Is Office 365 A Data Processor Gdpr
In the last few months, and for sure in the upcoming ones, there has been a lot of talk about the EU GDPR. In this article we will try to clarify the role of GDPR from an IT viewpoint, in particular with a Microsoft Office 365 perspective. Moreover, we will introduce an open source tool called GDPR Activity Hub, which is available for free to help partners and customers process the most common IT tasks related to GDPR.
What is the EU GDPR? Does it matter for you?
The first question to answer is: "What is the EU GDPR?". GDPR stands for General Data Protection Regulation (ref. Regulation EU 2016/679), and it is a regulation from the European Union with the scope to protect the data of all individuals living in the European Union.
The fact that it is a regulation implies that it will become immediately applicable and enforceable by law in all Member States, without the need for a specific transposed national law in each Member State. The GDPR will go live on May 25th, 2018. Thus, from that date all businesses, all over the world and not only in the EU, that manage any personal data of any data subject living in the EU will have to adhere to the rules of GDPR and be compliant with the regulation.
As you can see, from an IT perspective, organizations will need to train privacy personnel and employees, to audit and update data policies, possibly to employ a Data Protection Officer, which is a new job role introduced by the GDPR, and to create and manage compliant vendor contracts.
Moreover, still from an IT perspective, businesses will need to keep track of events and requests related to personal data of data subjects. For example, the GDPR states that every single EU citizen has the right to access, correct, or erase her/his data that is stored by a third party. From an IT perspective you will have to keep track of such requests related to personal data, through any kind of logging system of your choice.
Furthermore, in case of any event (like a Data Breach) or any potential event (like an Identity Risk/Theft) you will have to keep track of these events and behave according to the GDPR requirements. For example, in case of any Data Breach event, the GDPR states that: "as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it." A supervisory authority can be a Data Protection Authority (DPA).
Thus, the GDPR introduces some new requirements, which can become a challenge for customers and a new business opportunity for partners. In fact, customers will need to have internal processes to manage those requirements, and they will need to have workflows to manage those processes.
Microsoft Office 365 and the GDPR
Considering that most businesses nowadays have some of their data and processes in the cloud, leveraging Software as a Service (SaaS) offerings like Microsoft Office 365, it's worth trying to figure out what can be done out of the box with Office 365 (and Microsoft 365), from a GDPR requirements perspective.
First of all, it is important to highlight that in February 2017 Microsoft announced that its cloud services will comply with GDPR by May 25, 2018. This is so true that in Microsoft Office 365 we already have a bunch of services and tools that help businesses verify their compliance and their level of security, monitor events, and prevent data leaks. In the following schema you can see, divided by category, the most useful services and tools available out of the box in Microsoft Office 365.
Notice that some of the above services require specific subscription plans (like E3 or E5) or dedicated SKUs (product licenses). However, covering licensing is out of scope for this article.
For example, the Office 365 Secure Score functionality, which is available under the "Security & Compliance Center", gives you a measure of how secure your tenant is, comparing your services settings with a baseline provided by Microsoft. Moreover, it gives you "actions" that you can take to improve your score. Clearly, whatever your score is, there is no guarantee that you will not be breached. Nevertheless, a high score can let you be more confident about the strength of your environment.
Services like Data Loss Prevention (DLP) enable you to identify sensitive/personal data as it travels through Exchange Online, SharePoint Online, and OneDrive for Business. You can then prevent accidental sharing of sensitive information and help users stay compliant. Moreover, you can collect useful information about DLP, which can be used to report events and content matching policies.
For example, using DLP you can prevent users from sharing specific categories of documents, using content-based rules or labels applied to content (manually or automatically). In case a user shares sensitive or classified content, DLP will prevent him or her from causing a data leak and will show an informative message that explains why the action is forbidden.
Services like "Customer Lockbox" ensure that Microsoft engineers do not get access to the customer's content without the customer's explicit approval. In fact, all access is obtained through rigorous access control technology, and administrators of the tenant can approve or reject the access request.
Services like Advanced Threat Protection (ATP), Threat Intelligence, Cloud App Security, Advanced Data Governance (ADG), etc. provide proactive and intelligent capabilities that will protect your users and prevent data leaks from your company perspective.
Moreover, the Office 365 Unified Audit Logging system allows administrators to search for users' activities and events, which can be useful to keep track of everything that happens from a GDPR perspective. For example, using the Office 365 Unified Audit Log you can determine who deleted a file, or who shared a file with someone else, etc. At the time of this writing, the areas and services that you can audit through the Office 365 Unified Audit Log are:
- Files
- Folders
- Sharing and Access Requests
- Synchronizations
- Site Administration
- Exchange Mailboxes
- Sway
- User Administration
- Azure AD Group Administration
- Application Administration
- Office Administration
- Directory Administration
- eDiscovery
- Power BI
- Microsoft Teams
- Dynamics 365
- Microsoft Flow
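One way to answer the "who deleted or shared a file" question from exported audit records, as an added example that is not part of the original article. It assumes each exported row carries the event as a JSON string in an `AuditData` column with `CreationTime`, `UserId`, `Operation` and `ObjectId` fields; the operation names watched, the sample rows, users and URLs are constructed for illustration.

```python
import json
from collections import defaultdict

# Operation names assumed for this example: file deletion and sharing events.
WATCHED = {"FileDeleted", "SharingSet", "AnonymousLinkCreated"}

def _row(time, user, operation, obj):
    """Build one constructed export row; the event is a JSON string in 'AuditData'."""
    return {"AuditData": json.dumps({"CreationTime": time, "UserId": user,
                                     "Operation": operation, "ObjectId": obj})}

PAYROLL = "https://tenant.example/sites/hr/Docs/payroll.xlsx"
NOTES = "https://tenant.example/sites/hr/Docs/notes.docx"

# Constructed sample rows (not real tenant data), deliberately out of order.
SAMPLE_ROWS = [
    _row("2018-05-02T09:15:00", "alice@example.com", "FileAccessed", PAYROLL),
    _row("2018-05-02T11:05:00", "bob@example.com", "FileDeleted", PAYROLL),
    _row("2018-05-02T10:40:00", "bob@example.com", "SharingSet", PAYROLL),
    _row("2018-05-03T08:00:00", "carol@example.com", "FileDeleted", NOTES),
    {"AuditData": "{truncated"},  # damaged row: must be counted, not crash the run
]

def file_activity(rows, watched=WATCHED):
    """Return ({object: [(time, user, operation), ...]}, skipped_row_count)."""
    report = defaultdict(list)
    skipped = 0
    for row in rows:
        try:
            event = json.loads(row["AuditData"])
        except (KeyError, TypeError, ValueError):
            skipped += 1
            continue
        if not isinstance(event, dict) or event.get("Operation") not in watched:
            continue
        report[event.get("ObjectId", "<unknown>")].append(
            (event.get("CreationTime", ""), event.get("UserId", ""), event["Operation"]))
    for events in report.values():
        events.sort()  # ISO 8601 timestamps sort chronologically as strings
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = file_activity(SAMPLE_ROWS)
    for obj, events in report.items():
        for time, user, operation in events:
            print(f"{time}  {operation:<12} {user}  {obj}")
    print(f"skipped rows: {skipped}")
```

The per-object timeline is the kind of record a GDPR request or breach log entry can reference, and the skipped-row count shows when an export was incomplete.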
Last but not least, from a SharePoint Online perspective, you can configure your tenant to support classification of sites. Site classification allows you to apply a policy level (classification) to every modern site that you create, so that you can create custom policies and automation/governance rules based on the classification level of a site. Just for the sake of making an example, whenever users create a site classified as "GDPR" maybe you want to automatically enforce security rules and custom policies to protect data stored in that site.
GDPR Activity Hub
If you are a big enterprise with an internal development team, or if you are a Microsoft partner selling solutions to third parties, most likely you will be interested in discovering the new GDPR Activity Hub. The GDPR Activity Hub is an open source project, hosted under the SharePoint & Office 365 Patterns & Practices (PnP) umbrella, which allows you to handle the most common activities related to collecting requests and events that are GDPR related.
The project is fully open source and can be downloaded from GitHub. It is a showcase of Microsoft technologies like:
- SharePoint Online modern sites
- SharePoint Framework client-side web parts
- Office 365 Groups/Microsoft Teams
- Remote provisioning
- Power BI
Out of the box, the functionalities offered by the GDPR Activity Hub are:
- GDPR Dashboard: a dashboard based on Microsoft Power BI that you can use to measure your performance on GDPR events and requests (see the GDPR Activity Hub home page in the above figure).
- Data repository based on SharePoint Online: it uses SharePoint Online as the default repository for data, but you can customize it and replace SharePoint with a regular DBMS, if needed.
- Custom pages for data management: a bunch of custom pages for data entry of events and requests that need to be monitored and logged from a GDPR perspective.
- Client-side web parts: a few client-side web parts, built using the new Microsoft SharePoint Framework, useful to insert requests and events, to design a GDPR hierarchy for the current company, and to manage tasks related to any GDPR process.
- Sample workflows to process data breaches and other sample events/requests.
The project can be installed automatically in your own Office 365 tenant, just by following the step by step setup guide provided here. However, the project is not meant to be a "ready to go" product, rather a starter kit to help you build your own products. Thus, aside from playing with it in your own environment, you should start building your own solution on top of it.
Please, notice that installing the GDPR Activity Hub in your tenant does not mean that you will be GDPR compliant. Moreover, because it is not a product, do not expect to have any kind of Service Level Agreement (SLA) or guarantee. It just works based on community efforts, and your feedback and your contribution will be more than welcome, if any!
Wrap up
To wrap up this article, first of all you need to be aware of GDPR and to be prepared for GDPR. Whatever your business is, whatever the size of your business is, and wherever your business is located, be prepared and start figuring out how to collect and monitor information relevant from a GDPR perspective. Consider an assessment tool provided for free by Microsoft at the following URL (https://assets.microsoft.com/en-us/gdpr-detailed-assessment.zip), and keep an eye on the GDPR area for partners (http://aka.ms/gdprpartners).
Evaluate moving to the cloud and in particular to Microsoft Office 365, in order to leverage a bunch of out of the box services and capabilities that will help you be compliant with GDPR.
Give a chance to the GDPR Activity Hub, too, and let us know your feedback and your needs. We will try to do our best to improve the starter kit in the upcoming months.
Cheers!
This blog post was originally published on Paolo's blog.
Source: https://rencore.com/blog/understanding-eu-gdpr-from-an-office-365-perspective/
Posted by: leenegards40.blogspot.com