In the last few months, and for sure in the upcoming ones, there has been a lot of talking about the EU GDPR. In this article we will try to clarify the role of GDPR from an IT viewpoint, in particular with a Microsoft Office 365 perspective. Moreover, we will introduce an open source tool called GDPR Activity Hub, which is available for free to help partners and customers to process the most common IT tasks related to GDPR.
What is the EU GDPR? Does it matter for you?
The first question to give an answer to is: “What is the EU GDPR?”. GDPR stands for General Data Protection Regulation (ref. Regulation EU 2016/679), and it is a regulation from the European Union with the scope to protect data of all individuals living in the EU.
The fact that it is a regulation implies that it will become immediately applicable and enforceable by law in all Member States, without the need for a specific transposed national law in each Member State. The go live of the GDPR will be May 25th, 2018. Thus, since that date all the businesses, all over the world and not only in the EU, that will manage any personal data of any data subject living in EU will have to adhere to the rules of GDPR, and will have to be compliant with the regulation.
As you can see, from an IT perspective, organizations will need to train privacy personnel and employees, to audit and update data policies, eventually to employ a Data Protection Officer, which is a new job role introduced by the GDPR, and to create and manage compliant vendor contracts.
Moreover, still from an IT perspective, businesses will need to keep track of events and requests related to personal data of data subjects. For example, the GDPR states that every single EU citizen has the right to access, correct, or erase her/his data that is stored by a third party. From an IT perspective you will have to keep track of such requests related to personal data, through whatever kind of logging system of your choice.
Furthermore, in case of any issue (like a Data Breach) or any potential issue (like an Identity Risks/Theft) you will have to keep track of these events and behave accordingly to the GDPR requirements. For example, in case of any Data Breach event, the GDPR states that: “as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.” A supervisory authority can be a Data Protection Authority (DPA).
Thus, the GDPR introduces some new requirements, which can become a challenge for customers and a new business opportunity for partners. In fact, customers will need to have internal processes to manage those requirements, and they will need to have workflows to manage those processes.
Microsoft Office 365 and the GDPR
Considering that most businesses nowadays have some of their data and processes on the cloud, leveraging Software as a Service (SaaS) offerings like Microsoft Office 365, it’s worth trying to figure out what can be done out of the box with Office 365 (and Microsoft 365), from a GDPR requirements perspective.
First of all, it is important to highlight that in February 2017 Microsoft announced that its cloud services will comply with GDPR by May 25, 2018. This is so true, that in Microsoft Office 365 we already have a bunch of services and tools that help businesses verify their compliancy and their level of security, to monitor events, and to prevent data leaks. In the following schema you can see, divided by category, the most useful services and tools available out of the box in Microsoft Office 365.
Notice that some of the above services require specific subscription plans (like E3 or E5) or dedicated SKUs (product licenses). However, covering licensing is out of context for this article.
For example, the Office 365 Secure Score functionality, which is available under the “Security & Compliancy Center” gives you a measure of how secure your tenant is, comparing your services settings with a baseline provided by Microsoft. Moreover, it gives you “actions” that you can accomplish to improve your score. Clearly, whatever will be your score, there is no guarantee that you will not be breached. Nevertheless, a high score can let you be more confident about the strength of your environment.
Services like Data Loss Prevention (DLP) enable you to identify sensitive/personal data as it travels through Exchange Online, SharePoint Online, and OneDrive for Business. You can eventually prevent accidental sharing of sensitive information and you can help users stay compliant. Moreover, you can collect useful data about DLP, which can be used to report events and content matching policies.
For example, using DLP you can prevent users to share specific categories of documents, using content-based rules or labels applied to content (manually or automatically). In case a user shares sensitive or classified content, DLP will prevent him or her from having a data leak and will show an informative message that explains why the action is forbidden.
Services like “Customer Lockbox” ensures that Microsoft engineers do not get access to the customer’s content without customer’s explicit approval. In fact, all access is obtained through a rigorous access control technology and administrators of the tenant can approve or reject the access request.
Services like Advanced Threat Protection (ATP), Threat Intelligence, Cloud App Security, Advanced Data Governance (ADG), etc. provide proactive and intelligent capabilities that will protect your users and prevent data leaks from your company perspective.
Moreover, the Office 365 Unified Audit Logging system allows administrators to search for users’ activities and events, which can be useful to keep track of all of the happenings from a GDPR perspective. For example, using the Office 365 Unified Audit Log you can determine who deleted a file, or who shared a file with someone else, etc. At the time of this writing, the areas and services that you can inspect through the Office 365 Unified Audit Log are:
- Sharing and Access Requests
- Site Administration
- Exchange Mailboxes
- User Administration
- Azure AD Group Administration
- Application Administration
- Role Administration
- Directory Administration
- Power BI
- Microsoft Teams
- Dynamic 365
- Microsoft Flow
Last but not least, from a SharePoint Online perspective, you can configure your tenant to support classification of sites. Sites classification allows you to apply a policy level (classification) to every modern site that you create, so that you can create custom policies and automation/governance rules based on the classification level of a site. Just for the sake of making an example, whenever users create a site classified as “GDPR” maybe you want to automatically enforce security rules and custom policies to protect data stored in that site.
GDPR Activity Hub
If you are a big enterprise with an internal development team, or if you are a Microsoft partner selling solutions to third parties, most likely you will be interested in discovering the new GDPR Activity Hub. The GDPR Activity Hub is an open source project, hosted under the SharePoint & Office 365 Patterns & Practices (PnP) umbrella, which allows you to handle the most common activities related to collecting requests and events that are GDPR related.
The project is fully open source and can be downloaded from GitHub. It is a showcase of Microsoft technologies like:
- SharePoint Online modern sites
- SharePoint Framework client-side web parts
- Office 365 Groups/Microsoft Teams
- Remote provisioning
- Power BI
Out of the box, the functionalities offered by the GDPR Activity Hub are:
- GDPR Dashboard: a dashboard based on Microsoft Power BI that you can use to measure your performances about GDPR events and requests (see the GDPR Activity Hub home page in the above figure).
- Data repository based on SharePoint Online: it uses SharePoint online as the default repository for data, but you can customize it and replace SharePoint with a regular DBMS, if needed.
- Custom pages for data management: a bunch of custom pages for data entry of events and requests that need to be monitored and logged from a GDPR perspective.
- Client-side web parts: few client-side web parts, built using the new Microsoft SharePoint Framework, useful to insert requests and events, to design a GDPR hierarchy for the current company, and to manage tasks related to any GDPR process.
- Sample workflows to process data breaches and some other sample events/requests.
The project can be installed automatically in your own Office 365 tenant, just by following the step by step setup guide provided here. However, the project is not meant to be a “ready to go” product, rather a starter kit to help you build your own products. Thus, aside from playing with it in your own environment, you should start building your own solution on top of it.
Please, notice that installing the GDPR Activity Hub in your tenant does not mean that you will be GDPR compliant. Moreover, because it is not a product, do not expect to have any kind of Service Level Agreement (SLA) or guarantee. It just works based on community efforts, and your feedbacks and your contribution will be more than welcome, if any!
To wrap up this article, first of all you need to be aware of GDPR and to be prepared for GDPR. Whatever your business is, whatever the size of your business is, and wherever your business is located, be prepared and start figuring out how to collect and monitor data relevant from a GDPR perspective. Consider an assessment tool provided for free by Microsoft at the following URL (https://assets.microsoft.com/en-us/gdpr-detailed-assessment.zip), and keep an eye on the GDPR area for partners (http://aka.ms/gdprpartners).
Evaluate moving to the cloud and in particular into Microsoft Office 365, in order to leverage a bunch of out of the box services and capabilities that will help you be compliant with GDPR.
Give a chance to the GDPR Activity Hub, too, and let us know your feedback and your needs. We will try to do our best to improve the starter kit in the upcoming months.
This blog post has been originally published on Paolo’s blog