Microsoft Office 365
Ensure data privacy, compliance, and cybersecurity with Office 365. Built-in features that support the General Data Protection Regulation compliance, privacy by design, and transparent operations safeguard your organization’s data.
Office 365 helps enable data privacy for GDPR compliance
The journey to General Data Protection Regulation (GDPR) compliance begins with a set of defined steps. The information here is designed to help both compliance professionals and IT implementers understand how Microsoft Office 365 can assist you in discovering, managing, and protecting your data in the cloud, and compile the necessary reports and documentation to help meet GDPR requirements.
Sensitive personal data can be contained in email messages, documents, spreadsheets, notes, and local databases, and saved in individual cloud storage accounts. Restricting access to that data is an important element in protecting the privacy of individuals. Office 365 incorporates privacy by design, and Microsoft has robust policies, controls, and systems built into Office 365 to help keep personal data private.
Compliance is an on-going process and a shared responsibility. Microsoft is investing in additional features and functionality to help organizations achieve their GDPR compliance goals. Whether you’re a compliance officer, a decision-maker considering Office 365 as a business productivity solution, a current Office 365 administrator seeking help with a specific GDPR-compliant implementation, or an interested party looking for general information on how the GDPR relates to Office 365 and related products, the information here can provide a starting point for your journey.
Your path to GDPR compliance begins with focusing on four key steps, and Microsoft Office 365 products and services provide powerful tools and solutions for tackling each step. Learn more about how Microsoft products and services can help you on the road to GDPR compliance.
Learn more about Shared Responsibilities for Cloud Computing.
Learn how to Get Started with GDPR.
The first step towards GDPR compliance is to assess whether the GDPR applies to your organization, and, if so, what data under your control is subject to the GDPR. This analysis includes understanding what data you have and where it resides. Adopting a classification scheme that applies throughout your organization helps you respond to data subject requests because it enables you to more readily identify and process personal data requests.
Microsoft Office 365 and related tools help you discover and classify personal data.
- Use Content Search to query for and identify personal data using relevant keywords, file properties, or built-in templates.
- Use Advanced eDiscovery, which is built on machine learning technologies, to perform more efficient searches.
- Use Office 365 Advanced Data Governance (ADG), in conjunction with Content Search, to identify, classify, and manage personal data, and set and implement retention policies for personal data across Office 365 environments.
- Use Office 365 Data Loss Prevention (DLP) policies to identify personal data as it travels through Exchange Online, SharePoint Online, and OneDrive for Business. Use DLP policies to classify personal data in SharePoint Online, OneDrive for Business, Outlook, Outlook Web Access, and Office 365 Groups.
The GDPR provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Microsoft Office 365 enables data governance practices and processes using multiple tools that enable you to manage personal data to help keep it secure and private.
Microsoft Office 365 and related tools that help you manage personal data include:
- Advanced Data Governance. Use this tool to manage personal data with proactive policy recommendations and data classifications that help you act on system alerts to flag risks, and filter and migrate data to Office 365.
- Labels. Use Labels to classify personal data across the organization for governance, and enforce retention rules based on that classification.
- Information Rights Management. Use this technology to prevent unauthorized persons from accessing personal data in Office 365.
- eDiscovery and Advanced eDiscovery. Use these tools to manage eDiscovery cases in your organization.
- PowerShell. Use this command line shell and scripting language to disable data subject access to target services to prevent additional processing of personal data.
- SharePoint Online. Use SharePoint Online to manually track and manage data subject rights requests.
- Exchange Online mail flow rules. Use mail flow rules to route mail to specific mailboxes to help with a customized client process for receiving, managing, and responding to data subject rights requests.
- PowerShell for the Office 365 admin center. Use these to rectify inaccurate or incomplete personal data and to erase personal data upon request.
- Advanced eDiscovery and PowerShell, and Exchange Online. Use these to export personal data to be provided to data subjects in a common, structured format.
- Office 365 Data Loss Prevention (DLP) policies. Use these policies to set limits on the processing of the personal data of specific data subjects and use PowerShell to identify and place restrictions on files that match specific personal data types or match keyword queries.
Managing access and controlling how personal data is used and accessed are fundamental to GDPR compliance. Office 365 services provide management capabilities from the cloud to help you meet data governance requirements.
The GDPR requires that organizations incorporate data privacy and protection principles into their products and services. To support customers’ efforts to protect their sensitive personal data, Microsoft Office 365 solutions are developed using the Microsoft Secure Development Lifecycle, which defines the privacy principles and standard privacy features that inform product development and incorporates privacy-by-design and privacy-by-default methodologies.
Microsoft Office 365 and related tools enable you to protect personal data in the following ways:
- Adjust privacy settings in Word, Excel, and PowerPoint to limit Office applications’ connection to the internet, make hidden markup visible, and inspect and remove personal data from documents with Document Inspector.
- Limit access to shared files or folders in OneDrive for Business and manage who can view or edit the files.
- Use the option to encrypt Word, Excel, and PowerPoint documents with password protection.
- Use Azure Information Protection for encryption and rights management.
- Use the encryption option during the PST Import Service.
- Encrypt messages when transferring personal data to external parties via email with Office 365 Message Encryption (OME).
- Use Threat Intelligence to help proactively uncover and protect against advanced threats in Office 365.
- Protect email against unknown, sophisticated malware attacks in real time by using Advanced Threat Protection for Exchange Online (which requires an Office 365 E5 subscription).
- Identify high-risk and abnormal usage by getting alerts to potential breaches, enabling you to track and respond to high risk actions with Advanced Security Management.
- Monitor and capture all activity that occurs within your tenant using the Management Activity API.
By default, personal data in transit and at rest is encrypted in Exchange Online, OneDrive for Business, SharePoint Online, and Skype for Business (in Skype-to-Skype voice, video, file transfers and instant messages). To further protect personal data, Office 365 uses multi-engine antimalware scanning to protect incoming, outgoing, and internal messages from malicious software transferred through email. Also by default, Exchange Online uses transport Layer Security (TLS) to encrypt communications between Office 365 and Exchange Online servers and between Exchange Online customers.
Microsoft uses platform-level security controls to help ensure the confidentiality, integrity, and availability of customer data, including physical controls, logical controls and data access practices. All access to customer data is monitored, logged, audited, and reviewed by Microsoft. For data breaches on systems governed by Microsoft, Microsoft has a Security Incident Response management and notification process for Office 365.
Office 365 is audited at least annually against many global data privacy and network security standards, including ISO/IEC 27001 and 27018. Microsoft regularly tests Office 365 security measures using third-party penetration testing and security audits, as well as industry-standard framework-aligned assessments. Microsoft also operates an Online Services Bug Bounty program, and provides users with development/test environments.
The GDPR sets new standards in transparency, accountability, and record-keeping. Organizations processing personal data will need to keep detailed records to be compliant.
Microsoft Office 365 provides tools to help meet data reporting requirements.
- Use the Unified Audit log to track and record processing activities across the Office 365 environment and record the resolution of data subject rights requests and log events associated with amending, erasing, or transferring personal data, and to provide insight into data that has transferred to third parties through email or shared using SharePoint Online and OneDrive for Business.
- Use Exchange Message tracking to determine the recipient of an email and if it was received, rejected, deferred, or delivered.
- Use the Office 365 Management Activity API to identify user sharing activities in Exchange Online and SharePoint Online.
The GDPR requires you to track and record flows of personal data into and out of the European Union (EU), and flows of personal data to third-party service providers. To help you track and record flows of personal data into and out of the EU, and to reduce customer exposure to unnecessary cross-border data transfer, Microsoft uses a regionalized datacenter strategy for Office 365 products.
Microsoft also limits access to personal data by third-party subcontractors, and discloses the names of third-party service providers who have access to customer data via the Microsoft Online Services Subcontractor List and the Microsoft Professional Services Contractors list.
To help customers who are seeking information that may help perform a Data Protection Impact Assessment (DPIA) addressing their use of Office 365, Microsoft provides detailed information regarding its processing of customer data and the security measures used to protect that data. This information is accessible via the Microsoft Trust Center.
- What data Microsoft collects and processes from customer systems and end users
- How and where Microsoft sends customers' data, including geo locations
- Sub-contractors who have access to customers' data
- Details on Azure security measures administered by Microsoft
- Details regarding Microsoft's privacy reviews process, conducted for all products, including all Azure services
Streamline GDPR Data Subject Requests (DSRs) in Office 365
Office 365 now previewing the ability to quickly and easily fulfill requests to correct, amend, delete, or export the personal data of individuals that are at the core of GDPR compliance.