SOLVED

Office365 and GDPR - how to choose the right plan

%3CLINGO-SUB%20id%3D%22lingo-sub-192644%22%20slang%3D%22en-US%22%3EOffice365%20and%20GDPR%20-%20how%20to%20choose%20the%20right%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192644%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20to%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewe%20are%20a%20manufacturing%20private%20company%20about%20200%20employeers%2C%20we%20are%20thinking%20to%20introduce%20365%20for%20a%20lot%20a%20good%20reasons%20not%20last%20the%20GDPR.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20understand%20if%20we%20can%20go%20with%20Business%20Premium%20or%20we%20need%20to%20choose%20E3.%20A%20counsultant%20tells%20us%20that%20Business%20Premium%20doesn't%20encrypt%20data%2C%20so%20he%20suggest%20to%20choose%20E3%20(more%20expansive%20as%20you%20know)%20to%20be%20compliant%20to%20GDPR.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20right%3F%20We%20are%20not%20a%20public%20company%2C%20we%20don't%20even%20need%20to%20have%20a%20DPO%20(according%20to%20our%20core%20business).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20appreciated%2C%20thanks%20a%20lot!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-192644%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGDPR%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-192789%22%20slang%3D%22en-US%22%3ERe%3A%20Office365%20and%20GDPR%20-%20how%20to%20choose%20the%20right%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192789%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20to%20make%20sure%20you%20are%20compliant%20with%20all%20the%20requirements%20of%20GDPR%2C%20you%20might%20need%20to%20be%20able%20to%20take%20care%20of%20things%20such%20as%26nbsp%3Bdata%20retention%2C%20data%20subject%20requests%2C%20DLP%26nbsp%3Band%20more%2C%20for%20which%20you%20will%20need%20the%20advanced%20data%20governance%20features%20offered%20by%20E3.%20That's%20generally%20speaking%20though%2C%20it's%20best%20to%20check%20requirements%20exactly%20you%20need%20to%20meet.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-192674%22%20slang%3D%22en-US%22%3ERe%3A%20Office365%20and%20GDPR%20-%20how%20to%20choose%20the%20right%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192674%22%20slang%3D%22en-US%22%3E%3CP%3EIt's%20a%20good%20question%2C%20the%20bit%20about%20encrypting%20data%20isn't%20that%20simple%2C%20there%20is%20encryption%20as%20part%20of%20the%20Office%20365%20service%20to%20protect%20data%2C%20this%20is%20known%20as%20encryption%20at%20rest%20and%20in%20transit%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Office%20365%20services%20for%20consumers%20and%20businesses%20follow%20industry%20cryptographic%20standards%20such%20as%20TLS%2FSSL%20and%20AES%20to%20protect%20the%20confidentiality%20and%20integrity%20of%20customer%20data.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhich%20means%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CEM%3EFor%20data%20in%20transit%2C%20all%20customer-facing%20servers%20negotiate%20a%20secure%20session%20by%20using%20TLS%2FSSL%20with%20client%20machines%20to%20secure%20the%20customer%20data.%20This%20applies%20to%20protocols%20on%20any%20device%20used%20by%20clients%2C%20such%20as%20Skype%20for%20Business%20Online%2C%20OneDrive%2C%20Outlook%2C%20and%20Outlook%20on%20the%20web.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EFor%20data%20at%20rest%2C%20Office%20365%20deploys%20BitLocker%20with%20AES%20256-bit%20encryption%20on%20servers%20that%20hold%20all%20messaging%20data%2C%20including%20email%20and%20IM%20conversations%2C%20as%20well%20as%20content%20stored%20in%20SharePoint%20Online%20and%20OneDrive.%20BitLocker%20volume%20encryption%20addresses%20the%20threats%20of%20data%20theft%20or%20exposure%20from%20lost%2C%20stolen%2C%20or%20inappropriately%20decommissioned%20computers%20and%20disks.%3C%2FEM%3E%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20are%20right%20to%20point%20out%20there%20are%20additional%20features%20available%20in%20the%20E3%2FE5%20plans%20that%20can%20help%20further%20protect%20data%20or%20mitigate%20unauthorized%20access%2C%20data%20exfiltration%2C%20data%20leakage%20etc.%20This%20poster%20shows%20whats%20available%20to%20all%20enterprise%20customers%20and%20what%20capabilities%20only%20comes%20with%20E3%20or%20E5%20-%20%3CA%20href%3D%22https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F2%2F3%2FD%2F23D91386-8349-4F7A-9470-FD5AED861F16%2FMSFT_cloud_architecture_informationprotection.pdf%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EInformation%20Protection%20for%20Office%20365%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20examples%20of%20features%20that%20are%20available%20with%20E3%20that%20could%20help%20with%20your%20GDPR%20goals%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EProtection%20features%20provided%20by%20Azure%20Information%20Protection%3C%2FLI%3E%3CLI%3EOffice%20365%20Message%20Encryption%3C%2FLI%3E%3CLI%3EData%20loss%20prevention%3C%2FLI%3E%3CLI%3ELitigation%20Holds%3C%2FLI%3E%3C%2FUL%3E%3CP%3EThis%20is%20a%20good%20place%20to%20start%20for%20learning%20more%20about%20GDPR%20and%20Office%20365%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fenterprise%2Foffice-365-info-protection-for-gdpr-overview%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EOverview%20of%20Office%20365%20Information%20Protection%20for%20GDPR%3C%2FA%3E.%26nbsp%3B%20There%20is%20also%20-%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2FTrustCenter%2FCloudServices%2Foffice365%2FGDPR%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EOffice%20365%20helps%20enable%20data%20privacy%20for%20GDPR%20compliance%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPerhaps%20looks%20at%20the%20wider%20implications%20of%20GDPR%2C%26nbsp%3Bhow%20prepared%20the%20company%20is%20for%20these%20regulations%20and%20how%20Office%20365%20can%20fit%20into%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-192652%22%20slang%3D%22en-US%22%3ERe%3A%20Office365%20and%20GDPR%20-%20how%20to%20choose%20the%20right%20plan%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-192652%22%20slang%3D%22en-US%22%3E%3CP%3ETake%20a%20look%20under%20Security%20further%20down%20on%20this%20page%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fproducts.office.com%2Fen-us%2Fbusiness%2Foffice-365-business-premium%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fproducts.office.com%2Fen-us%2Fbusiness%2Foffice-365-business-premium%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi to all,

 

we are a manufacturing private company about 200 employeers, we are thinking to introduce 365 for a lot a good reasons not last the GDPR. 

 

I can't understand if we can go with Business Premium or we need to choose E3. A counsultant tells us that Business Premium doesn't encrypt data, so he suggest to choose E3 (more expansive as you know) to be compliant to GDPR.

 

Is it right? We are not a public company, we don't even need to have a DPO (according to our core business). 

 

Any help appreciated, thanks a lot!

3 Replies
Highlighted
Highlighted
Solution

It's a good question, the bit about encrypting data isn't that simple, there is encryption as part of the Office 365 service to protect data, this is known as encryption at rest and in transit 

 

"Office 365 services for consumers and businesses follow industry cryptographic standards such as TLS/SSL and AES to protect the confidentiality and integrity of customer data."

 

Which means

 

"For data in transit, all customer-facing servers negotiate a secure session by using TLS/SSL with client machines to secure the customer data. This applies to protocols on any device used by clients, such as Skype for Business Online, OneDrive, Outlook, and Outlook on the web.

 

For data at rest, Office 365 deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive. BitLocker volume encryption addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks."

 

You are right to point out there are additional features available in the E3/E5 plans that can help further protect data or mitigate unauthorized access, data exfiltration, data leakage etc. This poster shows whats available to all enterprise customers and what capabilities only comes with E3 or E5 - Information Protection for Office 365.

 

Some examples of features that are available with E3 that could help with your GDPR goals:

 

  • Protection features provided by Azure Information Protection
  • Office 365 Message Encryption
  • Data loss prevention
  • Litigation Holds

This is a good place to start for learning more about GDPR and Office 365: Overview of Office 365 Information Protection for GDPR.  There is also - Office 365 helps enable data privacy for GDPR compliance

 

Perhaps looks at the wider implications of GDPR, how prepared the company is for these regulations and how Office 365 can fit into this.

Highlighted

Well, to make sure you are compliant with all the requirements of GDPR, you might need to be able to take care of things such as data retention, data subject requests, DLP and more, for which you will need the advanced data governance features offered by E3. That's generally speaking though, it's best to check requirements exactly you need to meet.