The General Data Protection Regulation (GDPR) is a new European Union (EU) privacy law that took effect on May 25, 2018. Designed to give individuals control over their personal data, it’s an important step forward in helping protect individual privacy and data rights. The GDPR applies to organizations based in the EU, as well as any organization located elsewhere that sells goods and services in the EU or processes or monitors the personal data of individuals in the EU. It has significant implications for health organizations because the GDPR treats health data as a “special category” of personal data that is considered sensitive by its nature.
The GDPR presents a unique set of challenges for health organizations. While the healthcare sector is used to strict data protection requirements and intense regulatory oversight, the GDPR imposes more expansive data subject rights that present new requirements for many organizations. Because of the GDPR’s emphasis on these rights, many health organizations will need to thoroughly reexamine their data flows, data stores, and privacy processes.
Microsoft 365: Uniquely positioned to help
As regulations become more complex and cyberattacks increase, health organizations need a proactive and intelligent way to manage personal data compliance. Microsoft 365 combines Windows 10, Office 365, and Enterprise Mobility + Security into an integrated, complete solution with built-in tools and resources to meet GDPR identification, categorization, management, and reporting requirements.
Microsoft employs artificial intelligence and machine learning to support unified retention policies across Microsoft 365, which help health teams automate, implement, and monitor data governance policies. With just a few clicks, an administrator can create a retention policy and apply it as broadly or as specifically as needed across Exchange, SharePoint, OneDrive for Business, and Skype for Business content. Machine learning and cloud intelligence from Microsoft also help health organizations identify and retain important data, perform more efficient document reviews, and prevent accidental sharing of sensitive information, while making it easier to eliminate trivial, redundant, and obsolete data that could pose a risk if compromised.
Protect sensitive health data
Health organizations have a moral imperative to be good stewards of sensitive health data. With Microsoft 365, you can identify and automatically protect sensitive information and help prevent its inadvertent disclosure. Our unique platform approach includes data governance and protection across devices and apps, both on-premises and in the cloud:
- Identity and access management to protect user identities and control access to networks and other resources based on user risk level
- Information protection that helps secure sensitive data across devices, apps, cloud services, and on-premises systems, with integrated data governance
- Threat protection that provides defenses against advanced threats and helps you recover quickly after an attack
Assess and manage compliance risk
Compliance requirements, especially in a highly regulated industry such as healthcare, can be complex to interpret, labor intensive to implement, and difficult to monitor. With regulations evolving all the time, understanding your current state of compliance risk can be difficult, on top of the expense and challenge of figuring out what to do about it. Microsoft Compliance Manager, a feature of Microsoft 365, assesses your current compliance risk and provides actionable insights to improve your compliance posture.
Because the GDPR provides for expansive data subject rights and allows people to request all their sensitive data, grants them the right to have their data deleted, and requires organizations to notify people of breaches within 72 hours, the regulation demands an unprecedented level of efficiency. With Microsoft 365, health organizations can quickly identify relevant data with predictive coding that enables them to automatically distinguish between relevant and non-relevant documents. This also makes it easier to investigate, hold, and refine data relevant to regulatory investigations, medical research, or malpractice actions, reducing the time required for discovery and the cost of legal resources to perform extensive analysis of less relevant or duplicative records.