Whilst the General Data Protection Regulation (GDPR) came into force back in 2018, it is still causing confusion amongst many organisations including charities, even more so with the added complication of Brexit. Forming part of the Data Protection Act 2018, the UK Government says that:
“Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.”
This means that information must be:
- Used fairly, lawfully and transparently.
- Used for specified, explicit purposes.
- Used in a way that is adequate, relevant and limited to only what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept for no longer than is necessary.
- Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
There is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, religious beliefs, genetics, trade union membership, health, sex life or orientation and biometrics.
But what does all this mean for charities, where holding data and communicating with supporters/service users plays such an important part?
There are tools out there to help charities comply with GDPR and other regulatory standards including the Code of Fundraising Practice. For the purpose of this guide, we will focus on Microsoft Compliance Manager.
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps your organisation with compliance requirements. Therefore, it might already be something your charity has access to through your Microsoft 365 licences – i.e. if you are using all the popular applications such as Office, Excel, Word, PowerPoint, Teams, SharePoint, etc. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
Compliance Manager helps to simplify compliance and reduce risk by providing:
- Pre-built assessments for common industry and regional standards and regulations, or custom assessments to meet unique compliance needs (available assessments depend on your licencing agreement).
- Workflow capabilities to help you efficiently complete your risk assessments through a single tool.
- Detailed step-by-step guidance on suggested improvement actions to help you comply with the standards and regulations that are most relevant for your organisation. For actions that are managed by Microsoft, you’ll see implementation details and audit results.
- A risk-based compliance score to help you understand your compliance posture (i.e. the state of compliance with your organisation’s security policy) by measuring your progress in completing improvement actions.
Managing Information Protection and Governance is key to compliance and is based on the following:
- Know your data: Identify personal data and where it resides.
- Protect your data: Govern how personal data is used and accessed.
- Prevent data loss: Establish security controls to prevent, detect and respond to data breaches.
- Govern your data: Address data requests, report breaches and keep records.
Know your data
- Use Content Search and eDiscovery cases to search across mailboxes, public folders, Microsoft 365 groups, Microsoft Teams, SharePoint Online sites and OneDrive for Business sites.
- Use Sensitive Information Types to identify sensitive data.
Protect your data
- Use Sensitivity Labels to label and protect your data as it travels inside and outside your organisation.
- Use Office 365 Message Encryption to encrypt email and attached documents so only authorised recipients can read emailed information.
- Use Office 365 Security solutions to help prevent the most common attacks including phishing email and Office documents containing malicious links and attachments.
- Use SharePoint Information Management to protect lists and libraries: when a user checks out a document, the downloaded file is protected so that only authorised people can view and use it, according to policies that you specify.
Prevent data loss
- Use Data Loss Prevention (DLP) to prevent unintentional sharing of sensitive items.
- Use Endpoint Data Loss Prevention to extend DLP capabilities to items that are used and shared on Windows 10 computers.
Govern your data
- Use Retention Policies and Retention Labels to retain or delete content with policy management and a deletion workflow for email, documents, instant messages and more.
- Use the Import service to bulk-import PST files into Exchange Online mailboxes, so that email messages are retained and searchable for compliance or regulatory requirements.
- Implement Azure Active Directory conditional access policies with Microsoft Intune to ensure that sensitive personal information is stored and accessed according to corporate policies.
To understand more about what Compliance Manager is, how it helps simplify compliance and reduce risk, visit Microsoft Compliance Manager – Microsoft 365 Compliance | Microsoft Docs or speak to a Microsoft Partner such as m-hance to discuss your charity’s specific requirements.
Authored by Joe Deally