Microsoft has made available Privacy Management for Microsoft 365, a new AI-based solution to help enterprises manage data privacy risks and build a privacy resilient workplace, as well as automate the response to subject rights requests at scale.
Privacy Management is built into the Microsoft 365 compliance center and is currently available as an add-on to organizations with Office 365 A1/E1/A3/E3/A5/E5 and Microsoft 365 A3/E3/A5/E5 subscriptions.
A solution for operationalizing privacy management
“The data privacy regulation landscape is more complex than ever. With new laws emerging in countries like China and India, shifts in Europe and the United Kingdom, and currently 26 different laws across the United States, staying ahead of regulations can feel impossible,” says Vasu Jakkal, Corporate VP of Security, Compliance and Identity, Microsoft.
“With role-based access controls and data de-identified by default, Privacy Management for Microsoft 365 helps organizations to have end-to-end visibility of privacy risks at scale in an automated way.”
The solution aims to protect the company against privacy risks such as data hoarding, data transfers, and data oversharing, and to teach employees who work with personal data to make smart decisions when handling it.
From the privacy administrators’ perspective, Privacy Management for Microsoft 365 continuously finds where personal data is stored in the enterprise environment and maps it, allowing them to see an aggregated view of the organization’s privacy posture; the amount, category, and location of private data; and associated privacy risks and trends over time.
The tool also makes responding to subject rights requests easier for admins. “Data privacy regulations such as GDPR or California Consumer Privacy Act (CCPA) grant consumers the right to know the specific pieces of data that organizations have collected about them. Responding to such requests (commonly known as data subject requests) has been a manual and cumbersome process,” Shilpa Ranganathan, Group Product Manager, Microsoft Security and Compliance, explained.
“The process begins with finding relevant data, followed by identifying and triaging multi-person data and legal conflicts and finally reviewing the data set across multiple teams before responding to the subject’s request. [Privacy Management for Microsoft 365] automatically locates the subject’s personal data, identifies data conflicts, enables secure collaboration through Microsoft Teams, and provides built-in review and redact capabilities.”
She also pointed out that Microsoft has provided APIs that allow customers to integrate with their existing processes and solutions to automatically create and manage subject rights requests in Privacy Management, and has partnered with several privacy software vendors to extend subject rights management capabilities to personal data stored outside the Microsoft 365 environment.
From the employees’ perspective, the solution intervenes when it detects a potential data incident. It blocks the sharing of data that should not be shared (e.g., with users in other geographic regions, in other departments, etc.), shows a message to the user explaining the policy violation in question, and allows the user to choose what to do next. The goal is also to improve employees’ knowledge about privacy risks and their ability to spot them in the future.