In this article I want to showcase the new Privacy Management component for Microsoft 365. This is a (still in preview) component which brings together three major parts for managing and protecting privacy sensitive information: detecting policy violations | answering data subject requests | informing your end users. Hope you enjoy. Estimated reading time: 5 minutes
Compliance with national and international privacy regulations is no small feat to accomplish. The EU General Data Protection Regulation alone has 99 official articles and 173 so-called recitals. Some of these articles are widely known – mostly the ones in chapter 3: Rights of the Data Subject. You’ve probably heard of the “Right to be forgotten” and the “Right to Data Portability”. But there’s lots more and most refer to the ability to protect and safeguard privacy sensitive information.
In this three-part series, I will be looking at the new Privacy management dashboard for Microsoft 365. This dashboard is now in preview and is really comprehensive. More information on this new function can be found here: https://docs.microsoft.com/en-us/microsoft-365/compliance/privacy-management-setup?view=o365-worldwide
In this second part of the series, I’ll be looking at data privacy policies.
This function I really like. You can use built-in policies to track specific privacy-related activities and act on them. The dashboard comes with three types of policies, which you can either modify or use as a basis for creating new ones.
All three policy templates use the same workflow: what data do you want to monitor | which users does this apply to | what locations need to be included (Exchange, SharePoint, OneDrive and Teams conversations) | what conditions apply and what do you want to do?
All policies use the same sensitive information types or classification groups. Also, all available actions are the same: informing the end-user and sending alerts (if needed).
Every policy has an overview page, showing the details of the policy and the personal information it has found. The page will show you which sensitive information type or specific data scheme was triggered. You also get an overview of the matched information, so you can view any individual item.
Policy 1 – Data overexposure
This policy only works for SharePoint Online and OneDrive for Business. It detects when specific information has been shared anonymously (public), internally and/or externally.
Policy 2 – Data transfers
This one is very interesting. You can check whether specific information is being accessed from any given country/region, or across departments as recorded in the user’s Azure AD account.
Policy 3 – Data minimization
A very effective and simple policy. Find any sensitive information which has not been modified in 30, 60, 90 or 120 days. No clean-up, just a notification.
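To make the conditions behind the three templates concrete, here is an added Python example of my own (not Microsoft's code and not any Privacy Management API) that evaluates a small constructed inventory against simplified versions of the three policies. The record fields, sample items and sensitive information type names are assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample record; field names are assumptions for illustration,
# not the schema used by the Microsoft 365 Privacy Management dashboard.
@dataclass
class Item:
    path: str
    sensitive_types: tuple   # matched sensitive information types, e.g. ("Credit Card Number",)
    location: str            # "SharePoint", "OneDrive", "Exchange" or "Teams"
    sharing: str             # "private", "internal", "external" or "anonymous"
    last_modified: date
    owner_department: str
    accessed_from: tuple     # (country_code, department) pairs of recent access

def data_overexposure(items, scopes=("anonymous", "external")):
    """Policy 1: sensitive items in SharePoint/OneDrive shared at a watched scope."""
    return [i.path for i in items
            if i.sensitive_types and i.location in ("SharePoint", "OneDrive")
            and i.sharing in scopes]

def data_transfers(items, watched_countries=(), cross_department=True):
    """Policy 2: sensitive items accessed from a watched country/region,
    or from a department other than the owner's."""
    hits = []
    for i in items:
        if not i.sensitive_types:
            continue
        for country, dept in i.accessed_from:
            if country in watched_countries or (cross_department and dept != i.owner_department):
                hits.append(i.path)
                break   # one matching access is enough to flag the item
    return hits

def data_minimization(items, today, days=90):
    """Policy 3: sensitive items not modified for at least `days` (30/60/90/120)."""
    assert days in (30, 60, 90, 120)
    return [i.path for i in items
            if i.sensitive_types and (today - i.last_modified).days >= days]

# Constructed sample inventory (three items, one without any sensitive match).
SAMPLE = [
    Item("sp/hr/payroll.xlsx", ("Credit Card Number",), "SharePoint", "anonymous",
         date(2021, 1, 10), "HR", (("NL", "HR"),)),
    Item("od/alice/notes.docx", (), "OneDrive", "anonymous",
         date(2021, 6, 1), "Sales", ()),
    Item("sp/fin/contracts.pdf", ("EU Passport Number",), "SharePoint", "internal",
         date(2021, 8, 20), "Finance", (("US", "Finance"), ("NL", "Sales"))),
]
```

Each function only reports matches, mirroring the dashboard's behaviour of notifying or alerting rather than cleaning anything up.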
In the third and last post in this series, I’ll be looking at the subject request functions and give my thoughts on this new functionality.