Pieter365 I agree. If data is on the MS 365 platform then there is a contract in place etc, though Microsoft have had a past habit of sometimes releasing features in US data residency first irrespective of your organisational agreement on that. (Planner was one so it took us a while to turn it on). I am GDPR qualified (for my sins) however there is no *quick* way to assess apps in the way an organisation's information security team would conduct an assessment on a third-party supplier. Guess it's all about the risk of the data. We've developed a simple risk classification that we intend to reduce again (looks dated even now but in the interest of sharing! www.gla.ac.uk/inforiskcats) and will encourage Team Owners to think about their data and have a conversation with us. The support overhead is a concern... but then so is shadow IT. Answers on a postcard anyone?