With only a few months left there is really no escaping it: every company dealing with data from EU persons must comply with the General Data Protection Regulation (GDPR).
The protection of data is important for the delivery of our services and has been our focus for some time. That is why I – as a security specialist at KPMG Crimsonwing – will share some of our knowledge and experience with you in the coming months to help you to be well prepared.
Begin with a practical tool
To start at the beginning: Good preparation starts with an overview. In this blog I will tell you more about the impact on your organization and the different aspects that play a role. But first I will start with a review of a tool that can help you on your way towards security compliance: the Microsoft Compliance Manager. An interesting investment, because it not only helps you now with GDPR, on the way to May 2018, but also with the application of ISO 27001 and compliance with other laws and regulations. I write this review based on my own test experiences.
Microsoft Compliance Manager: handy for overview and accountability
There are, of course, several tools that help you comply with laws and regulations, but the Microsoft Compliance Manager is first and foremost compatible with most office environments that use Microsoft tools. And secondly, it is a very complete tool in this area. What can you expect from this tool?
- An overview
The tool gives an overview of the conditions that your business needs to meet, depending on the type of regulation or standard (GDPR, HIPAA, ISO 27018, 27001). In addition, it provides status updates about the progress and upcoming control actions from Microsoft. Microsoft ensures that information about laws and regulations is specific and up-to-date. You can also add your own company-specific regulations.
- Detailed management information
You will find a list of services, implementation details and checks that Microsoft performs, including test details, external audits and results in the tool. Microsoft also advises on actions and tools that may be relevant to your organization. This gives you a good overview for your auditor or authorities.
- Assign work and track progress
The proposed (control) actions can be found in a separate overview. Here you can filter, you can bundle the actions and assign them to specific functions or departments within your organization. They can then add central test plans, results and proof.
- Share reports and results
You can easily share the reports in excel format with your auditors or with governments. These reports contain the required detailed information, supplemented with links to relevant appendices.
Pro’s and Con’s of this tool
The main advantage of this tool is the ease of use: if you are familiar with Microsoft Office, operating the tool is simple. Additionally, the descriptions of the control actions are in clear, non-legal language.
Required follow-up actions or suggestions for tools are formulated so that your system administrator can get started. For some organizations it is a disadvantage that – as far as I could see – the tool is only available in English.
Because the preview of the tool is only available for Microsoft Office, I have not yet been able to test it for Microsoft Dynamics or Azure applications. Furthermore, I do not find the search at article level very simple – per GDPR article, that is. The overview of GDPR control actions is good, but data protection officers (DPOs) and managers will usually have to answer questions from customers, auditors and governments at article level. However, if you export the overview of control actions to Excel, you can custom sort.
And then privacy: as you would expect from a tool like this, privacy is well organized. The data that you upload in the Compliance Manager – and which may possibly contain customer data – are well-protected. Microsoft does not have access to it.
Do you want to work with the Compliance Manager yourself? A preview can be found here. In my next blog I will tell you more about the different steps and actions you can take within your organization on the way to May 2018, when the GDPR is really an obligation.