and then implemented the following:
Set up policies for Data Loss Prevention (DLP), based on the built-in Microsoft 365 templates, which scan for:
UK Financial Data
UK Access to Medical Reports Act
UK Data Protection Act
UK Privacy and Electronic Communications Regulations
UK Personally Identifiable Information Data
UK Personal Information Online Code of Practice
The above policies scan the content of Exchange emails, SharePoint sites, OneDrive accounts, and Teams chat and channel messages. The policies have been configured to intercept data when someone attempts to share it externally; the user trying to share the data is emailed with policy tips so that they do not violate the policy that triggered the alert.
The owner of the SharePoint site or OneDrive is also notified, as is the owner of the content. The data controller and the compliance officer are notified about policy violations.
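The DLP configuration described above can be scripted rather than clicked through in the compliance portal. The following is an added example written for this article, not the charity's actual configuration: it creates one DLP policy covering all four workloads and a rule that blocks external sharing of UK identifiers, shows a policy tip, notifies the content owner, last modifier and site admin, and sends an incident report to the compliance officer. It assumes the ExchangeOnlineManagement module is installed, that the sensitive information type names match those in the tenant (check with Get-DlpSensitiveInformationType), and that admin@contoso.org and compliance@contoso.org are placeholder addresses.

```powershell
# Added example, not the configuration from this page. Requires the
# ExchangeOnlineManagement module; addresses below are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.org

$policyName = 'UK PII - External Sharing'

# 1. Policy: scope the policy to every location in each workload.
#    TestWithNotifications shows tips and reports matches without blocking,
#    so the rule can be tuned before it is switched to -Mode Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks UK personal data from leaving the organisation' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: the sensitive information types to look for (names assumed to
#    match the tenant's built-in types) and what to do on a match.
$sensitiveTypes = @(
    @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1' },
    @{ Name = 'U.K. National Health Service Number';   minCount = '1' },
    @{ Name = 'Credit Card Number';                    minCount = '1' }
)

# AccessScope NotInOrganization means the rule only fires when the recipient
# or sharing target is outside the tenant; internal collaboration is untouched.
New-DlpComplianceRule -Name "$policyName - Block" -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier, SiteAdmin `
    -NotifyPolicyTipCustomText 'This item contains UK personal data and cannot be shared outside the charity.' `
    -GenerateIncidentReport 'compliance@contoso.org' `
    -IncidentReportContent Title, DocumentAuthor, Service, Severity, DetectionDetails `
    -ReportSeverityLevel High

# 3. Verify the rule before enabling the policy.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, NotifyUser, GenerateIncidentReport
```

Starting in test mode matters in practice: a rule that matches on a single credit card number will also fire on genuine donation records sent to a payment partner, so review the incident reports for a week or two, add exceptions (for example an allowed partner domain) and only then set the policy to Enable.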
The other feature configured is information governance using custom sensitivity labels.
The labels are:
The labels are used to trigger events and to control how the data is stored or shared. Specific labels trigger specific events: for example, only data labelled Public can be shared openly, Commercial Confidential can only be shared with specific partner businesses, and the remaining labels cannot be shared externally by policy. Users are required to label data when it is created and saved or created and shared, such as documents, spreadsheets and email. Only specific users can lower the sensitivity of a label, meaning that general users cannot change a label once it has been assigned; this stops users from downgrading data in order to share it when it should not be shared.
The Compliance Administrator can now handle Data Subject Requests (DSRs) within the organisation, generating reports that show every location where an individual's data is stored and gathering all instances into a report that can be supplied to the person who made the request. This was not easy to do before, which would potentially have put the charity in breach of GDPR if it were found not to have supplied all of the information covered by a DSR.
Lastly, we have configured the Microsoft Service Trust Portal, which enables the charity to self-score its GDPR compliance and to show all the steps taken to ensure data is secure within Microsoft 365. This provides a GDPR checklist the charity can follow to ensure it is compliant or, where it is not yet, to document what it is doing to work towards compliance.
Migrating to Microsoft 365 rather than Office 365 is what makes these additional features available.