EU GDPR – is it relevant to Australian companies?

The new General Data Protection Regulation (GDPR) from the European Union (EU) imposes new rules on organisations that offer goods and services to people in the EU, or that collect and analyse data tied to EU residents, no matter where the organisation or the data processing is located. GDPR comes into force in May 2018.

If your customers reside in the EU, whether you have a presence in the EU or not, then GDPR applies to you. The internet lets you interact with customers wherever they are, and GDPR applies to anyone that deals with EU people wherever they are.

And the term personal data covers everything from IP addresses, to cookie data, to submitted forms, to CCTV footage and even to a photo of a landscape that can be tied to an identity. Then there is sensitive personal data, such as ethnicity, sexual orientation and genetic data, which has enhanced protections.

And for the first time there are very strong penalties for non-compliance – the maximum fine for a GDPR breach is EU$20M, or 4% of worldwide annual turnover. The maximum fine can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.

Essentially GDPR states that organisations must:

  • provide clear notice of data collection
  • outline the purpose the data is being used for
  • collect only the data needed for that purpose
  • ensure that the data is only kept as long as required for that processing
  • disclose whether the data will be shared within or outside the EU
  • protect personal data using appropriate security
  • respect individuals' right to access, correct and erase their personal data, and to stop an organisation processing their data
  • notify authorities of personal data breaches.

Specific criteria for companies required to comply are:

  • A presence in an EU country
  • No presence in the EU, but processing of personal data of European residents
  • More than 250 employees
  • Fewer than 250 employees, but processing that is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

What does this mean in real terms for some well-known large companies? Well…

  • Apple turned over about USD$230B in 2017, so the maximum fine applicable to Apple would be USD$9.2B
  • CBA turned over AUD$26B in 2017, so their maximum fine would “only” be AUD$1B
  • Telstra turned over AUD$28.2B in 2017, so the maximum fine would be AUD$1.1B.

Ouch.

The GDPR legislation won’t impact Australian businesses, will it? What if an EU resident gets a Telstra phone or a CBA credit or travel card whilst on holiday in Australia, or if your organisation has local regulatory data retention requirements that appear, on the surface at least, to be at odds with GDPR obligations…

I would get legal advice if the organisation provides services that may be used by EU nationals.

In a recent PwC “Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets”, 92% of respondents stated that GDPR is one of several top priorities.

Technology alone cannot make an organisation GDPR compliant. There must be policy, process and people changes to support GDPR. But technology can greatly assist organisations that need to comply with GDPR.

Microsoft has invested in providing assistance to organisations impacted by GDPR.

Office 365 Advanced Data Governance enables you to intelligently manage your organisation’s data with classifications. The classifications can be applied automatically; for example, if German PII data covered by GDPR is present in a document, the document can be marked as confidential when saved. Once the document is marked, the data can be protected, whether that is by encrypting the file, assigning permissions based on user IDs, or adding watermarks indicating sensitivity.

An organisation can choose to encrypt its data at rest in Office 365, Dynamics 365 or Azure with its own encryption keys. Alternatively, a Microsoft-generated key can be used. Sounds like a no-brainer: all customers will use customer keys. However, the customer must have an HSM (Hardware Security Module) and a proven key management capability.

Azure Information Protection enables an organisation to track and control marked data. Distribution of data can be monitored, and access and access attempts logged. This information can allow an organisation to revoke access from an employee or partner if data is being shared without authorisation.

Azure Active Directory (AD) can provide risk-based conditional access controls. It assesses the risk of the user and the risk of the session from signals such as: can the user’s credentials be found in public data breaches, is the device unmanaged, are they trying to access a sensitive app, are they a privileged user, or have they just completed an impossible trip (logged in five minutes ago from Australia, with the current attempt coming from somewhere that is a 12 hour flight away)? Based on that assessment, access can be granted, multi-factor authentication (MFA) can be requested, or access can be limited or denied.
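As an added illustration of the risk-based decision described above (example code written for this page, not Azure AD’s own engine), the following Python combines those signals, including an impossible-travel check computed from the great-circle distance and elapsed time between two sign-ins; the weights, thresholds, plausible-speed ceiling and sample sign-ins are all assumptions.

```python
# Added example for this page, not Azure AD's own engine: weights, thresholds,
# the plausible-speed ceiling and the sample sign-ins are all assumptions.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; faster than this is "impossible"
MIN_DISTANCE_KM = 100.0     # ignore IP-geolocation jitter within one city
@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    managed_device: bool
    sensitive_app: bool
    privileged_user: bool
    creds_in_breach: bool  # credentials seen in a public breach dump

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance between two coordinates, in kilometres.
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(prev, cur):
    # True when the user could not physically have moved between the two sign-ins.
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = max(abs((cur.when - prev.when).total_seconds()), 1) / 3600  # no divide-by-zero
    return km > MIN_DISTANCE_KM and km / hours > MAX_PLAUSIBLE_KMH

def assess(prev, cur):
    # Combine user and session risk signals into allow / mfa / limit / deny.
    signals = [
        (cur.creds_in_breach, 2, "credentials found in public breach"),
        (prev is not None and impossible_travel(prev, cur), 2, "impossible travel"),
        (not cur.managed_device, 1, "unmanaged device"),
        (cur.sensitive_app, 1, "sensitive application"),
        (cur.privileged_user, 1, "privileged user"),
    ]
    score = sum(w for hit, w, _ in signals if hit)
    reasons = [r for hit, _, r in signals if hit]
    decision = "allow" if score == 0 else "mfa" if score <= 2 else "limit" if score == 3 else "deny"
    return {"user": cur.user, "score": score, "decision": decision, "reasons": reasons}

# Constructed sample: Sydney at 09:00, then London five minutes later from an unmanaged laptop.
SYDNEY = SignIn("alice", datetime(2018, 2, 1, 9, 0), -33.87, 151.21, True, False, False, False)
LONDON = SignIn("alice", datetime(2018, 2, 1, 9, 5), 51.51, -0.13, False, False, False, False)
```

Calling `assess(SYDNEY, LONDON)` flags impossible travel plus an unmanaged device and returns a "limit" decision, while a lone managed-device sign-in with no other signals is allowed.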

Microsoft Enterprise Mobility + Security (EMS) can protect your cloud and on-premises resources. Advanced behavioural analytics are the basis for identifying threats before data is compromised. Advanced Threat Analytics (ATA) detects abnormal behaviour and provides advanced threat detection for on-premises resources. Azure AD provides protection from identity-based attacks and cloud-based threat detection, and Cloud App Security detects anomalies for cloud apps. Cloud App Security can detect what cloud apps are being used, as well as control access, and can support compliance efforts with regulatory mandates such as Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR) and others. Cloud App Security can apply policies to apps from Microsoft or other vendors, such as Box, Dropbox, Salesforce, and more.

Microsoft provides a set of compliance and security tools to help organisations meet their regulatory obligations. To reiterate, policy, process and people changes are required to support GDPR.

Please discuss your legal obligations with a legal professional to clarify any obligations that the EU GDPR may place on your organisation. Remember May 2018 is only a few months away.

Windows Information Protection – enabling BYO

Windows 7 has entered the extended support phase of its lifecycle. What does this mean? Well, Microsoft won’t end security updates for your Windows 7 PCs until the 14th of January 2020, so security should be covered. However, feature updates (bug fixes), and free phone and online support, have already ended. At the same time as Windows 7 leaves extended support, Office 365 connection policies are changing to only allow Office clients in mainstream support to connect (that will be Microsoft Office 2016 or later and Microsoft Office 365 ProPlus)[i]. So, if you’re running Windows 7 and/or Office 2013 or earlier, now is the time to look to the future.

As we all know from the press and personal usage, the real successor to Windows 7 is the evergreen, twice-yearly updated Windows 10. The continual change of Windows 10 (aka Windows as a service), along with the evergreen SaaS apps enterprises are increasingly adopting and an end-user expectation of always updated and current apps (courtesy of smartphones), means the desktop strategies of yesterday (i.e. tightly managed, infrequently updated, limited or no personalisation) no longer look appropriate.

And BYO remains a hot topic for customers and pundits alike.

So how can you manage a continually changing desktop and support BYOD yet maintain the security of your data?

Microsoft have introduced a couple of capabilities to address these problems.  This blog will focus on developments in the ability to protect corporate data on lightly managed corporate or private devices – specifically, data at rest.

Windows Information Protection (WIP) is a new capability that harnesses Azure Rights Management and Intune (also available via System Center Configuration Manager) to protect data on Windows 10 Anniversary Update (build 1607) or later devices.  These are all part of the Azure Information Protection offering that addresses both client and server side protection of data.

WIP is an option under Intune -> Mobile Apps -> App Protection Policies.  As with any other Intune policy WIP can be applied to any Azure AD user group.

WIP has two main considerations regarding data security: data source and data access.

Data Source

In WIP you define network boundaries. Below is the network boundaries blade in Intune.

[Figure: the network boundaries blade in Intune]

A network boundary effectively defines where data does not need to be protected (i.e. within the boundary, say Office 365) and where it does (i.e. accessing outside the boundary such as downloading a file from Office 365, as per the figure below).

[Figure: Explorer, downloading a file from Office 365]

On-premises applications and file servers could be within another network boundary, as could other SaaS options. When data from within a network boundary is accessed externally (say from a PC on the internet), it should be marked as “work” and encrypted, as shown below.

[Figure: Explorer showing a file marked as “work” and encrypted]

Data Access

WIP has the concept of “Allowed Apps”. These are applications defined within the WIP policy as allowed to access work data. Below is the allowed apps blade in Intune.

[Figure: the allowed apps blade in Intune]

Microsoft classifies applications into “enlightened apps” and “unenlightened apps”. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on your policies. Unenlightened apps can’t differentiate between corporate and personal data, so all of their data is considered corporate and encrypted (by Windows, not the app). The Microsoft client apps (Office, Edge, Notepad, etc.) are examples of “enlightened apps”. Finally, if an application is not defined in Allowed Apps then it can’t read work data, nor can corporate data be copied and pasted into it from an Allowed app. In the scenario where an “unenlightened app” won’t work with WIP, it can be defined as exempt, in which case its corporate data is not encrypted.

With Windows Information Protection, Windows now includes the functionality necessary to identify personal and business information, determine which apps have access to it, and provide the basic controls necessary to determine what users are able to do with business data (e.g.: Copy and Paste restrictions). Windows Information Protection is designed specifically to work with the Office 365 ProPlus and Azure Rights Management, which can help protect business data when it leaves the device or when it’s shared with others (e.g.: Print restrictions; Email forwarding).[i]

And this capability is available in all editions of Windows 10 Anniversary Update (build 1607 or later).

Do you need Azure RMS?

WIP is focussed on securing enterprise data on a device. It does not address securing enterprise data in the wild. Azure RMS provides rights management for data once it has left a device. Azure RMS works with a fairly limited set of applications (mainly Microsoft Office across most platforms). With WIP alone a protected file can’t be shared with another user, say by USB, an external drive or even an email attachment; it will be encrypted and inaccessible. With RMS, data protection can be extended to data that leaves the device, such as an email attachment from an enlightened app (think Word, Excel, PowerPoint, OneNote, etc.) or a file on a USB drive or a cloud drive. With RMS you can audit and monitor usage of your protected files, even after these files leave your organisation’s boundaries.

Addressing your Information Protection needs (on Windows 10)

WIP is not the definitive be-all and end-all capability for protecting corporate data. Rather, it is part of a suite of capabilities that Microsoft provide on Windows 10. BitLocker protects the device, WIP provides data separation and data leakage protection, and AIP provides additional, more complex data leakage protection as well as sharing protection. These three capabilities combine to protect the data at rest, in use and when shared.

So, now enterprise data can be secured on a Windows 10 device rather than the traditional approach of securing the device; suddenly BYOD doesn’t look that scary or impractical.

[i] Taken from Introducing Windows Information Protection <https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/>

[i] Taken from Office 365 system requirements changes for Office <https://techcommunity.microsoft.com/t5/Office-365-Blog/Office-365-system-requirements-changes-for-Office-client/ba-p/62327>