GDPR and Microsoft 365

gdpr-microsoft-365

Since 2018, the GDPR frenzy has settled down somewhat. 

With most companies having put the relevant policies and contractual terms in place, and comforted by the low number of prosecutions (37 monetary penalties issued to date*) it’s tempting to think that it’s ‘job done’ and put data protection on the back burner.

I was heavily involved in getting AMT ready for GDPR, and more recently I’ve been putting the structures that we need in place for our ISO 27001 Information Security Certification. 

The biggest thing that I’ve learned is that good security and data protection practices aren’t just box ticking exercises that cause lots of pain for no clear benefit. 

Most of the improvements that we’ve made make total business sense and have improved not just our security, but also have improved how we do our work. 

That’s because the main requirements for good data security are simply to do with good housekeeping and organisation.

When we talk to clients about protecting their data, the first question that we ask is “so tell me, where is your sensitive data stored?”. 

A simple question, but also normally a killer one. 

The answer is normally something along the lines of “well, it’s everywhere”. 

On the file server, on USB drives, in emails, on local hard-drives – to be honest, nobody really knows, and its too big a job to sort out. 

Even when we have a look at a folder where sensitive data is clearly stored, there are often multiple copies of documents with poor labelling, and almost no retention or disposal routines in place. 

Even if the company has identified information types and associated retention and disposition policies, these are generally to complex to be effectively implemented on a day-to-day basis.

So how can Microsoft 365 help?

Recap

For any personal data that you store, you have to ensure the following:

    1. Transparent and lawful use
    2. Limit processing
    3. Minimise collection
    4. Ensure accuracy
    5. Limit storage
    6. Ensure security and confidentiality

 

On top of personal data, you will also no doubt have commercially confidential data that you need to look after –  Price Lists, Product Designs, Templates, Contracts, Board Minutes etc.

You also have various people who you need to consider:

    1. Hackers – more the domain of network security than data security.
    2. Yourself – how do you ensure you don’t have access to things you shouldn’t, or don’t accidentally send things to the wrong people?
    3. Your colleagues – like yourself, can they see things they shouldn’t, can you protect them from mistakes, can they take things when they get hired by a competitor?
    4. Contractors – how do you make sure they have what they need to do their job but no more, and protect this from being taken to their next job?
    5. Clients/suppliers – it’s great to share and collaborate – how do you do this safely?
    6. Family/house guests – important in the new home-working world.

A unique opp

Firstly, there is a unique, once in a generation, opportunity at the moment to regain control of your data. 

There is a massive shift going on, moving from in-house file servers that have been used to hold documents probably for the last 30 years onto cloud storage. 

Once your company’s files have been moved onto whichever cloud service you choose, they may well be there for the next 30 years and beyond. 

Get things wrong now, and you’ve made life significantly harder for everybody in your organisation for decades. 

If you take this opportunity and go through some short term pain to get things organised now, you’ve a fighting chance to make a significant impact on people’s day-to-day working lives, and improve data integrity at the same time.

So take time to reorganise

Ask each team to think about what types of information they’re storing, and how they can be better organised. 

Don’t let people ‘lift-and-shift’; only allow files that are genuinely needed to be moved onto your lovely new storage.

Identify and copy these files to a temporary area on your file server, and then move them in one go to the cloud, making the original file-store read-only immediately. Your nightmare scenario is to have people using both the new cloud storage and the old file server at the same time – a mess you’ll spend weeks sorting out.

Work out a new structure in SharePoint or Teams. Using many Teams/Sites each containing many Channels/Libraries is far better than having a single massive Document Library holding everything. 

These need to be well designed to reflect your organisation in a way that people will understand, and so that security groups can be easily created at a high level.

Then create a page on your intranet that explains where everything is so that people don’t need to use guesswork to figure out where to store things.

Don't be overly-restrictive

Another mistake that companies make is to try to put tight, bespoke security on every document. Complicated security is really hard to maintain, and security that is so tight that people are prevented from doing what they need to do will simply force them to bypass it to get their job don’t (“I don’t have access to that document” “oh don’t worry, I’ll email it to you….:( )

Keep it simple – use Active Directory Groups – never give individual permissions – secure at a site/library level, never at a folder/document level – be open rather than overly-restrictive.

Follow these simple rules and in 10 years time you may have a chance of still being in a good place.

Understand and use technology

There are a number of tools that can make a big impact on your document management.

SharePoint Metadata absolutely has a place in organising your formal document stores. Adding a few columns to track the type of information a document holds, who is responsible for it, and when it needs to be reviewed can make the management of records simple. 

Version Control, properly understood, removes the need to store multiple copies of documents (version 2, version 2a, 2a-1, final, final final…. You know the type of thing!)

Sharing rather than attaching is a massive culture shift, but once it’s embedded drastically reduces the number of documents stored, means that there is only ever 1 version of the truth, and gives you the ability to remove a document or content at source if needed.

Retention Labels allow you to prevent a document from being accidentally deleted before its time, and then will add a document to a Disposition Review list when it needs to be deleted. A simply amazing tool for any Data Protection Officer…

Security Labels will add headers to documents that tell people how to treat them, and can automatically encrypt key documents so that they cannot be viewed outside of your organisation. You can even track a document so that you can see where in the world it is being viewed, and rescind it if anything looks suspicious.

Data Loss Prevention automatically scans emails and documents for known patterns – credit card numbers, national insurance numbers etc – and takes action to prevent these being accidentally sent to the wrong people.

Train

OK, you’ve done a brilliant job of defining your new structures, set up your metadata, added your retention policies into labels, designed your security, then you let your lovely new system loose on your users.

You’ve just asked them to make a major change to how they do their day-to-day work, and they’re going to hate it!

You need to do a proper Change Management exercise – work out how to get people on board, sell the benefits, introduce the changes gradually, give people sufficient but not overwhelming training, support them in their transition perhaps by training up Champions – members of their team who can help them day-to-day.

Make sure that they know that you understand that this is a big deal for them, and give them the support that they need.

The success of this phase will be largely reliant on your senior team buying in to what you do. Get them on board, and everybody else will follow.

Audit and Review

This Change Management project isn’t a single quick fix. You need to audit how people are engaging, check that they’re following the rules, find out what’s not working for people and make changes.

If you want your data storage to keep tidy, organised and secure, this will be an ongoing process forever – unfortunately even the best designed file stores don’t look after themselves and need constant care and attention.

This all takes time. But the benefits to the organisation can be massive. Working in an environment where documents are properly filed, where people can quickly find the information that they need and be confident that its the current version, where protections are in place to stop people from sending the wrong thing to the wrong place – this takes time and money to set up, but can only be of great long-term benefit.

 

 

* https://ico.org.uk/action-weve-taken/enforcement/?facet_sector=&facet_date=&date_from=&date_to=