Office365 and GDPR Compliance
Is Office 365 GDPR compliant?
Provided that it is used correctly, Office 365 is GDPR compliant. Microsoft has been working hard on Office365 and GDPR compliance. Are you wondering which tools in the Office365 tool-set can help your company with GDPR compliance and security? Microsoft has committed to providing a set of tools that help with GDPR and with security and compliance in general. A very useful link is Microsoft's own “Get Started with GDPR”.
One of the key requirements for Office365 and GDPR compliance is the ability to track the day-to-day activities the GDPR demands. The GDPR Activity Hub is a centralised place to keep track of all the fundamental events, requests, tasks and activities required to be compliant with the GDPR. The main features of the GDPR Activity Hub are:
- Home Page with a Dashboard showing all of the latest events.
- Tracking of events and incidents such as Data Consent, Data Withdrawal Request, Data Breaches, etc.
- Tracking of requests such as Data Access, Data Erasure, Data Requests, etc.
- Tasks & to-dos for managing GDPR processes
- Hierarchy of GDPR roles in the company
Compliance Manager is a tool created by Microsoft to assist with various compliance checks on its products, including GDPR and ISO standards. Compliance Manager includes a list of checks that Microsoft has completed, with all of the relevant information, and a list of checks that should be completed by the customer. Within the tool you can assign tasks to users within the Office365 platform, create due dates, update statuses and upload documents. This tool is very useful for large organisations looking to comply with GDPR and ISO, but will be overkill for smaller organisations due to the level of detail within it.
Office365 Security & Compliance
One of the key tools for Office365 and GDPR compliance is the Security & Compliance area within Office365, which has a number of tools that can assist with GDPR, including a newly added GDPR Toolbox.
Within the Security & Compliance section of Office365, a set of tools allows you to classify data in SharePoint Online, OneDrive & Exchange either manually or automatically, based on keywords that you define or on built-in rules that you can utilise, e.g. detecting National Insurance Numbers or Debit Card Numbers. Labels can be created within the platform, and criteria such as Retention & Automatic Deletion can be configured.
These tools allow you to easily classify data that is being stored within Office365 and then retain or delete that data automatically after a time period you define. There are also functions that allow you to specify rules for Data Loss Prevention.
Data Loss Prevention
Microsoft 365 DLP allows you to define a set of rules, using built-in sensitive information types such as Credit Card Details or National Insurance Numbers, and perform an automated action if matching content is detected. For example, if National Insurance numbers have been entered into the rules and one is detected when a user is sending an email, the system will automatically warn the user or block the mail from being sent. This can only protect data that is within Office365; nothing prevents a user from downloading information from SharePoint and sharing it outside of the platform. For protection both in and out of Office365, Azure Information Protection is required.
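To make the warn-or-block behaviour concrete, here is an added illustrative detector in the spirit of the DLP rules described above. It is not Microsoft's implementation: the National Insurance number format rules and the Luhn check for card numbers are standard, but the policy table and sample messages are constructed for this example.

```python
import re

# UK National Insurance number: two letters, six digits, suffix A-D.
# First letter may not be D, F, I, Q, U or V; second may also not be O.
NINO_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b",
    re.IGNORECASE,
)
NINO_BAD_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}
# Card-like runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Standard Luhn checksum used to weed out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_ninos(text):
    found = []
    for m in NINO_RE.finditer(text):
        value = "".join(m.groups()).upper()
        if value[:2] not in NINO_BAD_PREFIXES:
            found.append(value)
    return found

def find_cards(text):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

# Action per sensitive type (constructed policy): the "warn or block" choice.
POLICY = {"nino": "warn", "card": "block"}

def evaluate_outbound(body, policy=POLICY):
    """Return ('allow'|'warn'|'block', {type: matches}) for an outbound mail body."""
    hits = {}
    if find_ninos(body):
        hits["nino"] = find_ninos(body)
    if find_cards(body):
        hits["card"] = find_cards(body)
    actions = {policy[t] for t in hits}
    if "block" in actions:
        return "block", hits
    if "warn" in actions:
        return "warn", hits
    return "allow", hits
```

A real DLP engine also applies confidence levels and match-count thresholds before acting; this block only shows the detect-then-act decision.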
Content Search allows you to set up a search within Office365 for any keywords; for example, you could search for a user who has requested that their information be deleted. Content Search will find all references to the keywords specified, and you can download, preview or delete the content (any content covered by a retention policy will be kept).
This can be useful when trying to adhere to the GDPR requirement to delete all of a user’s data from the system if they have requested it.
Audit Log Search & Alerts
Office365 keeps an audit log of activity across the tenant, from document views to changes to administrative privileges.
Best practice, and some of the prerequisites around security of data in the GDPR, mean that when administrator roles are changed, for example when a new administrator is assigned to a SharePoint site or mailbox, a team should be notified so it can confirm that the change should have occurred. Within the audit log, alerts can be configured that notify the relevant teams and flag potential data breaches before they occur.
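The alert logic described above, as an added example that is not part of the original post: it runs over constructed audit records written in the JSON shape of the unified audit log's AuditData field. The records, mailbox addresses and routing table are made up; the watched operation names follow the audit log's own naming for site admin, mailbox permission and directory role changes.

```python
import json

# Constructed sample audit lines (not real tenant data), one JSON record each.
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2018-05-20T09:12:00","UserId":"admin@contoso.example",'
    '"Operation":"SiteCollectionAdminAdded","Workload":"SharePoint",'
    '"ObjectId":"https://contoso.sharepoint.example/sites/hr"}',
    '{"CreationTime":"2018-05-20T09:15:00","UserId":"alice@contoso.example",'
    '"Operation":"FileAccessed","Workload":"SharePoint",'
    '"ObjectId":"https://contoso.sharepoint.example/sites/hr/policy.docx"}',
    '{"CreationTime":"2018-05-20T09:20:00","UserId":"admin@contoso.example",'
    '"Operation":"Add-MailboxPermission","Workload":"Exchange",'
    '"ObjectId":"ceo@contoso.example"}',
]

# Operations that change who administers a site, mailbox or directory role.
WATCHED_OPERATIONS = {
    "SiteCollectionAdminAdded": "Site collection admin added",
    "Add-MailboxPermission": "Mailbox permission granted",
    "Add member to role.": "Directory role membership changed",
}

# Which team confirms the change, by workload (assumed addresses).
TEAM_BY_WORKLOAD = {
    "SharePoint": "sharepoint-owners@contoso.example",
    "Exchange": "messaging@contoso.example",
    "AzureActiveDirectory": "identity@contoso.example",
}
DEFAULT_TEAM = "security@contoso.example"

def parse_audit_lines(lines):
    """Parse JSON audit lines, skipping any that are not valid JSON objects."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records

def privileged_change_alerts(records):
    """Return one alert dict per watched privilege change, routed to a team."""
    alerts = []
    for rec in records:
        title = WATCHED_OPERATIONS.get(rec.get("Operation"))
        if title is None:
            continue  # routine activity such as FileAccessed is not alerted
        alerts.append({"when": rec.get("CreationTime"), "title": title,
                       "actor": rec.get("UserId"), "target": rec.get("ObjectId"),
                       "notify": TEAM_BY_WORKLOAD.get(rec.get("Workload"), DEFAULT_TEAM)})
    return alerts
```

In a live tenant the records would come from the audit log export rather than an inline list, and each alert would be sent to the named team for confirmation.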
Azure Information Protection
Azure Information Protection is part of Enterprise Mobility + Security and can also be purchased separately. The product allows for the protection of data regardless of the platform it is stored in. Azure Information Protection allows you to create labels similar to those mentioned in the Security & Compliance section (in the future these will be merged together). The labels allow you to define policies for emails and documents. Policies define who can access the content (internal only, a certain group or just certain people), what can be done with the content (view, print, read, disable copy & paste) and how long the content is accessible for (apply an expiry date or revoke access on an ad-hoc basis). Azure Information Protection is the best-in-market security for content in your organisation and can be a great stride forward in protecting personal data in your organisation.
TALK TO US
At Valto, we’re committed to helping our clients get the most out of Office365 & SharePoint. If you’d like a demonstration of any of the Office365 and GDPR compliance tools, call now on 03335 779 009 or Contact Us.