Office365 and GDPR Compliance

Office365 and GDPR Compliance Microsoft Partner Valto

Ensuring compliance with industry regulations is vital for any business. With so much of your company and personal data held within Office 365, it’s important to know how Microsoft protects you and fulfills GDPR requirements.

At Valto, our team of Microsoft specialists are experts in Office 365 GDPR compliance and other regulatory requirements. We can help with specific security measures and everything from advanced threat protection to putting processes in place to help you discover compliance solutions to keep your business protected and efficient.

What is EU GDPR and why is it important?

The EU General Data Protection Regulation ruling effectively dictates how businesses handle personal data. While it’s an EU law, it affects any company whose website or services are available to any EU citizens. 

‘Personal data’ is defined as any data or information relating to an identifiable person. Within GDPR Article 4, this is defined as when a person “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

If your company collects, stores or uses any such personal data, it’s vital that you have a solution for GDPR compliance in place to avoid hefty fines.

Is Office 365 GDPR compliant?

Provided that it is used correctly, Office 365 is GDPR compliant. From an Office 365 perspective in particular, Microsoft has put significant measures in place to ensure privacy and data protection according to GDPR. 

There are a number of tools within the Office 365 suite to help protect against any potential data breach. These tools provide robust data protection for your business, essentially functioning as a GDPR compliance checklist to keep your customer data safe.

Office 365 compliance tools

Microsoft Security Score

Microsoft has its own measuring system called the Secure Score, designed to help businesses assess their own security systems and highlight any potential personal data breach risks. 

You can access your Secure Score from the Microsoft 365 security dashboard, and see any recommended actions. You can then start to build compliance into place, with things like a data protection impact assessment, GDPR checklist or actions for your in-house GDPR data protection officer.

GDPR Portal

One of the key areas that is required for Office365 and GDPR compliance is the ability to track the day-to-day activities that relate to GDPR. 

The GDPR Activity Hub is a centralised place to keep track of all the fundamental events, requests, tasks and activities required to be compliant with the GDPR. The main features of the GDPR Activity Hub are:

  • Home page with a dashboard showing all of the latest events.
  • Tracking of events and incidents such as Data Consent, Data Withdrawal Request, Data Breaches, etc.
  • Tracking of requests such as Personal Data Access, Data Erasure, Data Requests, etc.
  • Tasks and To-Dos for the management for GDPR processes
  • Hierarchy of GDPR roles in the company

Compliance Manager

Office365 and GDPR Compliance Manager

Microsoft’s Compliance Manager assists users with the compliant use of products like Office 365. It offers various compliance checks and regulatory lists, including GDPR personal data requirements and ISO standards. 

The Compliance Manager tool includes a list of checks that have been completed by Microsoft, with all of the relevant information and a list of checks that should be completed by the user. 

Within the tool you can assign data 

protection tasks to users within the Office365 platform, create due dates, update statuses and upload documents. This tool is very useful for any large organisations looking to comply with GDPR and ISO, but might be overkill for smaller organisations due to the level of detail within it.

Office365 Security & Compliance

One of the key tools for Office365 and GDPR compliance is the Security & Compliance area within Office365. Here you’ll find a number of tools that can assist with GDPR and overall data protection, including a newly added GDPR Toolbox.

Office365 and GDPR Compliance GDPR Toolbox

Within the Security & Compliance section you can access a set of tools that allow you to classify data in SharePoint Online, OneDrive & Exchange. You can manage this data either manually or automatically based on keywords that you define, or use a selection of built-in rules that you can use – i.e. detecting National Insurance Numbers of Debit Card Numbers. Labels can be created within the platform and criteria such as Retention & Automatic Deletion can be configured.

These tools allow you to easily classify data that is being stored within Office365 and then retain or delete that data automatically on a time period defined by you. There are some functions that allow you to specify rules for Data Loss Prevention.

Data Loss Prevention

Microsoft 365 DLP allows you to define a set of rules either automatically – for example, you could set up a personal data rule for credit card details or National Insurance numbers and perform an automated action if this content is detected. In this example, if National Insurance numbers are detected when a user is sending an email the system will automatically warn or block the mail from being sent. 

It’s important to note that these rules can only protect data that is held within Office365, and nothing prevents a user from downloading information from SharePoint and sharing this outside of the platform. For better protection in or out of Office365, Azure Information Protection is required.

Content Search

The content search allows you to set up a specific search within Office365 for any keywords – for example, you could search for a user that has requested their information be deleted for data protection reasons. The Content Search will find all references to the keywords specified and you can download, preview or delete the content (any content that has a retention policy will be kept).

This can be useful if you are trying to adhere to the GDPR policy of deleting all data from a particular user from the system if they have requested it.

Audit Log Search & Alerts

Office365 keeps an audit of everything that happens in the tenant from document views to administration privilege changes, which can be really useful for staying on top of GDPR data.

Best practice and applying to some of the prerequisites around the security of data in GDPR means when roles of administrators are changed – for example, a new administration is assigned to a SharePoint Site or Mailbox – that this should notify a team to ensure this change should have occurred. Within the audit, log alerts can be configured that will notify relevant teams and flag any  potential data breaches before they occur.

Azure Information Protection

Office365 and GDPR Compliance Azure Information Protection

Azure Information Protection is part of Enterprise Mobility + Security and can also be purchased separately. The product allows for the protection of data regardless of what platform it’s stored in. 

Azure Information Protection allows you to create labels similar to those mentioned in the Security & Compliance section. The labels allow you to define policies for emails and documents. Policies allow you to define who can access the content (internal only, a certain group or just certain people), what can be done with the content (view, print, read, disable copy & paste) and how long the content is accessible for (apply an expiry date or revoke the access an ad-hoc basis). 

Azure Information Protection is an industry-leading security tool for content in your organisation and can be a great stride forward in protecting personal data in your organisation.


At Valto, we offer a host of Microsoft training options. If you’d like a demonstration of any of the Office365 and GDPR compliance tools call now on 03308 181 569, contact us or book your own bespoke Office 365 training course today.