blog.frederique.harmsze.nl my world of work and user experiences

February 28, 2019

Office 365 security and compliance GDPR dashboard – Yes please

Filed under: Governance,Office365 — Tags: — frederique @ 23:57

These days, our project managers and site owners know that they have to be careful with personal data: store none except what is necessary for the job, make it accessible only to the people who need it, keep it only for as long as it is needed, and use it only for the purpose for which it was gathered. But are we sure there are no personal data hidden somewhere in SharePoint 2007, dating from more than a decade ago, that we now risk exposing in SharePoint Online after migration? Let us MAKE sure!

I am working on a project for a construction company that has been using SharePoint for ages. They have over 8,000 SharePoint sites for our Operating Company alone, most of them SharePoint 2007 sites. Currently, we are migrating these old sites to SharePoint Online as “archive sites”, as part of our transition to Office 365. So we see a lot of old stuff passing by…

  • We want to make sure we keep all information that is still relevant for the company, such as construction details on the buildings they constructed, information needed for maintenance and guarantees.
  • But we also want to make sure that we do not have personal data that we are not allowed to have according to the privacy rules, GDPR (General Data Protection Regulation).

I am not worried about the remains in SharePoint 2007; those servers will be decommissioned and emptied soon. What I want to know is whether we are compliant in our Office 365 environment, including SharePoint Online, where we are migrating all of that old information. The advantage of asking that question is that we can use the modern tooling offered by Office 365 itself to check!

Tools in Office 365: GDPR dashboard and toolbox

Recently, I made our privacy officer very happy by showing him the GDPR Dashboard in the Office 365 Security & Compliance Center. It is part of the admin toolbox which we already have in our tenant. So let’s configure it and use it to our advantage.

Security & Compliance center: GDPR dashboard (in a demo tenant, nothing going on…)

It took me a moment to find it, because I was looking in the Microsoft 365 admin center. You need to go to a different URL: https://protection.office.com/ (at least, in the admin center of my tenant I see no link at this time).

And this dashboard comes with a toolbox:

GDPR toolbox

Discover
Identify what personal data in your org is related to GDPR.
• Import data: Bring data into Office 365 to help safeguard it for GDPR.
• Find personal data: Use content search to find and export personal data to help facilitate compliance in your org.

Govern
Manage how personal data is classified, used, and accessed.
• Auto-apply labels: Automatically classify content containing personal data to help ensure it’s retained as needed.
• Create a disposition label: Trigger disposition reviews so you can decide if personal data should be deleted when it reaches a certain age.
• Use Compliance Manager: Access your org’s compliance posture for GDPR and get recommended actions for improvement.

Protect
Establish security policies to prevent, detect, and respond to cyberthreats.
• Create a data loss prevention (DLP) policy: Detect content containing personal data to help ensure it’s protected.
• Apply cyberthreat policies: Protect your users from cyberattacks like phishing, malware, malicious links, and more.

Monitor & respond
Track label usage, stay on top of data breaches, and respond to data subject requests (DSRs) and legal investigations.
• Respond to DSRs: Create DSR cases to find and export Office 365 data related to a data subject request.
• Respond to legal investigations: Use eDiscovery cases to respond to legal investigations.
• Review and explore label usage: Get insights into how labels are being used and take action if needed.
• Set up alert policies: Track and get notified about user and admin activities related to GDPR.
• View reports: Drill down on activity related to policy matches, threat detections, and more.
• Visit Service Assurance: Learn how Microsoft helps meet the security, privacy, and compliance needs of your org.

Data Loss Prevention Policy for GDPR

One of the items in the GDPR toolbox is to create a DLP (Data Loss Prevention) policy to detect content containing personal data. You can create one from the shortcut in the GDPR toolbox or from the DLP section of the Security & Compliance Center.

Data Loss Prevention policy: GDPR

The GDPR policy template detects the following sensitive information types in our environment:

  • EU Debit Card Number
  • EU Driver’s License Number
  • EU National Identification Number
  • EU Passport Number
  • EU Social Security Number (SSN) or Equivalent ID
  • EU Tax Identification Number (TIN)

You can select where it should apply. I want it to protect all content in all locations in Office 365, including Exchange email and OneDrive and SharePoint documents. (Hey, not SharePoint lists? And what about Yammer groups or Teams conversations? Maybe it is assumed that nobody would put, for instance, a passport number in there. I have seen scans of passports in SharePoint documents and in email attachments, before they were removed as soon as possible…)

GDPR Policy: select the locations it should protect

But for a test it is more practical to limit its scope and choose specific locations.

GDPR policy limited to one test site collection

You can customize what it should detect, for example whether to match only content shared with people outside the organization, or also content that is shared with insiders only.

GDPR Policy: tweak the details of what it should detect

And then, what action should it take if it detects personal data? For example, email an incident report to the person who created the policy, to the global admin, or to a specific mail address.

GDPR Policy: what action should it take with what it has detected?
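The same four steps (pick the sensitive information types, scope the locations, decide between external and internal sharing, send an incident report) can be scripted from Security & Compliance PowerShell, which is handy when you want to repeat a test policy on several site collections. The block below is an added example and not code from the original post. It assumes the ExchangeOnlineManagement module (for Connect-IPPSSession) and uses placeholders for the tenant name "contoso", the test site URL and the report recipient; the sensitive information type names are the six labels shown in the wizard, and the script checks them against the tenant's catalogue first because the catalogue name can differ from the wizard label.

```powershell
# Added example, not code from the original post: create a GDPR-style DLP policy
# from Security & Compliance PowerShell instead of the wizard, scoped to a single
# test site collection. Placeholders (assumed, not real): the tenant name
# "contoso", the test site URL and the report recipient.
# Requires the ExchangeOnlineManagement module (Connect-IPPSSession).

Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'GDPR test - one site collection'
$testSite   = 'https://contoso.sharepoint.com/sites/dlp-test'   # placeholder
$reportTo   = 'privacy-officer@contoso.com'                     # placeholder

# The six EU sensitive information types the GDPR template selects, as labelled
# in the wizard. Names must match the tenant's catalogue exactly, so verify them
# first instead of finding out when the rule is created.
$wanted = @(
    'EU Debit Card Number',
    "EU Driver's License Number",
    'EU National Identification Number',
    'EU Passport Number',
    'EU Social Security Number (SSN) or Equivalent ID',
    'EU Tax Identification Number (TIN)'
)
$catalogue = (Get-DlpSensitiveInformationType).Name
$missing = $wanted | Where-Object { $_ -notin $catalogue }
if ($missing) {
    throw "Not in this tenant's sensitive information types: $($missing -join ', ')"
}

# minCount = 1 flags a single occurrence. Raising minCount (or adding a
# minConfidence value to the hashtable) is the usual first step against
# false positives once the report starts coming in.
$sensitiveTypes = $wanted | ForEach-Object { @{ Name = $_; minCount = '1' } }

# 1. The policy says WHERE it applies. Test mode evaluates and reports
#    without blocking anyone, which is what you want on archive sites first.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation $testSite `
    -Mode TestWithNotifications `
    -Comment 'Detect EU personal data in migrated SharePoint 2007 archive sites'

# 2. The rule says WHAT to match and what to do about it.
#    AccessScope NotInOrganization = only content shared with people outside
#    the organisation; leave it out to match internally shared content too.
New-DlpComplianceRule -Name "$policyName - shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, Service, MatchedItem, Detections `
    -ReportSeverityLevel Medium

# 3. Read it back: scope, mode and matched types should be exactly what was set.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, GenerateIncidentReport, ContentContainsSensitiveInformation
```

Keep the policy in test mode until the incident reports look right; switching -Mode to Enable later is a one-line Set-DlpCompliancePolicy change, whereas a blocking rule that fires on false positives across 8,000 archive sites is a support ticket generator.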

As a result, you get reports like these, in a CSV file:

GDPR policy: report from demo tenant, converted from csv to columns to make it more readable


Ok, to be honest, in our first test it did not seem to detect any of our own examples of personal information that we added in a SharePoint test site, while it found a lot of false positives. But still, it looks very useful, once we get it to work properly.
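A check that helps separate "the policy is broken" from "the test data does not trigger the type" is to run the planted text through the tenant's own classifier with Test-DataClassification, the same detection engine the DLP rule uses. Two things commonly explain planted test data that is not detected: most built-in EU sensitive information types require a supporting keyword (such as "passport") close to the number, so a bare number matches nothing; and DLP in SharePoint Online evaluates a document only after the search crawl has indexed it, so a file uploaded minutes ago may simply not have been evaluated yet. The block below is an added example, not code from the original post. The sample texts are constructed and the numbers are made up, so whether each one matches is precisely what the check reveals; it assumes Connect-IPPSSession has already been run.

```powershell
# Added example, not from the original post: ask the tenant's classifier which
# sensitive information types match a text, to tell "policy not working" apart
# from "test data does not satisfy the type's pattern and keyword rules".
# Assumes Connect-IPPSSession has been run. Sample texts are constructed and
# the numbers are made up, so whether they match is what this reveals.

$samples = [ordered]@{
    'bare number'  = 'Dossier 20190228, ref 123456789'                         # constructed
    'with keyword' = 'Scan of passport number 123456789 is attached'           # constructed
    'two numbers'  = 'Passport 123456789 and passport 987654321 for the crew'  # constructed
}

function Get-EuClassifications {
    param([string]$Text)
    # Test-DataClassification returns an object whose ClassificationResults
    # lists each matching type with its Count and Confidence; only EU types
    # are relevant to the GDPR template, so filter on the name prefix.
    $result = Test-DataClassification -TextToClassify $Text
    $result.ClassificationResults | Where-Object { $_.ClassificationName -like 'EU *' }
}

foreach ($entry in $samples.GetEnumerator()) {
    $hits = @(Get-EuClassifications -Text $entry.Value)
    if ($hits.Count -eq 0) {
        '{0,-13}: no EU type matched (pattern or keyword rule not satisfied)' -f $entry.Key
        continue
    }
    foreach ($h in $hits) {
        # Count is what minCount in the DLP rule is compared against; a type that
        # matches once with low confidence is the usual source of false positives.
        '{0,-13}: {1} x{2} (confidence {3})' -f $entry.Key, $h.ClassificationName, $h.Count, $h.Confidence
    }
}
```

If a sample matches here but the DLP rule still reports nothing for the document that contains it, the remaining suspects are the policy scope (the site URL really has to be the site collection you uploaded to) and the crawl delay; if it does not match here either, adjust the test content, not the policy.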
