How Office 365 can help with GDPR compliance
19 Mar 2020, by Paul Rubens
Office 365 can simplify GDPR-compliance - saving valuable time and resources. Find out how.
The EU’s General Data Protection Regulation (GDPR) imposes a number of obligations that UK organisations, including charities, still have to comply with, despite the UK having left the EU.
These include obligations to:
- Discover – know what data about individuals you have.
- Protect – ensure that the data you hold is kept secure through encryption or other measures.
- Manage – comply with requests to correct data which is incorrect, incomplete or inaccurate, to restrict its use, or to delete it, all without undue delay, but subject to some exceptions (such as retaining data needed to establish a legal claim).
- Report – document and report on compliance procedures, and track and report on data movements.
This will continue to be the case after the end of the Brexit transition period on 31 December 2020, after which organisations including charities will also have to ensure that they comply with the almost identical UK GDPR.
Ensuring GDPR compliance can be expensive and time-consuming. But the good news for charity leaders is that Microsoft’s Office 365 online subscription service includes tools which can help. (Eligible nonprofits and charities can receive discounted subscriptions to Microsoft 365 through Charity Digital Exchange).
Here are five ways that charity leaders can use Office 365 to help with GDPR compliance:
- Discover and explore your data. Office 365’s Advanced eDiscovery tool gives you a powerful way to take stock of the digital data you are holding, and provides a way to filter it so that, for example, you can find all the data relating to individuals in the EU. This lets you focus on key documents from Office 365 applications including Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business and Microsoft Teams. By finding duplicated and near-duplicate files it can also help with data minimisation, reducing the quantity of data that you hold and making it easier to confirm that every copy of data scheduled for deletion has in fact been deleted.
- Control where your data is stored. An important part of GDPR compliance is, and will continue to be, ensuring that data about individuals is stored within the EU or the UK, or in a country for which the EU has issued an "adequacy decision" (confirmation that the country’s laws provide an adequate level of data protection). Transfers anywhere else need appropriate safeguards, such as standard contractual clauses, so knowing where your data physically sits is the first step.
Office 365 now allows charities to check where in the world their digital data is stored, and to change the location of the data centres that they use in order to comply with the GDPR’s data residency requirements. Charities can click on a "Where is my data?" button in the admin centre to find out where it is, and move it if necessary.
- Migrate your data to the cloud. A charity may choose to use Microsoft’s cloud to store data about individuals in the EU while keeping other digital data in its own data centre on its premises. Office 365 provides migration tooling to extract the right data (for example, data relating to EU supporters only) and move it online into Exchange Online, SharePoint Online, and OneDrive for Business.
- Secure your data through encryption. GDPR does not specifically mandate the use of encryption, but it does name it as an example of an appropriate technical measure, and encryption is the obvious way to secure data at rest. Few organisations will attempt to comply with GDPR without using encryption for data protection.
Office 365 provides a baseline level of encryption using BitLocker on the disks in Microsoft’s data centres. This encrypts whole storage "volumes" while data is "at rest" on disk (as opposed to data "in transit", which is data moving over a network between your devices and the service, or between Microsoft data centres, and is protected separately with TLS). Volume encryption protects against the loss or theft of physical media; it does not, on its own, stop anyone who has access to the running service from reading the data.
Office 365 also offers an added layer of encryption for data held by Exchange Online (including Skype for Business content stored in mailboxes), SharePoint Online and OneDrive for Business using a feature called Customer Key. With Customer Key the root encryption keys are ones you create and hold in your own Azure Key Vault, rather than keys Microsoft generates, so you decide which Office 365 services are authorised to use them. This provides additional protection against viewing of data by unauthorised systems or personnel while still allowing services such as eDiscovery to function. Customer Key is only included in the higher-tier (E5 or equivalent compliance add-on) plans, so check your licence before planning around it.
An added benefit of Customer Key is that if you decide to stop using Office 365 you can revoke your keys. This makes the data unreadable on the service, which in effect is the same as deleting it, but without the risk of leaving some data undeleted inadvertently. One caveat: Microsoft keeps a separate "availability key" so that it can recover the service after an accidental key loss, so a genuine purge is a formal request to Microsoft to delete that key as well, not simply deleting the keys in your own vault.
- Control how Microsoft can access your data. Sometimes a problem (such as a user being unable to access their mailbox) may require a Microsoft engineer to access the data in question in order to troubleshoot and fix the issue.
To ensure that you maintain control over who can access your data, and to help remain in compliance with the GDPR, Microsoft offers a tool called Customer Lockbox for Office 365. This enables a Microsoft engineer to access your data only after they have raised a request for access, and that request has been approved by someone appropriate within your organisation (a designated approver or global administrator). If the request is not approved within 12 hours it expires and is automatically rejected. Every request, approval and rejection is written to the Office 365 audit log, so you can produce a record of third-party access when you need to demonstrate compliance. Like Customer Key, Customer Lockbox requires an E5 or equivalent compliance licence, and it is not switched on by default.
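The three controls above (discovering data, Customer Key and Customer Lockbox) can all be checked and configured from PowerShell rather than by clicking through the admin centre, which is useful when you need a repeatable record for a GDPR audit. The script below is an added example written for this article; it is not code from the article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and that you have already run `Connect-ExchangeOnline` (for the Exchange cmdlets) and `Connect-IPPSSession` (for the compliance search cmdlets). The search query, mailbox address, policy name and Azure Key Vault URLs are placeholders you would replace with your own; the two vault URLs reflect Customer Key's requirement for two keys in two separate vaults.

```powershell
# Added example (not from the article): checking Office 365 GDPR controls from
# PowerShell. Assumes ExchangeOnlineManagement is installed and that
# Connect-ExchangeOnline and Connect-IPPSSession have already been run.
Import-Module ExchangeOnlineManagement

# 1. Discover: run a content search across Exchange, SharePoint and OneDrive
#    (OneDrive sites are part of the SharePoint location). The KQL query is a
#    constructed placeholder; tune it to the identifiers you actually hold.
function Find-DataSubjectContent {
    param(
        [string]$SearchName = "GDPR-EU-data-subjects",
        [string]$Query = '"data subject" OR "subject access request" OR "right to erasure"'
    )
    New-ComplianceSearch -Name $SearchName `
        -ExchangeLocation All -SharePointLocation All `
        -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $SearchName
    # Poll until the search finishes, then report hit count and total size.
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
    } while ($search.Status -ne 'Completed')
    [pscustomobject]@{ Name = $search.Name; Items = $search.Items; SizeBytes = $search.Size }
}

# 2. Secure: put a mailbox under a Customer Key data encryption policy (DEP)
#    rooted in keys you hold in Azure Key Vault, then report whether the
#    mailbox has been re-encrypted yet (this happens asynchronously).
function Enable-CustomerKeyForMailbox {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [string]$PolicyName = "EU-mailboxes-DEP",
        # Placeholder vault URLs: Customer Key needs two keys in two vaults.
        [string[]]$AzureKeyIDs = @(
            "https://contoso-euw-vault01.vault.azure.net/keys/EU_Key_01",
            "https://contoso-eun-vault01.vault.azure.net/keys/EU_Key_02")
    )
    if (-not (Get-DataEncryptionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-DataEncryptionPolicy -Name $PolicyName `
            -Description "Customer Key DEP for EU data subject mailboxes" `
            -AzureKeyIDs $AzureKeyIDs | Out-Null
    }
    Set-Mailbox -Identity $Mailbox -DataEncryptionPolicy $PolicyName
    # IsEncrypted flips to True once the mailbox has been re-encrypted.
    (Get-MailboxStatistics -Identity $Mailbox).IsEncrypted
}

# 3. Control access: make sure Customer Lockbox is switched on (it is off by
#    default), and pull the last 90 days of Lockbox requests from the audit
#    log so approvals and rejections can be evidenced.
function Assert-CustomerLockbox {
    if (-not (Get-OrganizationConfig).CustomerLockBoxEnabled) {
        Set-OrganizationConfig -CustomerLockBoxEnabled $true
    }
    $enabled = (Get-OrganizationConfig).CustomerLockBoxEnabled
    # Operation name as used for Lockbox entries in the unified audit log;
    # confirm it matches what your tenant records before relying on it.
    $requests = Search-UnifiedAuditLog `
        -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
        -Operations Set-AccessToCustomerDataRequest
    [pscustomobject]@{ LockboxEnabled = $enabled; RecentRequests = @($requests).Count }
}

# Example usage (placeholder mailbox address):
# Find-DataSubjectContent
# Enable-CustomerKeyForMailbox -Mailbox "supporter.services@contoso.org"
# Assert-CustomerLockbox
```

Run each function from an account holding the relevant roles (eDiscovery Manager for the search, Organization Management for the encryption policy and Lockbox setting). `Enable-CustomerKeyForMailbox` will usually return `False` the first time because re-encryption with the new keys is queued rather than immediate; re-run it later to confirm. Keep the output of all three as part of your compliance record, since the point of each control under GDPR is being able to show that it is in place.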