Jul 18 2017 01:44 AM
How do you configure SharePoint to be GDPR compliant?
Jul 18 2017 02:11 AM - edited Jul 18 2017 02:31 AM (Solution)
That's an interesting question; I am not aware of any specific steps right now to take for GDPR compliance in SharePoint. That said, here is some related information, from Office 365 and GDPR:
"In February of this year, we announced that Microsoft cloud services will comply with GDPR by May 25, 2018, across Office 365, Dynamics 365, Azure, including Azure data services, Enterprise Mobility + Security, and Windows 10. We’ve backed this up with our contractual commitments to customers.
The Microsoft Cloud also has a range of compliance controls, audited by third parties. Through these investments, we will also help you validate that when you are using the Microsoft Cloud, you are using services compliant with the GDPR."
Later in the year, there will be a new dashboard that allows you to check your GDPR compliance, similar to Office 365 Secure Score.
Keep an eye on the Microsoft Office 365 Trust Center (plus the Office Blogs) for updates as there is more news, which I imagine there will be lots of. The main Microsoft GDPR site is also a good resource, including a readiness assessment.
Also, by the way, there is a semi-related resource available that you might want to check out -
@Steve Howlett Just to say I have edited my answer a few times!
Sep 22 2017 10:13 AM
Are you talking about on-premises or Office 365? On-premises, you would have to eliminate certain types of personally identifiable information (PII) of European citizens (let's include the UK in that too) from any non-EU environment. It's also possible that some of that data shouldn't even reside in SharePoint on-premises within the EU either. GDPR is less about technology than it is about document classification.
Nov 28 2017 01:52 PM - edited Nov 28 2017 01:55 PM
Answers are in this French slide deck: https://www.slideshare.net/SbastienPaulet/rgpd-comment-o365-va-vous-aider-26102017-aoslarunion
And just in case you don't read French (just in case ;) ), a few main points to keep in mind (the topic may need a book):
- If you're using O365, Microsoft has already modified its contract to assume its role as sub-contractor (a role described in GDPR).
- The first thing to do is to get a clear map of all sources of personal information stored in your SharePoint (are there specific site collections / doc libs / lists / content types / fields containing personal info of European citizens? Which ones? Why?). It's not technical, but it may require you to modify your classification plan (adding a column to hold the name and first name on passport copies, for instance. Doing so, you will be able to quickly retrieve the document in case the passport owner asks you to delete all his personal data).
- If you're on-prem with an enterprise license, you have eDiscovery centers. For O365, it's included with E3. With this feature, you can quickly search among all your mailboxes/OneDrives/SharePoints to retrieve content (e.g. the name of a European citizen asking you to update/export/delete his personal data). eDiscovery will definitely be helpful to be compliant with GDPR.
- If you are using O365, also have a look at "Labels" and "DLP" (with E3, I think), which allow you to "tag" any content and apply retention policies on content (document or email).
- Retention policies (by content type, by document library, by label) will be helpful, as you have to retain documents only during the minimum necessary period.
- Microsoft has also announced many features on O365 such as security audit, a disclaimer for external users, etc.
- And, as mentioned before by Cian, have a look at Compliance Manager. This new feature is currently available in preview.
Be prepared... May 25 2018, GDPR is coming ;)
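The three Office 365 mechanisms named in the post above (an eDiscovery/content search for a data subject's name, a retention label for passport copies, and a DLP rule for EU passport numbers) can be driven from Security & Compliance PowerShell. The script below is an added example written for this thread; it is not code from the post, the slide deck, or Microsoft. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) is installed and the signed-in account holds the eDiscovery Manager and Compliance Administrator roles; the data subject name, search/policy/label names and the 5-year retention period are constructed placeholders.

```powershell
# Added example for the thread (not from the original post or from Microsoft).
# Assumes the ExchangeOnlineManagement module and suitable Compliance Center roles.
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

# --- 1. Data subject request: find every item mentioning a person ----------
# Constructed sample subject; a real request carries the subject's own details.
$subject    = 'Jane Example'
$searchName = "DSAR-$(Get-Date -Format 'yyyyMMdd')-JaneExample"

# KQL phrase query over all SharePoint sites, OneDrive accounts and mailboxes.
# A name alone is a coarse filter: it also matches documents that merely mention
# the person, so a reviewer checks the hits before anything is exported or deleted.
New-ComplianceSearch -Name $searchName `
    -Description 'GDPR access/erasure request for a data subject' `
    -ExchangeLocation All -SharePointLocation All `
    -ContentMatchQuery "`"$subject`""
Start-ComplianceSearch -Identity $searchName

# Poll until the estimate finishes, then record the hit count for the request file.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
'{0}: {1} item(s), {2} bytes' -f $searchName, $search.Items, $search.Size

# Queue the result set for export to the reviewer (picked up with the eDiscovery Export tool).
New-ComplianceSearchAction -SearchName $searchName -Export

# --- 2. Retention label for passport copies ---------------------------------
# Placeholder period: keep 5 years after last modification, then delete, so the
# copies are not retained beyond the purpose they were collected for.
$label = 'Passport copy'
if (-not (Get-ComplianceTag -Identity $label -ErrorAction SilentlyContinue)) {
    New-ComplianceTag -Name $label `
        -RetentionAction KeepAndDelete `
        -RetentionDuration 1825 `
        -RetentionType ModificationAgeInDays `
        -Comment 'GDPR: identity documents, purpose-limited retention'
}
# Publish the label to every SharePoint site and OneDrive so users (or auto-apply) can tag content.
New-RetentionCompliancePolicy -Name 'GDPR identity documents' `
    -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Publish passport label' `
    -Policy 'GDPR identity documents' -PublishComplianceTag $label

# --- 3. DLP: catch EU passport numbers shared outside the organisation --------
# Start in test mode (no user notifications) to measure false positives on real
# content before switching the policy's -Mode to Enforce.
New-DlpCompliancePolicy -Name 'EU passport numbers' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-DlpComplianceRule -Name 'Block external sharing of passport numbers' `
    -Policy 'EU passport numbers' `
    -ContentContainsSensitiveInformation @{ Name = 'EU Passport Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true
```

The search in step 1 is what the post's "quickly search among all your mailboxes/OneDrives/SharePoints" amounts to in practice; the classification column the post recommends (name and first name on passport copies) makes the same lookup far more precise than a free-text name query, which is why the script records the hit count rather than acting on the results automatically. Steps 2 and 3 only make sense once the inventory of where personal data lives, described in the second bullet, has been done.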