In this article I want to showcase the new Privacy Management component for Microsoft 365. This is a (still in preview) component which brings together three major parts for managing and protecting privacy sensitive information: detecting policy violations | answering data subject requests | informing your end users. Hope you enjoy. Estimated reading time: 5 minutes
Compliance with national and international privacy regulations is no small feat to accomplish. The EU General Data Protection Regulation alone has 99 official articles and 173 so-called recitals. Some of these articles are widely known – mostly the ones in chapter 3: Rights of the Data Subject. You’ve probably heard of the “Right to be forgotten” and the “Right to Data Portability”. But there’s lots more and most refer to the ability to protect and safeguard privacy sensitive information.
To be fair, enterprises have had plenty of time to prepare for this compliance. GDPR itself was proposed in 2012 and came into force in May 2016. But with the amount of information exploding and the adoption of cloud-technology skyrocketing (250 Million monthly Microsoft Teams users, for example), adherence to these regulations becomes even more difficult.
Most enterprises have the right processes and expertise available to processes and protect privacy sensitive information and to comply with the rights of the data subject. But when working with unstructured data like e-mails, documents, and conversations, this might get complex. And during the first usage of SharePoint and Exchange Online, we really needed to bring many functions together in order to be compliant.
In this three part series, I will be looking at the new Privacy management dashboard for Microsoft 365. This dashboard is now in preview and is really comprehensive. More information on this new function can be found here: https://docs.microsoft.com/en-us/microsoft-365/compliance/privacy-management-setup?view=o365-worldwide
This part details the history of data privacy and the new dashboard.
Part 3 – Subject rights requests
Early Office 365
In the earli(er) days of Office 365, compliance officers and admins were able to comply with some of the GDPR regulations. We needed to bring these together to create a complete compliance solution. Part of this solution were records management, eDiscovery (search, exports, holds), basic sensitive information types (only the ones Microsoft offered), data loss prevention, the auditlog and Azure Information Protection. Although AIP was added later.
Great solutions, but only parts of a bigger puzzle. Later Microsoft added the Data privacy component to the Security & Compliance Center.
Security & Compliance Center
This was a great addition. To be fair – some of the components here provide insights. And you still needed to use the other components (like the auditlog and data loss prevention) to complete the puzzle. But it did offer one new option: Data subject requests.
The data subject request component made it easier for a compliance officer or admin to get to the required information requested by a person. By simply adding information on the requestor (the username or e-mail address), Office 365 started a search for information using core eDiscovery.
This search was based on a specific query and several default search-locations (e-mail, documents, and conversations/chats). For example, the typical query would be:
participants:<e-mail address> OR author:<Display Name> OR createdby: <Display Name>
This query provides the compliance officer/admin with an overview of e-mails, documents, and conversations/chats where the information was stored. The information could be exported and/or a report (well, and Excel-file) generated. One nice fact: you needed a specific browser in order for the secure download to work 🙂
In the meantime, Microsoft introduced the Compliance Manager and Compliance Score. And GDPR related articles could be directly linked to Office 365 technology, process, and people.
Ok, now what?
Why this bit of history? Firstly: because I like to see how a functionality has evolved over time. And second: because some of the earlier functionality is still part of the new Privacy Management portal. So, let’s look.
First off: when you go to the Privacy management section, you will be notified that you will need to activate the preview function. That’s no problem at all. Just add the trial licenses to the tenant to get started. Next, grant access to the dashboard. Yes, this is important. Even Global Admins need to be part of the new Privacy Management role group.
Now things are set-up for you to continue. This will take some time. When done, the dashboard will be displayed.
My first reaction
One of my first reactions was: not another dashboard 🙂 But to be fair, it really is comprehensive and straight forward. Multiple widgets show aspects like the amount of personal data found in the organization and the status of active data subject requests. It’s the sort of dashboard (I feel) that would make a privacy/data officer in the enterprise happy.
Another thing I noticed – new enhancements. For example:
Classification Groups. The build-in sensitive information types (which now also include the physical address) are grouped according to regulation. For example: GDPR. You can select these in the policies section and add more sensitive types to the policy. Great!
The Privacy management dashboard is the one stop shop for insights into the storage, usage and sharing of personal information. It’s also the place to start a data subject request or create a new policy for managing personal information.
The term “Personal information” is somewhat broad – if you are using the defaults. By default, Microsoft 365 uses the build-in sensitive information types to determine if there is sensitive data stored and shared within Microsoft 365. During the configuration of policies (see below), this can be made very specific.
So, let’s look at the settings, data profile, policies, and data subject requests parts of the Privacy management dashboard. That’s for part two and three of this blog series.
The settings page of the dashboard contains functions like the anonymization of personal details, the connection with Microsoft Teams for a data subject request and data matching. Data matching allows you to use specific data schemes which you can use when searching for personal data. Although I’m not sure, I like to compare this to the exact data match sensitive information types.
A specific part of the settings is the ability to “empower your workforce”. This is simply the option to set-up tips and e-mail notifications for your users. Very nicely done. It’s not part of the settings-page itself though. You will see a banner asking you to set this up.
The data profile section of Privacy management is basically a dashboard within a dashboard. You can compare this with the content explorer of the Data classification part of the compliance dashboard. Well, to be honest: that’s where you end-up when you click “Explore” 🙂
The regional view is cute, though it only displays information based on the data transfer regions/countries which are part of Privacy management (Europe, Middle East, and Africa | Asia-Pacific | Australia | Canada | France | Germany | India | Japan | Korea | North America | Norway | South Africa | Switzerland | United Arab Emirates | United Kingdom).
In part two of this series, I’ll be looking at privacy policies. Part three will detail the new subject request options.