Office 365, GDPR, Data Spillage, and the Right to be Forgotten
GDPR Coming Soon
As the May 25 introduction of the EU’s General Data Protection Regulations (GDPR) approaches, companies are busily getting their ducks in a row to handle their GDPR responsibilities. Technology suppliers like Microsoft offer help like the Information Protection Guide for Office 365 or the Compliance Manager. These are generic tools that give Office 365 tenants a framework to work within, but at the end of the day, the devil is in the detail and companies need to understand where potential data problems lurk in their IT systems.
PII in Office 365
The move to Office 365 means that companies store a lot of PII data in cloud databases. To be fair to Microsoft, they do their best to master detail on behalf of customers and communicate that information. A good example is the long support article covering data spillage into the Recoverable Items folders of user mailboxes.
I bet you never knew that data spillage can happen in mailboxes. As defined in the article, this means that Office 365 unintentionally keeps email with sensitive information because one or more holds exist on mailboxes.
The Effect of Holds
When a hold exists, Exchange Online keeps copies of messages that match the hold criteria until the hold elapses. In the case of some holds, the entire mailbox might be in scope, and that hold might be indefinite. The net effect is that Exchange will never allow the permanent removal of a message from the mailbox while a hold exists. The array of holds available within Office 365 means that tenants have great flexibility about how to keep data for compliance purposes, but it also creates some problems.
Sensitive information includes PII data covered by article 17 of GDPR (the “right to be forgotten”), where people can ask a data controller to erase data concerning them without undue delay. Holds might cover email about a person with some PII data, such as their address or date of birth. When the time comes to remove the email to meet a GDPR request, tools like the Search-Mailbox cmdlet can find and try to remove the items from mailboxes, but the holds ensure that copies of the messages stay in the Recoverable Items folder.
Mopping up Spillage
The support article explains the steps necessary to remove items held in mailboxes. You disable user access to the mailbox, remove all the holds in place on the mailbox, excise the offending messages from the mailbox, restore the holds, and finally resume normal access. It is a long and complicated process that disrupts normal work and needs administrators to be familiar with PowerShell.
Being careful, which is always necessary when erasing data, it might take 30 minutes or so to process a mailbox, including documenting the steps taken. If PII data for an applicant exists in tens of mailboxes, it’s easy to see how you can absorb hours of valuable time to satisfy a GDPR request.
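As an added example (my own, not code from the original post or from Microsoft's support article), this PowerShell run takes one mailbox through the cycle just described and logs each step for the compliance record. It assumes an open Exchange Online PowerShell session whose account holds the Mailbox Import Export role (needed for Search-Mailbox -DeleteContent); the mailbox address and the search query are constructed sample values.

```powershell
# Added example, not from the original post: purge spilled items from one held mailbox
# and restore its holds afterwards. Mailbox address and query are constructed samples.
$Mailbox = 'Kim.Akers@contoso.com'
$Query   = 'Subject:"Applicant CV" AND Received>=01/01/2017'
$LogPath = "C:\Temp\GDPR-Purge-$(Get-Date -Format 'yyyyMMdd-HHmm').log"
function Write-Log ($Text) { "$(Get-Date -Format u)  $Text" | Out-File -FilePath $LogPath -Append }

# Step 1: capture the hold state first; everything changed below is put back from it.
$Before = Get-Mailbox -Identity $Mailbox |
    Select-Object LitigationHoldEnabled, InPlaceHolds, RetentionPolicy,
                  SingleItemRecoveryEnabled, RetainDeletedItemsFor
Write-Log "Hold state before: $($Before | Out-String)"

# Step 2: take the user out of the mailbox while the purge runs.
Set-CASMailbox -Identity $Mailbox -OWAEnabled $false -ActiveSyncEnabled $false `
    -MAPIEnabled $false -ImapEnabled $false -PopEnabled $false
Write-Log 'Client access disabled'

# Step 3: lift the holds. Litigation hold and the retention policy are mailbox properties;
# In-Place Holds and Security & Compliance retention holds (listed in InPlaceHolds) are
# managed in their own tools, so stop rather than purge while one is still active.
if ($Before.InPlaceHolds.Count -gt 0) {
    Write-Log "Other holds present: $($Before.InPlaceHolds -join ', '); aborting"
    throw 'Remove the listed holds in the compliance tools, then re-run this script.'
}
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $false -RetentionPolicy $null `
    -SingleItemRecoveryEnabled $false -RetainDeletedItemsFor 0
Write-Log 'Litigation hold, retention policy and single item recovery disabled'

# Step 4: estimate, log, then purge. With no hold in force, -DeleteContent also clears
# the copies in Recoverable Items instead of leaving them behind.
$Estimate = Search-Mailbox -Identity $Mailbox -SearchQuery $Query -EstimateResultOnly
Write-Log "Items matching '$Query' before purge: $($Estimate.ResultItemsCount)"
$Result = Search-Mailbox -Identity $Mailbox -SearchQuery $Query -DeleteContent -Force
Write-Log "Items purged: $($Result.ResultItemsCount)"
Start-ManagedFolderAssistant -Identity $Mailbox    # let Exchange process the unheld mailbox now

# Step 5: restore exactly what was captured in step 1, then let the user back in.
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $Before.LitigationHoldEnabled `
    -SingleItemRecoveryEnabled $Before.SingleItemRecoveryEnabled `
    -RetainDeletedItemsFor $Before.RetainDeletedItemsFor
if ($Before.RetentionPolicy) { Set-Mailbox -Identity $Mailbox -RetentionPolicy "$($Before.RetentionPolicy)" }
Set-CASMailbox -Identity $Mailbox -OWAEnabled $true -ActiveSyncEnabled $true `
    -MAPIEnabled $true -ImapEnabled $true -PopEnabled $true
Write-Log 'Holds and client access restored'
```

The log file is the audit trail for the request: keep it with the GDPR case record, since it shows which holds were lifted, how many items went, and that the holds came back.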
At least Office 365 includes the tools and the procedures to track down PII data, even if some manual effort is needed. Content searches, for instance, can now quickly look through mailboxes, public folders, Office 365 Groups, and SharePoint Online and OneDrive for Business sites to check where PII data might be present.
The Problem of Downloads
What is more concerning is offline data downloaded from cloud repositories. PSTs are an obvious issue. Exchange Online mailboxes have 100 GB quotas (and more in Recoverable Items and archives), but it is amazing how many people continue to stuff confidential and sensitive data away in PSTs. This action removes the data from oversight by any Office 365 compliance or data governance functionality. And while companies have suffered great pain in the past when hackers penetrated their systems and stole data in PSTs (the Sony example is one case), the large fines that the EU can impose under GDPR make PSTs even more of a business risk. Perhaps the advent of GDPR will be the prompt needed to convince companies that it is long past the time to eradicate these hangovers from the low mailbox quotas of the 1990s.
You should look at the use of the OneDrive sync client in any GDPR review. There is no doubting the usefulness of the client in allowing users to take offline copies of documents from OneDrive and SharePoint sites and synchronize changes made locally to document libraries. The “next generation” OneDrive sync client works well and is dependable (both statements are untrue for the older Groove.exe sync client). However, you end up with copies of documents on local drives. Removing the online copies of relevant documents (like a job review or CV) in response to a GDPR request should replicate the deletion to offline copies, but it is possible for users to disable synchronization if they want.
Protect Sensitive Data
Microsoft has invested heavily to make Rights Management more approachable for Office 365 than it is on-premises, and recent changes should help more tenants adopt IRM protection to secure content. Microsoft has announced that they will integrate Azure Information Protection labels with Office 365 classification labels (part of the data governance framework), so that you will be able to apply a single label to classify content and impose protection through rights templates.
You can protect SharePoint document libraries with rights templates, and a recent build of the OneDrive sync client supports synchronization of protected libraries for the first time. Together with revocation of permissions to access protected documents, the parts seem to be coming together to allow Office 365 tenants to control access to sensitive document-based content too.
Teams is the outlier. SharePoint and Exchange control the content generated by Teams using those workloads, but Teams has its own Azure services to store conversations and media. We cannot yet search and remove data from all teams in a tenant, which you might want to do to satisfy a GDPR PII request, but this might come when Teams supports more of the Office 365 data governance framework.
Office 365 includes many features to help tenants deal with GDPR. What Office 365 cannot deliver is processes and procedures for a company to deal with things like requests to remove PII data belonging to individuals. Each company is different, and each must understand its own exposure under GDPR and how it can best respond. That’s the work that companies are doing now as that May 25 deadline looms.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.