Less Than Five Months to GDPR
The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25. Any company doing business in the EU or EEA needs to follow GDPR, and with the countdown towards the May deadline, companies are busy reviewing their exposure and understanding where they need to make changes to achieve compliance. Remember, GDPR dictates how to collect, store, process, and share personal data, so there’s a lot to think about.
GDPR Tools from Microsoft
Microsoft’s Compliance Manager breaks down GDPR into a set of tasks. Some of the tasks might not apply to your tenant, but it’s better to be safe than sorry, so consider them all. In addition, Microsoft has an online GDPR assessment tool designed to help companies understand their overall level of readiness.
Potential GDPR Impact on Office 365 Applications
Once you understand how GDPR affects data stored in Office 365, you can figure out how to protect and control that data. And, very importantly, how to educate users to deal with personal data correctly. Data that might come under the scope of GDPR can exist in repositories used by applications like Exchange, SharePoint, OneDrive, and Teams. The need therefore exists to understand:
- What types of personal data exist inside your Office 365 tenant (passport numbers, credit card numbers, other identifiers).
- How users gather and use personal data. For example, the HR department is likely to store tax identifiers for employees. Although this information is probably in an HR data system, it might also exist in spreadsheets, documents, and email.
- The protection currently applied to personal data. You might already protect personal data with techniques such as applying rights templates to email and documents. If so, the question might be how to improve protection through new software capabilities available in Office 365 or recent upgrades (like the changes made to Office 365 Message Encryption).
Information Protection Guide for GDPR
As the countdown to GDPR continues, you can expect to hear more advice from Microsoft covering ways to use Office 365 technology to achieve compliance. A recent example is the release of the Office 365 Information Protection for GDPR guide (or solution), offering “prescriptive recommendations for discovering, classifying, protecting, and monitoring personal data.”
Like any guide, this document has some limitations. In this case, a large part of the guide focuses on how to protect documents stored in SharePoint Online and OneDrive for Business with classification labels. It ignores the circulation of personal data within email, Teams, or Yammer. Of course, the reason is that classification labels are much more useful in SharePoint and OneDrive today. You can use classification labels with Exchange, but only as personal retention tags, and auto-label policies don’t work for email.
Teams and Yammer are weak spots inside Office 365 when it comes to GDPR. Although you can argue that people won’t post personal information to Teams or Yammer conversations, the simple fact is that users surprise administrators all the time in what they do. Where technology cannot help, user education must step in. If you use Teams or Yammer, make sure that you coach people about the proper use of personal data.
Using Sensitive Data Types
Even though the guide only partially covers Office 365, its content is valuable. The section about using sensitive data types with content searches to scan SharePoint and OneDrive libraries for documents that potentially hold personal data might help some companies understand how much GDPR-relevant data they have. Some of the examples illustrate the power of Keyword Query Language queries when looking for personal data.
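The kind of search the guide describes can be run from PowerShell rather than the Security & Compliance Center UI, which makes it repeatable as your readiness review progresses. The following is an added example, not code from the guide or from Microsoft: it builds a content search that uses the SensitiveType KQL property against every SharePoint Online and OneDrive for Business site and reports the number of matching items. It assumes a PowerShell session already connected to the Security & Compliance Center endpoint (for instance via Connect-IPPSSession from the Exchange Online module) with an account that holds the eDiscovery Manager role; the search name is an assumption.

```powershell
# Added example (not from the guide or the original post). Creates a compliance
# content search that uses the SensitiveType KQL property to find documents in
# all SharePoint and OneDrive sites containing at least one credit card number
# or EU passport number, then reports how many items matched.
# Assumes a session connected to the Security & Compliance Center.

# The search name is an assumption; pick one that fits your naming convention.
$SearchName = "GDPR-PersonalData-Discovery"

# KQL syntax: SensitiveType:"<type name>|<min count>..<max count>|<min confidence>..<max confidence>"
# "1.." means one or more matches; "85..100" limits hits to medium-to-high
# confidence, which cuts down false positives from pattern-only matches.
$Query = 'SensitiveType:"Credit Card Number|1..|85..100" OR SensitiveType:"EU Passport Number|1..|85..100"'

# Confirm the sensitive information type names exist in this tenant before
# relying on them in the query; a mistyped name silently matches nothing.
$KnownTypes = Get-DlpSensitiveInformationType | Select-Object -ExpandProperty Name
foreach ($t in @("Credit Card Number", "EU Passport Number")) {
    if ($KnownTypes -notcontains $t) { throw "Sensitive information type '$t' not found in this tenant" }
}

# Scope: every SharePoint site and OneDrive for Business account in the tenant.
# Add -ExchangeLocation All if you also want mailboxes included.
New-ComplianceSearch -Name $SearchName -ContentMatchQuery $Query -SharePointLocation All | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search finishes; large tenants can take a while.
do {
    Start-Sleep -Seconds 30
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -in @("NotStarted", "Starting", "InProgress"))

if ($Search.Status -ne "Completed") {
    Write-Warning "Search ended with status $($Search.Status); results may be incomplete"
}

# Items and Size are the hit count and total bytes, which is the first figure
# most GDPR readiness reviews ask for.
"{0}: {1} items ({2:N0} bytes) matched" -f $SearchName, $Search.Items, $Search.Size
```

Treat the hit count as an upper bound to investigate, not a final answer: the confidence filter removes the noisiest matches, but a document that mentions a sixteen-digit order number near the word "card" can still be flagged, and a scanned passport image with no extractable text will not be.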
The guide has some sensible recommendations for developing a classification schema for personal data and how to apply the classification labels that flow from the schema. Of course, if you want to use the auto-label policies to find and apply classification labels to documents, you need Office 365 E5 or the Advanced Data Governance add-on.
Data Loss Prevention
Other tips include using Data Loss Prevention policies to detect when users try to share documents that contain sensitive data with people outside the company. Be aware that two forms of DLP policies exist inside Office 365 – one for Exchange based on transport rules and one designed to work across multiple Office 365 workloads that is best for SharePoint and OneDrive. Again, Teams and Yammer don’t support this capability.
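The multi-workload form of DLP (the one managed in the Security & Compliance Center, not Exchange transport rules) can be scripted as well. This is an added example, not code from the guide or from Microsoft: it creates a policy in test mode covering SharePoint Online and OneDrive for Business with a single rule that fires when a document holding a high-confidence credit card number is shared outside the organization. It assumes a session connected to the Security & Compliance Center; the policy name, rule name, and the dpo@contoso.com report recipient are assumptions.

```powershell
# Added example (not from the guide or the original post). Creates a DLP policy
# in test mode for SharePoint Online and OneDrive for Business with one rule
# that blocks external sharing of documents containing credit card numbers.
# Assumes a session connected to the Security & Compliance Center. Names and
# the incident report address are assumptions.

$PolicyName = "GDPR - Personal data (SharePoint and OneDrive)"
$RuleName   = "Block external sharing of credit card numbers"

# TestWithNotifications shows policy tips and logs matches without blocking,
# so you can tune for false positives before enforcing. Switch to Enable
# later with: Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment "Detect personal data shared outside the tenant" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications | Out-Null

# ContentContainsSensitiveInformation takes one hashtable per sensitive type;
# minCount and minConfidence set how many hits and how sure the classifier must
# be. AccessScope NotInOrganization restricts the rule to external sharing, so
# internal collaboration on the same document is untouched.
New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This document contains personal data and cannot be shared outside the organization." `
    -GenerateIncidentReport "dpo@contoso.com" `
    -IncidentReportContent All `
    -ReportSeverityLevel High | Out-Null

# Read the rule back to confirm the scope and action took effect as intended.
Get-DlpComplianceRule -Policy $PolicyName |
    Select-Object Name, AccessScope, BlockAccess, Mode, ContentContainsSensitiveInformation |
    Format-List
```

Leave the policy in test mode for at least a full business cycle and review the incident reports before switching it to Enable; a rule that blocks legitimate sharing with auditors or outside counsel will be worked around by users, usually by emailing the file, which is exactly the path the multi-workload policy does not cover.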
When it comes to checking up on leaks, the guide reviews the Office 365 audit log and notes that Office 365 only keeps audit records for 90 days. This probably isn’t long enough if someone sues your company for misuse of personal data. Litigation often starts well after the date of a purported offense and it is not good to admit in court that all your audit records for the period in question are unavailable because Office 365 flushes them after 90 days. The guide underlines that other solutions are available. For example, Advanced Security Management (part of Office 365 E5 and available as an add-on) stores audit data for 180 days while third-party solutions like Security & Audit from Quadrotech will store tenant audit data for as long as you pay your bills.
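Short of buying a product, the practical way to keep audit data past the retention window is to pull it out of the tenant on a schedule and store it yourself. The following is an added example, not code from the guide or from Microsoft: it exports the previous day's unified audit log records to a dated JSON file, paging through the result set the way Search-UnifiedAuditLog requires. It assumes a session connected to Exchange Online PowerShell (where Search-UnifiedAuditLog lives) and an export folder of C:\AuditExport, which is an assumption.

```powershell
# Added example (not from the guide or the original post). Exports one day of
# unified audit log records to a JSON file so they survive beyond the service's
# retention window. Run daily from a scheduled task. The output contains user
# activity data, so store it with its own retention policy and access controls.
# Assumes a session connected to Exchange Online PowerShell; the export path is
# an assumption.

$ExportRoot = "C:\AuditExport"
$EndDate    = (Get-Date).Date            # midnight today, local time
$StartDate  = $EndDate.AddDays(-1)       # midnight yesterday
$SessionId  = "AuditExport-" + $StartDate.ToString("yyyyMMdd")
$OutFile    = Join-Path $ExportRoot ($StartDate.ToString("yyyy-MM-dd") + ".json")

if (-not (Test-Path $ExportRoot)) { New-Item -ItemType Directory -Path $ExportRoot | Out-Null }

# Search-UnifiedAuditLog returns at most 5,000 records per call. Repeating the
# call with the same -SessionId and -SessionCommand ReturnLargeSet pages through
# the full result set (up to 50,000 records per session; narrow the window if
# a busy tenant exceeds that).
$All = @()
do {
    $Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Page) { $All += $Page }
} while ($Page -and $Page.Count -eq 5000)

# AuditData is a JSON string per record; keep it intact rather than flattening
# it, so nothing is lost for a later investigation.
$All | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8

# Each record carries ResultCount, the total the service found for the query;
# compare it with what was actually paged back to catch a truncated export.
$Expected = if ($All.Count -gt 0) { [int]$All[0].ResultCount } else { 0 }
"{0}: exported {1} of {2} records to {3}" -f $StartDate.ToString("yyyy-MM-dd"), $All.Count, $Expected, $OutFile
if ($All.Count -ne $Expected) {
    Write-Warning "Record count mismatch; re-run with a narrower time window"
}
```

Two caveats a practitioner will hit: audit events can take hours to appear in the log, so a job that runs at midnight for "yesterday" will miss late arrivals unless you overlap windows or re-export a day later; and the exported files are now evidence, so hash them on write and keep them somewhere the people being audited cannot modify.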
No guide will ever tell you all you need to do to prepare for something like GDPR. Every company is different, and Office 365 is a huge software suite that comes in many flavors. All a guide can do is pose questions and get you thinking. Microsoft’s Office 365 Information Protection guide is helpful in that respect.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.