
Microsoft 365 security & compliance best practices case study: Crayon


The European Union (EU) has a rich history of data regulations and data management legislation, with variations from country to country. The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, is intended to harmonize these differences and strengthen rules around how data can be used. Penalties for lack of compliance are significant, and the impact is quite broad since the GDPR applies to any organization that offers goods and services to people in the EU or that collects and analyzes data tied to EU residents.

Are organizations prepared? Several reports say no. GDPR is a business-wide challenge that takes time, tools, processes, and expertise, and could require significant changes to customers’ privacy and data management practices. With less than 50% of organizations predicted to meet the May 2018 deadline, many are turning to partners who can help them in their compliance efforts.

One such partner is Crayon. As a global leader in Software Asset Management (SAM), Crayon’s large consulting team act as trusted advisors to many of the world’s leading organizations. GDPR is tightly coupled with security; because both SAM and security are fundamental parts of strong organizational governance, Crayon decided that developing a GDPR practice under its SAM umbrella was a natural fit. “We know that good SAM practice and control of your license and software estate are prerequisites for building an organization’s GDPR practice,” says Ulrik Roland, Vice President of Software Asset Management. Synergies between the two give Crayon an edge in its consulting engagements with customers.

As Ashley Gatehouse, Chief Marketing Officer for Crayon, puts it, “Our offering around GDPR builds on current trends and the response we’ve seen from the market. We lead with security, and then provide customers with consulting-led solutions built upon Microsoft technology that help customers manage the contingent liability presented by the GDPR legislation.”

“GDPR creates a larger partner opportunity in terms of being able to provide additional services across multiple industries. Does it give us a fantastic way of engaging with customers, and recruiting new customers? Absolutely.”

- Ashley Gatehouse, CMO, Crayon

Services, assessments, and workshops drive customer progress

Crayon is launching a short, online customer self-assessment that an organization can use to get a baseline profile of its position with respect to GDPR awareness and preparation. This self-assessment, which will be available on Crayon sites, should lead to a more comprehensive review, similar to the Microsoft GDPR Detailed Assessment. After evaluating a customer’s current state with GDPR readiness, Crayon can make informed recommendations and propose a tailored roadmap.

Roland explains their approach, “We hold awareness workshops to start, where we invite key customers. If, based on their own admission, their maturity is relatively low, we’ll start with explaining what GDPR is all about before we even do an assessment. We’ll then explain how the actual questionnaire works so they understand what they’re going to be asked about and can line up the right people to attend.”

When it comes to the workshops, people at Crayon may hold one or many, depending on whether they can get in front of all the stakeholders at the same time, or if they need to meet with staff in different locations or even different countries. Once the workshops are complete, they analyze the data. The next step is a formal write-up and summary that lays out risks, potential outcomes, and findings. “The outcome of the assessment is that they walk away with an understanding of immediate changes, short-term changes, and then the long-term changes that they may need to work on,” said Roland.

The total time to run the assessment, analyze the data, and deliver results can vary widely depending on the organization. The average duration is about 20 days, but it can run up to four months for a particularly complex customer.


Building GDPR awareness can expand partner reach

While the general awareness of GDPR is growing, many organizations don’t realize that the new regulation will apply to them. Crayon sees a lack of understanding that the legislation could affect all corporations, regardless of size. The key for Crayon is identifying and talking with the right stakeholders. “We take GDPR up to the right level in the organization and create an awareness that data privacy has to be managed, and indeed, managed ongoing. Then, organizations realize that they can outsource it all to partners, take on certain roles and responsibilities internally, or do a combination of the two. As long as you’ve got senior management, IT, procurement, and security officers talking to each other, you’ve got a much better chance of having an aligned strategy,” explains Phil Heap, Product & Services Director, SAM.

Crayon plans to use GDPR to get access to a whole new range of decision makers, enabling them to develop a larger footprint within customer organizations. “GDPR is a compelling event that is happening, and it’s coming very, very soon. It has strong correlation with an information security management program. So, anybody that’s looking to improve IT governance can use GDPR as leverage for getting across those different pillars within organizations, and getting the attention of senior management,” said Roland.

This leads to more room for Crayon. According to Gatehouse, “There’s an enormous education opportunity that’s open to us with GDPR. It’s helping us very significantly engage with customer opportunities that we wouldn’t otherwise necessarily be able to engage with. When you start talking about the contingent liability, that would manifest on their business if they were non-compliant, you get attention from all business leaders.”


Leveraging the power of partnership

While GDPR provides a great opportunity for partners looking to help customers become compliant, it can be relatively complex for both customers and partners. In a discussion with Microsoft CVP Julia White at Inspire, Nabil Chebbi, Vice President, Crayon Group, suggests that partners interested in adding a GDPR practice work closely with Microsoft. “When you look at Microsoft 365, it’s a great offer because it is compliant for GDPR, and selling Microsoft 365 will help with addressing the needs of GDPR from the beginning.”

In particular, Chebbi emphasized that partnership has accelerated their own GDPR practice development. According to him, “To be able to meet the needs of customers, you need to save time, you need to go to market faster, and you need to pay attention to the profitability model. Leveraging what Microsoft or another partner offers through a P2P motion would help you go to market more quickly.”

Case in point: Crayon even white labels its services so other partners can sell them to customers under their own names. It also supplies curriculum and supporting tools that partners can use for practice development.


GDPR is a catalyst for organizational change

While companies may struggle to make the GDPR deadline, there are still many things they can do in the meantime, including implementation of governance and better management processes. Customer maturity with GDPR varies widely.

A key opportunity for partners is to come in at the beginning and help customers assess their environment, highlight gaps, and provide recommendations and a roadmap to drive toward compliance goals.

GDPR will be the catalyst for robust business since meeting GDPR is not a one-time event, but instead an always-on activity. Crayon and other service providers have a powerful opportunity to build long-term trust and relationships, and provide profitable, ongoing managed and value-added services to customers into the future.