By David J. Rosenthal
Inside and outside of IT, there is growing awareness of the increasing frequency and severity of data breaches, as well as the economic and reputational harms to which they expose organizations of all types. No business wants to see its name in the headlines associated with the loss of customer, user, or employee data, particularly not when personally identifiable information or other sensitive data assets are involved.
Additionally, a wide array of regulatory bodies worldwide have already enacted or are in the process of enacting strict new rules that govern when and how personal data can be collected, stored, and shared, notably the GDPR (General Data Protection Regulation), which penalizes mishandling digital privacy matters throughout the EU.
Microsoft, being well aware of these developments, announced a new solution that directly addresses these issues and serves as a comprehensive layer of protection to mitigate privacy breaches. Privacy Management for Microsoft 365 joins other Microsoft security and compliance tools implemented and managed by Razor Technology, including Compliance Score and Compliance Manager, which features Advanced eDiscovery, Insider Risk Management, Information Protection, and Information Governance.
These technologies will serve not just as a more secure way of handling data, but as a more efficient one as well. Too many organizations are still performing data mapping with manual workflows like spreadsheets and email. Those applications are not optimized for that task, which results in wasted time and effort when responding to privacy requests from customers, employees, vendors, and regulators.
The Power to Protect Privacy
A truly data-safe workplace will require more robust technologies, and Privacy Management for Microsoft 365 delivers them, helping organizations in three significant ways:
- Identifying critical privacy risks and conflicts
- Automating privacy operations and responses to subject rights requests
- Empowering employees to make smart data handling decisions
Because privacy management is still an emerging field, many organizations lack a centralized framework; instead, roles and responsibilities are dispersed and shared somewhat haphazardly throughout the org chart. Armed with Microsoft’s new tool, Razor Technology can help them protect private information better and more consistently.
That means more proactive response times when alerted to a privacy concern, the incorporation of user-actionable content in change management and user education campaigns, and simply more robust discovery and response capabilities with Subject Request Management (commonly called Data Subject Requests or DSRs).
But what harms, specifically, does Microsoft Privacy Management mitigate? For starters, it flags privacy risks, including data overexposure, suspicious data transfers, and data hoarding.
How Data Privacy Management Works
Privacy Management is built into the Microsoft 365 compliance center to centralize access to the many benefits it affords organizations endeavoring to better safeguard sensitive and personal data. It features a continuous data discovery process in which three privacy policies are automatically executed in the backend, generating actionable insights regarding all private data moving through the organization’s systems and networks. Specifically, it offers the following key benefits:
- Visibility into private data, automated data discovery, and user mapping intelligence
- Privacy management at scale with intelligent automation that flags risks and initiates a response
- Increased employee awareness of their role in protecting private data and a culture of proactive privacy
This information is accessible by authorized users and administrators in the Overview Dashboard. Trends depicting the movement and status of personal data, privacy policies, policy matches, and subject rights requests are visualized and categorized by several criteria:
- Type (e.g. credit card numbers, addresses, phone numbers)
- Logical Location (e.g. Exchange, SharePoint, Teams)
- Physical Location (e.g. geographic region, facility)
The privacy management solution offers three out-of-the-box default setups, or it can be customized to fit an organization’s unique needs. The default policy frameworks address:
- Data Transfers: detects data being shared across departments, regions, or countries
- Data Minimization: flags data that has been idle for a set period of time or lacks retention labels
- Data Overexposure: detects data that is seeing unusually high or unexplained usage
One major benefit of Microsoft’s Privacy Management is a vast improvement in the efficiency of handling subject rights requests. The system automatically locates any of the subject’s personal data that exists within the Microsoft 365 platform and, importantly, highlights data conflicts like regulatory and internal confidentiality holds for automatic annotation and/or redaction as the case requires.
Who Has Access to Privacy Management?
All Microsoft 365 subscribers will be able to access this new solution if they choose to. Additionally, it will be available to subscribers of Office 365 E1, E3, or E5. It is an add-on solution for E5 Value and not included in the subscription. For Office 365 and Microsoft 365 (E1, E3, and E5) enterprise or education customers, the solution is delivered in two independent modules sold at different price points:
Privacy Management – Risk
- $5 per user per month
- Private data visibility in Microsoft 365 (including Exchange Online, SharePoint, OneDrive for Business, and Teams)
- Remediation recommendations
- IW engagement tools
Privacy Management – Subject Rights Request
- $200 per request (purchasable in blocks of 1, 10, or 100)
- Automated requests
- Integrates Microsoft Power Automate templates with existing business processes (requires a Power Automate license)
- Programmatic access to APIs
- Secure Teams collaboration (requires appropriate Teams license)
Both Privacy Management modules are available through Razor Technology’s CSP (Cloud Solution Provider) offering. It should be noted that neither module is currently available for use on government clouds. Also, these modules only work with data stored in Microsoft 365, though the programmatic API access in the Subject Rights Request module does permit integrations with external platforms.
Lastly, neither module currently supports “right to be forgotten” requests, but they do support “right to access” and “right of data portability.” Deletion requests will instead defer to a tagged list for follow-ups and manual deletion.
This new management platform from Microsoft offers a compelling solution that scales to fit the needs of organizations of all sizes and offers a truly comprehensive framework for securing private data without hindering productivity. It’s a step in the right direction and will likely become a must-have upgrade for most businesses.
Razor Technology works at the cutting edge of data privacy and modern workplace productivity enhancement with leading digital tools. Contact us today to learn more about Microsoft’s new Data Privacy Management solution.