  • May 5, 2018

The EDRM has posted its first report on the GDPR, "Decoding GDPR". The report summarizes some of the salient points of the GDPR, which becomes enforceable on May 25, 2018:

  • it's a regulation, not a directive, and as such is directly enforceable by the EU, unlike the old Data Protection Directive

  • it has extraterritorial application

  • fines up to €20 million or 4% of global revenue for violations

  • the GDPR will standardize how personal data is treated throughout the EU

The GDPR applies to the processing of data when the data controller or processor is established in the EU, even if the processing does not occur in the EU. It will still apply to data controllers or processors not established in the EU when they offer goods or services to data subjects in the EU, or they monitor behavior of the data subjects in the EU.

The EU concept of 'personal data' contrasts with the US concept of 'personally identifiable information'. The EU concept is broader, including any data that can be used to identify an individual. There are additional protections for special categories of personal data, including biometric, health, and genetic data. Standard practices for dealing with PII under HIPAA may not comply with the requirements of the GDPR.

Data controllers should not be regarded as being directly analogous to electronic discovery custodians. A custodian has possession of ESI. A controller has the power to process personal data.

The GDPR concept of processing is broader than the American electronic discovery concept which merely involves reducing and converting data. In the EU, review or storage of personal data can be 'processing'.

The GDPR requires the preparation of a Privacy Impact Assessment when the rights of data subjects are impacted. Unlike in America, in the EU the re-use of health data requires consent.

Penalties can be imposed in the EU when an organization fails to adhere to the code of conduct it has adopted for complying with the GDPR. Guidelines and best practices may not be viewed as merely aspirational, as they are in the US.

The GDPR distinguishes between 'cross border' data transfers that consist of transfers within the EU, and 'third country' data transfers that concern the transfer of data outside the EU.



Microsoft has posted a set of webinars which explain how Microsoft 365's built-in tools can help businesses comply with the requirements of the General Data Protection Regulation, which becomes enforceable on May 25, 2018. The first of these webinars discusses securing personal data. The Tip of the Night for March 14, 2018 explained how the Office 365 compliance manager can help track compliance with the GDPR. 365 can do far more than just this, and helps users identify when specific files contain data covered by the GDPR.

365 can assist with information protection through data loss prevention policies that restrict the flow of information, and sync with Exchange, OneDrive, SharePoint, and MS Office desktop programs. Azure Information Protection can be used to locate unprotected data, apply encryption to it, or expire it. Azure Advanced Threat Analytics can protect user credentials in the on-premises Active Directory.

These screen grabs from the webinar demonstrate how OneDrive automatically identifies files containing protected data. 365 can detect when a Word document contains personal information protected by the GDPR, as shown in this example:

Other types of sensitive information, such as credit card numbers, can also be detected and flagged in OneDrive, as shown in this example for an Excel file.

When a user attempts to email an attachment to someone outside his or her organization who should not have access to the data, they will receive a warning:

365 can be configured to prevent such a file from being forwarded altogether.

Specific policies can be set up in Data Loss Prevention for different types of PII.
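To show what a DLP sensitive-information classifier is actually doing when it flags a credit card number, here is an added example (not code from the webinar or from Microsoft). Microsoft documents its built-in Credit Card Number type as combining a digit pattern with a Luhn checksum, which is what filters out look-alike strings such as order references; the Python below reproduces that approach on a constructed text snippet and masks the matches the way a policy tip would, leaving only the last four digits. The sample text and the function names are assumptions for the illustration.

```python
import re

# Constructed sample standing in for the contents of a spreadsheet or document.
# Only the first 16-digit string is a Luhn-valid card number; the second is an
# order reference that a naive digit-count rule would flag as a false positive.
SAMPLE_TEXT = """Invoice 2024-0031
Customer card on file: 4111 1111 1111 1111
Order reference: 1234 5678 9012 3456
Phone: 212-555-0198
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        # Double every second digit from the right and fold two-digit results.
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid candidate numbers found in text, separators removed."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_number(digits: str) -> str:
    """Hide all but the last four digits, as a policy tip or log entry would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(text: str) -> dict:
    """Summarize the findings in the shape a DLP rule would act on."""
    numbers = find_card_numbers(text)
    return {
        "sensitive_type": "Credit Card Number",
        "count": len(numbers),
        "masked": [mask_number(n) for n in numbers],
    }


if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))
```

The checksum step is the part worth noticing: the order reference has the right length and grouping but fails Luhn, so it is not reported. Real DLP policies usually add a confidence level and keyword proximity (words like "card" or "visa" near the match) on top of this, which is why the product can offer a low-count warning and a high-count block as separate actions.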

When account numbers and other such information are entered in a Word document, a user will automatically receive a warning about the PII.

When the Word document is saved, a watermark is automatically added . . .

. . . and a footer with a confidentiality caption is inserted.

In addition, the file is automatically encrypted.

The watermark and encryption stay with the document no matter where it is stored.

Azure's Information Protection Scanner reviews on-premises repositories for certain information types, and automatically marks files as confidential. It will generate a log that can be filtered to list the confidential files.

Azure Information Protection extends to SaaS applications.



If you are looking for ways to ensure that the data on your firm's network or a client's network is compliant with the General Data Protection Regulation of the European Union when it becomes effective on May 25, 2018, you may find some help in Office 365.

Microsoft's Office 365 contains a compliance manager which will generate a compliance score. The score is based on the risk of failing to control data properly.

The compliance manager not only assists with tracking compliance with the GDPR, but also with ISO 27001 (for information security); ISO 27018 (for the protection of Personally Identifiable Information (PII)); NIST 800-53 (security controls for federal information systems); NIST 800-171 (unclassified information in non-federal systems); and HIPAA.

Compliance Manager can be accessed on this site: https://servicetrust.microsoft.com/


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea . Proudly created with Wix.com
