What is GDPR?
In 2018, the General Data Protection Regulation (GDPR) came into force. This regulation affects all companies that deal with personal data within the European Union.
In this respect, the GDPR aims to strengthen the rights of data subjects. In other words, it gives consumers effective control over the personal data they provide to a company at a certain point in time.
In this context, a data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or processed".
Application
- It implies PRIVACY BY DESIGN. In other words, privacy as a central aspect in the configuration of new products and/or processes.
- It also implies the use of clear and simple, concise and transparent language.
- It is also necessary to incorporate CONTROLLERS. Internal managers in charge of demonstrating compliance with the GDPR.
- PIA, security impact assessment. That is, identifying and minimising risks of non-compliance as a formal requirement.
- In addition, new rights are added for the data subject. For example, FORGETTING, DATA PORTABILITY or TO OBJECT (that the data cannot be used in direct marketing).
Penalties for non-compliance
- First, companies must report breaches in their information security measures within 72 hours.
- 20 million or 4% of total turnover (whichever is higher).
- They will also be liable for any financial compensation for damage caused.
- In addition, companies in breach of the rules will have to publicise their infringement. With the consequent reputational damage that this entails.
- On the other hand, each State may associate administrative sanctions with possible legal sanctions.
Microsoft Azure | GDPR
One of the requirements of GDPR is the ability to identify data and control who has access to it. In this regard, Microsoft Azure enables the management of user identities and credentials and access control through:
- AZURE ACTIVE DIRECTORY (Azure AD). Through this tool, only certain authorised users can access data, computing environments and applications.
- AZURE INFORMATION PROTECTION. Ensures that data is identifiable and meets security requirements.
In addition, GDPR requires the protection of data contained in systems, reporting and compliance monitoring.
For example, it provides visibility and controls in relation to cloud security. It does this by monitoring resources, providing security recommendations and assisting in threat detection and deterrence.
Both data at rest and data in transit are protected. That is, data protection while being transferred from an application to the Azure environment.
It protects cryptographic keys, certificates and passwords. It also includes the guarantee that Microsoft cannot see or extract the keys. Azure logs allow you to monitor and audit the use of stored keys.
That is, configurable audit options and security logs. In addition, Log Analytics is able to collect and analyse data generated by local or cloud resources.
It locates leaks and is able to identify attackers. It achieves this through behavioural analysis and anomaly detection technologies.
Office 365 | GDPR
To ensure identification and management of access to personal data, Office 365 provides:
- DATA LOSS PREVENTION (DLP). For example, able to identify more than 80 common sensitive data types.
- ADVANCED DATA GOVERNANCE. Useful for finding, classifying and defining policies. Also for taking steps to manage the data lifecycle.
- OFFICE 365 eDISCOVERY. A very important function as it is able to find text and metadata in all Office 365 resources. I.e. SHAREPOINT ONLINE, ONEDRIVE FOR BUSINESS, SKYPE FOR BUSINESS and EXCHANGE ONLINE.
- CUSTOMER LOCKBOX. For express authorisation to access personal data.
On the protection of personal data against security threats:
For example, to protect e-mail.
Able to detect advanced threats and provide proactive protection.
Identifies abnormal and high-risk uses.
Responsible for monitoring and tracking the activities of administrators and users.
Microsoft Dynamics 365 | GDPR
Microsoft Dynamics 365 allows you to manage and monitor access to data in the following ways:
- ROLES. That is, limiting the tasks that a given user can perform.
- RECORDS. Similarly, it is able to limit access to certain records.
- FIELD. And it restricts access to certain fields. For example, it could be access to personal information.
- AZURE ACTIVE DIRECTORY (Azure AD). Finally, you have this cloud tool that allows you to control user access.
With regard to the protection of personal data, Microsoft Dynamics 365 uses:
Important when integrating safety requirements at every step of the process.
Both in transit between user devices and data centres, and at rest in databases.
MICROSOFT ENTERPRISE MOBILITY +SECURITY | GPDR
Already in its design, Microsoft incorporated industry-leading security features. Therefore, the transition to the new European legal framework is not as complicated as it could be.
In this regard, it has capabilities that enable it to ensure the integrity of personal data.
It can also manage what data is held, where it resides and can control how it is used and accessed by users. It is also able to establish effective security controls to prevent and detect vulnerabilities and incidents.
- AZURE ACTIVE DIRECTORY (Azure AD). Ensures that only authorised users have access to computing environments, data and applications.
- MICROSOFT CLOUD APP SECURITY. To discover all cloud apps in your environment. It also allows you to identify users and usage and receive a risk score for each app.
- MICROSOFT INTUNE. It provides protection for data hosted on personal computers and mobile devices. It is therefore a very important tool.
- MICROSOFT ADVANCED THREAT ANALYTICS. It locates leaks and is able to identify attackers. It uses behavioural analysis and anomaly detection technologies.
MICROSOFT SQL SERVER and AZURE SQL DATABASE | GDPR
In order to control access to the database and the administration of the use of the data, there are safeguards that allow authorisations at different levels:
- AZURE SQL DATABASE FIREWALL. Capable of limiting access by restricting certain specific server databases. In addition, it allows only authorised connections.
- SQL SERVER AUTHENTICATION. So that only authorised users can access the server databases. Supports both Windows authentication and SQL Server logins.
- SQL SERVER AUTHORISATION. Because security in SQL Server and Database is role-based, it allows you to maintain control of data through role membership and object-level permissions.
- DYNAMIC DATA MASKING (DDM). Through the masking of data to users or applications, access to information is controlled.
- ROW LEVEL SECURITY (RSL). Also to implement restrictions on rows of data.
For the protection of data against security threats, SQL Server and SQL Database are equipped with:
- TRANSPARENT DATA ENCRYPTION. By encrypting the database, it effectively protects data at rest. In addition, it offers related backups and transaction log files.
- TRANSPORT LAYER SECURITY PROTOCOL (TLS). TLS is responsible for the protection of data in transit over SQL Database connections.
- ALWAYS ENCRYPTED. A highly innovative feature, designed to protect sensitive data in SQL. It encrypts data without revealing the keys even to the database engine.
- SQL DATABASE AUDIT and SQL SERVER AUDIT. To track events that have occurred in the database and log them as an audit.
- SQL DATABASE THREAT DETECTION. Through an advanced set of algorithms, it detects anomalous activity that could be a threat.
WINDOWS 10 and WINDOWS SERVER 2016 | GDPR
Security has been a priority in the design of Windows 10 and Windows Server 2016. In this sense, they comply with the requirements of the new GDPR regulation through:
- WINDOWS HELLO. An alternative to enterprise-level passwords that uses a natural (biometric) or known (PIN) method.
- WINDOWS DEFENDER. It is an anti-malware solution capable of detecting and protecting against malware.
- WINDOWS DEFENDER ADVANCED THREAT PROTECTION (ATP). Advanced security through incident detection, investigation and response.
- DEVICE GUARD. Enables blocking of servers and devices to protect against advanced threats. This allows devices to run only authorised applications.
- CREDENTIAL GUARD. Through this functionality it is possible to isolate device secrets and prevent access to them. For example, tokens or logins.
- BITLOCKER DRIVE ENCRYPTION. To protect data when a device is lost or stolen.
- WINDOWS INFORMATION PROTECTION. In this case, it is the protection of data from unauthorised users and applications. It also helps to prevent leaks of company-sensitive documents.
- SHIELDED VIRTUAL MACHINES. Disks and virtual machines are encrypted via BitLocker.
- JUST ENOUGH ADMINISTRATION AND JUST IN TIME ADMINISTRATION. To limit the powers and time for administrators to act.
Do you want an appointment with a consultant?
Contact us with no obligation and we will advise you. Start the digital transformation of your company!