How do you configure sharepoint to be GDPR compliant?

Occasional Visitor

How do you configure sharepoint to be GDPR compliant?

3 Replies
best response confirmed by Deleted

That's an interesting question, I am not aware of any specific steps right now to take for GDPR compliance in SharePoint.  Saying that, here is some related information, Office 365 and GDPR -


How our products help with GDPR compliance - Office 365


Also from Accelerate your GDPR compliance with the Microsoft Cloud:

"In February of this year, we announced that Microsoft cloud services will comply with GDPR by May 25, 2018, across Office 365, Dynamics 365, Azure, including Azure data services, Enterprise Mobility + Security, and Windows 10. We’ve backed this up with our contractual commitments to customers.

The Microsoft Cloud also has a range of compliance controls, audited by third parties. Through these investments, we will also help you validate that when you are using the Microsoft Cloud, you are using services compliant with the GDPR."


Later in the year, there will be new dashboard that allows you to check your GDPR compliance, similar to Office 365 Secure Score:




Keep an eye of the Microsoft Office 365 Trust Center (plus Office Blogs) for updates as there is more news, which I imagine there will be lots and the main Microsoft GDPR site is a good resource including readiness assessment.


Also, by the way, there is a semi-related resource available that you might want to check out - 


Starter kit for building a management hub for EU GDPR.jpg


@Steve Howlett Just to say I have edited my answer a few times!

Are you talking about On-premises or Office 365? On-premises you would have to elimanate certain types of personally identifiable information (PII) of European citizens (let's include UK in that too) from any non EU environment. It's also possible that some of that data shouldn't even reside in SharePoint on-premises within the EU either. GDPR is less about technology than it is about document classification.

Answers in this French slide deck :

And this interview :

And just in case you don't read french (just in case ;) ), few main points to get in mind (the topic may need a book) :

- If you're using O365, Microsoft has already modified his contract to assume his role as sub contractor (role described in GDPR)

- First thing to do is to get a clear map of all sources of personal information stored in your SharePoint (is there specific site collection /doc libs/list/contenttype / fields containing personal info of european citizen? Which one? Why?). It's not technical, but it may irequest you to modify your classification plan (adding a column to get name and first name of passport copies for instance. Doing so, you will be able to quickly retreive this document in case passeport owner ask you to delete all his personal data)

- If you're onPrem with enterprise license, you have eDiscovery centers. For O365, it's included by E3. With this feature, you can quickly search among all your mailboxs/onedrives/sharepoints to retreive content (by ex : the name of a european citizen asking you to update/export/delete his personal data). eDiscovery will definitively be helpful to be compliant with GDPR.

- If you are using O365, have also a look about "Labels" and "DLP" (by E3 I think) which allow you to "tag" any content and apply retention policies on content (document or email)

- Retention policies (by content type, by document library, by label) will be helpful as you have to retain documents only during the minimum necessary period.

- Microsoft has also annouced many features on O365 as security audit, Disclaimer for external users, etc.

- And, as mentioned before by Cian, have a look on Compliance manager. This new feature is currently available in preview.

Be prepared... May 25 2018, GDPR is coming ;)