Insights

Data protection and information governance has quickly become a pressing issue for every organisation.

The data footprint of every organisation is growing constantly, unless there are conscious efforts and processes in place to reduce this. Some of this data will be sensitive, which means there is a risk of storing that information. With cyber attacks or insider risks posing threats to an organisation’s data, it’s never been more important to consider our data protection and information governance.

In this insightful Q&A, we speak with Jason Lee, our Collaboration and Information Management Lead, to delve into the key challenges that organisations encounter and explore effective solutions.

You have the option to either watch the video interview or read the written transcript below.

1 - What is data protection and information governance and which organisations should be thinking about it?

“OK, so the way I look at it, if cyber security is about stopping the wrong people from getting access to your data, then data protection and governance is about stopping the right people from doing the wrong thing with your data.

That could be anything from stopping people from inadvertently sharing sensitive data outside your organisation. It could be making sure sensitive files are encrypted and can’t be forwarded. Or it could be life cycle management, it could be making sure you are only keeping things for as long as you need.

This will affect every organisation to some extent. So some organisations are more heavily regulated than others, but every organisation looks after some sensitive data, HR data for example, so everyone needs to think about data protection and governance.”

2 - What's an example of a common data protection challenge or information governance challenge that are organisations are facing with this - knowingly or unknowingly?

“Well, the biggest problem is usually what we call dark data. So that’s data that’s unstructured, which is files and emails. There’s no clear
ownership, there’s no organisational understanding of what it is, where it is, and otherwise it’s probably sat in a file share somewhere.

And really, if you don’t understand what data you’re storing, then how can you manage it effectively? How can you make sure that you’re retaining the stuff that you need to retain, and probably even more importantly, deleting the stuff that you’re obliged to delete?”

3 - Until recently, there was a ‘store everything’ attitude to data. What’s changed?

“Yeah, there was the “storage is cheap, why can’t we just keep everything forever?” argument.

To be clear, that was never a good idea, but we are seeing better recognition of that now. And I think the main reason behind that is an increasing focus on privacy, increasing awareness of our obligations around data privacy regulations like GDPR—which obviously have a part to play in that.

So there are a few points to think about here:

• So the first one is cost and the notion that “storage is cheap”. Storage really isn’t that cheap anymore. The volume of data organisations store is exponentially growing. Robust cloud storage can cost you significant money. To anyone who’s pricing up additional storage for Microsoft 365, for SharePoint Online, or sizing discs for virtual machines in Azure, you’re going to know that storage isn’t cheap anymore.
• The next thing to think about is data quality. So your users are searching files and emails to find relevant information. So you might even be looking at AI tools, things like Copilot for Microsoft 365 to boost your productivity. If you’re storing information that’s out of date, inaccurate, duplicated, potentially litigious, whatever it might be – you’re not going to get good results from that search or from that from that AI platform. So in other words, your signal to noise ratio is going to be poor, so keeping only what you really need to keep can boost effectiveness there.
• Final point to think about here would be your responsibilities and risks. So every piece of sensitive information you’re storing comes with a responsibility. It’s on you to make sure you’re managing it properly. It also carries a risk. Every piece of information carries a risk. There’s a risk that if you suffer a data leak or security breach, that information will be exposed. By only keeping what you need to, you’re managing and minimising that risk.”

4 - Who is Responsible for data protection, data strategy and data processes in an organisation?

“So that’s probably going to depend on the size of your organisation. So if you’re in a large organisation, you’ve typically got dedicated people or teams who are trained and have expertise in compliance and regulatory issues, and that’s typically distinct from IT operations and IT leadership.

In smaller organisations, it’s probably more fluid, so it’s typically going to fall to the execs or to leaders of teams who have specific data
protection requirements. So usually you’ve got HR teams, finance teams, and they’re both storing specific types of sensitive data that need to be managed, retained or deleted after a specified period.

I think my key message will probably be “don’t just assume IT will take care of it”.

So your IT team, they’re good at making sure you have storage available, that information is stored securely, that everything’s backed up, and so on. But they’re not necessarily the people who will know what information is sensitive and what information isn’t, what information you need to keep and for how long, and what information you need to delete etc., if that makes sense.”

5 - With organisations more stretched than ever, is it unrealistic to expect organisations to unpick years of data?

“I think to some extent you’ve just got to take your medicine on this one. So the chances are if you are still keeping absolutely everything, your data storage is going to be growing exponentially.

So this problem will get harder and harder to tackle. So start somewhere. It’s always going to be an ongoing process rather than an overnight task, and there are tools that can help.

So in Microsoft Purview, we can set up rules to pinpoint sensitive content. We can trawl your SharePoint sites, your OneDrives, find out where you’re storing the content that needs to be managed, and we can also look at broader data governance capabilities, identify dormant content that could potentially be deleted, and so on.

So there are tools that can help.”

6 - What are the key steps to improving data protection and governance?

“OK, so the the first step really has to be building an understanding of what you’re storing and where. So Microsoft call this “Know your data”.

Classification has got a big part to play here. So if we’re getting our users to label content based on sensitivity and we’re then reporting on where that label is showing up, then we’re starting to build that picture of “OK, where are we storing what types of sensitive
information”.

So there are some automation approaches we can we can bring to power on that as well. So that discovery phase is really key to start building that picture, building that understanding of where your sensitive information is.

Once you’ve got a good understanding, or a growing understanding of what you’re storing and where, then you can start introducing protection and prevention.

So protection is about looking at those files and emails, or the SharePoint sites and teams, that contain sensitive information and putting additional protections in place. So that could be things like encryption, rights management on files and emails, additional access
constraints on SharePoint sites and teams.

On the prevention side of things, this is about preventing data leaks, so detecting when sensitive information is being shared inappropriately, when someone might be sharing a file with someone from outside the organisation, and putting controls in place to stop that. So this is all about Data Loss Prevention, or DLP, and Insider Risk Management.

We’d also want to introduce some data governance, so making sure that you’re keeping the information needs to be kept, deleting the content that needs to be deleted, and so on.”

7 - What are some general data protection principles and best practices?

“I think the first thing is to have some clear accountability for data protection governance in your organisation. So, make sure everyone knows their responsibilities, who’s responsible for what.

Secondly, let’s make sure that policy leads the technology. It should always be that way around. So get your information classification policies, your data handling policies, get them right on paper, and let that guide the technology.

On the technology side, I think the first thing to do is ensure that you follow sound information management practices, so organising information based on who owns it and who needs what level of access to it.

Every piece of information you’re storing should have an owner, so that’s the person responsible for making sure it’s accurate, up-to-date, not duplicated, not out of date, not litigious, and so on. If a piece of information doesn’t have an owner, then why are you keeping it?

Next, I’d say consolidate your file storage. So we’re Microsoft cloud specialists, and we’re obviously going to favour Microsoft 365. If you can move your file share content into OneDrive for Business, into SharePoint Online, into Teams, you’ve then got far more tools available to manage and govern that content effectively.

So once you’ve done all that, then you’re really into that discover phase. So at that point, you’re looking at figuring out what information
you’re storing where, introducing classification to support that, and so on.”

8 - Which Microsoft compliance tools do we recommend to help organisations with data protection & governance?

“OK, so if you’re storing files and emails in Microsoft 365, you’ve already got access to a really solid set of tools.

So, Microsoft Purview gives you a fairly broad suite of compliance tools that covers things like Information Classification,
Information Protection with rights management, Data Loss Prevention, Insider Risk Management, Lifecycle Management and so on.

And depending on your licence level, you’re going to get different versions of these tools. So at Business Premium or E3, you’ve got the core versions, so you can classify based on sensitivity manually. You can apply retention labels, create retention policies, create basic DLP policies, etc.

And then at E5, it steps that up and gives you a really advanced set of capabilities in the same areas.

You’ve also got access to Microsoft Priva, which is priced as an add-on, and gives you access to some more specialised focused tools around privacy management and processing Subject Access Requests (SARs).”

9 - What are the latest data protection trends you're seeing, such as AI, automation and machine learning etc?

“OK, so AI is obviously the the hot topic everywhere in tech at the moment. It does have a role to play.

So in in Purview, we’ve got things like trainable classifiers. So these are machine learning algorithms that we train to recognise specific
types of sensitive content that can come in different formats. So things like invoices or CV’s. So we can recognise them, we can then use that to classify them, label them, and ensure they’re protected appropriately.

So how does the technology recognise sensitive content, such as credit card details, CV’s and invoices, etc?

Credit card details are actually much easier than things like CV’s and invoices. So a credit card number is very predictable. It’s it’s always 16
digits. It conforms to a checksum. It conforms to the Luhn algorithm. You’ve usually got some supporting information near it.

It will usually come with an expiration date as well. So, simple pattern matching using something called ‘sensitive information types’ is usually enough for that.

Things like CV’s, invoices, contracts are actually more challenging because you haven’t got those same predictable patterns, they come in all kinds of different formats.

If you think about the number of CV’s you’ve seen, and the different ways they’re presented and laid out, that needs a more flexible approach. That’s where that machine learning approach comes in, where you’re basically showing it several hundred examples of a CV, so it learns to recognise CV’s in different formats, and you’re using that to recognise and classify that content.

Can Microsoft Copilot help with data governance challenges?

OK, so I wouldn’t say Copilot can help with data governance. I think data governance can help with Copilot. So if you’re rolling out a generative AI tool like Copilot for Microsoft 365, it’s drawing on all the data you’ve got access to from across Microsoft 365, and anything else that you’ve connected to it.

You’re going to get better responses from Copilot if the data you’re storing is accurate and not duplicated, and it’s up to date, etc. So for example, if I ask Copilot a question about annual leave entitlements, but in SharePoint I’m storing four different versions of our annual leave policy, Copilot’s not going to know what to do with that. Chances are we’re going to get some bad advice.

So getting data governance right definitely plays a role in getting ready to make the most of tools like Copilot.”

10 - If nothing else, what’s the one thing that an organisation should do to improve data management?

“So this is a little bit subjective, but my advice would be to focus on information ownership. So start building that culture of every piece of information should have an owner, and start shifting your mindset from ‘keep everything forever’ to ‘do we have a good reason for keeping this piece of information?’ If not, delete it.”

11 - Where can people find out more on these topics?

“We recently ran a webinar. It’s called Solving Data Protection and Governance Challenges with Microsoft 365. It takes you through common data protection and governance challenges, and how we map different elements of Microsoft Purview and Microsoft Priva to meeting those challenges.”