New GDPR sensitive information types help you manage and protect personal data
Published Jun 19 2018 04:39 PM 20.5K Views
Microsoft

In February we announced several new capabilities coming soon to help organizations protect their sensitive data – across devices, apps, cloud services and on-premises. Today we’re announcing the general availability of several new sensitive information types and a new template that helps you discover, classify, protect and manage personal information that is relevant to GDPR obligations.


The addition of the new personal information data types adds to the existing built-in sensitive information types that are available in the Office 365 security & compliance center. You can use these sensitive information types in defining your data governance and data protection policies – there are now 87 different data types to choose from. While many of the previous sensitive information types were relevant to GDPR, the new sensitive information types help provide a more complete and consolidated set. The new personal information data types include:

  • EU passport number
  • EU national identification number
  • EU driver’s license number
  • EU tax identification number (TIN)
  • EU social security number (SSN) or equivalent ID

For each of these information types, the service detects data that matches the specific patterns used by the 28 EU countries. For example, configuring your policy to include “EU driver’s license number” will detect driver’s license numbers used by any of the 28 covered EU countries.

[Figure: New EU personal information data types in the Office 365 Security & Compliance Center]

When configuring data governance or data loss prevention policies, you can now scan Office 365 locations (e.g. Exchange Online, SharePoint Online, OneDrive for Business) for personal information that matches the new EU data types, and then apply the desired data retention or protection actions. You can customize your policies to look for any combination of these new personal data types or use in conjunction with any of the other existing sensitive information types. For example, you can detect EU national identification numbers and EU passport numbers (both of which are new information types), in combination with US passport numbers (a previously available information type). We’ve also made it easy to detect any of the EU personal information data types by providing a GDPR template that consolidates these new information types into a single group that you can use in your policy configuration.

[Figure: The GDPR template consolidates the new EU personal information data types into a single group – this can be used when configuring your data governance or data loss prevention policies]

As with all the other sensitive information types, there is a lot of flexibility to customize and fine-tune the parameters to meet your specific needs. Learn more about the built-in sensitive information types or even create your own custom sensitive information types (such as employee ID numbers that are unique to your company).
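As an added example (not part of the original post), the policy configuration described above expressed with the Security & Compliance PowerShell cmdlets: a DLP policy scoped to Exchange Online, SharePoint Online and OneDrive for Business, started in test mode, with one rule that combines two new EU types and a previously available US type. Policy and rule names are placeholders, the `U.S. / U.K. Passport Number` display name is an assumption to be confirmed in the tenant, and `minConfidence` is the cmdlet form of the "Match accuracy" setting discussed in the comments.

```powershell
# Added example, not Microsoft's own sample. Requires the ExchangeOnlineManagement
# module; sensitive information type (SIT) display names are assumptions that
# should be confirmed with Get-DlpSensitiveInformationType before use.
Connect-IPPSSession

# List the built-in EU types so the names used below can be checked.
Get-DlpSensitiveInformationType | Where-Object { $_.Name -like 'EU *' } |
    Select-Object Name, Publisher

# Create the policy in test mode first (the "audit mode" a commenter used):
# matches are logged and reported, nothing is blocked. This is where a
# false-positive rate is measured before enforcement is switched on.
New-DlpCompliancePolicy -Name 'GDPR EU identifiers (pilot)' `
    -Comment 'Pilot: EU passport, EU national ID and US passport detection' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

# One rule combining new EU types with a previously available US type, as in
# the post. minConfidence maps to "Match accuracy": raising it lowers recall
# but cuts false positives. minCount requires several hits per item before
# the rule fires, which filters out documents with a single stray match.
$sits = @(
    @{ Name = 'EU Passport Number';                minCount = '2'; minConfidence = '85' },
    @{ Name = 'EU National Identification Number'; minCount = '2'; minConfidence = '85' },
    @{ Name = 'U.S. / U.K. Passport Number';       minCount = '2'; minConfidence = '85' }
)

New-DlpComplianceRule -Name 'Block external sharing of EU identifiers' `
    -Policy 'GDPR EU identifiers (pilot)' `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# After reviewing the pilot's matches in the DLP reports and tuning
# minConfidence / minCount, move the policy from test to enforcement:
# Set-DlpCompliancePolicy -Identity 'GDPR EU identifiers (pilot)' -Mode Enable
```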


We’re excited to release the new EU sensitive information types and GDPR template – this should help make it easier to discover, classify, protect and manage GDPR related personal information. Our support articles have also been updated with details on the specific detection methods and patterns associated with each of the data types. These new sensitive information types are available now in the Office 365 security and compliance center, and we are targeting these to also be available in Azure Information Protection in Q3 CY18. We are also investigating adding more EU personal information data types in the future and will provide more details as plans get formalized.

11 Comments
Deleted
Not applicable

Are the updated/new templates available for E3 subscriptions ?

Iron Contributor

Hi @Deleted, sensitive information types are not hooked to a license. If you have the Security & Compliance center you get the sensitive information types. I checked our environment (First Release) and I can already see them there. It's great to see new out-of-the-box sensitive information types. Hope they bring the functionality from CAS over to S&C to easily create new sensitive information types.

Copper Contributor

This is a great addition which will be very useful for us, thanks for your update

Iron Contributor

Hi, what is with people / human based information like religion, color, sex and so on?

Thanks

Iron Contributor

Hi @Michael Kirst-Neshva,

 

Information like religion, color and sex are not things that identify a person. They are not unique to you as an individual. My credit card, passport number and address are unique to me. When you say "a Christian, black male" you can't find anyone. But if you say Location x, ID 1234, CC 75239 then it will trace back to me as a person. That's why there is no sensitive information type for that.

 

Should you want to include other sensitive information types you can create them yourselves. See: https://support.office.com/en-us/article/create-a-custom-sensitive-information-type-82c382a5-b6db-44...

 

Does this answer your question?

 

Check this website for more info: https://eugdprcompliant.com/personal-data/

Iron Contributor

Hi @Alexander Broere, thanks for your answer.

But with an "all-in-one" View... See here https://gdpr-info.eu/art-9-gdpr/ or here https://www.loyensloeff.com/en-us/news-events/news/gdpr-processing-of-sensitive-personal-data.

I understand the term "unique for you as an individual".

But what is with normal working use cases like in a company / school / club?

- Collecting personal information for a newsletter or quiz?

- Data processing as HR, as a doctor, as a teacher?

 

See at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-...

When a data process collects these data, how can we:

- search for documents (O4B, SPO, EXO, file share) in order to encrypt these files?

- collect these documents as an individual export for the person? (Remember the individual's right to know what data are stored and the right to have them deleted.)

- control that no email goes out with a list like "Name, address, political opinions, color" (as an example) (inside an HTML table, inside Excel, Word etc.)?

 

Many customers are working with SPO and / or Dynamics CRM for HR and customer data.

Internal applications could generate lists or documents with this content for uploading to O4B or sending by email.

 

and so on... I hope my declaration makes it understandable to you what I mean.

 

Thanks for your time and answer,

Regards

Michael

Iron Contributor

Hi @Michael Kirst-Neshva,

 

The trick with GDPR is informing users about what you are going to do with data and how you are storing it. When a user wants to have insight into what data you have about him/her you can show it quickly and easily. Requesting data is not an issue, but you need to make it clear to the submitter what you are doing with the data and give them a chance to approve that they share data with you. Transparency is key here!

 

Your comment for example:

But what is with normal working use cases like in a company / school / club?

- Collecting personal information for a newsletter or quiz? - Users have to approve that their info can be used for receiving newsletters. If you can't show this you are not allowed to randomly send newsletters. A check-box somewhere stating they approve is needed. More about email marketing can be found: Here

- Data processing as HR, as human doctor, as teacher? - For HR take a look at this overview: HR Example

 

Within Office 365 there are a lot of tools to help you with the storage, security and search of user data:

 

- AIP (Azure Information Protection) for securing/encrypting data. This can be done automatically based on labels or certain words

- AIP Scanner (for data on file shares)

- DSR cases (for when someone wants to know what data is stored about them)

- GDPR Toolbox

- DLP

- eDiscovery

- Audit log

 

Microsoft is spending a lot of time/money on GDPR tools in Office 365, see: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

 

Hope this answers some of your questions.

 

Cheers,

Alexander

 

Bronze Contributor

Hi @Adam Jung,

 

I've activated (in audit mode) the new GDPR policy to see what happens.

About 99% are false positives. Is this normal? I've never worked with DLP Policies before as I didn't have any Sensitive information types to work with.

 

Microsoft

@Ivan Unger this definitely does not sound like the intended behavior. You may want to increase the confidence level % of the matches and see if that reduces the false positives. If this continues, there may be some other data element that is unintentionally triggering the policy, and you may want to contact support and open a support case to help resolve it.

Bronze Contributor

@Adam Jung where is that "Confidence Level %" Setting? I haven't seen that anywhere. Do you mean "Match accuracy" ?

Microsoft

@Ivan Unger yes, this is the "Match accuracy" setting :)
