Processing GDPR Data Subject Requests with Office 365

GDPR Splash

GDPR Data Subject Access Requests

With GDPR taking effect on May 25, any company operating in the European Union must be able to deal with Data Subject Access Requests (DSRs). Section 3 of Article 15 says that “The controller shall provide a copy of the personal data undergoing processing [to the data subject].”

In the context of Office 365, the controller is the administrator of an Office 365 tenant while the personal data is anything held in an Office 365 data store relating to the data subject (a person). An organization has up to 30 days to respond to a request, which might come from a current or former employee, or someone who does business with the organization. Here’s an interesting blog post describing the kind of request you might receive.

Office 365 Data Governance

Fortunately, Microsoft has done a lot of work to index Office 365 data and make the data easily discoverable and retrievable. Some applications still need work, notably Planner and Yammer, but email, documents, and Teams messages are covered by the Office 365 data governance framework.

In addition, Microsoft has prepared documentation to assist tenant administrators to handle data subject requests covering Office 365, Azure, and other cloud services, which administrators can download from the Service Trust portal.

Content Searches

The Office 365 Data Subject Request Guide focuses on content searches as a method to retrieve and export information belonging to someone who makes a request. According to the guide, “Microsoft estimates that over 90% of an organization’s data that is stored in Office 365 is authored in Word, Excel, PowerPoint, OneNote, and Outlook.” This information is likely stored in Exchange, Teams, SharePoint, or OneDrive for Business, all of which are searchable by content searches.

You can certainly create a content search to retrieve all items in a user’s mailbox, their personal OneDrive for Business site, and any items in public folders plus any document that mentions the user. Separate arrangements must be made to recover information held in Yammer, Sway, Planner, Dynamics 365, and Azure, but the content search will deliver most of the relevant information necessary to respond to the request.

Easier with the DSR Case Tool

Content searches are available to all Office 365 tenants now. To make things easier, Microsoft has a “DSR Case Tool” in preview. Essentially, the tool creates a special type of Office 365 eDiscovery case holding a content search designed to retrieve the information for a data subject.

Like regular eDiscovery cases, the DSR Case Tool is accessed through the Security and Compliance Center as part of a new GDPR Dashboard (also in preview). The idea is that the GDPR dashboard will be a one-stop shop for Office 365 functionality that helps tenants deal with their responsibilities under GDPR. As you can see from Figure 1, some of the functionality isn’t working yet, but that’s typical of preview software.

GDPR Dashboard
Figure 1: GDPR Dashboard in the Office 365 Security and Compliance Center (image credit: Tony Redmond)

Running a DSR Case

To create a new DSR Case, your account must be a member of the eDiscovery Managers role group. All you need to create a new DSR case is the name of the user who made the request. Click Create a DSR case and you’ll be asked to input the name of the data subject. If the data subject doesn’t have an account in the tenant, you must input their SMTP address.

Office 365 then creates a case with a content search already configured to retrieve data from the user’s mailbox (if one exists in the tenant), public folders, SharePoint sites, and OneDrive for Business. Unlike a regular eDiscovery case, you cannot create an in-place hold for a DSR.

After running the preconfigured search, you check the results with the preview option (Figure 2). At this point, you could go ahead and export the search results and assume that this will satisfy the request. However, it is important to make sure that the results returned by the search are accurate and tweak the search keywords and conditions if necessary to adjust the results. As Microsoft points out, the DSR tool is a “best-effort method” and “the results are subject to specific admin and data subject usage scenarios.” In other words, don’t assume that the results are perfect without checking.

GDPR DSR Results
Figure 2: Previewing search results for a DSR case (image credit: Tony Redmond)

For example, the preconfigured search locations include the user’s mailbox, which means that the compliance records captured for personal chats in Teams are included. To cover all Teams communications, the search locations would have to include every group mailbox belonging to a team. In fact, because the data subject might be mentioned or involved in email conversations in Office 365 Groups, it is best to include all group mailboxes in these searches.

[Update May 11: Microsoft says that they will tweak the preconfigured searches to find more material. That’s good, but it doesn’t remove the need for you to check the locations and the search results.]

For more complicated cases, you can use the regular eDiscovery case functionality to create other searches that use different search criteria to uncover further information. When you’re happy that all relevant data has been found, you can then export the results of the combined searches. Exports of email data can be in PST or ZIP files or as individual MSG files, while exported documents are always individual files. It all works in the same way as exports for regular content searches or eDiscovery cases.

Caution Before Handover

Typical search results are exported when the need exists for an internal or external review. Before handing over the exported DSR results to a data subject, it is wise to review the contents to ensure that the data is accurate, relevant to the data subject, and does not disclose commercially-sensitive material. For example, if the data subject’s name is common (like John Smith), it is possible that the search picked up documents that mention the name but are not relevant to the data subject. Technology won’t know the difference between John Smith from the Accounts Department and John Smith who works in Sales in Alaska, so a manual review of the information is the only way to be sure that the package eventually handed over is correct.

GDPR Won’t Go Away You Know

Creating a solution for GDPR DSRs using a customized version of out-of-the-box Office 365 components is a sensible approach. Anyone who has worked with content searches or eDiscovery cases through the Security and Compliance Center will understand how DSR cases work and how to process them. It’s a much better way to proceed than to create a brand-new method.

GDPR won’t disappear in a puff of smoke at midnight on May 25, 2018. The new regulations will be an ongoing and pervasive influence on Office 365 and other IT applications that have the capability to process personal data. It will be interesting to see how the Office 365 GDPR Dashboard develops.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.