Trial user guide: Microsoft Priva

Welcome to the Microsoft Priva trial user guide.

With the privacy and regulatory landscape continuously evolving, keeping privacy and data protection top of mind has become imperative for organizations. This guide will help you make the most of your free trial by helping you safeguard your personal data and build a privacy-resilient workplace.

Using Microsoft recommendations, you’ll learn how Microsoft Priva can help you:

• Proactively identify and protect against privacy risks such as data hoarding, data transfers, and data oversharing.
• Automate and manage subject requests at scale.
• Empower your employees to make smart data handling decisions.

Let's get started

Microsoft Priva consists of two solutions, Privacy Risk Management and Subject Rights Requests, both of which can be trialed and purchased separately. Licensing and purchasing details can be found on Microsoft.com.

Privacy Risk Management

Priva Privacy Risk Management gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you:

• Detect overexposed personal data so that users can secure it.
• Spot and limit transfers of personal data across departments or regional borders.
• Help users identify and reduce the amount of unused personal data that you store.

Privacy Risk Management offers built-in templates for these scenarios to help you easily create policies. You can also fine tune your approach by creating custom policies, using any of these templates as a starting point. When policy matches are found, admins can review alerts about the findings and make decisions about how to handle the data by creating issues for further action by your users. You can also configure email notifications and, for supported policy types, Teams notifications to notify your content owners directly about policy matches. They can take corrective action from these notifications and learn more about best practices for handling data with links you provide to your own training materials.

Subject Rights Requests

Several privacy regulations around the world grant individuals—or data subjects—the right to make requests to review or manage the personal data that companies have collected about them. These subject rights requests are also referred to as data subject requests (DSRs), data subject access requests (DSARs), or consumer rights requests. For companies that store large amounts of information, finding the relevant data can be a formidable task. For most organizations, fulfilling the requests is a highly manual and time-consuming process.

The Microsoft Priva Subject Rights Requests solution is designed to help alleviate the complexity and length of time involved in responding to data subject inquires. We provide automation, insights, and workflows to help organizations fulfill requests more confidently and efficiently.

Start your Microsoft Priva trial

If you are ready to begin using Microsoft Priva, follow these steps to set up prerequisites and get started exploring privacy insights.

1. Confirm subscriptions and licensing
2. Set user permissions and assign roles
3. Select Start trialand the following will be done for you:
   • Priva trial licenses are enabled (this happens in real time)
   • Privacy insights are generated (this takes 24 hours)

Start finding and visualizing privacy risks

Priva helps you understand the data your organization stores by automating discovery of personal data assets and providing visualizations of essential information. These visualizations can be found on the overview and data profile pages.

To begin, go to the Priva section of the Microsoft Purview compliance portal and view these pages:

1. Overview: Provides an overall view into your organization’s data in Microsoft 365. Privacy administrators can monitor trends and activities, identify and investigate potential risks involving personal data, and springboard into key activities like policy management or subject rights request actions.
2. Data profile: Provides a snapshot of the personal data your organization stores in Microsoft 365. This page helps you visualize where personal data lives, what types are the most prevalent in your organization, and how many different types exist across locations in your Microsoft 365 environment. You can also explore personal data from this location.

Priva Privacy Risk Management Policies

Priva Privacy Risk Management policies can help you address risk scenarios that are important to your organization. Our policy templates are centered on fostering sound data handling practices. Alerts let admins know when policy matches are detected and might need further investigation. Email notifications and tips in Microsoft Teams help users understand which activities carry privacy risks, allows users to immediately fix issues, and points them to privacy training.

To start quickly, use a template with default settings to create new policies for data overexposure, data transfers, and data minimization and scenarios. You can also customize template settings to create policies that suit your organization's needs.

Learn how to do everything from quick policy setup to editing and deleting policies on the create and manage policies page:

1. Quick policy setup using templates: most settings are chosen for you automatically to help you get up and running quickly.
2. Custom policy setup: Choose a template and then walk through each setting to customize your policy.
3. Setting alerts: Helps admins know when a user event matches a policy’s conditions. These are optional and you control how often alerts are generated, the threshold to generate them and the severity.
4. Testing a policy: Allows you to see insights before a policy is turned on so you can gauge a policy’s behavior and the type of alerts that may be generated.
5. Turning policies on or off: After monitoring in test mode, you can turn a policy on or turn off a policy at any time.
6. Editing policies: Edit the settings for a policy at any time whether it is in test mode or turned on.
7. Deleting policies: If you need to remove an existing Privacy Risk Management policy.

Investigate and remediate alerts in Privacy Risk Management

Microsoft Priva can help provide visibility into important discoveries from your data overexposure, data minimization, or data transfer policies. Within the Privacy Risk Management solution, admins can review alerts about content that matches your policy conditions. Reviewing alerts allows you to identify cases that need follow-up. You can do this by creating issues. Issues give your users a structured way to review content, assign the severity of the problem, and collaboratively work toward remediating issues.

The Investigate and remediate alerts page will provide information for the following actions:

1. View current alerts and issues: Priva’s Overview page provides a view into recent findings with updates about key areas of concern.
2. Manage alerts: Access your Alerts page to evaluate your active alerts and specify which ones require follow-up.
3. Manage issues: Issues are created by admins while assessing alerts about policy matches and can be resolved from the Issues page.
4. Review content and remediate issues: Review content associated with an issue, you can open the Content tab and see details about the file, any activities on record, and its remediation history, select Remediate to take one or more of the actions.

User notifications in Privacy Risk Management

When you set up a policy in Priva Privacy Risk Management, you can choose to notify users when their actions meet the conditions you set in the policy. There are two types of notifications: emails, which are available for all three policy types, and tips that appear in Teams, which are available only for the data transfer policy type. When you create or edit a policy, you can decide whether to turn on these notifications, how frequently to send them, and you can customize their content.

Sending notifications to users can be an important component in helping your organization meet its privacy goals. The notifications are designed to:

• Bring immediate awareness to users when their actions could expose personal data to privacy risks.
• Provide remediation methods directly within the emails, so that users can take swift action to protect data at risk.
• Direct users to your organization's privacy guidelines and best practices.

Explore user notifications to learn what you can set up in your organization:

1. Prepare training content for notifications: Including a link to privacy training is required if you choose to send user notifications when policy matches are detected.
2. Set user email notifications: Set up email notifications for all policy types when you create a new policy or edit an existing policy.
3. Send notifications in Teams: For data transfer policies, you can elect for users to receive policy tips and recommendations in secure Teams channels when a policy match is detected.
4. Preview and customize email content: When users receive email notifications about policy matches, they can follow prompts in the emails to immediately take corrective action. You can preview the email content and make your own changes when adjusting this setting in the policy creation or editing process.

Understand the Subject Rights Requests workflow

When you create a request in the Subject Rights Requests solution, the information you provide is used to look for matches about your data subject in your organization’s Microsoft 365 environment. Matched items are compiled for you to review, make choices about what to include, and redact information as necessary. Multiple users can collaborate on these steps within the Subject Rights Requests interface. The Overview page of the request provides status on the progress stages and guidance about the next steps to take.

Understand progress stages for requests and the requests details page

Select Priva Subject Rights Requests from the left navigation of the Microsoft Purview compliance portal to access the requests created by your organization and view their status.

Here you can get a snapshot of your request activity and any requests that require urgent attention based on the deadline set on the request. You can see which requests were created in this portal (origin: Microsoft 365) versus those which were created through the API (origin: External). You can also sort the list or group requests in your view by data subject residency, regulation, data subject relationship to the organization, and more.

The “Stage” column will show what step the corresponding request is in. Selecting a request will show an overview page tailored to help you see details about what stage the request is in to help guide you on what you need to do next.

Create a request and define search settings

Users will need the roles within the Subject Rights Request Administrators role group to create a request. There are two main ways you can create a request:

• From a template, a quick "out-of-box" option that uses tailored default settings; or
• The custom option, which is a guided process to walk through all settings.

Information to create a request and define search settings:

1. Understand request types: Priva Subject Rights Requests supports three different types of requests: access, export, tagged list for follow-up.
2. Getting started with your first request: A simple, out-of-box setup for your first request that uses default settings. This first run experience can help you explore the subject rights request workflow and get familiar with its functionality.
3. Data request templates: With just a few details, you can create a request using default settings and get up and running quickly. You can optionally edit these setting for additional flexibility.
4. Custom request: A guided process for creating a policy. Once you choose the custom template option, you can walk through each setting to customize your search.
5. Define search settings: You have the option to enhance what identifiers to use to find your data subject, as well as to better target your search by using search settings. You may also want to choose to get an estimate of your data before content items are retrieved, which allows you to preview results and edit your search query based on what you find. You can make those selections on the Search settings page of the request creation wizard.
6. Refining your search: Choose “Refine your search” on the Search settings page or edit your search query at the Data estimate stage, and you'll be prompted to provide details for personal attributes and have the option to set conditions to further target your search results.

Data estimate and retrieval

Once you create a request, Priva immediately begins to look for matches to the data subject in content within your Microsoft 365 environment. Once we've identified the items matching your criteria, you'll see the estimate in the Data estimate summary card on the request's Overview page, and the data estimate stage on the progress tile will switch to a checkmark. The amount of data within the scope of your search will affect the length of time it takes to complete the estimate.

Your request will move automatically to the next stage of Data retrieval, where all the content items are gathered together for stakeholders to collaborate on reviewing the data. In some instances, we'll pause the data estimate before moving onto retrieval and notify you of next steps to take before continuing.

Understand what’s happening during data estimate and retrieval:

1. Pause in data estimate: There are two reasons why a request will pause at the Data estimate stage: if you selected “get an estimate first” or if the estimate is projected to return a large number of items to review (over 10K items).
2. View and edit search queries: To see detailed information about the request's search, select View search query details on the Data estimate summary card. A flyout pane opens which summarizes the query and shows further details about what was found.
3. Retrieve data: Files, emails, chats, images, and other content items containing the data subject's personal data are retrieved. Once this stage is complete, the progress tile on the request overview page will automatically check off the Retrieve data stage. The retrieved data is ready for your review on the “data collected” tab for the request.

Review data and collaborate on a subject rights request

After data has been collected for a subject rights request, the next stage is to review the items, decide what items to include as part of the request, and redact information if necessary. By default, only included items will be part of the data subject reports for an access or export request. Optionally, you can exclude items or mark them not a match, showcasing you reviewed the item and determined it was not applicable to the request or it was a false positive match.

Visit the review data and collaborate page for more information on the points below:

1. Understand tasks for completing the data review: The Review data stage is when collaborators examine the content items on the Data collected tab. A Teams channel will automatically be set up to facilitate content review by all stakeholders. You can disable the creation of Teams channels for new requests within settings here.
2. Collaborate on the data review: Subject Rights Request administrators can view all requests. You can add other users to collaborate on a request, which will give them access to view that request and work with the data collected within it to help move the request to completion.
3. Complete the review" When all items have been reviewed and you’ve included the required content, it's time to close out the review step. Any of the collaborators on a request can complete the review.

Generate reports and close a request

After completing your data review for a subject rights request, the next stage is to generate the reports necessary to fulfill the request. Priva will create reports and collect the files marked as Include during the data review process. Selected files from these data packages can be submitted to your data subject to complete their request.

For information on how to get reports and close requests:

1. Understanding reports: After you select Complete review in the Review data stage of the subject rights request, the final reports for the request will start generating automatically.
2. Understanding data packages: Subject rights request data package contains items marked as “Include” during the data review stage of the process.
3. Select data retention periods for reports and data: The default retention period is 30 days from the date on which a subject rights request is closed. The data retention period is defined in Priva “Settings” and applies to all subject rights requests. You can view or change your data retention period there.
4. Close request: When you've performed all the necessary actions related to the subject rights request, mark the request as closed by selecting Close the request in the upper right of the request details page.

Integrate and extend through Microsoft Graph API and Power Automate

You can integrate Priva Subject Rights Requests with your existing business processes and tools by using the Microsoft Graph Subject Rights Request API. You can also extend the automation capabilities of Subject Rights Requests by using built-in Power Automate flows for tasks such as setting calendar reminders and creating cases in ServiceNow.

Integrate with Microsoft Graph API

The Microsoft 365 Subject Rights Request API offers a simple yet powerful way to introduce automation to your existing subject rights strategy. When an individual requests information from your organization, our APIs allow you to create those requests within Microsoft 365 based on the criteria for that request. You can create the subject rights request in Microsoft 365, keep track of its progress, and retrieve content when the request has completed generating reports.

Our APIs are available for anyone to use to make their solutions more extensible, such as ISVs, partners looking to accommodate Microsoft 365 in their solutions, and organizations looking to use the APIs with their line of business applications. View the full documentation at Use the Microsoft Graph subject rights request API.

Use Power Automate templates

Microsoft Power Automate is a workflow service that automates actions across applications and services. Subject Rights Requests includes built-in Power Automate templates to help users manage subject rights requests. Users can set up automation flows for processes like creating tickets in ServiceNow and adding calendar reminders about due dates. Learn more about Power Automate templates for Subject Rights Requests.

Data matching for Subject Rights Requests

With data matching, organizations can enable Microsoft Priva to identify data subjects based on exact supplied data values. This can help increase the accuracy of locating data subject content that corresponds with those data values both for your internal personnel and for external users you interact with. It also simplifies the need to supply fields manually during subject rights request creation.

Note: To use the data matching feature, you'll need to be a member of the Privacy Management role group. From within Priva in the Microsoft Purview compliance portal, select Settings in the top nav and then Data matching. From here, you'll need to define the personal data schema and provide a personal data upload as shown below. Note that you can add items, and you can delete items you add, but you can't modify an item.

Learn how to set up data matching:

1. Prepare for data import: Before defining the schema or uploading data, you will need to identify the source of your data subject information.
2. Define the personal data schema" The first step in setting up data matching is defining the personal data schema, which will describe the attributes for your data subjects.
3. Create sensitive info types: The second step in setting up data matching is to create unique sensitive info types for the personal data match (PDM). Sensitive info types (SITs), are pattern-based classifiers that detect sensitive information like Social Security or credit card numbers.
4. Upload personal data: After defining the personal data schema and sensitive info types, the third step is to upload personal data.

Additional resources

Microsoft Learn: Get detailed information on how Microsoft Priva works and how to best implement it for your organization. For more information, see the Priva overview.

Microsoft Priva Trial: To try Microsoft Priva for free, visit https://aka.ms/trypriva.

Why Microsoft Priva: Learn more about Priva capabilities in this video.

Learn more about or purchase Microsoft Priva: Privacy Risk Management and Subject Rights Requests are sold separately. Blogs, licensing and purchasing details can be found on Microsoft.com.