01
Why Data Protection Is Now a Business Requirement
Data protection is no longer just a compliance checkbox. Businesses that mishandle personal or confidential data face regulatory fines, civil claims, reputational damage, and loss of client trust, regardless of whether a breach was malicious or accidental.
In Australia, the Privacy Act 1988 and Notifiable Data Breaches scheme apply to most businesses. In Kenya, the Data Protection Act 2019 (KDPA) creates obligations for any organisation handling personal data. In both jurisdictions, 'we didn't know' is not a defence.
The most common data loss event is not a hacker stealing data. It's an employee emailing the wrong person, uploading to a personal file sharing service, or losing a laptop with unencrypted files.
02
Data Classification: Know What You Have
You cannot protect data you haven't classified. Data classification assigns a label to information based on its sensitivity, and that label drives which protection controls apply.
| Classification | Examples | Protection Required |
|---|---|---|
| Public | Marketing materials, job listings | None; intended for public access |
| Internal | Internal procedures, meeting notes | Available to all staff, not for external sharing |
| Confidential | Financial data, contracts, employee records | Restricted to authorised staff, encrypted when shared |
| Highly Confidential | M&A documents, legal privilege, PII datasets | Heavily restricted, logging on all access, encryption required |
Microsoft Purview Sensitivity Labels
- Labels applied manually by users, or automatically by content classifiers
- Label-based protection: Confidential documents encrypted, sharing restricted
- Labels follow the document wherever it goes: cloud, email, USB, external sharing
- Available in Word, Excel, PowerPoint, Outlook, Teams, SharePoint
03
Data Loss Prevention Policies
DLP policies automatically detect and prevent sensitive data from leaving the organisation inappropriately, whether via email, Teams, SharePoint sharing, or browser upload.
What DLP can detect
- Australian Tax File Numbers (TFN)
- Credit card numbers and financial account data
- National identification numbers
- Custom sensitive information types: your own patterns (e.g. employee IDs, project codes)
- Bulk file movement: when unusually large amounts of data are accessed or downloaded
DLP actions
- Block the action: email not sent, upload blocked
- Warn the user: 'this may contain sensitive data, do you want to continue?'
- Require justification: user must enter a reason before overriding the block
- Alert the security team: incident logged for review
- Apply encryption: Confidential email encrypted before delivery
Run DLP policies in audit mode first: let them run for two weeks to understand false positive rates before enabling block mode. A DLP policy that blocks legitimate work will be disabled or bypassed by frustrated users.
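As an added illustration (not Purview's own code), the standalone Python below shows the two steps behind a sensitive information type such as the built-in TFN detector, a pattern match followed by a checksum, and how the same rule behaves in audit versus block mode. The project-code type and the sample messages are constructed for the example.

```python
import re
from collections import Counter

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)  # ATO check: weighted digit sum divisible by 11

def is_valid_tfn(digits: str) -> bool:
    """True if a 9-digit string passes the TFN checksum."""
    return len(digits) == 9 and digits.isdigit() and (
        sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

# Pattern plus validator per type; the checksum drops most random digit runs a bare regex flags.
DETECTORS = {
    "Australia Tax File Number": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), is_valid_tfn),
    "Credit Card Number": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok),
    # Hypothetical custom sensitive information type: project codes like PRJ-0042.
    "Custom: Project Code": (re.compile(r"\bPRJ-\d{4}\b"), lambda s: True),
}

def scan(text: str) -> list[str]:
    """Return the names of the sensitive information types found in text."""
    found = []
    for name, (pattern, validate) in DETECTORS.items():
        if any(validate(re.sub(r"[ -]", "", m.group(0))) for m in pattern.finditer(text)):
            found.append(name)
    return found

def evaluate(message: str, mode: str = "audit") -> dict:
    """Apply a DLP rule: audit mode only logs the match, block mode also stops the action."""
    types = scan(message)
    return {"matches": types, "alert": bool(types), "blocked": bool(types) and mode == "block"}

def audit_report(messages: list[str]) -> Counter:
    """Matches per type over an audit-mode run, used to size the false-positive problem."""
    return Counter(t for msg in messages for t in scan(msg))

# Constructed sample messages (not real data) for an audit-mode dry run.
SAMPLES = [
    "Hi payroll, my TFN is 123 456 782, please update my record",
    "Invoice total 123 456 789 units shipped",  # nine digits, but fails the TFN checksum
    "Card on file: 4111 1111 1111 1111 exp 12/29",
    "Status update for PRJ-0042 attached",
]
```

Running `audit_report(SAMPLES)` over a real mail sample before switching `evaluate` to `mode="block"` is the audit-first approach the paragraph above recommends.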
04
Microsoft Purview Information Protection
How it works
- Sensitivity labels applied to documents and emails, either manually or automatically
- Label-based encryption: Confidential documents are encrypted using Azure Rights Management Service
- Encryption follows the document: even if shared externally or downloaded to a personal device, encryption persists
- Access control: only authorised users can open encrypted documents, even if they receive the file
Automatic labelling
- Content-based classification: Purview scans documents for credit card numbers, TFNs, PII patterns and suggests or applies labels
- Trainable classifiers: train Purview to recognise your specific sensitive content types
- SharePoint and OneDrive scanning: classify existing files in SharePoint libraries
- Teams messages: classify and protect sensitive information shared in Teams channels
Monitoring and reporting
- Content Explorer: see all classified content across SharePoint, OneDrive, Exchange
- Activity Explorer: track who accessed, modified, or shared labelled content
- DLP incidents report: all policy matches, user overrides, blocked actions
05
Retention Policies and Compliance
Data retention is the other side of data protection: not just preventing unauthorised access, but ensuring data is kept for required periods and deleted when no longer needed.
| Data Type | Typical Retention Requirement |
|---|---|
| Financial records (AU) | 7 years (Corporations Act / tax requirements) |
| Employee records (AU) | 7 years post-employment (Fair Work) |
| Personal data (AU NDB) | As long as necessary for the purpose, then delete |
| Personal data (KDPA Kenya) | Defined retention period required in privacy notice |
| Health records | Varies by state/type; consult legal counsel |
Microsoft Purview Retention Policies can automatically enforce retention, keeping data for defined periods and triggering deletion or review when the period expires. This reduces the risk of inadvertently holding data longer than legally required.
Legal hold
When litigation or regulatory investigation is anticipated, retention policies can be overridden with legal holds, ensuring data is preserved regardless of normal deletion schedules.
06
De4sec Data Protection Service
Data Discovery
Content Explorer scan of the Microsoft 365 tenant to understand what sensitive data exists and where.
Classification Framework
Design sensitivity label taxonomy aligned to your business and regulatory requirements.
Purview Implementation
Deploy sensitivity labels, configure DLP policies, implement retention policies, enable audit logging.
Ongoing Compliance
Monthly DLP incident review, sensitivity label audit, retention policy review, regulatory compliance reporting.