GDPR Compliance at a Global Scale

February 5, 2024

Challenge: Achieving GDPR Compliance at Scale

Our client needed help planning and executing an effort to implement GDPR-compliant data protection protocols. This effort would need to provide for updating existing systems where possible and replacing them with new systems when necessary to achieve compliance.

The changes required to secure compliance can be quite substantial: GDPR defines personal data very broadly (any data relating to an identifiable natural person), and failing to adhere to GDPR regulations can result in substantial fines. What’s more, compliance requires supporting in-depth requests from individuals (called Data Subject Requests, or DSRs) pertaining to their personal data. Organizations need to be able to provide copies of, correct, delete, and restrict access to an individual’s personal data on demand. This requirement means all personal data held throughout a global organization needs to be carefully tracked, secured, and made available for rapid retrieval.

The client identified Azure RMS (Rights Management Service) and AIP (Azure Information Protection) as the desired solution stack and developed an overall implementation roadmap. They sought an experienced technology consultant to take on the sweeping workflows needed to execute their roadmap to improved data protection.

Solution: Azure Rights Management and Data Protection

Our client’s plans would require a truly global effort: to ensure vital EU-based data could be seamlessly used throughout the organization, GDPR-compliant systems would need to be rolled out to all global locations, not just those in Europe. And user groups across the world would need to be trained on this new technology.

With the scale of this project in mind, AspireLive was brought in to lead a carefully planned, phased rollout of the tools needed to take control of data security in pursuit of GDPR compliance. This cluster of technologies provided for automatic identification and classification of sensitive data types and included:

  • Account security using Microsoft Multi-Factor Authentication via Microsoft Authenticator, including conditional access and disabling legacy authentication.
  • Data classification and encryption with Azure AIP P2 and Azure RMS to help identify sensitive data types and encrypt, expire, or delete data when it is no longer required. This solution allows searching for data that requires governance under GDPR, streamlining fulfillment of DSRs and minimizing encryption blind spots.
  • Data Loss Prevention to ensure sensitive data types aren’t transmitted without being properly encrypted.
  • Microsoft Cloud App Security to integrate reports from firewalls, cloud apps, and Office 365, allowing administrators to create policies for sensitive data types across multiple cloud types.

A pilot program was used to pinpoint and solve any pain points before a broader global rollout. Our team began by identifying pilot groups and users, locating appropriate server roles and prerequisites for the pilot project, and pinpointing files that could not be automatically categorized and protected. After selecting an appropriate client configuration, we conducted rigorous testing of real GDPR compliance concerns, including handling a test GDPR DSR and a Breach Identification report.

An exhaustive debrief evaluated the security policies implemented in the pilot, identifying lessons learned, evaluating generated compliance reporting, and developing training materials for users and administrators in the pilot implementation.

With this initial pilot a success, our team proceeded to implementation of this technology cluster across the organization. Implementation included installation and configuration of all optional plug-ins and add-ons needed to achieve GDPR compliance. Our team conducted manual labeling and classification of documents which could not be automatically discovered and secured, ensuring all data held by our client was successfully migrated to this new data protection infrastructure.

The effort concluded with training for all users, ensuring the required understanding to both access secure files using an app interface and protect new files using the new technology suite.

We followed up user training with an Admin Orientation session, where we analyzed real end user data and logs to develop an in-depth understanding of data security ops at a global scale as we handed off administrative responsibilities to the client’s internal team.

Benefits: EU-Friendly and Future-Proof Data Security

AspireLive successfully delivered a data security solution that allows our client to operate freely in the EU. This capability is essential not only to grow in the European Union but also to manage a global organization without onerous data silos between EU and non-EU operations.

As the scale of threats to personal data continues to grow, more and more governments are expected to roll out more demanding data protection regulations. While every country’s regulations won’t look the same as GDPR, we can expect virtually all of them to include substantially raised requirements for protection and reporting. Investing in a leading data protection solution now also helped our client future-proof their operations for this rapidly evolving regulatory environment.

Our client, an investor and infrastructure asset manager in the wireless communications space, oversees truly global operations spanning Europe, Asia, Australia, and the Americas.

Industry: Innovative Technology

Services: Risk & Compliance; Security Implementation