Insights
INSIGHTS
All Topics
Five ways Microsoft 365 can help with GDPR compliance
05 Sep 2020by Aidan Paterson
Microsoft 365 can simplify GDPR-compliance - saving valuable time and resources. Find out how
This article makes multiple references to Microsoft 365 and Office 365 subscriptions. You can find more information on what each subscription entails here.
The EU’s General Data Protection Regulation (GDPR) imposes a number of obligations that UK organisations including charities have to comply with, despite the UK having left the EU.
These include obligations to:
- Discover – know what data about individuals you have
- Protect – ensure that data that is kept secure through encryption or other measures
- Manage – comply with requests to correct data which is incorrect, incomplete or inaccurate, restrict its use, or delete it, (but subject to some restrictions (such as retaining data to establish a legal claim)
- Report – document and report on compliance procedures, and track and report on data movements
This will continue to be the case after the Brexit transition period on 31 December 2020, after which organisations including charities will also have to ensure that they comply with almost identical UK GDPR regulations.
Ensuring GDPR compliance can be expensive and time-consuming. But the good news for charity leaders is that Microsoft 365 online subscription service includes tools which can help.
Eligible nonprofits and charities can receive discounted subscriptions to Microsoft 365 through Charity Digital Exchange programme.
Here are five ways that charity leaders can use Microsoft 365 to help with GDPR compliance:
Related Articles
1.) Discover and explore your data
Microsoft 365’s Advanced eDiscovery tool gives you a powerful way to take stock of the digital data you are holding.
it also makes it easy to filter it. For example, you can find all the data relating to EU citizens. This lets you focus on key documents from Microsoft 365 applications including Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business and Microsoft Teams.
It can also help with data optimisation by finding duplicated files, thus reducing the quantity of data that you hold, and ensuring that all copies of data that is scheduled for deletion are in fact deleted.
2.) Control where your data is stored
An important part of GDPR compliance is and will continue to be ensuring that data about individuals is stored within the EU, the UK, or in a country where the EU has issued an "adequacy decision." This means that it confirms that the country’s laws ensure that there is an adequate level of data protection.
A subscription to Microsoft 365 E3 (or Office 365 E3) or above will enable charities to check where in the world their digital data is stored. You can change the location of the data centres that they use in order to comply with the GDPR’s data residency requirements.
Charities can now click on a "Where is my data?" button to find out where it is, and move it quickly and easily if necessary.
3.) Migrate your data to the cloud
A charity may choose to use Microsoft’s cloud to store data about EU citizens while keeping other digital data in their own data centre on their premises. Microsoft 365 provides a service to extract the right data (for example relating to EU customers only) and move it online into Exchange Online, SharePoint Online, and OneDrive for Business.
4.) Secure your data through encryption
GDPR does not specifically mandate the use of encryption for data protection purposes. Nevertheless, encryption is the obvious way to secure data in storage facilities. Few organisations will attempt to comply with GDPR without the use of encryption for data protection.
Microsoft 365 E3/Office 365 E3 and above subscriptions provide you with a baseline level of encryption using its BitLocker encryption tool.
This encrypts large chunks of stored data, known as "volumes", while they are "at rest" (as opposed to data "in transit" over a network, usually while it is being used by a particular application.)
Microsoft 365 E3/Office 365 E3 also offers an added layer of encryption for data used by an application such as Exchange Online, Skype for Business, SharePoint Online, or OneDrive for Business using a system called Customer Key. This provides additional protection against viewing of data by unauthorised systems or personnel and allows you to explicitly authorise Microsoft 365/Office 365 services such as eDiscovery to use your encryption keys.
An added benefit of Customer Key is that if you decide to stop using Microsoft 365 you can cancel your key. This makes the data unreadable on the service, which in effect is the same as deleting it – but without the risk of leaving some data undeleted inadvertently.
5.) Control how Microsoft can access your data
Sometimes a problem (such as a user being unable to access their email box) may require that a Microsoft 365 engineer accesses the data in question in order to troubleshoot and fix the issue.
To ensure that you maintain control over who can access your data, and to help remain in compliance with the GDPR, Microsoft offers a tool called Customer Lockbox for Microsoft 365. This enables a Microsoft engineer to access your data only after they have issued a request for access, and that request has been approved by someone appropriate within your organisation. If the request is not approved within 12 hours it is automatically rejected.
Find Out More
Explore Microsoft 365 Subscriptions At A Discounted Charity Rate
Aidan Paterson
Aidan Paterson
More on this topic
Recommended Products
Our Events
Charity Digital Academy
Our courses aim, in just three hours, to enhance soft skills and hard skills, boost your knowledge of finance and artificial intelligence, and supercharge your digital capabilities. Check out some of the incredible options by clicking here.
© 2022 Charity Digital Trust. All rights reserved
