Learn about Priva Privacy Risk Management

Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management’s policies are meant to be internal guides and can help you:

  • Detect overexposed personal data so that users can secure it
  • Spot and limit transfers of personal data across departments or regional borders
  • Help users identify and reduce the amount of unused personal data that you store

Privacy Risk Management’s built-in templates for these scenarios give you an easy start on policy building. You can also fine-tune your approach through creating custom policies, using any of these templates as a starting point.

When policy matches are found, your admins can review alerts about the findings and make decisions about how to handle the data by creating issues for further action by your users. To learn more, see Investigate and remediate alerts in Privacy Risk Management. You can also configure email notifications and, for supported policy types, Teams notifications to notify your content owners directly about policy matches. They can take corrective action from these notifications and learn more about best practices for handling data with links you provide to your own training materials. For more information, see Send user notifications in Privacy Risk Management.

Learn about key risk scenarios

Privacy Risk Management's policy options help you address three key areas of privacy concern. Whether you're using a default template or customizing it to meet specific needs, Privacy Risk Management can help you find issues in these areas and guide your users through recommended steps for remediation.

Limit data overexposure

Data overexposure policies can help you detect and handle situations in which data that your organization has stored is insufficiently secure. For example, if access to an internal site is open to too many people or your permissions settings have not been maintained, personal data stored on that site may be vulnerable to a breach. Data overexposure policies can evaluate your data for these risks and alert you to potential issues.

Privacy Risk Management can alert you about data overexposure for content items that are accessible to the public or have their access restricted by your organization. Privacy Risk Management also offers remediation options that help your users resolve any issues that are found. For data overexposure, these include making content items private, notifying content owners, or tagging items for further review.

Find and mitigate data transfers

Transferring data across departments or regional borders can increase the risk of data exposure. For example, if the data is sent via unencrypted mails or to unauthorized recipients, the data may no longer be secure. Data transfer activities like these can have regulatory impact or may violate established organizational privacy practices. Using data transfer policies in Privacy Risk Management can help you spot and limit such transfers.

Data transfer policies allow you to monitor for transfers between different world regions or between departments in your organization. When policy matches are found, remediation options include making content items private, notifying content owners, or tagging items for further review.

Minimize stored data

Over time, companies can collect large amounts of personal data from customers or employees. Sometimes this includes data that no longer needs to be stored and is being unused. This type of data should be reduced to limit privacy risks. Data minimization policies can be used to address risks of this type.

Data minimization policies allow you to look for data that your organization has been storing for at least a certain length of time. This can help you manage your ongoing storage practices. When policy matches are found, remediation options include marking items for deletion, notifying content owners, or tagging items for further review.

Microsoft Priva legal disclaimer