In a global economy, compliance with the General Data Protection Regulation (GDPR) has been a big eye-opener. If you’re working with European citizens, residents, or organizations, GDPR compliance is critical.
Within the United States, as of January 2020, the California Consumer Privacy Act (CCPA) ensures similar protections to GDPR for California residents’ personal information. For businesses such as Withum, with a California office and clients, this is a standard that organizations are now responsible for maintaining.
Azure Information Protection (AIP) is a cloud-based solution that allows for the classification of content (such as emails and documents), based on sensitivity. This is done by applying labels. Labels can be applied automatically, manually, or via a combination of the two. AIP labels ensure information is protected and can help achieve compliance with measures such as GDPR, CCPA, NIST 800-171, CMMC and more.
When introducing any new technology, there will undoubtedly be an impact on your user base. Investing time to understand not only regulatory requirements, but the individual ‘why,’ benefits, and use cases for your team members will go a long way.
We’ve seen many organizations struggle with pushback that AIP is yet another IT thing they must do. The use of departmental or divisional pilot groups, as well as a phased rollout approach, helps identify potential disruptions before they affect hundreds or thousands of users. Pilots allow time to adjust change management strategies, communications, and settings of individual labels themselves.
It’s essential to pilot any protection or encryption associated with AIP, identifying all possible scenarios. Finance and Human Resources are excellent places for starting pilot groups, as they often interact with sensitive content.
1. Know your Microsoft licensing! Though this seems like an obvious piece of advice, there are BIG differences in functionality. For adoption and compliance, there is a lot of value in the premium Azure Information Protection plans. From automatically applying labels and scanning on-premises files for sensitive content to configuring specific conditions, these features can aid in ensuring compliance with GDPR, CCPA, NIST 800-171, CMMC and more. Microsoft provides a comprehensive checklist here.
2. Have a dedicated AIP team. As our own IT department at Withum can attest, this cannot be done alone. We partner with clients to guide them through this process and provide needed support. Reach out and let us know how we can help!
3. Azure Information Protection Unified Labeling is new. There are many features in preview and more become available daily. However, it’s worth noting that the bulk of the documentation you’ll come across is still centered on Azure Information Protection Classic.
4. Lastly, consider your organization’s environment. Are you all in on Microsoft, or are you using other content management platforms? Do you have other systems where you store sensitive information? Having a holistic picture of your IT landscape is crucial when considering licensing, configuration, as well as the adoption of AIP.