Report: Execute data requests and keep required documentation

By Microsoft

07/06/2017

Execute on data requests, report data breaches and keep required documentation

Record-keeping

Organisations processing personal data will need to keep records about the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries receive personal data and the legal basis of such transfers; organisational and technical security measures; and data retention times applicable to various datasets. One way to achieve this is using auditing tools, which can help to ensure that any processing of data—whether it be collection, use, sharing, or otherwise—is tracked and recorded.

Microsoft cloud services offer embedded auditing services that can help you meet this standard.

Azure, Office 365, and Dynamics 365

In the Service Trust Portal, you can find comprehensive information about the various Azure, Office 365 and Dynamics 365 compliance, security, privacy and trust offerings, including reports and attestations. Third-party independent audit and GRC (governance, risk management, and compliance) assessment reports help you to stay up to date on how Microsoft cloud services comply with global standards that matter to your organisation. Trust documents can help you understand how Microsoft cloud services protect your data and how you can manage data security and compliance for your cloud services.

Azure

Auditing and logging of security-related events, and related alerts, are important components in an effective data protection strategy.

Azure logging and auditing capabilities enable you to:

Create an audit trail for applications deployed in Azure and virtual machines created from the Azure Virtual Machines Gallery.
Perform centralised analysis of large data sets by collecting security events from Azure infrastructure as a service (IaaS) and platform as a service (PaaS). You can then use Azure HDInsight to aggregate and analyse these events, and export them to on-premises SIEM systems for ongoing monitoring.
Monitor access and usage reporting by taking advantage of Azure logging of administrative operations, including system access, to create an audit trail in case of unauthorised or accidental changes. You can retrieve audit logs for your Azure Active Directory tenant, and view access and usage reports.
Export security alerts to on-premises SIEM systems by using Azure Diagnostics, which can be configured to collect Windows security event logs and other security-specific logs.
Get third-party security monitoring, reporting and alert tools from the Azure Marketplace.

Microsoft Azure Monitor enables organisations to easily view and manage all their data monitoring tasks from a central dashboard. You get detailed, up-to-date performance and utilisation data, access to the activity log that tracks every API call, and diagnostic logs that help you trace issues in your Azure resources. In addition, you can set up alerts and take automated actions. Azure Monitor integrates with your existing tools, so you get rich end-to-end monitoring and analytics by combining Azure Monitor with the analysis tools you are already familiar with.

Office and Office 365

Service Assurance in the Office 365 Security & Compliance Center gives you deep insights for conducting risk assessments, with details on Microsoft Compliance reports and transparent status of audited controls, including:
- Microsoft security practices for customer data that is stored in Office 365.
- Independent third-party audit reports of Office 365.
- Implementation and testing details for security, privacy, and compliance controls that help customers comply with standards, laws, and regulations across industries, such as ISO 27001 and ISO 27018, as well as the Health Insurance Portability and Accountability Act (HIPAA).
Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which help with early detection and investigation of security and compliance issues. Use the Office 365 Audit log search page to start recording user and admin activity in your organisation. After Office 365 prepares the audit log, you can search it for a broad range of activities, including uploads to OneDrive or SharePoint Online or user password resets. Exchange Online can be set up to track changes that are made by administrators, and track whenever a mailbox is accessed by someone other than the person who owns the mailbox.
Customer Lockbox gives you authority over how a Microsoft support engineer may access your data during a help session. In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request. If you approve it, the engineer is able to access the data. Each request has an expiration time, and once the issue is resolved, the request is closed and access is revoked.

Enterprise Mobility + Security (EMS)

Azure Information Protection provides rich logging and reporting to analyse how sensitive data is distributed. Document tracking allows users and admins to monitor activities on shared data and revoke access in unexpected events. Azure Information Protection also provides capabilities to analyse unstructured data residing in file shares, SharePoint sites and libraries, online repositories and desktop or laptop drives. With access to the files, you can scan the contents of each file and determine whether certain classes of personal data exist in the file. You can then classify and tag with a label each file based on the kind of data present. Additionally, you can generate reports of this process, with information about the files scanned, classification policies that matched and the label that was applied.

Windows and Windows Server

Windows Event Log provides rich event logging capabilities that enable administrators to view logged information about operating system, application and user activities. This log system can be configured to audit detailed user and application actions including access to files, application usage, and policies changes, just to name a few. The Windows Event Log also enables administrators to forward events from clients and servers to a central location for reporting and auditing purposes.

Reporting tools and documentation of cloud services

As with any other database or system handling personal data, your use of cloud services should be well recorded and well understood by your organisation. For example, your organisation will need to understand the personal data held by service providers on your organisation’s behalf; the contractual relationship governing those service providers; and what happens to the data when a service relationship ends.

We help you manage this information by maintaining simple and clear reporting tools about your account in the Microsoft cloud, along with extensive documentation about our cloud services, how they work and our contractual relationship with you.

Notifying data subjects

The GDPR will change data protection requirements and employ stricter obligations for data processors and data controllers regarding notice of personal data breaches that result in a risk to individual rights and freedoms. Under the new regulation, as defined in Articles 17, 31, and 32, the Data Processor must notify the Data Controller of any such personal data breach after having become aware of it without undue delay.

Once aware of a breach, the Data Controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify affected individuals without undue delay. This means that if you are using a Data Processor in your role as Data Controller, you need to make sure you have a clear set of expectations built into your contracts around potential breach notifications.

For incidents where Microsoft holds some or all of the responsibility to respond, we have established detailed Incident Security Incident Response Management processes such as outlined for Azure, Office 365, and Dynamics 365. We also back up our GDPR commitments in our contract language.

Microsoft products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365 and Windows 10—have solutions available today to help you detect and assess security threats and breaches and meet the GDPR’s breach notification obligations.

Handling data subject requests

Among the most significant elements of the GDPR are the rights of the “data subject” stipulated in the Articles under Section 2: Information and Access to Data, Section 3: Rectification and Erasure, and Section 4: Right to Object and Automated Individual Decision Making.

These obligations may have implications on your IT environment and operations as a Data Controller, and the IT environment and operations of any service providers you engage as Data Processors.

Proper data governance has been a key element of privacy laws and is advocated in most data protection and privacy laws and regulations. One key element of governance under the GDPR is the establishment of a Data Protection Officer (DPO) in specific circumstances outlined in Articles 35, 36, and 37. The DPO needs to be involved in all issues which relate to the protection of personal data.

A second important element of GDPR governance is the completion of the Data Protection Compliance Review generating a Data Protection Impact Assessment (DPIA) under the direction of a DPO. Article 33a is specific on the requirements in that within two years of completing a DPIA, the Data Controller need to carry out a compliance review to demonstrate that the processing of personal data is performed in compliance with the DPIA.

The Microsoft Trust Center provides information about the ways in which we can support your journey, including a special section on Microsoft’s views and commitments around the GDPR.

Find out more about Securing your Data
Find out more about Safeguarding your Infrastructure
Find out more at a GDPR Cloud workshop