GDPR Compliance in Office 365
The EU’s General Data Protection Regulation (GDPR) will be in full effect come May 25th 2018, and it brings several changes to data protection for EU citizens. Although it can be expensive and take up a lot of time, you might as well get this out of the way. While it may be viable for smaller companies with few-to-none EU customers bite the bullet and cut their business within the EU to avoid compliance costs, such an option isn’t sustainable for companies with many EU clients. The EU GDPR compliance is here to stay, so might as well embrace it as soon as possible to avoid a headache later on.
Here are some of our tips to make sure your Office 365 Applications fully comply with it.
1. Check your GDPR compliance by taking Microsoft’s Assessment
Microsoft offers a free GDPR Assessment that will help you understand if your organization complies with the new EU laws for citizen data protection. This short assessment will tell you where your organization falls, as well as providing information on the next steps you should take to make your organization fully compliant with the GDPR.
In addition to the assessment, Microsoft also has a free whitepaper you can download, as well as an ebook on how to accelerate your compliance to the GDPR. Both provide a more in-depth look to the GDPR compliance and what it implies for your organization, and how Microsoft 365 can help you with your compliance approach.
2. Check your Data Center’s Location
To help comply with the GDPR, Microsoft now lets Office 365 users change the location of their data centers in the event they have specific data residency requirements. To find our where customer data is stored in Office 365, Microsoft has made a “Where is my data?” map available here.
3. Create Data Loss Prevention policies to monitor sensitive data
The GDPR compliance centers around the protection of the personal data of EU citizens. By better understanding what falls under the umbrella of personal data, you can better protect your customers’ information. Sensitive information such as names, home addresses, credit card numbers, health records, or social security numbers can be managed using Microsoft’s Data Loss Prevention policies (DLPs), which allows you to identify, monitor, and automatically protect sensitive information across Office 365.
4. Use Advanced Data Governance in Office
First introduced to Office 365 in 2016 (when the EU’s GDPR compliance directive was first adopted), Advanced Data Governance is a feature that reduces your risk profile while making it easier to retain high value data and ensure business continuity. By using Advanced Data Governance, you can achieve organizational compliance to the GDPR—the machine-assisted insights help you find, classify, set policies on, and take action on your chosen data.
5. Use Encryption Keys to Control Access
By pairing Customer Key for Office 365 with Azure, you can configure Office encrypt your data at rest in Microsoft’s data centers. Once you’ve set up Azure to use Customer Key, you can determine which encryption keys you want to assign to mailboxes and files across your organization. You also control when their access is revoked, and once that happens, said data becomes unreadable, and its deletion is initiated.
Note that you don’t have to dish out encryption keys yourself. Any mailbox and file without an assigned policy will use encryption controlled and managed by Microsoft themselves.
6. Control Access to Data with Lockbox
To meet compliance standards for explicit data authorization, look no further than Customer Lockbox for Office 365, which lets you control, grant, and deny access to your data when requested by a Microsoft support engineer. In the event the request takes more than 12 hours to approve, the request will automatically be denied.
7. Migrate on-premises and non-Office 365 data
Office 365 provides a data import service to facilitate the move between on-premises email and files into Exchange Online, SharePoint Online, and OneDrive for Business. With intelligent capabilities, this migration system lets you filter data so you only import what you need into Office 365, making it easier to separate EU customers from non-EU ones.
8. Supervise Employee Communications with Advanced Data Governance
In addition to previously mentioned features Office 365 Advanced Data Governance also comes with a Supervision feature that gives officers a practical way to comply with regulations. You can define policies for when and how to monitor employee communications, as well as who can monitor them across various platforms such as email, Facebook, Twitter, and more.
9. Find Relevant Data with Advanced eDiscovery
Office 365 Advanced eDiscovery provides an intelligent analysis and searches relevant unstructured data for review. By finding near-duplicate files, reconstructing email threads, and identifying themes and relationships among the data, Advanced eDiscovery reduces the amount of retainable data across Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business, Office 365 Groups, and Microsoft Teams. Extraction of text from images is enabled via Optical Character Recognition, which applies eDiscovery’s text analysis to images.
Advanced eDiscovery lets you focus on key documents, as well as allowing you to make quick, informed decisions on which data to cull or prioritize for review—so, if you’re looking solely for data from the EU, Advanced eDiscovery will make your live easier.
10. Monitor and Investigate Data with Microsoft Audit
In addition, as part of Microsoft’s Compliance Center, Office 365 has an Auditing feature to better your transparency, and to let you monitor and investigate actions taken on your data, identify risks, contain and respond to threads, and protect your valuable intellectual property. The RESTful Management Activity API provides a great level of visibility into all user and admin transactions across Office 365, and simplifies the way other software providers can integrate Office 365 data into their security and compliance monitoring solutions.
With this, you can filter your results by Activity, by its start and/or end date, by which users modified them, or simply by the file’s name or folder. These results can be filtered and then exported into a CSV file.
Want more security insights like this? Get notified of our Office 365 updates!