4 Office 365 Features which Support Your GDPR Compliance

Unless you having been living on the moon, you’ve probably heard of the European Union’s General Data Protection Regulation (GDPR).The new regulation has implications for several functions across organisations such as HR, Marketing, IT and Data Management. GDPR requires businesses to look hard at their overall data strategy and to ensure that they are responsible with the data of individuals.   Fortunately, Microsoft Office 365 users needn’t worry. Microsoft has a suite of tools to help you to comply. Let’s look at some of the key provisions within Microsoft Office 365 for identifying, protecting and managing personal and sensitive data.

GDPR comes into effect on the 25th May 2018.

GDPR means enhanced personal privacy rights with more flexible controls for individuals to access and interact with their personal data. It increases the duty of organisations for protecting data, including stricter guidelines for confidentiality, data record keeping, and enhanced transparency for data handling and management.

GDPR requires mandatory breach reporting, privacy personnel training, and in some cases the appointment of a Data Protection Officer (e.g. in Public Authorities). There are significant penalties for non-compliance, including substantial fines that can be enforced whether or not an organisation has intentionally failed to comply with the regulations.

GDPR affects any data you have stored within Office 365 and related applications so Exchange, SharePoint, One Drive and Teams will be impacted so it’s important to understand how that data can be protected and controlled post May 25th both as an organisation and education piece for your users. Microsoft do provide GDPR-related assurances in the contractual commitments.

Step 1: Identify the personal data you have and where it resides (this could be data sch as HR data, passport information, credit card numbers etc
Step 2: Govern how personal data is used and accessed.  Again HR data might exist in an HR system however, it may also exist on word documents, spreadsheets or be contained within email.
Step 3: Establish security to prevent, detect, and respond to data breaches
Step 4: Keep required documentation, manage data requests and breaches notifications

Personal data can be protected by applying information rights templates to email and documents. Rights management uses protection templates to define a set of rights that a recipient has for a file or message. When you enable rights management for a tenant, three default templates are available: Do Not Forward, Confidential, and Confidential – View Only. For instance, if you receive a message stamped as Confidential, you cannot print or copy its content. IRM also protects attachments, if they are in a format that supports IRM (like Word, PowerPoint, or Excel). This is a really excellent way of providing security for an SME but please do seek some assistance as it can affect accessing business data and confuse and frustrate end users. It really does need to be managed appropriately.

In November 2017, Microsoft responded to the new regulations by providing its customers with a new tool called Compliance Manager. It helps assess and manage compliance risk. Microsoft describes it as a cross-Microsoft Cloud service solution to help users meet complex compliance obligations such as GDPR. Compliance Manager performs a real-time risk assessment that reflects your compliance position against data protection regulations when using Microsoft Cloud Services. It also provides recommendations and a step-by-step guidance. Microsoft have designed  an online GDPR assessment tool  which is helpful for businesses to  understand their overall level of readiness.
With the recommendations, you will figure out how to protest and control that data. The data can exist in repositories used by applications such as SharePoint, OneDrive and Exchange. You will need to consider:
• Data type
• Who uses the data
• How the data is used
• Existing data protection
• Potential ways to improve data protection

The Microsoft Office 365 Information Protection for GDPR guide is a valuable solution for discovering classifying, protecting and monitoring personal data. This guide is meant to help organisations that might be subject to GDPR. Therefore, the first step is to assess whether the GDPR applies to your organisation, and if so, to what extent. Your organisation also ned to understand the data it holds and where it resides within the company. This step consists of using:

• Compliance Manager to view the regulation regulations and track your progress then
• Content Search (a feature of Microsoft 365 eDiscovery) and sensitive information types to find personal data
• When you identify the personal data in Microsoft 365, classify, protect, and monitor the data and associated SaaS apps. You need to:
• Decide if you want to use labels in addition to sensitive information types
• Protect personal data in Microsoft 365
• Monitor for leaks of personal data

See the Microsoft website for a full  example using this solution.

Microsoft Office 365 only keeps audit records for up to 90 days. New GDPR rules mean, however, that you must keep records longer than that in case someone sues your company for misusing their personal data. The retention period for data depends on the type, purpose and legal basis, so there isn’t a set period as it’s unique to the data and the business. It’s worth getting your appointed Data Protection Officer to advise you what this is during your data audit and then make sure to  define/document it within your Data Protection documents.
There are solutions on the market which you could consider for longer retention.  Cloud App Security stores audit data for up to 180 days and Radar for Security and GSX Audit store audit data for long as you keep up with your subscription. GSX 365 Security Audit is also a good option for users although it is unclear how long it keeps audit records.

[js-disqus]

Every company is different and Office 365 as a system comes in many different guises. If you would like more information, I found the Microsoft Office 365 Information Protection guide to be a good source of information for site admins. But…. There are limitations within the document.

But the document does have some limitations. It focuses on document protection within SharePoint Online and OneDrive for Business and doesn’t comment the personal data that can be held within email, Teams or Yammer. Teams and Yammer are vulnerable within Office 365 when it comes to GDPR. You can argue that users won’t post personal information, but users can surprise all the time. User adoption education is a vital mix when looking to introduce these tools within your organisation. Microsoft continues to provide advice in how to use Office 365 and a broad portfolio of services to help make your path to compliance easier. Given how much work may be involved in getting yourself prepared, I would recommend you begin reviewing your privacy and data governance policies now.

What are you waiting for?