Microsoft 365 can simplify GDPR-compliance - saving valuable time and resources. Find out how
This article makes multiple references to Microsoft 365 and Office 365 subscriptions. You can find more information on what each subscription entails here.
The EU’s General Data Protection Regulation (GDPR) imposes a number of obligations that UK organisations, including charities, have to comply with, despite the UK having left the EU.
These include obligations to:
This will continue to be the case after the end of the Brexit transition period on 31 December 2020, after which organisations, including charities, will also have to ensure that they comply with the almost identical UK GDPR regulations.
Ensuring GDPR compliance can be expensive and time-consuming. But the good news for charity leaders is that Microsoft 365 online subscription service includes tools which can help.
Eligible nonprofits and charities can receive discounted subscriptions to Microsoft 365 through the Charity Digital Exchange programme.
Here are five ways that charity leaders can use Microsoft 365 to help with GDPR compliance:
Microsoft 365’s Advanced eDiscovery tool gives you a powerful way to take stock of the digital data you are holding.
It also makes it easy to filter that data. For example, you can find all the data relating to EU citizens. This lets you focus on key documents from Microsoft 365 applications including Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business and Microsoft Teams.
It can also help with data optimisation by finding duplicated files, thus reducing the quantity of data that you hold, and ensuring that all copies of data that is scheduled for deletion are in fact deleted.
An important part of GDPR compliance is, and will continue to be, ensuring that data about individuals is stored within the EU, the UK, or a country for which the EU has issued an "adequacy decision", meaning that the EU has confirmed that the country’s laws provide an adequate level of data protection.
Charities can now click on a "Where is my data?" button to find out where it is, and move it quickly and easily if necessary.
A charity may choose to use Microsoft’s cloud to store data about EU citizens while keeping other digital data in their own data centre on their premises. Microsoft 365 provides a service to extract the right data (for example relating to EU customers only) and move it online into Exchange Online, SharePoint Online, and OneDrive for Business.
GDPR does not specifically mandate the use of encryption for data protection purposes. Nevertheless, encryption is the obvious way to secure data in storage facilities. Few organisations will attempt to comply with GDPR without the use of encryption for data protection.
This encrypts large chunks of stored data, known as "volumes", while they are "at rest" (as opposed to data "in transit", which is moving over a network, usually because a particular application is using it).
Microsoft 365 E3/Office 365 E3 also offers an added layer of encryption for data used by an application such as Exchange Online, Skype for Business, SharePoint Online, or OneDrive for Business using a system called Customer Key. This provides additional protection against viewing of data by unauthorised systems or personnel and allows you to explicitly authorise Microsoft 365/Office 365 services such as eDiscovery to use your encryption keys.
An added benefit of Customer Key is that if you decide to stop using Microsoft 365 you can cancel your key. This makes the data unreadable on the service, which in effect is the same as deleting it – but without the risk of leaving some data undeleted inadvertently.
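To make the Customer Key idea concrete, here is an added illustration (not Microsoft's code, and not how Microsoft 365 is implemented internally): each stored item gets its own data key, that data key is wrapped under a root key the customer controls, and revoking the root key makes every copy of every item unreadable at once. The names (`CustomerKey`, `EncryptedStore`, the constructed mailbox items) are assumptions for the example. Because it uses only the Python standard library, the cipher is a keystream derived from HMAC-SHA256 in counter mode with an HMAC tag for integrity; a real service would use an authenticated AES mode with keys held in a hardware-backed key vault.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF for AES (example only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds the ciphertext to this key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first so a wrong key fails loudly instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong or revoked key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CustomerKey:
    """The tenant's root key; the service only ever handles wrapped data keys."""

    def __init__(self) -> None:
        self._root: Optional[bytes] = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        if self._root is None:
            raise PermissionError("customer key has been revoked")
        return encrypt(self._root, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        if self._root is None:
            raise PermissionError("customer key has been revoked")
        return decrypt(self._root, wrapped)

    def revoke(self) -> None:
        self._root = None          # cryptographic erasure: nothing else needs deleting


class EncryptedStore:
    """Items are stored as (wrapped data key, ciphertext); copies share both."""

    def __init__(self, customer_key: CustomerKey) -> None:
        self.customer_key = customer_key
        self.items: dict[str, tuple[bytes, bytes]] = {}

    def put(self, name: str, content: bytes) -> None:
        dek = secrets.token_bytes(32)                 # fresh data key per item
        self.items[name] = (self.customer_key.wrap(dek), encrypt(dek, content))

    def copy(self, src: str, dst: str) -> None:
        self.items[dst] = self.items[src]             # e.g. a backup or forwarded copy

    def get(self, name: str) -> bytes:
        wrapped, ct = self.items[name]
        return decrypt(self.customer_key.unwrap(wrapped), ct)

    def readable(self) -> list[str]:
        """Names of items that can still be decrypted with the current key state."""
        out = []
        for name in self.items:
            try:
                self.get(name)
                out.append(name)
            except (PermissionError, ValueError):
                pass
        return sorted(out)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: two items plus a stray copy, then the key is revoked."""
    key = CustomerKey()
    store = EncryptedStore(key)
    store.put("inbox/msg1", b"Donor record for an EU resident")
    store.put("inbox/msg2", b"Board minutes")
    store.copy("inbox/msg1", "backup/msg1")          # the copy nobody remembered to delete
    before = store.readable()
    key.revoke()
    after = store.readable()                          # every copy unreadable at once
    return before, after
```

The point the example makes is the one in the paragraph above: deletion-by-revocation does not depend on finding every copy, because every copy's data key was wrapped under the same root key, so none of them can be unwrapped once it is gone.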
Sometimes a problem (such as a user being unable to access their email box) may require that a Microsoft 365 engineer accesses the data in question in order to troubleshoot and fix the issue.
To ensure that you maintain control over who can access your data, and to help remain in compliance with the GDPR, Microsoft offers a tool called Customer Lockbox for Microsoft 365. This enables a Microsoft engineer to access your data only after they have issued a request for access, and that request has been approved by someone appropriate within your organisation. If the request is not approved within 12 hours it is automatically rejected.
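The request-and-approve flow described above can be modelled as a small broker. The following is an added example written for this article, not Microsoft's Customer Lockbox code: an engineer's request starts pending, only a designated approver in the customer's organisation can approve or deny it, and a request with no decision after 12 hours is treated as rejected. The broker name, the approver address and the resource identifiers are constructed for the example, and the clock is passed in explicitly so the 12-hour rule can be exercised deterministically.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

APPROVAL_WINDOW = timedelta(hours=12)   # from the article: no decision within 12 hours = rejected


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"
    EXPIRED = "expired"


@dataclass
class AccessRequest:
    engineer: str              # the support engineer asking for access
    resource: str              # constructed identifier, e.g. "mailbox:alice"
    justification: str
    requested_at: datetime
    state: State = State.PENDING
    decided_by: Optional[str] = None
    audit: list[str] = field(default_factory=list)


class LockboxBroker:
    """Grants access only on an explicit, in-window decision by a designated approver."""

    def __init__(self, approvers: set[str]) -> None:
        self.approvers = set(approvers)

    def request_access(self, engineer: str, resource: str,
                       justification: str, now: datetime) -> AccessRequest:
        req = AccessRequest(engineer, resource, justification, now)
        req.audit.append(f"{now.isoformat()} requested by {engineer}: {justification}")
        return req

    def _expire_if_stale(self, req: AccessRequest, now: datetime) -> None:
        # Model assumption: expiry is evaluated lazily whenever the request is touched.
        if req.state is State.PENDING and now - req.requested_at >= APPROVAL_WINDOW:
            req.state = State.EXPIRED
            req.audit.append(f"{now.isoformat()} auto-rejected: no decision within 12h")

    def _decide(self, req: AccessRequest, approver: str, now: datetime, new: State) -> None:
        self._expire_if_stale(req, now)
        if req.state is not State.PENDING:
            raise ValueError(f"request is already {req.state.value}")
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not a designated approver")
        req.state, req.decided_by = new, approver
        req.audit.append(f"{now.isoformat()} {new.value} by {approver}")

    def approve(self, req: AccessRequest, approver: str, now: datetime) -> None:
        self._decide(req, approver, now, State.APPROVED)

    def deny(self, req: AccessRequest, approver: str, now: datetime) -> None:
        self._decide(req, approver, now, State.DENIED)

    def access_allowed(self, req: AccessRequest, now: datetime) -> bool:
        """What the service checks before the engineer is allowed to touch the data."""
        self._expire_if_stale(req, now)
        return req.state is State.APPROVED


def demo() -> dict[str, bool]:
    """Constructed scenario with a fixed clock so the outcome is deterministic."""
    t0 = datetime(2021, 1, 4, 9, 0, tzinfo=timezone.utc)
    broker = LockboxBroker(approvers={"dpo@charity.example"})

    # 1: approved by the right person within the window
    r1 = broker.request_access("eng-1", "mailbox:alice", "restore mail flow", t0)
    broker.approve(r1, "dpo@charity.example", t0 + timedelta(hours=1))

    # 2: nobody responds; by the time it is checked 13 hours later it has lapsed
    r2 = broker.request_access("eng-2", "mailbox:bob", "index repair", t0)

    # 3: the requesting engineer tries to approve their own request
    r3 = broker.request_access("eng-3", "site:finance", "quota fix", t0)
    try:
        broker.approve(r3, "eng-3", t0 + timedelta(minutes=5))
    except PermissionError:
        pass

    return {
        "approved": broker.access_allowed(r1, t0 + timedelta(hours=2)),
        "lapsed": broker.access_allowed(r2, t0 + timedelta(hours=13)),
        "self_approval": broker.access_allowed(r3, t0 + timedelta(hours=1)),
        "lapsed_state": r2.state is State.EXPIRED,
    }
```

The audit list on each request is what a charity would want to retain as evidence of who approved what and when; the default-deny shape (pending is not approved, and a stale pending request becomes expired rather than silently staying open) is the property the article's 12-hour rule provides.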