In today’s data-driven landscape, organisations face the dual challenge of ensuring data security and meeting robust data retention requirements. Microsoft Purview Information Protection (Purview) is a technology solution that helps organisations discover, classify, protect and automatically delete sensitive information, ensuring consistent and compliant data management.
This blog will explore how Purview's capabilities can assist your organisation in addressing several commonly experienced challenges. For more detailed guidance on how you can use Purview to overcome challenges like data loss and insider risk, sign up for our Purview webinar.
Supporting Compliance with Laws and Standards
Purview offers robust data governance capabilities for your organisation to manage and protect data and, in doing so, support a simplified approach to compliance with requirements of laws and standards. These may include the following:
General Data Protection Regulation (GDPR)
Article 5: Requires data integrity and confidentiality, preventing unauthorised access, alteration, or disclosure of personal data.
Article 32: Mandates appropriate technical and organisational measures to secure personal data, including encryption and access control, which Purview DLP policies help enforce.
Article 33: Requires notification of personal data breaches to supervisory authorities and data subjects. Purview will support in detecting and preventing potential breaches.
Health Insurance Portability and Accountability Act (HIPAA)
Security Rule: Requires covered entities to implement safeguards to protect electronic Protected Health Information.
Breach Notification Rule: Mandates notification of breaches involving unsecured Protected Health Information.
Payment Card Industry Data Security Standard (PCI DSS)
Requirement 3: Protects stored cardholder data, ensuring that sensitive information is not improperly stored or transmitted. Purview enforces policies that can automatically identify payment card information and restrict its transmission.
Requirement 7: Restricts access to cardholder data to only those individuals whose job requires it. Purview helps enforce access controls and monitor the movement of data internally and externally.
ISO/IEC 27001:2022
Annex A.8: Ensures the protection of information through its lifecycle, including handling, processing, storage and transmission.
Annex A.12: Mandates operational security controls to manage and control data security risks.
Annex A.18: Requires compliance with legal, regulatory, and contractual requirements.
Protecting Against Risk of Data Loss or Misuse
Purview's security and risk management features allow your organisation to identify data, apply protective measures, and monitor attempted unauthorised access, reducing the risk of data breaches. This protection extends to documents and emails, including those that contain sensitive information, such as intellectual property, financial information, and personal data.
By using sensitivity labels, your organisation can identify the sensitivity of data across its organisation, and the label can enforce protection settings that are appropriate for the sensitivity of that data. That protection then stays with the content.
Automatic labelling can prevent inadvertent or malicious sharing of files with unauthorised personnel. Purview can automatically apply sensitivity labels based on the contents of a document or email, using pre-defined rules and machine learning; for example, it can recognise payment card data by identifying a Primary Account Number (PAN). Purview can also recommend labels to users, prompting them to apply the appropriate level of protection.
Additionally, Purview provides auditing and reporting capabilities through the compliance portal, giving oversight of data access and usage. This can serve to confirm that DLP policies are effectively enforced and that your organisation is not subject to unauthorised access and data breaches.
Promoting Secure Data Sharing
Purview supports secure data sharing through the ability to enforce encryption when a label is applied to documents and emails. When a sensitivity label that requires encryption is applied, Purview uses Azure Information Protection (AIP) to encrypt the contents. This ensures that only authorised users can access the protected data.
Additionally, Purview integrates with Azure Rights Management (ARM) to apply policies that control access and usage rights. This includes defining who can view, edit, copy or print content, ensuring that even when sensitive information is shared, it remains secure.
Encryption and protection policies remain with the email or document through its lifecycle, ensuring that the data is consistently protected, whether it is stored on-premises, in the cloud, or on users’ devices. This extends to when files are shared for collaboration purposes, using tools like Microsoft Teams and SharePoint, both within and outside your organisation.
Supporting an Automated Approach to Managing Retention of Data
Retention requirements vary across different standards, reflecting the need to balance data protection with regulatory compliance. Your organisation must understand and comply with the specific retention requirements relevant to your industry and jurisdiction. For example:
- Under the principle of storage limitation, the General Data Protection Regulation requires that personal data is kept no longer than necessary for the purposes for which it was collected.
- The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities retain medical records for at least six years from the date of their creation or the date when they were last in effect, whichever is later. Some state laws may have stricter requirements.
- ISO/IEC 27001 does not specify exact retention periods but requires organisations to establish and document data retention periods based on business, legal, and regulatory requirements.
- General laws in each jurisdiction will also dictate retention periods for employment records (typically ranging from 1 to 7 years), tax records (commonly 3 to 7 years) and contracts/agreements (often recommended to be retained for the duration of the contract plus several years after termination).
Retention policies and labels within Purview can support your organisation’s approach to managing retention by controlling how long content is kept and when it should be deleted. They can be applied to various content types, including emails and documents, to automatically delete data or flag it for a disposition review after a specified period.
Disposition reviews enable nominated individuals to review data scheduled for deletion before it is permanently removed. This provides a safeguard to ensure that the data deletion aligns with business and regulatory requirements. The review process can be configured to decide who will review the data and what criteria they must use to make the decision.
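The retention logic described in the last two paragraphs is small enough to show end to end. The following is an added example, not Purview's own code: each label carries a retention period, the event the period runs from, and the action at expiry (automatic deletion or a hold for disposition review). The label names, periods and file paths are assumptions constructed for the example; the "medical record" label mirrors the HIPAA rule quoted above (six years from creation or from the date the record was last in effect, whichever is later), which is the edge case the code is built around.

```python
"""
Added illustration (not Purview's own code) of retention-label evaluation.
Labels, periods and sample paths below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionLabel:
    name: str
    years: int
    trigger: str  # "created", "modified", or "later_of_created_modified"
    action: str   # what happens at expiry: "delete" or "disposition_review"


@dataclass(frozen=True)
class Item:
    path: str
    created: date
    last_modified: date
    label: RetentionLabel


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_start(item: Item) -> date:
    """The date the retention period runs from, per the label's trigger."""
    if item.label.trigger == "created":
        return item.created
    if item.label.trigger == "modified":
        return item.last_modified
    if item.label.trigger == "later_of_created_modified":
        # HIPAA-style rule: creation or last-in-effect date, whichever is later.
        return max(item.created, item.last_modified)
    raise ValueError(f"unknown trigger {item.label.trigger!r}")


def expiry_date(item: Item) -> date:
    return add_years(retention_start(item), item.label.years)


def evaluate(item: Item, today: date) -> str:
    """Return 'retain', 'delete' or 'disposition_review' for this item today."""
    if today < expiry_date(item):
        return "retain"
    return item.label.action


# Assumed labels for the example.
MEDICAL = RetentionLabel("Medical record", 6, "later_of_created_modified", "disposition_review")
TAX = RetentionLabel("Tax record", 3, "created", "delete")
PERSONAL = RetentionLabel("Personal data - marketing", 2, "modified", "delete")

# Constructed sample inventory (paths and dates are made up).
ITEMS = [
    Item("/records/patient-0001.pdf", date(2017, 5, 1), date(2019, 8, 15), MEDICAL),
    Item("/records/patient-0002.pdf", date(2015, 1, 10), date(2015, 1, 10), MEDICAL),
    Item("/finance/return-2019.xlsx", date(2020, 2, 29), date(2020, 2, 29), TAX),
    Item("/marketing/leads-q1.csv", date(2023, 1, 3), date(2023, 3, 31), PERSONAL),
]


def run(today: date = date(2024, 6, 1)) -> dict[str, str]:
    """Map each sample item to the action due on 'today'."""
    return {item.path: evaluate(item, today) for item in ITEMS}


if __name__ == "__main__":
    for path, action in run().items():
        print(f"{action:19} {path}")
```

With the assumed evaluation date of 1 June 2024, the first patient record is retained even though it was created in 2017, because its retention clock restarted when it was last modified in 2019; the second has expired and is routed to a reviewer rather than deleted outright, which is the safeguard the disposition review provides; the tax record, whose period started on a leap day, is due for automatic deletion.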
By incorporating Purview sensitivity labels, retention labels and DLP policies, your organisation can address these legal and regulatory requirements, ensuring comprehensive data protection and compliance across various standards and regulations.
If you want to discuss Purview's capabilities in more detail or are interested in running a pilot project with support from Bridewell, please get in touch. For more on this topic, we also recommend our Microsoft Purview webinar.