Starting today Microsoft Cloud App Security provides new risk assessment capabilities to help you determine if the cloud apps and services used across your organization are compliant with GDPR requirements.
On May 25, 2018 the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect. The GDPR imposes new rules on organizations that offer goods and services to EU citizens, or that collect and analyze data tied to EU residents, regardless of where the businesses are located. It establishes strict privacy requirements, governing how you manage and protect personal data, while respecting individual choice – no matter where data is sent, processed, or stored.
With organizations increasingly leveraging cloud applications to outsource productivity and other workloads, data is no longer stored in one central on-premises location. Instead your data is now spread across multiple public cloud apps and services, where it can be easily accessed and shared with others. Additionally, Shadow IT makes it even more difficult for organizations to conclusively assess their compliance with GDPR requirements. With the new accountability, enforced by the GDPR framework, it is more important than ever to ensure your corporate data is stored and handled accordingly.
Assess GDPR readiness with Microsoft Cloud App Security
The Discovery capabilities in Cloud App Security, Microsoft’s CASB solution, can now help you determine whether your cloud apps and services comply with GDPR requirements, so you can take corrective action if necessary.
Sourcing from a catalog of more than 16,000 apps, Cloud App Discovery enables you to identify which cloud apps and services are being used in your organization. Before today, the service leveraged 60 different parameters, including regulatory certifications, industry standards, and best practices, to assign a risk score to each one of those apps.
We have added 13 new components to the risk assessment, directly aligned to GDPR requirements, to provide you with a more comprehensive GDPR readiness overview for your organization. In cases where a cloud provider is listed as not GDPR ready, you will also be able to see which GDPR controls have not been implemented by the cloud service provider.
The new risk information can be viewed in the risk profile of each app, which is accessible from the cloud app catalog and the discovered apps page in the Microsoft Cloud App Security portal. Shortly, you will also have access to a powerful, pre-built query (‘GDPR-ready cloud apps’), to get a quick view of all the cloud apps that are used across your organization and that meet the GDPR framework requirements.
During your risk assessment, look for the following risk factors in our portal to determine GDPR compliance:
- GDPR readiness statement (links directly to the GDPR statement of the cloud service provider and was previously available)
- Reporting data breaches (Article 33)
- Right to be forgotten/Right to erasure (Article 17)
- Data protection impact assessments (DPIA) (Article 35)
- Data protection officers (Article 37)
- Secure cross border data transfer (Article 44, 45)
User ownership (Data Subject Access Rights)
- Lawful basis for processing (Article 6)
- Right to access (Article 15)
- Right to be informed (Article 13, 14)
- Right to rectification (Article 16)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision making including profiling (Article 22)
- App risk assessment view with the new GDPR-aligned criteria
If you are a cloud service provider, be sure that your service is properly assessed – contact us today to update your GDPR readiness status, by sending feedback directly from the Cloud App Security portal.
More information and feedback
Get more information on how to use Microsoft Cloud App Security to govern discovered apps that don’t meet GDPR requirements. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.