Leveraging Microsoft 365 for CCPA and GDPR compliance
In the last few years, there has been a massive spike in the adoption of cloud technologies. Office 365 (O365), within the Microsoft 365 bundle of services, is the most widely used cloud service with approximately 180 million active users. Additionally, more than half a million businesses use Microsoft Teams, the integrated unified communications platform, including 91% of the Fortune 100. The mass exodus toward Microsoft 365 stems from its ability to increase productivity, decrease costs, and allow for better management of risk.
Of all the benefits of the growing adoption of Microsoft 365, the most important one for today’s booming global economy is the management of risk, especially with the growing number of privacy and data protection regulations around the world.
It is no longer just the EU's GDPR that is governing global organizations. In January of 2020, the world’s fifth largest economy will implement the most comprehensive privacy law in the U.S.: the California Consumer Privacy Act (CCPA). The good news is that this expansive act is designed to give consumers more control over their personal information. The bad news is that California’s new privacy law could cost companies substantial amounts of money.
California’s Department of Finance released a report which provided a broad range of potential costs companies may face in order to become and stay compliant with the CCPA. On the low end, researchers estimated that firms with fewer than 20 employees may have to pay around $50,000 at the outset to become compliant. On the high end, firms with more than 500 employees could pay an average of $2 million in initial costs. Collectively, the researchers estimated about $55 billion will need to be spent by companies to become compliant. To put this amount into perspective, $55 billion is equivalent to about 1.8% of California’s gross state product in 2018. In addition, total compliance costs for all companies, subject to the law, could range from $467 million to more than $16 billion over the next decade.
However, there is good news for companies that already have or intend to invest in Microsoft 365—they can save significant time and money by simply learning to configure and deploy various tools and features already included in Microsoft 365 to help meet privacy requirements.
Assess and Manage Risk
From the board and C-level executives on down, organizations should prioritize the need to understand all applicable privacy regulations. A top priority is determining what they should do with the data, before even starting a conversation on what they can do, such as using data science or analytics to gain business value and consumer insights.
To assess whether, or which, privacy rules apply to your organization, it is crucial to first analyze the data your organization processes and where it resides. If you are subject to certain privacy rules it may be necessary to implement and manage audit controls to ensure compliance. This can be done through tools within O365 to achieve the following objectives:
- Content Search, together with "sensitive information types," can be used to find personal data in the environment and report on its location.
- Compliance Manager, through a single dashboard, allows privacy professionals to perform assessments, protect data, and respond to data requests.
- Organizations can assess compliance and perform ongoing risk assessments from one central place.
- Users can protect data across all devices, applications, and cloud services by using encryption, controlling access, and implementing information governance.
- Users can respond to customer, data subject, and regulatory requests by locating relevant data through built-in eDiscovery and auditing features.
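The Content Search step above can be scripted from Security & Compliance PowerShell. The following is an added example, not code from the original article or from Microsoft: it creates a search that matches a built-in sensitive information type across all mailboxes and SharePoint/OneDrive sites, waits for the estimate, and then pulls a per-location summary so you can report where the personal data resides. It assumes the Exchange Online PowerShell module is installed and the signed-in account holds an eDiscovery role; the search name is a constructed placeholder.

```powershell
# Added example (not from the original article): locate personal data with Content Search
# and a built-in sensitive information type, then report on its location.
# Assumes the ExchangeOnlineManagement module is installed and the account can run
# eDiscovery searches. The search name below is a constructed placeholder.

# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession

# List the built-in sensitive information types so the query uses an exact name.
Get-DlpSensitiveInformationType | Select-Object Name, Publisher | Sort-Object Name

$searchName = 'PII-Discovery-CreditCard'   # constructed placeholder

# Create a search over all mailboxes and all SharePoint/OneDrive sites whose query
# matches the "Credit Card Number" sensitive information type.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery 'SensitiveType:"Credit Card Number"'

Start-ComplianceSearch -Identity $searchName

# Poll until the estimate finishes. Nothing is exported at this stage; the search
# only counts matching items so the result can be reported without copying content.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

# Total item count and size show how much data of this type is in scope.
$search | Select-Object Name, Status, Items, Size

# SuccessResults holds the per-location breakdown (which mailboxes and sites matched),
# which is the "report on its location" piece of the objective.
$search.SuccessResults

# Optional: generate a report-only action (summary of locations and counts, no content).
New-ComplianceSearchAction -SearchName $searchName -Report
```

Swap the `SensitiveType` value for any other name returned by `Get-DlpSensitiveInformationType` (or a custom type you have created) to build the same estimate for other categories of personal data; keeping the query to `SensitiveType:` rather than keywords avoids false positives from ordinary numbers in the corpus.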
Classify, Protect, and Monitor Personal and Sensitive Data
Both the GDPR and the CCPA levy damages for violation of privacy laws with regard to security measures violations and data breaches of personal information. Since organizations live in a world with a tsunami of data across their digital estate, understanding where their most sensitive data is and how to protect it is critical to reduce compliance risks.
In order to get a grasp on where sensitive data lives, data labels may be a great option. If no labeling system is currently in place, a classification schema for personal data should be designed to decide if you also want to implement labels. If you do want to apply personal data labels, the next step is to develop the taxonomy and search criteria for finding sensitive data. For personal data, this may have already been completed by identifying sensitive information types or by customizing or creating new sensitive information types for your environment.
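Once the classification schema and taxonomy exist, the labels themselves can be created and published from the same PowerShell session. The following is an added example, not the article's or Microsoft's own code: it defines one sensitivity label for personal data, publishes it to all users so it is available in Office applications, and verifies that the label and policy were created. The label and policy names, tooltip and comment are constructed placeholders for whatever taxonomy your schema defines.

```powershell
# Added example (not from the original article): create and publish a sensitivity label
# for personal data as the first entry in a classification schema.
# Assumes the ExchangeOnlineManagement module is installed and the account holds a
# compliance administrator role. All names below are constructed placeholders.

Connect-IPPSSession

# 1. Define the label. The tooltip is what users see in the Office labeling UI, so it
#    should state the taxonomy rule plainly.
New-Label -Name 'Personal-Data' `
    -DisplayName 'Personal Data' `
    -Tooltip 'Contains personal information in scope of GDPR/CCPA' `
    -Comment 'Constructed example label for the personal data classification schema'

# 2. Publish the label. A label is invisible to users until a label policy includes it;
#    -ExchangeLocation All publishes it to every user in the tenant.
New-LabelPolicy -Name 'Personal-Data-Policy' `
    -Labels 'Personal-Data' `
    -ExchangeLocation All

# 3. Verify the label and policy exist and note the label's immutable GUID, which is
#    what downstream tooling (DLP rules, auto-labeling) references.
Get-Label -Identity 'Personal-Data' | Select-Object Name, DisplayName, ImmutableId
Get-LabelPolicy -Identity 'Personal-Data-Policy' | Select-Object Name, Labels, Enabled
```

Create one `New-Label` call per tier in your taxonomy (for example a separate label for data that also triggers breach-notification duties) and list them all in the `-Labels` parameter of a single policy; the order you assign with label priority governs which label wins when a document qualifies for more than one.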
Another feature to consider is Microsoft Information Protection (MIP). MIP can help decrease exposure to fines and penalties by harnessing an integrated and intuitive approach to target the 80% of corporate data that is estimated to be dark or unclassified and unprotected.
Due to increasingly sophisticated and prevalent cyber threats, a big driver of customer adoption of Microsoft 365 is the need for security and complex information protection. In fact, 31% of organizations have experienced cyberattacks related to data acquisition, and the average cost for each stolen identifiable record in 2019 was $150 in the United States—and that number is steadily rising. The Microsoft 365 suite lets you safeguard data in several ways:
- Identity & threat protection brings together security value across Office 365, Windows 10, and EMS into a single offering. It includes advanced threat protection services including Microsoft Threat Protection (Azure Advanced Threat Protection (ATP), Windows Defender ATP, and Office 365 ATP including Threat Intelligence), as well as Microsoft Cloud App Security, and Azure Active Directory.
- Information protection & compliance helps security and IT teams perform ongoing risk assessments across Microsoft Cloud Services, automatically protect and govern sensitive data throughout its lifecycle, and efficiently respond to regulatory requests using built-in intelligence.
- Encrypt data at rest and in transit by using several strong encryption protocols and technologies, including Transport Layer Security/Secure Sockets Layer, Internet Protocol Security, and Advanced Encryption Standard.
Although Microsoft 365 contains many tools to assess and maintain compliance with privacy regulations, the bulk of the responsibility still falls on the organization. Building data privacy and security into everyday practices not only reduces risk, but also allows for better insight into data, which helps drive business success.