GDPR Compliance: Essential tools and features in Office 365

Author: Ajay Ram Posted In: Cloud, Strategy

By now, many of us have heard about the General Data Protection Regulation (GDPR), the regulation that dictates how the data of EU residents is collected and analyzed. It applies to all companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.

GDPR went into effect on May 25 this year. Microsoft has made it a priority and, over the last year, has released tools and features designed to help companies using Office 365 become GDPR compliant.

Let’s look at four key tools and features that, in my view, need to be considered when planning for GDPR:

  1. Compliance Manager
  2. Office 365 Labels
  3. Azure Information Protection
  4. Data Subject Request

Compliance Manager:

Compliance Manager is designed to help companies plan and assess compliance initiatives for GDPR. It also helps evaluate other standards such as HIPAA, ISO and NIST.

Compliance Manager tracks controls in two categories:

  1. Microsoft managed controls (controls managed by Microsoft in its capacity as the provider of the Office 365 service)
  2. Customer managed controls (controls managed by the organization using Office 365)

In the case of GDPR, Compliance Manager evaluates a total of 114 controls (49 Microsoft managed controls and 65 customer managed controls). Each control is mapped to a specific GDPR requirement, and details such as implementation date, related documents, and test results for each control are tracked on the dashboard.

Figure 1: Tracking controls in Compliance Manager

A few things to note before using the compliance dashboard: any documents or data uploaded are

  1. accessible to your entire organization by default. To restrict access to specific users, refer to the support article.
  2. not accessible by Microsoft personnel.
  3. stored in the US on Microsoft’s cloud storage.

Compliance Manager can be accessed by navigating to https://servicetrust.microsoft.com/ and signing in with the organization’s Office 365 credentials.

Office 365 Labels:

Office 365 Labels is the native data classification solution for personal and sensitive data held in SharePoint Online and OneDrive for Business. Labels can also be associated with DLP policies, allowing data to be classified across the organization and the corresponding retention rules to be enforced.

Labels can be either manually applied (explicit label) or auto-applied (implicit label). Explicitly assigned labels take precedence over implicitly assigned labels. Labels can be assigned in one of the following ways:

  1. SharePoint and Office 365 group sites: Labels can be assigned either at the document library level (in which case the label is applied to every document in the library) or individually on each item.
  2. Records management across Office 365 (covering both email and documents): A label can be used to classify content as a record. In this scenario:
    1. the label assigned to the content cannot be changed or removed
    2. content declared as a record cannot be edited or deleted

Some of the considerations that need to be reviewed carefully during planning are the following:

  1. The Office 365 Label feature, like the other compliance tools in Office 365, relies on the search index. Once a label is configured, it can take up to 7 days for the label to be applied automatically to all items that match its conditions.
  2. Auto-applying Office 365 Labels only works on content in Exchange emails and on documents in OneDrive and SharePoint sites. Note that it’s not yet possible to select just the mailboxes of specific users, whereas specific SharePoint and OneDrive sites can be either included in or excluded from the label policy.
  3. Labels on Group/Teams sites can only be applied manually; auto-applying labels is not currently supported on these sites.
  4. Auto-applying labels is not supported for Teams chats and Teams channel messages. Microsoft did recently roll out the capability to create retention policies for chats and channel messages (link) in Teams, which, although it does not provide the same functionality as Labels, does give some data governance control over content generated in Teams.
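To make the considerations above concrete, here is an added example (not from the original post) of configuring an auto-applied Office 365 Label from Security & Compliance Center PowerShell. The tenant site URLs, label and policy names, and the choice of the "EU Passport Number" sensitive information type are assumptions for illustration; the cmdlets are the ones the Security & Compliance Center exposes for retention labels.

```powershell
# Added example, not the post's own code. Requires the ExchangeOnlineManagement
# module; Connect-IPPSSession opens a Security & Compliance Center session.
Connect-IPPSSession

# 1. The label itself: retain GDPR-scoped content for 7 years from last modification.
#    Name and duration are placeholders chosen for this example.
New-ComplianceTag -Name "EU Personal Data" `
    -RetentionAction Keep `
    -RetentionType ModificationAgeInDays `
    -RetentionDuration 2555 `
    -Comment "Constructed example label for content subject to GDPR"

# 2. Scope of the auto-apply policy, following the limits described above:
#    Exchange can only be scoped to all mailboxes (no per-user selection),
#    SharePoint/OneDrive sites can be included individually, and Group/Teams
#    sites are left out because auto-apply is not supported there.
$sites = @(
    "https://contoso.sharepoint.com/sites/HR",      # placeholder tenant URLs
    "https://contoso.sharepoint.com/sites/Finance"
)
New-RetentionCompliancePolicy -Name "GDPR Auto-Label Policy" `
    -ExchangeLocation All `
    -SharePointLocation $sites `
    -OneDriveLocation All `
    -Enabled $true

# 3. The rule that makes the label implicit: items matching the sensitive
#    information type receive the label. A label a user set explicitly is
#    not overridden, since explicit labels take precedence over implicit ones.
New-RetentionComplianceRule -Name "GDPR Auto-Label Rule" `
    -Policy "GDPR Auto-Label Policy" `
    -ApplyComplianceTag "EU Personal Data" `
    -ContentContainsSensitiveInformation @(@{ Name = "EU Passport Number"; minCount = "1" })

# 4. Labels appear only once the search index has caught up (up to 7 days),
#    so check distribution status before relying on the policy in an audit.
Get-RetentionCompliancePolicy -Identity "GDPR Auto-Label Policy" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Until DistributionStatus reports success and the 7-day indexing window has passed, a content search for the label will under-report what is actually in scope.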

Azure Information Protection (AIP):

AIP, like Office 365 Labels, is a cloud-based solution for classifying documents and emails. It is recommended for classifying Exchange Online emails, files in other SaaS services, files in on-premises datacenters, and files held with other cloud providers. In addition, it can encrypt files in Office 365 through Azure Rights Management (Azure RMS) for additional data protection.

AIP labels applied to mail in Exchange Online are compatible with the Office 365 Data Loss Prevention service.

Note: Office 365 services currently cannot read the contents of RMS-encrypted files. Applying Azure RMS encryption to files subject to GDPR is therefore not currently supported in Office 365, because the compliance tooling would be unable to inspect them.

Figure 2: Data Classification tools (Courtesy: Microsoft)

Microsoft is working on a unified classification and labeling schema designed to ensure the compatibility of AIP and Office 365 Labels.

Hybrid Deployments:

Hybrid deployments consist of an Office 365 tenant integrated with one or more on-premises technologies such as Exchange, SharePoint, OneDrive, and on-premises Active Directory with identity synchronization. AIP is the recommended solution for identifying and labeling sensitive content located on-premises.

Data Subject Requests:

One of the key requirements of GDPR is that it grants EU residents the right to access, retrieve, correct, erase, and restrict the processing of their personal data. A formal request by a person asking an organization to act on their personal data is called a Data Subject Request (DSR).

Office 365 has extensive built-in capability to initiate and track the collection of data for a DSR case. The DSR dashboard can be accessed by navigating to Security & Compliance Center → Data Privacy tab → Data Subject Requests (https://protection.office.com/?rfr=AdminCenter#/dsrcases).

Depending on their type and scope, DSRs can be classified as follows:

  1. DSRs for Customer Data
  2. DSRs with respect to insights generated by Office 365
  3. DSRs for System-generated Logs

Detailed instructions on responding to the different types of DSR can be found here.