The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR's primary aim is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The type and amount of personal data a company/organisation may process depends on the reason for processing it (legal reason used) and the intended use. The company/organisation must respect several key rules, including:
personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed (‘lawfulness, fairness and transparency’);
there must be specific purposes for processing the data and the company/organisation must indicate those purposes to individuals when collecting their personal data. A company/organisation can’t simply collect personal data for undefined purposes (‘purpose limitation’);
the company/organisation must collect and process only the personal data that is necessary to fulfil that purpose (‘data minimisation’);
the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not (‘accuracy’);
the company /organisation can’t further use the personal data for other purposes that aren’t compatible with the original purpose;
the company/organisation must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected (‘storage limitation’);
the company/organisation must install appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technology (‘integrity and confidentiality’).
With work now happening in Microsoft 365, then Microsoft 365 has to be configured to ensure GDPR compliance.
Microsoft 365 comes with a GDPR Dashboard and ToolBox that include the following tools to help discover, govern, protect and monitor the personal data in your organization.
Identify what personal data in your org is related to GDPR.
Find personal data - Use content search to find and export personal data to help facilitate compliance in your org.
Manage how personal data is classified, used, and accessed.
Auto-apply labels - Automatically classify content containing personal data to help ensure it's retained as needed.
Create a disposition label - Trigger disposition reviews so you can decide if personal data should be deleted when it reaches a certain age.
Use Compliance Manager - Access your org's compliance posture for GDPR and get recommended actions for improvement.
Establish security policies to prevent, detect, and respond to cyberthreats.
Create a data loss prevention (DLP) policy - Detect content containing personal data to help ensure it's protected.
Apply cyberthreat policies - Protect your users from cyberattacks like phishing, malware, malicious links, and more.
Monitor & respond
Track label usage, stay on top of data breaches, and respond to data subject requests (DSRs) and legal investigations.
Respond to DSRs - Create DSR cases to find and export Office 365 data related to a data subject request.
Respond to legal investigations - Use eDiscovery cases to respond to legal investigations.
Review and explore label usage - Get insights into how labels are being used and take action if needed.
Set up alert policies - Track and get notified about user and admin activities related to GDPR.
Review pending dispositions - Review items that have reached the end of their retention period and decide if they should be deleted.
View reports - Drill down on activity related to policy matches, threat detections, and more.
Visit Service Assurance - Learn how Microsoft helps meet the security, privacy, and compliance needs of your org.
Please contact us if you want to ensure your M365 is GDPR compliant.