Unpacking New DLP Features on Office 365
Following a two-year transition period, the EU will fully implement the General Data Protection Regulation (GDPR) on May 25, 2018. Though the GDPR was designed to fortify individual data protection policies within the EU, organizations can anticipate both positive and negative ramifications of the regulation.
Because fines under the GDPR can reach up to 4% of annual turnover, depending on the organization’s standing, a data breach is no longer merely a subjective threat to how data is shared, stored, and consumed. In fact, the GDPR reinforces the notion that organizations need to double down and invest in a more comprehensive data loss prevention (DLP) strategy.
In this post, we will explore DLP options available within the Office 365 ecosystem and present how these features can help prepare your organization for the GDPR.
What is DLP?
Data breaches not only pose a risk to the organization, but can also result in major penalties when Personally Identifiable Information (PII) is exposed.
Data loss prevention entails deploying a viable solution that allows administrators to protect sensitive information—including phone numbers, bank or credit card numbers, and passport details—from falling into the wrong hands. DLP also helps to shield organizations from fines, insider threats, and, importantly, data breaches.
Office 365 DLP Features
Since many Office 365 administrators resort to the out-of-the-box features within Office 365 as a means of establishing a security perimeter, it’s essential to understand Microsoft’s proprietary DLP features.
The set of DLP tools included within the E3, A3, and G3 premium subscriptions for Office 365 allows administrators to implement preventative measures to mitigate loss of data. By creating DLP policies within the Security & Compliance Center on Office 365, admins can build the first barrier against risk and bolster their organization’s security.
Enabling Data Loss Prevention on Office 365
Enabling data loss prevention features on Office 365 is an intuitively easy process. To leverage pre-built templates and permit the identification of sensitive data in real time, Office 365 administrators can access the Data Loss Prevention module to monitor their users’ tasks and apply region-specific rules to their policies.
To create a new DLP policy, click on Create a Policy, followed by a selection between the Financial, Medical and Health, Privacy, and Custom options. This will prompt the regional selection, which automatically populates the DLP policy template with the respective country or region’s industry regulations.
As you customize the DLP policy template, you can authorize automated responses if the system detects anomalies or permission breaches, such as one or more occurrences of a credit card number or address. A few of the possible responses include:
- Blocking the information.
- Notifying specific users of a potential breach.
- Allowing a manual override with a business justification.
- Flagging a false positive match.
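The same policy can be scripted instead of clicked through. The following is an added example, not part of the original post: it uses the Security & Compliance PowerShell cmdlets to build a credit card policy with the four responses listed above. It assumes the ExchangeOnlineManagement module is installed and the account has DLP administration rights; the policy and rule names are hypothetical.

```powershell
# Added example. Policy and rule names are hypothetical placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # opens a Security & Compliance PowerShell session

$policyName = 'Example - Credit Card Data'

# Create the policy in test mode first: matches are reported and Policy Tips
# are shown, but nothing is enforced until the policy has been reviewed.
$policy = @{
    Name               = $policyName
    Comment            = 'Detects credit card numbers in mail and documents'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

# One rule covering the responses described in the list above.
$rule = @{
    Name   = "$policyName - Rule"
    Policy = $policyName
    # Condition: one or more occurrences of a credit card number
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    # Blocking the information
    BlockAccess = $true
    # Notifying specific users of a potential breach (shown as a Policy Tip)
    NotifyUser = 'Owner', 'LastModifier'
    # Manual override with a business justification, or a false positive report
    NotifyAllowOverride = 'WithJustification', 'FalsePositive'
    # Send an incident report to the administrator for each match
    GenerateIncidentReport = 'SiteAdmin'
}
New-DlpComplianceRule @rule

# Confirm what was created before switching enforcement on.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, NotifyUser, NotifyAllowOverride

# After reviewing the test-mode matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in TestWithNotifications for a period shows how often users would hit the rule, and how many matches are false positives, before anything is blocked.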
This feature not only allows administrators to easily enable data loss prevention in Office 365, but also provides a variety of compliance and security options that are key to meeting the requirements set by the GDPR.
DLP Policy Tips on Office 365
DLP Policy Tips on Office 365 are automatically generated messages that bring to attention potential security risks and solutions. Depending on the situation, Policy Tips provide the user with expert guidance without interrupting their workflow, and they allow users to correct their behavior before moving forward.
However, if the option to manually override Policy Tips has been selected, the user must provide a business justification for the override, which serves as a form of accountability in the event of a breach. Hypothetically, this would place the user in a position to defend his or her reasoning behind the override to the organization.
For example, let’s imagine that a user has drafted an email that contains credit card information for a list of clients. In the real world, this may be the type of information that is needed to process a batch of payments.
Once the data has been entered into the email, the DLP policy will then inform the user via a Policy Tip that the contents of the email conflict with a policy set by the organization. The user can then choose to encrypt the sensitive information, find a more secure means of forwarding the email, or override the Policy Tip and send the message with the PII attached.
Ultimately, the DLP Policy Tips feature on Office 365 serves as the final precautionary measure against actions that could potentially put the organization at risk of a data breach. Although IT is responsible for setting the permissions for manual override, communicating the significance of Policy Tips to users is crucial for GDPR compliance and mitigating risk.
GDPR is understandably a concern to many organizations in the EU, and while there’s still some time before it is fully implemented, it’s essential for organizations to begin investigating their data loss prevention strategy. The new DLP features on Office 365 present a suite of options that administrators can leverage to avoid the inevitable urgency that many organizations will face during 2018, and in doing so, they can ensure a secure collaboration environment and guarantee GDPR compliance.
Metalogix Provides a More Robust Security Plan
Amidst all of the challenges that the GDPR poses for organizations, you may find that the DLP features within Office 365 are not comprehensive enough for your organization’s needs. If you’re looking for an industry-leading security and information governance solution for your collaboration environment, then Metalogix can help.
Purpose-built for Office 365 and SharePoint, our solution provides a robust security plan that not only lowers your security risk, but allows you to discover, classify, and secure sensitive data throughout your organization. Check out a free, personalized demo of ControlPoint and see how you can protect your organization today!
Matt is the founder of Kinetal and a self-confessed tech geek. Matt founded Kinetal in 2013 and has been delivering social media training since 2011, with a passion for Media and Technology. You’ll find him behind a camera or finding creative ways to create Digital Marketing campaigns.