Microsoft is committed to helping our business customers comply with the General Data Protection Regulation (GDPR). Last month, and how we help businesses around the world, not just in Europe, take control, manage compliance, and avoid risk. Today we wanted to share how OneDrive for Business and SharePoint have approached meeting these GDPR requirements.
Given the buzz around this significant new regulation, I sat down with several of our customers over the past few weeks and asked if they had any questions about how OneDrive for Business and SharePoint in Office 365 are helping them be compliant with GDPR. Here are some of the common questions they had.
How does Microsoft, with OneDrive and SharePoint, ensure that we have granular control over personal data including what is held, where the data is located, and how it will be used?
How do we ensure no data is held beyond its retention period and that, once deletion of a record is requested, all copies of it, as well as backups, are in fact destroyed?
Simply put, the customer is in control:
What is a DPIA, and how do we ensure the security of customer data?
A Data Protection Impact Assessment (DPIA) is a mandatory requirement according to Article 35 of the GDPR. In short, a DPIA serves to determine, for new assets or projects in the company, if compliance with 'privacy by design' and 'privacy by default' is met. Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. In other words, no manual change to the privacy settings should be required on the part of the user. There is also a temporal element to this principle, as personal information must by default only be kept for the amount of time necessary to provide the product or service.
Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. An organization needs to be able to show that they have adequate security in place and that compliance is monitored. In practice, this means that an IT department must take privacy into account during the whole life cycle of the system or process development.
Microsoft regularly conducts DPIAs of Office 365, inclusive of OneDrive and SharePoint.
We have designed tight controls and measures, technical and organizational, to protect customer data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. Some examples include:
What if there is a breach?
In the event of a breach, Microsoft will notify your organization’s admin as soon as the breach is detected. Organizations should also designate a privacy contact alias in Azure Active Directory whom we may email in addition to notifying the admin. Office 365’s security and incident response program is in place to keep customers' data safe and to meet various requirements, including those set forth in the GDPR.
To learn more about GDPR and how Office 365 is helping protect you and your data visit the following resources:
Finally, make sure to check out the "Safeguarding individual privacy rights with the Microsoft Cloud" webinar with the Director of Microsoft 365, Alym Rayani, on May 25th at 12 pm PST.