This eBook explores the dichotomy between global and local security and compliance requirements, considers the challenges you and your team may face and provides clear insights into how to support your organisation in achieving your goals.
In this eBook, we’re going to explore the dichotomy between global and local regulatory and compliance requirements and how we can, or maybe we can’t, use the Security and Compliance Center within Office 365 to mitigate those issues. We’re going to consider the key elements within Office 365 that can help us. Specifically, within the Office365 Security and Compliance Center, we will look at what the capabilities are and how they should be delivered. Whether they should be delivered globally or maybe locally within your business. The focus is going to be very much on compliance, information governance and regulatory features. We’re not going to look at the security features or the role of an information security officer. I’m going to assume that you’ve already got stuff in place and experts in your organization that are already stopping the bad guys from getting into Office 365 and into your networks, etc.
Let’s kick off with a bit of an overview and some background around what the challenges are.
The problem space is very much concerned with balancing information governance, compliance and the regulatory controls based on both the central business needs that an organization has from head office all the way down to the local requirements be that, local requirements in different countries or different departments. This can be very complex especially if your business has a presence in many countries across the globe or focuses on numerous sectors. The Security and Compliance Center is our main portal to manage this.
There are a lot of things that need to be considered; governance, compliance and regulatory controls, different sectors, health, finance, retail, all have different rules, and all have different things that they need to think of to make sure that they’re complying in AARP and annoying the regulators. Often countries have their own regulations; everybody’s probably aware of the general data protection regulation (GDPR) launched last year. The California Consumer Privacy Act, the Swiss Data Protection Act and lots of other regulations are also focused on data, personal data and keeping that data safe and making sure organizations like yours are looking after and are using people’s data, your customer’s data, your employees’ data appropriately.
Many organizations have both governance and IT teams spread across the business. Some central functions may cover the globe or all of your businesses, but I’m sure you probably also have local teams servicing customers at a more focussed level be that Finance, HR or IT for example.
Stakeholders are part of the Problem Space as well, people that you’re trying to please, you’re trying to make everybody happy, and that can be a huge juggling act.
The 7 Waves of Governance
A great place to start our journey around Security and Compliance Center is to consider the seven waves of governance.
Many organizations implement Office 365 focussed on collaboration, not necessarily compliance. Compliance and regulations stuff is possibly considered boring and not necessarily delivering business value. However, governance should always be a consideration when planning Office 365 projects and should be looked at holistically to include all elements from the very start.
The Seven Waves of Governance have seven very clear areas, which can be summarised as follows:
- Information governance
- IT assurance (making sure that the kit and the technology is delivering)
- Kaizen and continuous improvement
- Change management and adoption
- Aligning to the business
- Making sure we’re capturing the requirements of the ever-changing business landscape
- Making sure that the project is well-governed.
All these things are fundamental to the governance of your project and fundamental to ensure that you make the best of the Office 365 Security and Compliance Center.
When you implemented Office 365, set up the tenant, configured active directory and all that kind of stuff, the chances are that you weren’t thinking about compliance, your focus was probably on migrating data and increasing collaboration. The seven waves of governance are a really good way of helping you to focus your implementation on what is important. We are going to focus on the information governance aspect and the business alignment throughout this eBook.
Focuses and Challenges.
So, what is the key challenge? Let’s dive into the Security and Compliance Center and start to understand what we want to do, what the capabilities are, and the associated challenges.
The Security and Compliance Center is a brilliant piece of technology and a great portal. If you’re living in a very clear organization, operating in one country wherever that may be, or only operating and doing business in one sector, then the Security and Compliance Center is a fantastic tool for you and will help you. But when you start looking at wider, larger, global or international organizations that are doing business and having to think about regulations across many countries or business sectors, that’s where the challenges start to come in.
The Security and Compliance Center fundamentally is the key resource for you to help meet your organizations legal, regulatory and technical standards for content security, data use and information government. That is our main place to go to and what we’re going to focus on in the rest of this eBook.
The Security and Compliance Center currently has a huge number of capabilities. They cover everything from information governance to mail to technical assurance to threats and cyber activities. We’re going to focus on the alert capabilities, classification and data governance, data loss prevention, content search and eDiscovery. These are the key capabilities that the Security and Compliance Center can offer you that, have the most impact and the most challenges for getting your organization compliant with the regulations it needs to adhere to.
There are three key questions that we need to ask and when we’re looking at information governance, compliance and regulatory capabilities they are above and beyond fundamental questions of why we are putting a platform in the first place.
Whose data should I be focusing on?
The answer depends on what we are trying to do. Are we looking at the whole company? Are we trying to monitor and look at and make sure that the data across the whole company is compliant? Or are we focusing on country data? Do we need to consider geolocation and compliance boundaries to focus on data relating to a specific country? Are we looking at a lower level, business unit, department, teams, or just trying to look at individuals making sure a specific person is doing the right thing with data that we’ve got in our tenant?
In some ways, considering the lowest level is sometimes easier than trying to look at country or business unit level because the toolset that Microsoft offers is very much geared around governing and keeping safe individual documents, individual pieces of data, making sure that they are labelled correctly, that the retention is right, making sure that your data loss prevention rules stop that data from leaving your organization or only allow it to go to certain people.
The Security and Compliance Center works great if you’re looking at the whole company and equally as good if you’re looking at individuals. The grey area and the challenges that we’re going to discuss will help when you’re looking at those different compliance needs across countries and business units and departments.
Why am I interested?
Is it for legal reasons? Is it compliance? Is it regulatory? Is it for information governance and business value? Are we trying to make sure that the data that we have is well-governed and is delivering value?
They’re the sorts of things that we need to be thinking about because this will change how we use the tools. The answer will change where the responsibility and accountability fall within the tools that we’re implementing.
How (and can) the technology support me?
There are inherent capabilities within the Security and Compliance Center, which we’re going to go through in a moment. Geo-location helps us store our data in an appropriate data center within the Microsoft ecosystem. Compliance boundaries help us to prevent people from searching data that they shouldn’t be looking at. Information barriers can be used as walls to prevent data from transferring across boundaries.
Key capabilities within the Security and Compliance Center
Alerts allow us to set up policies that allow you to track user and administration activities, things like malware threats, data loss incidents, and activities that people are doing on your tenant. They are based on audit events, and any alert notifications presented to you in the Security and Compliance Alerts dashboard. Email notifications can also be used, and by default, they get sent to the tenant administrator.
If you think about the number of alerts that Microsoft has implemented by default and add to those others that you’re potentially going to create as well, that could mean a lot of email flowing to the tenant administrator who probably is not the right person to notify. It’s not their responsibility; it’s not their accountability.
A key challenge is that alerts are created and managed at a global level. There is just one place to do it. They are set up, configured and delivered in the alerts pane in the Security and Compliance Center.
The alerts by default target all users unless you explicitly specify the individual people that you’re interested in or want to exclude. You can create a rule based on everybody excluding the senior management team, or the legal team or a team that is sending sensitive data outside of the organization all the time as part of their role. When setting up a regional alert, you would potentially need to target a set of users or a team and by adding people individually. As an example, you may need to target the UK finance team and send any alerts to the UK Head of Security. The challenge with a rule and an alert like that this is the maintenance nightmare that you create. You’ve got to make sure that the emails are going and getting managed by the right person. You’ve got to make sure that you’re keeping the right people in that group. Once the rule and alerts are set, you need to update them with future personnel changes as people move around your organization. This creates overhead and a resource required to ensure that everything remains relevant and keeps up to date.
When we consider retention in this context, we need to think about classification labels, data governance, records retention, and unified labelling.
Firstly, we can label our content based on the end-user adding a label or by specific criteria triggering a label to be applied. A document that contains personal data, credit card data, or passport number, for example, triggers a label to get automatically applied to that document, so you know what sort of content is involved.
The other type of capability we’ve got within this area is the ability to keep data under retention or records retention policies so that they comply with legal, regulatory or business requirements to keep data for a certain amount of time or to delete data after a certain amount of time.
Retention is key around your information governance in your tenant for your entire organization. All your contents should be under a specific retention policy and you should have a hundred percent coverage. The Security and Compliance Center contains different reports that show how much of your content is under some sort of retention period.
The challenge here is that different countries and sectors potentially have different requirements for how long you keep data, 5 years, 10 years, 20 years are common but very different. Achieving 100% retention across all our data is not as easy as it seems.
Retention labels and records retention can only be applied globally; otherwise, you must explicitly state the individual SharePoint sites, one drive, etc, that you want the labels to apply to. This is a challenge because, in a lot of organizations, sites can be created by anybody. When you spin up a Microsoft Teams area, it spins up a SharePoint site. What retention label should be on those files? Is there any? The fact that we have either to apply it to this or to everything or just apply it to specific sites becomes a bit of an administrative nightmare because sites can be created and deleted all the time. Staying on top of that is difficult.
There is no out of the box capability to target labels at specific data. As an example, we can’t say this particular label for records retention should apply to all UK content. This retention label should apply to all Swiss content. This classification label should apply to all American content. That capability isn’t there when your one tenant with multiple organizers and multiple countries are operating under it. There are lots of other limitations. Things like policies having a certain number of sites it can be allocated explicitly to and various other things.
There’s also no obvious security and compliance permission roles that allow you to just give access to local information governance teams in the different countries to create a management administrator for their own labels.
Data loss prevention
Data loss prevention is again a key part of your company’s governance strategy which allows you to prevent or at least be notified of sensitive data leaving your company. It helps you protect content in exchange emails, team chat, channel messages, one drive and SharePoint documents.
Again, all countries and sectors will have different requirements. A confidential document in the UK with personal data may be fine to send outside of the organization. In fact, it’s probably an everyday occurrence when you’re sending documents to a doctor or to insurance brokers or to your third-party provider of some other service. But in other countries that may be not allowable at all. In DLP, data loss prevention, you’ve got a lot of different rules that only the countries involved understand because they know what’s possible and what is and isn’t allowed.
The challenges, again, are very similar to before. DLP policies can only be stated globally, or you must explicitly state where you’re applying that policy, which SharePoint site(s), one drive(s) or email account(s), etc. There is no capability to target your DLP rules at a specific region of data such as all German, UK, Spanish or Irish data. And there’s no way, again, for focusing a DLP rule on a particular team or function, e.g. HR because of the data that they’re handling. That’s not possible. There’s also no ability for local rules administration and event handling.
What happens when one of these data loss prevention rules gets triggered and there’s an alert? Who do you tell? Who cares about a document in the UK? Sending that alert out to everybody or a load of administrators across your company is painful and a waste of time. Only certain people are interested in certain rules, which is a considerable challenge when dealing with data loss prevention, in Security and Compliance Center for global organizations.
eDiscovery is the process of identifying, collecting and producing electronically stored evidence in response to legal proceedings or maybe internal business investigations.
In the Security and Compliance Center, there are three key eDiscovery capabilities.
Legal hold is basically securing at a point in time a specific set of content. You might put somebodies one drive on hold, you may put someone’s mailbox on hold, or you may do a search based on some sort of criteria and keep certain SharePoint sites on hold or certain documents with certain criteria on hold.
Once you’ve got that content on hold, then you’ve got a copy. You can export it and then begin to understand what data is in it as part of an investigation.
Content search is a very powerful tool. It allows us to look inside of our content and find certain criteria that we’re looking for, certain keywords or certain types of data for example.
Data exports allow us to take the data offline for use in criminal proceedings and presenting it to legal teams, etc. It is very powerful. In a global organization with eDiscovery, out of the box, can search across the whole tenant. You can, in theory, use content search as part of an eDiscovery case, to look at the CEO’s mailbox, to look at finance documents to see what people’s salaries are.
It’s very powerful and it’s very important to use it and have respect for it so you can govern it appropriately. When using eDiscovery properly, we tend to have lots of input from legal teams and compliance teams in the local business, the people that are requesting that eDiscovery case. It requires significant business input into the process.
A level of localization is possible which is positive. With both geo-location and compliance boundaries, we can start to limit the amount of data that a certain person, (an eDiscovery manager as they called) can review. It’s possible to limit access to only the UK data or only the Spanish data, whatever it happens to be.
There are some challenges though as always with these things. The first is defining and creating appropriate compliance boundaries. They use AD attributes so can be difficult to retrofit if you haven’t considered these eventualities at the start. You really do want to think very seriously and design this, based on what your requirements are. What are those compliant boundaries? How will they be managed? If you put them in place, who is going to run those eDiscovery cases within those individual boundaries? And what does that mean when you’ve got cross-organizational eDiscovery?
What happens if the content is being shared between different departments, different geographies, different sectors. You will need to set up permission groups to do that. All these considerations increase the amount of maintenance that is required, which also needs to be controlled and managed. Somebody has got to be responsible; teams of people have got to be in place to make sure that they manage the permissions to support the business needs, but also to keep data safe.
We touched on this a little bit earlier within eDiscovery. Effectively it is the same technology but with eDiscovery, you have the goal of finding content for a legal case, Content search on its own is more for searching or reporting. But you can use content search to search for content within your tenants such as email documents, instant message conversations teams etc in your Office 365 organization.
Content search can search both your metadata and the content within your documents. And it can use keywords, conditions, expressions and things like sensitive information types to help support your business requirements. Sensitive information types are great as they can help you define credit card numbers, diseases, national insurance numbers, and other things, all of which can potentially be classed as business data or personal data and can be identified and used within content search. Using Sensitive Information Types means that you can start to understand where that kind of data is stored within your tenant.
Localization is possible as with eDiscovery. We can use geolocation and compliance boundaries to target content search or rather to restrict people using content search. The administrators that are within security and compliance can be restricted to only be able to search certain bits of data that meets our needs. The challenges are, as it’s not a reporting tool is not very configurable. It has a lot of power around what it can search in, how it can search and what it can pull back, but you’re basically lumped with a set of columns that Microsoft have previously defined. So, it’s not a reporting tool, but it is a very good tool for using for investigations.
Appropriate permission groups need to be maintained to support the business needs and make sure that aligns with our compliance boundaries and location if appropriate. This requires considerable effort to define and create the appropriate compliance boundaries and use the right AD attributes, so although it’s a very powerful tool, a lot of administration both in the setup and ongoing is needed to make sure it meets the businesses requirements.
As always, the potential solution depends on your circumstances. The best solution to fit your organization is going to depend on your intricacies, how your organization is set up, the resources you have, the teams you have available and the regulations that you’re accountable for.
Option 1: Separate Tenants
One option would be to implement separate tenants. If we implemented separate tenants, maybe one for each country, then this would mean that each administration is basically local to that country. That works really well if your organization is extremely siloed. If your overall business, is really a conglomeration of lots of smaller businesses that are very focused individually on what they do, and you have very little cross-organization or cross-country collaboration then this may be a good solution.
But we’ve got to ask, and again this is down to your organization, is that really a good thing to be that siloed?
There are a couple of big challenges with having separate tenants. The first is that everyone else in your organization is going to be seen as external, which will have some limits. Although Office 365 supports external sharing and external collaboration, the reality is they are going to be external and will face issues, limits, problems, and challenges when you want to collaborate across the different separate tenants.
From a Security and Compliance Center point of view, it’s going to exponentially increase DLP and alert false positives. If you think about it, if the Head Office and some global functions are based in the UK, you might create a knowledge center or training materials might be hosted there. Every person from every other tenant that accesses those resources will be flagged as external users accessing a lot of data and that’s going to trigger an alert. It may trigger DLP rules if you’ve got rules around what data can be flowing within the organization, so it does present some challenges that you might have to think about.
Option 2: Go global!
We could go global; we could forget all the complexities of the other countries. We could decide we’re a global organization, but our head office is in America, the UK, the Isle of Man, Switzerland, Germany, or wherever and decide that should control what the governance policies used globally are.
It does give opportunities for central control. Visibility over what rules and what governance is in place and insights into what everyone’s doing, but it is going to have significant challenges. There’s going to be an increase in workload for that global, centralised team.
Potentially you’re going to have to make sacrifices in order to simplify. If you’re just having one set of global rules and you’re not catering for all the intricacies of the various other countries and, and functions within the organization, then you’re potentially going to have to simplify things. Otherwise, those central roles are going to have to become very complex to cater for everybody else’s individual circumstances to ensure all rules are met, which will increase the cost and the time of managing the governance of your tenant.
There are some big challenges involved and whilst some organizations do that, there may be a better way.
Option 3: Create Custom Solutions
Creating a custom solution would mean getting the developers involved. It offers opportunities to mitigate some of the challenges currently faced in Office 365.
It’s possible to create a solution to automatically apply retention labels to sites and items as they’re created through a site creation process. You could potentially start automating and simplifying eDiscovery processes. Maybe even starting to be able to deliver local DLP policies and handling by bypassing the out of the box tools, taking the data and putting it elsewhere.
Tools like Splunk API could help you to take advantage of the vast amount of data that the Security and Compliance Center and the tools within it generate and manage and might help you leverage or get over some of those challenges and deliver some business value.
But the challenge as always is that there’s going to be a significant increase in implementation costs. You’re going to need more resources, more time to implement it. You’ve got to maintain it over time which adds cost and people, etc. The complexity of your Office 365 implementation will increase significantly.
You could also introduce an amount of redundancy. Office 365 is an evergreen platform, so it’s constantly evolving. The Security and Compliance Center is evolving all the time. Custom solutions you build today may be unnecessary in 6, 12 or 18 months. Although custom solutions may offer you some ways to get over some of these hurdles that we’ve identified so far, it is going to cost time, money and complexity.
Option 4: Utilise both Global and Local Services
Potentially, the best approach is to utilize a combination of both global and local services – pick the best of each to suit your specific circumstances.
The opportunities of this approach are that you can take advantage of the benefits of both worlds.
Where you have global functions and global requirements for governance that relate to how your business operates rather than the legal regulations in specific countries; they’re ideal to deliver globally.
It makes sense to try to deliver as much as you can on a global level, on a tenant level, through your global teams. After that point, use local capabilities, local targeting of rules and functionality in local teams only where you absolutely must. This gives you a balance of appropriate resourcing. It supports a global oversight of what everybody’s doing around information governance and compliance and regulation. But also helps to foster an increased local engagement. And we shouldn’t forget that if you’re doing business in the EU and you’re processing in any way EU citizens’ data, then GDPR is going to apply and GDPR fines for breaches, etc, are a global issue, not a local issue.
Whichever way you are organized, if there’s a GDPR breach in the Netherlands, in Germany or in France or wherever, the global organization is accountable for that fine. It really makes sense to have that global oversight, and close links to your local organizations in the different countries and to help you mitigate that risk. You could even invest in custom solutions as part of this, so you use global, local and maybe some custom solutions for anything important to solve within your tenant.
This global and local service approach has its challenges as well. It’s a compromise and balancing act, it takes a lot of design, a lot of thinking from the start to make sure that you have the right things in place, in the right areas. That you have the right amount of focus at a global level and that you have enough empowerment and insight at the local level to make sure that they’re meeting their local requirements and their local regulations.
We have ever-evolving scenarios, Office 365 is evergreen, the Security and Compliance Centers’ capabilities are changing all the time. Business maturity is changing, businesses have different needs and regulations are changing. Your balance of global and local services will need to keep up.
This kind of approach also needs a significant amount of communication and awareness effort to your stakeholders. Who is responsible for what? What are the group teams and departments meant to be accountable for and deliver? What are your local legal and compliance teams meant to be doing? What are they accountable for? Who do they turn to if they want to support and help?
At a country level, you might have data protection officers, information governance officers or other roles at a high level reporting into country CEOs, COOs, who need to be aware and understand and mitigate the governance risks that are in place and understand how things like Security and Compliance Center helps them to mitigate their local risks.
There’s a lot of communication and a lot of effort is required in order to get that to work as a model.
What are the recommendations?
If you haven’t already spotted the hints, the recommendation is a global/local kind of model, but, what does that really mean? What should you (from a service point of view from within the security and compliance center) go to do with each of those services and where are they going to be pitched?
Global Service Recommendations
Utilize global alerts that are already configured, making sure that the right global teams get notified and are actively managing those alerts.
Create new global alerts to meet your global team’s requirements. Don’t just rely on the alerts that exist. Look at what’s important to your global compliance, regulation and information governance teams and try and create a list to help them and support what they’re doing.
Then take requests from the business for specific alerts based on their own specific users, requirements or location and target alerts to them with emails and communications being sent to key stakeholders within that country/business area.
For retention, it makes sense to create a global retention policy that covers the whole of your organization. For example, to keep all, non-record data for maybe seven years after it was last modified. If a document has just sat there for seven years with no changes or updates, then it will just get automatically deleted. It’s a housekeeping discipline and tries to keep your tenant clean, while also trying to minimize the amount of personal data that is kept longer than it should.
From there, create global records retention labelled policies that cover the key main retention periods that your organization has, whatever that may be. Whether it’s one, two, three, five, seven, 10, 25, 50, 100 years or forever. Create that set of records, retention labels globally because they are going to apply to most areas, most teams, most countries within your organization.
Then consider any element of the business with specific retention requirements, so different trigger points and maybe for different periods than the core global ones and then apply those to specific sites.
Data Loss Prevention
DLP is a tricky one! There’ll be a set of DLP rules that need to be used at a global level that covers all data. That’s great. After that, potentially you will need to manage any alerts that get raised and pass them to the local jurisdictions to manage. If you think somebody in the Spanish business unit is sending data they shouldn’t be, you notify the Spanish COO or Spanish Data protection officer and notify them to manage that locally.
With eDiscovery, again, a global team is probably best placed to manage the cases that cross all boundaries across the whole of the organization.
You might want to consider changing the eDiscovery roles so that you’ve got from a global perspective, you might create the cases and then allocate users into those, eDiscovery cases from local business units, with an eDiscovery role that doesn’t have the manage case attribute enabled and are part of that group. They can’t create and modify, delete, close a case, but they can do everything they need to within that case, so do legal holds, content searches and exports and ensure from a group perspective that you have oversight on those locally managed cases. Cause even in a jurisdiction says the UK where maybe you’re used to using compliance boundaries to limit those searches to just the UK. That’s still not necessarily going to stop somebody doing an eDiscovery case and looking at the CEO’s mailbox when really, they were meant to be concentrating on something else. You still need a global service to have that oversight on locally managed cases.
From a content service perspective, the first thing is just don’t let the business think it’s a reporting tool. Use it, allow them to request searches, but use it really to gain insights into data governance and the content that you’ve got there.
Local Service Recommendations
Use local alerts based on specific users or SharePoint sites, one drive settings, etc. Define them, pass them up to the global team to implement and get yourselves notified when something’s alerted.
Review global retention policies and where you absolutely must have something different, work out how you can manage those differences locally and consider what sites that policy is going to apply to. Remember to think about how your local policies can be applied to new sites as they are created.
Data Loss Prevention
DLP doesn’t have any real capabilities for doing things locally, so you might want to consider using a different technology. Quite often organizations already have a strategic DLP tool in place which tends to be able to be used in Office365 as well. But either way, you want to be feeding your DLP requirements into the global teams so that they can take that into account and if it is appropriate, then implement them within the DLP tool in Office365.
To manage eDiscovery cases at a local level you need to set compliance boundaries and ideally geolocation as well. Where eDiscovery cases cross boundaries and organizations that are highly collaborative, then those requests need to be passed up to the global team to manage and look across the data.
From a content search perspective, if a business unit, a team, a function or a country needs to use content search, the likelihood is it’s probably going to be part of an eDiscovery case unless they want some sort of insights into what data is within their country, within their remit.
To summarize from a technology perspective, we need to design the Office365 platform for collaboration for your business’s requirements and business values and for compliance.
Ideally you want to be thinking about your compliance requirements as part of that initial setup, the initial design of Office 365. Retrofitting down the line is much more difficult, as it’s hard to start putting the technology, the processes and everything else retrospectively in to cater to your wide and disparate needs from a regulatory and compliance perspective.
Look carefully at licensing, whether you have E3 versus E5. Do you want advanced data governance? Do you need those capabilities? What are your compliance needs and what’s going to suffice for your organization? Don’t just look at the licensing from a functional perspective. Look at it from a compliance perspective as well.
What kind of compliance information, governance functions should be key stakeholders in the design of your Office365 platform? Where it’s feasible, look at geolocation, where data is stored, it will give you more capabilities around governance to make sure that you keep your data safe and you can govern it appropriately to your local regulations.
Design things like compliance boundaries into your solution from the start. It affects things like site creation and other elements within Office365. So really do try and think about that upfront.
From an organisational perspective, there’s a lot to be done here. You need to make sure you’ve got both global and local teams to support your business from an Office 365 perspective. Managing the tenant, using things like Security and Compliance Center, etc. But also, from a business perspective. In a cross-functional cross-country organization; you should have local security and compliance and legal and regulatory teams as well as similar reams at a global level as well.
The structure you choose will depend on what sectors you’re doing business in, the countries you’re based in and what countries you do business with. Also, how collaborative you are across your boundaries.
Who should operationally own the key technologies like the security and compliance center from a regulatory and compliance perspective? Probably not the IT department, they’ll need to support it and will need to help train or need to be involved.
Ideally, a business team that understands both the global organizational needs for information governance and compliance and regulatory aspects needs to have overall responsibility. They need to understand regulations in various countries that you operate in, but also have a good relationship with the local stakeholders in those areas. Because it is a team effort to have your whole tenant delivering services and data across the globe. You need to understand what’s going on in each country, in each area. And you need to understand how legal regulatory compliance needs manifest themselves. How important are they and what impact do they have, so the organization really does need to support all of this?
Coping with Evolution.
Most of all, to be set up to support the business regulatory and compliance needs you must be agile. Office365 is evergreen. New capabilities are arriving all the time and being enhanced to help you and help your cause. We’ve got the new separate security center and compliance center portals coming online. We have unified labelling, new geo-locations being delivered, information barriers, but also legal and compliance and governance requirements are also constantly evolving and adding further challenges to us. Currently, some key ones are GDPR, California consumer privacy act, Swiss data protection act. Whether the States in the U.S.A are starting to develop their own consumer and personal data privacy acts and regulations and other countries are following suit. All of this is changing. It really does make sense to have a very robust governance function at a central level that is hooked into the security and compliance center and hooked into local teams and local capabilities to really make sure that you can evolve and you can stay out of the news.
Remember the Goal
What we’re trying to do is keep a company’s employee data and customer data safe. We’re trying to make sure that our regulators are happy in all our countries and we’re trying to make sure that we are doing business and our organization looks good from a data room and personal data perspective. We need to have a handle on all of this, and there’s a lot to do. There’s a lot of challenges to take on board and to implement, but it’s worth it. The world is getting more and more litigious, there are more and more regulations and more and more focus outside of our organization on how and what we’re doing with data and personal data. We need to get this right and we need to get this right from the start.