Section 17 – Implement and manage privacy requirements by using Microsoft Priva

Configure and maintain privacy risk management

If you don’t Privacy Risk Management, you can enable the trial from the overview page

Then add permission you need

Role group	Description	Roles
Privacy Management	This role group contains all the Priva permission roles in a single group. This group may be a good fit for organizations where the same individual performs all duties. Members of this group have full access to all features of Priva for which you hold a license. We recommend always having at least one active member of this group.	Case Management – Data Classification Content Viewer – Data Classification List Viewer – Privacy Management Admin – Privacy Management Analysis – Privacy Management Investigation – Privacy Management Permanent Contribution – Privacy Management Temporary Contribution – Privacy Management Viewer – Subject Rights Request Admin – View-Only Case
Privacy Management Administrators	Members have broad access to Priva functions, including permissions and settings, and creating, reading, updating, and deleting Privacy Risk Management policies.	Case Management Privacy Management Admin View-Only Case
Privacy Management Analysts	Members act as case analysts. They can investigate policy matches, view file metadata, and take remediation actions. Members can’t access content items.	Case Management Data Classification List Viewer Privacy Management Analysis View-Only Case
Privacy Management Investigators	Members act as data investigators. They can investigate policy matches, view associated file content, and take remediation actions. Members can access content items.	Case Management Data Classification Content Viewer Data Classification List Viewer Privacy Management Investigation View-Only Case
Privacy Management Viewer	Members can view analytical information in Priva; for example, the Overview page, Data profile page, and subject rights request reports.	Privacy Management Viewer
Privacy Management Contributors	When you add a user as a collaborator on a subject rights request, they automatically get added as a member of this role group. Learn more about adding collaborators on subject rights requests.	Privacy Management Temporary Contribution Privacy Management Permanent Contribution
Subject Rights Request Administrators	Members have full rights to create and manage subject rights requests, and can add approvers for requests.	Subject Rights Request Admin
Subject Rights Request Approvers	Members can approve subject rights requests to which they’ve been added as an approver.

Priva Privacy Risk Management helps you safeguard personal data in your Microsoft 365 environment. It automatically detects risks and guides users towards fixing them.

Key benefits:

• Find exposed data: Secure sensitive information by identifying data with overly broad access permissions.
• Control data transfers: Monitor and limit transfers of personal data across departments, regions, or outside your organization.
• Minimize data storage: Reduce the amount of unused personal data you store, lowering privacy risks.

Easy to Use:

• Pre-built policy templates get you started quickly.
• Customize policies to fit your specific needs.
• Clear alerts inform admins about potential issues.

User-Friendly Remediation:

• Users receive email or Teams notifications directly.
• Notifications include recommended actions and links to your training materials.

Create and manage Privacy Risk Management policies

Stage	Description	Action Items
Understanding Needs	Identify key data privacy risks in your organization.	Review compliance requirements. Identify sensitive data types you handle. Analyze potential data exposure scenarios (e.g., overly broad access permissions).
Selecting Policy Templates	Choose pre-built templates to address your most pressing data privacy concerns.	Data Overexposure: Identifies content with personal data at risk of unauthorized access. Data Transfers: Monitors and restricts personal data movement across departments, regions, or outside your organization. Data Minimization: Detects and helps eliminate unused personal data stored in your systems.
Customizing Templates (Optional)	Fine-tune template settings for a tailored approach.	Define specific data types to monitor (e.g., Social Security numbers, credit card numbers). Select user groups or departments the policy applies to. Designate locations within Microsoft 365 to scan for data matches (e.g., Exchange, OneDrive, SharePoint). Set conditions for triggering policy alerts (e.g., number of data instances, time since last access). Choose notification methods (email or Teams) to guide users in resolving issues.
Creating and Testing Policies	Build your policies and test functionality in a safe environment.	Use the policy creation wizard in Microsoft Purview compliance portal. Set alert frequency and thresholds to manage notification volume. Define alert severity levels (Low, Medium, High) based on urgency. Activate test mode to simulate policy behavior and review insights. Refine settings based on test results to optimize policy effectiveness.
Deploying Policies	Turn on policies to automate risk detection and user notifications.	Review policy settings for accuracy. Activate policies once testing is complete. Monitor alerts for potential data privacy issues.
User Awareness and Training	Encourage responsible data handling practices within your organization.	Leverage user notifications with clear guidance on resolving identified issues. Provide links to relevant training materials on data handling best practices. Encourage users to report potential privacy concerns.

Data Overexposure Quick Setup Guide

Feature	Description	Steps
Default Data Overexposure Policy	Identifies personal data with overly broad access levels (Public, External, Internal) in OneDrive or SharePoint.	1. Go to Microsoft Purview compliance portal. 2. Navigate to Priva Privacy Risk Management > Policies. 3. Click “Create a policy”. 4. Select “Data Overexposure” and “Create”. 5. (Optional) Review default settings. 6. Enter a descriptive policy name and select “Create policy”.
Custom Data Overexposure Policy	Create a tailored policy by defining data types, user groups, locations, and notification preferences.	1. Go to Microsoft Purview compliance portal. 2. Navigate to Priva Privacy Risk Management > Policies. 3. Click “Create a policy” and select “Custom”. 4. Choose “Data Overexposure” template and enter a policy name (optional description). 5. On “Data to monitor” page, select data types (classification groups or individual types). 6. On “Users and groups” page, define who the policy applies to (all users/groups or specific ones). 7. On “Locations” page, choose locations to scan (OneDrive, SharePoint sites – all or specific). 8. On “Conditions” page, select access levels to detect (Public, External, Internal). 9. On “Outcomes” page, choose to send user email notifications with remediation steps and training link (optional). 10. On “Alerts” page, configure admin alerts (frequency, thresholds, severity). 11. On “Mode” page, choose “Test it out first” or “Turn it on right away”. 12. Review settings and select “Submit” to create the policy.

Data transfer policy Quick Setup Guide

Feature	Description	Steps
Default Data Transfer Policy	Identifies personal data transfers outside your organization (emails, OneDrive/SharePoint links or file movement, Teams chats).	1. Go to Microsoft Purview compliance portal. 2. Navigate to Priva Privacy Risk Management > Policies. 3. Click “Create a policy”. 4. Select “Data Transfers” and “Create”. 5. (Optional) Review default settings. 6. Enter a descriptive policy name and select “Create policy”.
Custom Data Transfer Policy	Create a tailored policy by defining data types, user groups, locations, transfer conditions, and notification preferences.	1. Go to Microsoft Purview compliance portal. 2. Navigate to Priva Privacy Risk Management > Policies. 3. Click “Create a policy” and select “Custom”. 4. Choose “Data Transfers” template and enter a policy name (optional description). 5. On “Data to monitor” page, select data types (classification groups or individual types). 6. On “Users and groups” page, define who the policy applies to (all users/groups or specific ones). 7. On “Locations” page, choose locations to scan (Exchange, OneDrive, SharePoint, Teams). 8. On “Conditions” page, select data transfer types to detect (outside org, across regions, between users/groups/sites). 9. On “Outcomes” page, choose user notification methods (Teams tips, email with remediation steps and training link). 10. On “Alerts” page, configure admin alerts (frequency, thresholds, severity). 11. On “Mode” page, choose “Test it out first” or “Turn it on right away”. 12. Review settings and select “Submit” to create the policy.

Data minimization Quick Setup Guide

Feature	Description	Steps
Default Data Minimization Policy	Identifies inactive content with personal data untouched for at least 30 days (Exchange, OneDrive, SharePoint, Teams).	1. Go to Microsoft Purview compliance portal. 2. Navigate to Priva Privacy Risk Management > Policies. 3. Click “Create a policy”. 4. Select “Data Minimization” and “Create”. 5. (Optional) Review default settings (data detection after 30 days of inactivity). 6. Enter a descriptive policy name and select “Create policy”.
Custom Data Minimization Policy	Create a tailored policy by defining data types, user groups, locations, and the inactivity period for data detection.	1. Go to Microsoft Purview compliance portal. 2. Navigate to Priva Privacy Risk Management > Policies. 3. Click “Create a policy” and select “Custom”. 4. Choose “Data Minimization” template and enter a policy name (optional description). 5. On “Data to monitor” page, select data types (classification groups or individual types). 6. On “Users and groups” page, define who the policy applies to (all users/groups or specific ones). 7. On “Locations” page, choose locations to scan (Exchange, OneDrive, SharePoint, Teams). 8. On “Conditions” page, set the inactivity threshold (30, 60, 90, or 120 days since last modification). 9. On “Outcomes” page, choose user notification methods (email with remediation steps and training link). 10. On “Alerts” page, configure admin alerts (frequency, thresholds, severity). 11. On “Mode” page, choose “Test it out first” or “Turn it on right away”. 12. Review settings and select “Submit” to create the policy.

Custom policy page

Identify and monitor potential risks involving personal data

Data Overexposure: Identifies content with personal data at risk of unauthorized access.

Data Transfers: Monitors and restricts personal data movement across departments, regions, or outside your organization.

Data Minimization: Detects and helps eliminate unused personal data stored in your systems.

What data should your policy look for?

Priva Privacy Risk Management offers several ways to define the data your policies will monitor:

1. Classification Groups:

• Pre-defined categories of sensitive information types, like regulations (HIPAA) or locations (Australia).
• Choose from the list or search for specific groups.
• See which sensitive information types are included within a group (click “View”).
• Add or remove groups using the checkboxes and “Add” button.

2. Individual Sensitive Information Types:

• Specific data points like Social Security numbers or email addresses.
• Create custom groups of sensitive information types.
• Choose from the list or search for specific types.
• After selecting types, edit the group name (optional).
• See details and configure settings for each type (info icon).
• Set the “instance count” – the minimum number of detected instances to trigger a policy alert.
• Combine multiple groups using “and” or “or” logic and define their order of evaluation.

3. Trainable Classifiers (Machine Learning):

• Automatically identify categories of sensitive content using machine learning.
• Similar to Individual Types, create custom groups.
• Search for or choose classifiers from the list, including custom ones created by your organization.
• Note: A group can contain both types and classifiers.
• When a classifier detects sensitive content, it’s counted as one match per item.
• Each instance of a sensitive type within an item is considered a separate match.
• There are limitations on alert thresholds when using trainable classifiers (see “Alert frequency and thresholds” for details).

Choosing the Right Approach:

• Flexibility: Individual Types or Trainable Classifiers offer the most customization.
• Common Standards: Classification Groups are useful for adhering to established data protection regulations.

Remember: You cannot combine Classification Groups with Individual Types or create custom groups within Classification Groups.

Evaluate and remediate alerts and issues

This table focuses on actions you can take at each stage, making it easier to navigate the process of viewing and managing alerts and issues in Priva.

Feature	Action	Details
Monitor Policy Matches	1. View “Overview” page. 2. Check “Policies” page for details.	Get a quick view of recent findings and active alerts related to policy matches.
Review Alerts	1. Go to “Policies” page. 2. Select “View alerts”. 3. Choose an alert for details.	See a filtered list of alerts triggered by policies. Analyze details like severity and involved files.
Manage Alerts	1. Select an alert. 2. Choose “Create issue” for investigation. 3. “Dismiss alerts” for non-critical ones. 4. “Modify alerts” to adjust frequency/thresholds.	– Flag alerts requiring further action as “issues.” – Dismiss non-critical alerts. – Fine-tune alert triggers for a policy.
View Issues	1. Go to “Issues” page.	See a prioritized list (high, medium, low, unassigned) of open issues stemming from alert assessments.
Resolve Issues	1. Select an issue. 2. Collaborate via Teams, email, or link sharing (optional). 3. “Review content” for associated files. 4. Choose “Remediate” actions. 5. “Resolve” after remediation.	– Gather input from others (optional). – Review files linked to the issue. – Take corrective actions like notifying owners, applying labels, marking false positives, deleting data (minimization), or making private (overexposure/transfer). – Close the issue with final comments after addressing it.
Issue Details	(For in-depth information when reviewing an issue)	Access detailed information on the issue through dedicated tabs, including: – Overview: Current status, next steps, content summary, related policy, alert details, and a timeline. – Alerts: List of alerts associated with the issue. – Content: Filterable list of related content items with details and remediation history (if any). – Notes: Add or view notes for your team. – Collaborators: Manage collaborators who can help resolve the issue.

Implement and manage subject rights requests

Be sure you have the permissions

Subject Rights Request Administrators	Members have full rights to create and manage subject rights requests, and can add approvers for requests.	Subject Rights Request Admin
Subject Rights Request Approvers	Members can approve subject rights requests to which they’ve been added as an approver.

Track the progress of your data subject requests with these key stages:

1. Data Estimate:
   • Priva analyzes the request and estimates the amount of relevant data.
   • Depending on the volume, the request may automatically proceed to data retrieval.
   • You can pause the process here to review the estimate before data collection (learn more about data estimate and retrieval).
2. Data Retrieval:
   • Priva gathers all relevant content, including files, emails, chats, and images.
   • Once complete, the request automatically moves to data review.
   • (See data estimate and retrieval for more details).
3. Review Data:
   • Collaborators examine the collected data and identify items related to the request.
   • This stage may involve redacting content and adding case notes (learn more about reviewing data).
   • For delete requests, an additional approval step occurs within data review (see creating and managing delete requests).
   • After review, manually advance to report generation.
4. Generate Reports:
   • Once data review is complete, a user manually initiates this stage.
   • Priva creates reports for the data subject (including the data package) and your organization’s records (learn more about generating reports).
5. Close the Request:
   • When all tasks are finished, close the request to mark it as complete (refer to generating reports for closing the request).

Setup Method	Description	Benefits	Considerations
Quick Setup (Template)	Pre-configured templates for Data Access, Export, or Tagged for Further Action requests.	– Fast and easy to use. – Tailored search settings based on data subject relationship (current/former employee, customer, etc.).	– Limited customization options. – Default settings may not be ideal for all requests.
Custom Setup (Guided Process)	Step-by-step wizard for creating a request with full control over settings.	– Highly customizable. – Ability to define search locations, search terms, and data estimate options.	– Requires more setup time compared to templates.

Additional Information:

• Exploring Functionality with Your Information: Use your own information to test the request workflow and become familiar with each stage.
• Data Estimate: Before retrieving data, Priva calculates an estimated amount based on your search parameters. You can choose to pause the process here for review. (See Data Estimate and Retrieval for details).
• Reviewing Data: Collaborators examine collected data, identify relevant items, and perform actions like redacting content. (See Reviewing Data for a Subject Rights Request for details).
• Closing the Request: Once all tasks are completed, mark the request as closed. (Refer to Generating Reports for closing the request).

Tips:

• Sort your request list by “Relation to Org” to see requests grouped by data subject relationship.
• Use advanced search options within templates to refine search results.
• Refer to specific resources linked throughout the table for detailed information on each stage of the process.

Select the setup method that best suits your needs. If you need a quick and basic request, a template might be sufficient. However, if you require more control over search parameters and data retrieval, choose the custom setup.

Closure

Priva Privacy Risk Management: Key Points

Function:

• Automatic data privacy risk detection and remediation guidance within Microsoft 365.

Benefits:

• Identify exposed data with overly broad access.
• Monitor and control data transfers.
• Minimize storage of unused personal data.

Configuration:

• Enable trial (if needed).
• Assign roles (predefined or custom) for permission control.

Policy Management:

• Three policy types: Data Overexposure, Transfers, Minimization.
• Define scope (data types, users, locations, notifications).
• Configure alerts (frequency, thresholds).
• Test, deploy, monitor, and maintain policies.

Subject Rights Requests:

• Requires specific permissions.
• Stages: Estimate, Retrieval, Review, Report, Close.
• Choose quick setup (templates) or custom setup for control.

Overall:

• Manage permissions, create/manage data privacy policies, and handle subject rights requests effectively.

Link to main post

Thank you!

That it! One more study guide in the books, now SC-100, SC-200, SC-300, SC-400 and AZ-500 are complete but I think I will start to update my AZ-500 and SC-300 from this day forward.

For this last post I will like to thank you all for reading and supporting. All the feedback is more than welcome from my audience because you are the ones that these post are for. Raising the community, because the community raised me!

Stay tuned!