Microsoft Purview & Priva - What is the difference?

Over the last many months, I have been having a lot of conversations on Privacy which led to conversations on Microsoft Priva. Some of the frequent questions I get are:

  • How is Priva different from other capabilities in the Microsoft Purview stack?
  • I already own all of Microsoft Purview, what additional benefit will I get if I use Priva?

Before I explain the difference between the two, let's do a quick recap of the capabilities of each.

Microsoft Purview

Microsoft Purview is a basket of products that brings together Microsoft's data governance and risk and compliance solutions. It includes the below risk & compliance solutions:

  • Microsoft Purview Information Protection
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Data Lifecycle Management
  • Microsoft Purview Records Management
  • Microsoft Purview Insider Risk Management
  • Microsoft Purview Communication Compliance
  • Microsoft Purview Compliance Manager
  • Microsoft Purview eDiscovery
  • Microsoft Purview Audit
  • Microsoft Purview Data Connectors

and the below data governance solutions:

  • Data Map
  • Data Catalog
  • Data Estate Insights

Microsoft Priva

Microsoft Priva is Microsoft's first Privacy Management solution. It provides capabilities that help you:

  • Proactively identify and protect against privacy risks such as data hoarding, problematic data transfers, and data oversharing
  • Gain visibility into the storage and movement of personal data
  • Empower employees to make smart data handling decisions
  • Enable users to effectively manage data and take steps to comply with evolving privacy regulations
  • Manage subject rights requests at scale

It provides built-in, customizable policy templates for the following scenarios:

  • Data oversharing - Identifying personal data that is too widely shared
  • Data transfers - Identifying cross-border transfer of personal data or transfer between different departments
  • Data hoarding - Identifying unused personal data

Now it may seem that these use cases can be achieved using capabilities like Microsoft Purview DLP, Records Management, eDiscovery, etc., which brings me back to the question I started with: "If I own Microsoft Purview, why do I need Priva?"

Data protection and data privacy go hand in hand. You cannot have data privacy without data protection. Microsoft Purview and Microsoft Priva, powered by a unified platform, together can enable automation and scalability for data protection and privacy. While Microsoft Purview offers governance and compliance capabilities that help organizations manage data and risks, Microsoft Priva is purpose-built to automate privacy management.

Let's look at some other commonly asked questions:

1. What is the difference between data transfers policy in Priva and data loss prevention policy in Purview?

DLP policies are applied at egress points in the organization, for example when someone is sending an email or sharing a file on SharePoint. Using DLP, you can prevent unauthorized sharing of confidential information. When it comes to personal data, organizations need to have visibility into cross-boundary transfer activities and be able to manage them. Priva provides data transfer policies to help gain visibility into and control over cross-geo, cross-department, or other cross-boundary personal data transfers. Additionally, Priva gives admins the option to engage with information workers via email digests, notifying data owners about the detected cross-boundary data transfer and directing them to take corrective action or training.

DLP helps block risky or inappropriate data transfer, while Priva helps add a layer of customizable “transfer boundaries” on top of that. Using Priva you can monitor the type of content being shared between users in different countries, departments, job functions (these are based on Azure AD attributes) and educate users on the appropriate use of personal data using Information Worker digests.

2. What is the difference between data minimization policy in Priva and data lifecycle management policy in Purview?

Data Lifecycle Management policies help organizations set up retention or deletion policies to manage the data lifecycle. While retention or deletion may be required for an organization to adhere to industry regulations or organizational policy, automatic deletion of sensitive data is at times risky because file metadata alone may not provide enough context to the decision maker. The data owner will have the most context and understanding of the data's collection and intended use, which is critical when deciding whether to delete the data. Priva can engage the data owner and remind them to review a file that has been idle for a period of time.

Organizations can leverage DLM for automated and at scale retention and deletion, and on top of that, use Priva to engage with users to delete personal data that no longer serves the purpose of its collection.

3. How does Subject Rights Request differ from Microsoft Purview eDiscovery?

Microsoft Purview eDiscovery is meant for conducting litigation or internal investigations. It has features designed to be used by the legal team, such as custodian management, redaction, and annotation. It focuses on the "what" of the search, for example searching for all files and communications related to a contract or a project.

Subject Rights Request focuses on the "who" of the search. It is designed specifically to search for content relating to a data subject. It provides features like conflict detection for confidential files, records, and multi-person files. It has workflows built in for access requests and the right to be forgotten. The licensing is also designed for serving data subjects. Instead of buying a per-user, per-month license, organizations buy the number of subject rights requests they need to service over a period of time.

In essence, Microsoft Purview and Microsoft Priva serve different use cases. They complement each other's capabilities to enable organizations to respect privacy rights and build a trusted business.

Hopefully, I have managed to clear some of the confusion. Please let me know in the comments.
