Get a handle on privacy with Microsoft Priva
As a business taking part in the modern digital economy, you’re inevitably going to have to handle personal information at some point or another. Protecting this data – and the privacy of the data subject – is a substantial responsibility with very real financial and reputational consequences for failure.
Today, we’re going to take a deeper look at the tools Microsoft is bringing to the privacy table. Specifically, the latest evolution of Microsoft Privacy Management, now known as Microsoft Priva.
Data Protection vs Data Privacy
Before we dive into Priva itself, let’s quickly address a very common question: are data privacy and data protection not the same thing?
The simple answer is no.
The easiest way to understand the difference is to think of data privacy as “who”. Who has access to the data, and who can they share it with?
Data protection is how you enforce those permissions – and prevent unauthorised access, data loss and/or corruption – using a combination of technology and policies.
The importance of “privacy culture”
One of the biggest challenges of data privacy is that it’s centred on people. It’s not something the IT or Compliance team can “just take care of” by implementing the right technology.
It’s essential that users are also educated and empowered to make good decisions when handling data, supported by clear processes and policies enforcing the rules. Done well, this creates what Microsoft has called a “proactive privacy culture” and “privacy-resilient” workplace.
The role of technology (Microsoft Priva)
Technology may not be a magic bullet when it comes to data privacy, but it still has an essential role to play.
With increasingly widespread (and complicated) privacy regulations coming into force globally, the right technology can dramatically improve your ability to meet growing privacy obligations.
Microsoft has recognised this opportunity, building on the foundation of Privacy Manager to create Microsoft Priva: a solution specifically designed to streamline modern privacy risk management and facilitate compliance.
Microsoft Priva is available in two modules (sold/licensed separately). Each module focusses on a different aspect of data privacy.
Priva Privacy Risk Management Module
The Priva Privacy Risk Management module has three critical objectives:
- Surfacing privacy risks by flagging personal data entering and residing within the Microsoft environment, using a combination of templated and customisable search criteria.
- Empowering the assessment and management of risks via management dashboards with active data, policy and usage alerts, complete with full drill-down capabilities.
- Educating users on risks presented by the data they consume.
Priva includes pre-programmed – but customisable – policy templates addressing the main categories of privacy risk, namely:
- Data minimisation – retention of personal information for longer than necessary.
- Data overexposure – unnecessary sharing of personal information.
- Data transfers – transfers of personal information across departmental and/or geographic borders.
Much to our excitement, Priva also integrates with Compliance Manager. That makes it possible to leverage Microsoft Purview’s data protection and privacy assessment templates (corresponding to compliance regulations and industry standards around the world) to better understand what steps must be taken in Priva to meet your compliance obligations.
Priva Subject Rights Requests Module
This Priva module focusses on enabling fast, efficient responses to data subject rights requests. It’s particularly useful for organisations facing these requests at scale, dramatically reducing their workload while improving response times and accuracy.
Key functionality includes:
- Automated data discovery
- Secure collaboration workflows via Microsoft Teams
- Built-in review and redact capabilities
- Integration with business processes via Microsoft Power Automate
- API access
While Priva Subject Rights Requests is a powerful tool, it does have at least two shortcomings that we’d be remiss not to mention.
The first is its inability to action the defensible deletion of information surfaced by a data subject access request (DSAR) when necessary.
The second is the fact that it is currently only able to search within Microsoft 365. That could be a significant obstacle for organisations with a diverse data estate looking to achieve a single-pane view on privacy across their entire landscape.
While these gaps will almost certainly be addressed in future releases, they do mean third-party privacy tools will remain an attractive option for certain businesses in the meantime.
Are you Priva-ready?
There’s little doubt in our mind that Priva is a great tool and will become a privacy staple for most organisations, eventually. However, it’s important to remember that privacy – together with your broader security and compliance – is a journey and not a destination.
The technological landscape is constantly evolving and requires regular review to ensure you make the most of the capabilities available to you. Depending on your current setup and maturity level, Priva may be your natural next step, or it could be some distance down your compliance and security pipeline.
The only reliable way to know where you stand is to analyse your existing compliance and security posture in order to build a strategic roadmap that lays out your optimal cloud journey.
Not sure where to start? Get in touch for an in-depth assessment and pick our experts’ brains on the most appropriate – and value-adding – options available to you.