How Office 365 Can Help You to Meet Your GDPR Obligations

Posted on 31 July 2017

Want to achieve GDPR compliance and reduce risk? Office 365 is a great place to start.

By now, organisations have had plenty of time to settle into life post-GDPR – and we’ve already seen big players getting hit with fines and warnings over their handling of data.

Keeping their names out of the headlines and staying on the ICO’s good side has become a top priority for organisations, but one that’s much trickier without some top-shelf assistance. That’s where Microsoft Office 365 comes into play.

Why Office 365?

Microsoft Office 365 features industry-leading security measures and privacy policies to safeguard data within the cloud, including the categories of personal data identified by GDPR.

One essential step to meeting GDPR obligations is discovering and controlling what personal data you hold and where it resides. Thankfully, there are a number of Office 365 solutions that can help you identify or manage access to personal data:

  • Data Loss Prevention (DLP) can identify over eighty common sensitive data types including financial, medical, and personally identifiable information. In addition, DLP allows organisations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organisation.
  • Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets, including SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help to identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
  • Customer Lockbox for Office 365 can help organisations to meet compliance obligations for explicit data access authorisation during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.

Another core requirement of the GDPR is protecting personal data against security threats. Yep, you guessed it: Office 365 has you covered there too. Current data safeguarding features include:

  • Advanced Threat Protection in Exchange Online Protection, which helps protect email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
  • Threat Intelligence proactively uncovers and protects against advanced threats in Office 365. Deep insights into threats – provided by Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters – also help to quickly and effectively enable alerts, dynamic policies, and security solutions.
  • Advanced Security Management identifies high-risk and abnormal usage, alerting organisations to potential breaches. In addition, it allows for activity policy set up, enabling teams to track and respond to high risk actions.
  • Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which help with early detection and investigation of security and compliance issues.

As we continue to navigate the post-GDPR landscape and adapt to learn lessons from those drawing the ICO’s ire, it’s essential for organisations to do everything in their power to ensure compliance. This is the ideal first step.

To find out more about how identity and access management solutions can strengthen your GDPR undertaking, get in touch with our team.

A few people we've already done it for