What GDPR means to Office 365

GDPR from Microsoft

GDPR Affects All European Businesses

From May 25, 2018, companies with business operations inside the European Union must follow the General Data Protection Regulations (GDPR) to safeguard how they process personal data “wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” The penalties set for breaches of GDPR can be up to 4% of a company’s annual global turnover. For companies like Microsoft that have operations within the EU, making sure that IT systems do not contravene GDPR is critical. And as we saw on August 3, even the largest software operations like Office 365 can have a data breach.

Because many applications can store data that might come under the scope of GDPR, the regulation has a considerable influence over how tenants deal with personal data. The definition of personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

GDPR goes on to define processing of personal data to be “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

In effect, individuals have the right to ask companies to tell them what of their personal data a company holds, to correct errors in their personal data, or to erase that data completely. Companies need to know what personal data they hold, make sure that they obtain consents from people to store that data, protect the data, and notify authorities if data breaches occur.

On first reading, this might sound like what companies do – or at least try to do – today. The difference lies in the strength of the regulation and the weight of the penalties should anything go wrong. In other words, GDPR deserves your attention.

Putting GDPR into Context

The definitions used by GDPR are quite broad. To move from the theoretical to practicality, an organization needs to understand what personal data it holds for its business operations and where they use the data within software applications. However, it is easy to imagine examples of where personal information might be inside Office 365 applications, including:

  • Annual reviews written about employees stored in a SharePoint or OneDrive for Business site.
  • A list of applicants for a position in an Excel worksheet attached to an email message.
  • Tables holding data (names, employee numbers, hire dates, salaries) about employees in SharePoint sites.

Other examples might include contract documentation, project files that includes someone’s personal information, and so on.

Data Governance Helps

Fortunately, the work done inside Office 365 in the areas of data governance and compliance help tenants to satisfy the requirements of GDPR. These features include:

  • Classification labels and policies to mark content that holds personal data.
  • Auto-label policies to find and classify personal data as defined by GDPR. Retention processing can then remove items stamped with the GDPR label from mailboxes and sites after a defined period, perhaps after going through a manual disposition process.
  • Content searches to find personal data marked as coming under the scope of GDPR.
  • Alert policies to detect actions that might be violations of the GDPR such as someone downloading multiple documents over a brief period from a SharePoint site that holds confidential documentation.
  • Searches of the Office 365 audit log to discover and report potential GDPR issues.
  • Azure Information Protection labels to encrypt documents and spreadsheets holding personal data by applying RMS templates so that unauthorized parties cannot read the documents even if they leak outside the organization.

Let’s explore some of the technology that exists today within Office 365 that can help with GDPR.

Using Classification Labels

As mentioned above, you can create a classification label to mark personal data coming under the scope of GDPR and then apply that label to relevant content. If you have Office 365 E5 licenses, you can create an auto-label policy to stamp the label on content in Exchange, SharePoint, and OneDrive for Business found because documents and messages hold sensitive data types known to Office 365.

Figure 1 shows how to select from the set of sensitive data types available in Office 365. The set is growing steadily as Microsoft adds new definitions. At the time of writing, 82 types were available, 31 of which are obvious candidates to use in a policy because they are for sensitive data types such as country-specific identity cards or passports.

GDPR sensitive data types
Figure 1: Selecting personal data types for an auto-label policy (image credit: Tony Redmond)

Figure 2 shows the full set of sensitive data types that I selected for the policy. You can also see that the policy applies a label called “GDPR personal data” to any content found in the selected locations that matches any of the 31 data types. Auto-apply policies can cover all Exchange mailboxes and SharePoint and OneDrive for Business sites in a tenant – or a selected sub-set of these locations.

GDPR Policy
Figure 2: The full set of personal data types for a GDPR policy (image credit: Tony Redmond)

Using classification labels to mark GDPR content has another benefit in that you can search for this content using the ComplianceTag keyword (for instance, ComplianceTag:”GDPR personal data”).

It can take up to a full week before auto-label policies apply to all locations. In addition, an auto-label policy will not overwrite a label that already exists on an item. These are small issues. The big problem here is that classification labels only cover some of Office 365. Some examples of popular applications where you cannot use labels are:

  • Teams.
  • Planner.
  • Yammer.

Microsoft has plans to expand the Office 365 data governance framework to other locations (applications) over time. Given the interest in GDPR, hopefully some or all of the locations mentioned above will support data governance by May 2018.

Right of Erasure

Finding GDPR data solves one problem. A further challenge is posed by article 17 of GDPR (the “right of erasure”), which says: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” In other words, someone has the right to demand that an organization should erase any of their personal data that exists within the company’s records. Content searches can find information about someone using their name, employee number, or other identifiers as search keywords, but erasing the information is something that probably needs manual processing to ensure that the tenant removes the right data and just that data.

You can find and then remove documents and other items holding someone’s name or another identifier belonging to them using tools such as Exchange’s venerable Search-Mailbox cmdlet or Office 365 content searches. However, if the data is on-hold because the company needs to keep items for regulatory or legal purposes, can you then go ahead and remove the items? Remember that the purpose of placing content on-hold is to ensure that no-one, including administrators, can remove that information from Exchange or SharePoint.

The GDPR requirement to erase data on request means that administrators might have to release holds placed on Exchange, SharePoint, and OneDrive for Business locations to remove the specified data. But once you release a hold, you weaken the argument that held data is immutable. The danger exists that background processes or users can then remove or edit previously-held data and so undermine a company’s data governance strategy.

The strict reading of GDPR appears to leave no doubt that organizations must process requests to erase personal data upon request, unless it is needed to exercise or defend legal claims under article 17.3e. But what if the company needs to keep some of the data to satisfy regulations governing financial transactions or other interactions? This is not something that IT can solve. Lawyers will have to interpret requests and understand the consequences before making decisions and it is likely that judges will have to decide some test cases in different jurisdictions before full clarity exists.

Hybrid is More Difficult

No doubt exists that Microsoft is working to help Office 365 tenants with GDPR. However, not quite the same effort is going to help on-premises customers. Some documentation exists to deal with certain circumstances (like how to remove messages held in Recoverable Items), but the feeling I have picked up is that on-premises customers feel they have to figure things out for themselves.

In some respects, this is understandable. After all, every on-premises deployment is slightly different and exists inside specific IT environments. Compared to the certainty of Office 365, developing software for on-premises deployment must take the foibles of individual customers into account.

On-premises software is more flexible, but it is also more complicated. Developing solutions to help on-premises customers deal with GDPR might be more of a challenge than Microsoft wants to take on now, especially given their focus of moving everything to the cloud.

Solutions like auto-label; policies are unavailable for on-premises servers. Those running on-premises SharePoint and Exchange systems must therefore come up with their own ways to help the businesses that they serve deal with personal data in a manner that respects GDPR.

SharePoint Online GitHub Hub

If you work with SharePoint Online, you might be interested in the SharePoint GDPR Activity Hub. At present, work is only starting, but it is a nice way to share information and code with similarly-liked people.

ISV Initiatives

Every week I seem to receive an announcement about an ISV-sponsored white paper on GDPR and how their technology can help companies cope with the new regulations (here is an example from Forcepoint). There is no doubt that these white papers are valuable, if only for the introduction and commentary by experts that the papers usually feature. But before you resort to an expensive investment, ask yourself whether the functionality available in Office 365 is enough. If not, then look at the ISV offerings more closely.

Technology Only Part of the Solution

GDPR will effect Office 365 because it will make any organization operating in the European Union aware of new responsibilities to protect personal data. However, technology seldom solves problems on its own. The nature of regulations like GDPR is that training and preparation are as important if not more important than technology to ensure that users recognize and properly deal with personal data in their day-to-day activities. You can deploy Office 365 features to support users in their work, but do not expect Office 365 to be a silver bullet for GDPR.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.