GDPR Compliancy with OneDrive and SharePoint
Published May 09 2018 09:09 AM


Microsoft is committed to helping our business customers comply with the General Data Protection Regulation (GDPR). Last month, and how we help businesses around the world, not just in Europe, take control, manage compliance, and avoid risk. Today we wanted to share how OneDrive for Business and SharePoint have approached meeting these GDPR requirements.


Given the buzz around this significant new regulation, I sat down with several of our customers over the past few weeks and asked if they had any questions about how OneDrive for Business and SharePoint in Office 365 are helping them be compliant with GDPR. Here are some of the common questions they had.


How does Microsoft, with OneDrive and SharePoint, ensure that we have granular control over personal data including what is held, where the data is located, and how it will be used?

  • Office 365 with OneDrive and SharePoint allows people to store, share and work together on content. That content, as well as end user information, remains in the direct control of administrators and end users. This data is owned solely by the customer. Microsoft is only its custodian in providing the service as outlined in the Online Services Terms (OST). Administrators can set policies that control the lifecycle of this information independently of the lifecycle of the user account that the OneDrive is associated with. For example, this includes the ability to retain or delete OneDrive files after a user leaves the organization. Administrators can also set access and share policies that control how OneDrive content is accessed or used.
  • Administrators and users are also in direct control of user account and contact information. This information can be modified at-will using in-product functionality. For example, admins can force password updates or update a user's login information. This information is used to control access to OneDrive and can power experiences within SharePoint and all of Office 365.
  • Multi-Geo enables OneDrive in your tenant to span across multiple datacenter geographies and gives you the ability to store your employees' data at rest, on a per-user basis, in your chosen geo. Microsoft will not move the data unless directed by you. You can control where data resides on a granular level, specifically, on a per-user basis. Each user connects to the closest service front door, and always interacts with data in the geo where it’s stored at rest, whether they’re interacting with their own data in their own geo, or with someone else’s data stored in a different geo. This means even the smallest subsidiaries of a multinational organization can adopt Office 365 and still meet data residency requirements.
  • Finally, Microsoft is providing functionality to identify and manage data for the purposes of compliance with the GDPR. We offer a wide variety of features that organizations can use to implement their own policies for data access and management, including OneDrive and SharePoint data. For example, the Compliance Manager in Office 365 helps guide customers through preparatory steps they can take to improve their own GDPR readiness. Microsoft will provide detailed guidance on how to leverage Office 365, OneDrive and SharePoint functionality to manage and honor GDPR data subject requests (DSRs) by the GDPR deadline.

How do we ensure no data is held beyond retention and that once deletion of a record is requested that all copies of it, as well as backups, are in fact destroyed?

Simply put, the customer is in control:

  • The customer maintains control of the lifecycle of customer data and user-generated content. Admins and end users can add, modify, and delete data explicitly via well-known user interfaces or admin tools. Admins can set retention policies on OneDrive/SharePoint content (on a per-user basis). Data can be removed aggressively or preserved for longer periods.
  • Account data synchronized from Office 365 is used to determine, based on licenses, what experience the end user is entitled to. This data follows the lifecycle of the user. Admins can add, modify and delete user accounts, and those changes will be promptly reflected in OneDrive for Business.
  • Product and service usage data follows a controlled lifecycle designed to comply with GDPR data subject requests.
  • Finally, with Advanced Encryption with Customer Key, administrators can be confident that once they have offboarded their data, Microsoft no longer has any access.

What is a DPIA and how do we ensure the security of the customer data?

A Data Protection Impact Assessment (DPIA) is a mandatory requirement according to Article 35 of the GDPR. In short, a DPIA serves to determine, for new assets or projects in the company, if compliance with 'privacy by design' and 'privacy by default' is met. Privacy by default simply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. In other words, no manual change to the privacy settings should be required on the part of the user. There is also a temporal element to this principle, as personal information must by default only be kept for the amount of time necessary to provide the product or service.


Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. An organization needs to be able to show that they have adequate security in place and that compliance is monitored. In practice, this means that an IT department must take privacy into account during the whole life cycle of the system or process development.


Microsoft regularly conducts DPIAs of Office 365, inclusive of OneDrive and SharePoint.


We have designed tight controls and measures, technical and organizational, to protect customer data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. Some examples include:

  • We restrict physical data center access to authorized personnel and have multiple layers of physical security, such as biometric readers, motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.
  • We enable encryption of data both at rest and in transit between data centers and users. End User Pseudonymous Information (EUPI) is hashed following FIPS 140-2 requirements.
  • We conduct internal privacy, compliance, security and legal review of all new commercial features, services, and processes.
  • Finally, services are independently verified to meet the applicable compliance framework set forth in our Online Services Terms (OST). This includes FedRAMP, SOC, ISO, and many more.

What if there is a breach?

In the event of a breach, Microsoft will notify your organization’s admin as soon as a breach is detected. Organizations should also designate a privacy contact alias in Azure Active Directory who we may email in addition to notifying the admin. Office 365’s security and incident response program is in place to keep customers' data safe and to meet various requirements, including those set forth in the GDPR.


To learn more about GDPR and how Office 365 is helping protect you and your data visit the following resources:

Finally, make sure to check out the Safeguarding individual privacy rights with the Microsoft Cloud webinar with the Director of Microsoft 365, Alym Rayani, on May 25th at 12 pm PST.
