Compliance Manager and GDPR – “Data Subject Action Pattern”

Over the past week, I have spent my extra time reading over every article in the GDPR and how it maps to technology (or the lack thereof).
Today, Microsoft has released the Compliance Manager tool for individuals and organizations to use to “assess” their readiness for the upcoming GDPR articles that are supposed to go into effect on May 25th, 2018.  The interesting thing, or not, about this tool is. it is simply a check list of the articles from the GDPR.  In the future it will cover, NIST 800-53, ISO 27001, and ISO 27018.  It doesn’t not actually do any checks against your tenant like the Office Security Score tool does to tell you if you are in violation of anything…and nor should it.  This means…
You still have to do the compliance work!
In the absence of any other compliance management focused tools, this is a great start to helping you track most of the things you need to do.  Not only that, but being able to know when a particular article was last checked via the reports is a great way to ensure that a Data Protection Officer (DPO) is not forgetting their responsibilities to “data subjects”.   It should be noted that the Compliance Manager tool will not suffice for the “Certification” in article 42 of GDPR.  So you should still be prepared to pay an outside auditing firm to review your code of conduct, data flows, etc.  And if you want the full disclosure with T&Cs, you can review what Tina Ying (Office Marketing) wrote here. You can even watch a quick video on YouTube.
Some things I’d like to see added to the Compliance Manager:

1. Custom policy creation and tracking (for state legislation, etc)
2. Events that filter into the Office Graph or the Office 365 management api for when a compliance goal is met or the task has not been review in x period of time

As I’m sure you are painfully aware, there is a *huge* sales and marketing push by Microsoft and other tech vendors to take advantage of GDPR.  Funny thing is most of the people that bring it up haven’t even read the thing and really don’t know anything about it!  Which brings me to my next item to point out:
Office 365 is (will be) GDPR Compliant
The first thing you need to know about the phrase “Office 365 is GDPR compliant”, is that it means “Microsoft” will be covered, not you!  Office 365 cannot fix or make you compliant through a simple check list.  Microsoft is attempting to make all of their cloud services and products GDPR ready, and at some point they will be sharing everything they learned about their internal journey with us (hmm, I wonder what their Compliance Manager report looks like).  Don’t hold your breath here, by the time they share it with us, it will be too late for you!  If you are already familiar with Compliance Manager, you are probably saying “but they provide all these helpful actions for each article”.  Ok, some of these are valid and some are not.  The reality is that they only apply to Microsoft 365 cloud services and will not help you with all your systems outside of Microsoft 365.
So back to GDPR.  Have you read it?  I have…top to bottom and vice versa, 3 times, both versions.
What most people don’t realize is that each Member state can override certain articles to make them more strict (like national security, public interest, etc).  The date above is for all the changes that a Member State would like to be made to be integrated into their countries legal system.  What does that mean?
There could be 28 different versions of GDPR after May 25th, 2018!
The compliance manager will help you with the high level articles, but the details for each country will be a toss up and I’m pretty sure you won’t see 28 versions of GDPR in the compliance manager.
So that all being said…
What do you need to do to be GDPR compliant? 
A check list\tool can help, taking the time to read the articles is better, or, if you prefer not to put your legal hat on, having a consultant like me teach you what’s in it and how to mitigate potential violation(s) is best!
After you have an understanding of it, you will realize:
Its a lot. 
Development re-work, notification systems, records management…a lot.  And yes, I said Records Management.  When you look at the GDPR, it really is enforcing you to:
Implement a “case-based” system for “data subjects” across *all* your platforms.
Just as a side note, “Case-based” records management is a feature long absent from SharePoint or Office 365 “content services”.  And no, “Labels” will not help you whatsoever with GDPR.
So, net net, if you haven’t started yet, then you won’t make the deadline of May 25th, 2018 (which I’m guessing some countries won’t have the full set of articles legally integrated on that date so you may have more time depending where you or your data subject lives).
I will be posting a presentation soon (about 80% done) that reviews every article and what you should do (if anything) and how a Microsoft product or service “may” help you.  The more in-depth version of the presentation will go into development patterns and show you some simple things you can do to implement what I am coining as the “Data subject action pattern”
I will be speaking at DevIntersections about GDPR and how all these articles map to the various Azure technologies and how you must redesign your apps and your thinking to be able to support my new “Data subject action pattern“.
Enjoy!
Chris