Priva Plus Compliance Manager

In this month’s webinar we covered Priva, Microsoft’s cloud solution for managing data privacy. Data privacy may not be the spiciest topic in information security or compliance, but it plays a crucial role in the ever-changing tangle of regulation. Sure, you’re building for HIPAA and PCI-DSS, but are you ready for CDPA, CPRA, or CPA?

If you don’t know those acronyms (Virginia’s Consumer Data Protection Act, the California Privacy Rights Act, and the Colorado Privacy Act), they’re rushing to meet you as US states prepare to begin enforcing new privacy regulations in 2023. So far five states have committed to bringing privacy laws into force over the next 13 months, and four of them impose new requirements to perform “privacy impact assessments” and to let consumers opt out of the sale of their personal data.

Some go much further, but all of them grant consumers the right to ask what information a company holds about them. Several borrow GDPR-like language on the rights to export and transfer data and to be forgotten (deleted). Critically, all of them set similar time limits both for servicing those requests and for fixing any issues the requests uncover.

Picture showing list of state privacy regulations & requirements

Perhaps we rang the alarm bells too loudly for US organizations when GDPR arrived in 2018, but this time they can’t be ignored: penalties can become substantial if data is breached, over-shared, or intentionally abused. And just as with GDPR, we expect US regulators and courts to make early examples that show how seriously privacy is taken. Google just agreed to a $391M settlement because it kept collecting user location data after telling users it had stopped. Google can afford that bill; not many of us can.

Privacy impact assessments will consume a substantial share of IT attention over the next 18 months, and they will involve a lot of manual effort: assigning roles and responsibilities, assessing existing content, and also assessing the business processes that collect, process, and store that content.

We covered most of the ins and outs of that in the webinar, but what we didn’t talk about was how Compliance Manager, a component of Microsoft’s Purview compliance solution, is poised to help with the process element.

We’ve discussed Compliance Manager in the past and covered it extensively in a couple of separate webinars. One of its key capabilities is letting organizations activate assessments for the regulations with which they must comply, and those assessments are conveniently named to match the legal framework. Well, it turns out the regulations we discussed in the webinar are available as assessment templates in Compliance Manager right now!

Picture showing Compliance Manager's list of assessment templates in Microsoft Priva

Activating these assessment templates, in conjunction with Priva, will save substantial time in discovering and understanding both the data you hold and the processes by which you manage it. Compliance Manager also tracks your improvement actions across multiple assessments, so a control you complete once counts toward every assessment that shares it, and you don’t have to log the same work twice.