
A Business Agility eBook

GDPR & SharePoint


Business Agility specialises in the delivery of solutions built on Office 365 and SharePoint.

We build solutions to both the common and the uncommon. This can be anything from:

• Intranets, Document Management Systems, workflow processes

• Migrating you to a new version of SharePoint

• Planning your information architecture around SharePoint

• Hosted SharePoint, SharePoint Online and Office 365

• Building industry-specific solutions

Business Agility Consulting Ltd

What is GDPR?

GDPR stands for General Data Protection Regulation and it is a new law that will replace the EU’s existing data protection and privacy regulation. It was agreed in April 2016 and will come into force in May 2018. The GDPR will apply to all companies that process personal data of European Union (EU) citizens. Individuals will be able to request a copy of all personal data held by a company that relates to them as an individual, and will have the right to have their personal data erased from the records of an organisation. An individual must explicitly agree to a company retaining personal data relating to them.

What about Brexit?

The UK’s decision to leave the EU will not affect the commencement of the GDPR. After the UK leaves the European Union the GDPR will still be in effect, and organisations are still at risk of a penalty if they do not comply. The data doesn’t even need to be stored within the EU for the regulation to apply: if it pertains to EU citizens, it can be stored anywhere and must be GDPR compliant.


Whether personal data is held in a single repository or across thousands of disparate systems, SharePoint can be employed to help you interact with and control it in the most efficient and scalable way.

So, what now?

Many organisations today are careful with their data; more and more companies rely on digital methods to manage it. However, this brings risks if secure methods aren’t adopted. Data breaches happen every day, and the consequences of holding insecure data can be costly. Therefore, GDPR requires your consideration, not just because of the penalties you may incur for not following the regulation, but also because of the other costs of a data breach, cyber-attack or lost data.

It’s not just information pertaining to external contacts that needs to be considered for GDPR compliance either. Employee data (old and new) must be treated the same way. This can be anything from details about employees who have now left the company to a list of potential candidates for a role (and everything in between!).

Your organisation needs to ensure that it’s GDPR ready in time for May 2018. This means your organisation needs to identify what data it has and where it is kept. Once this has been established, you can move on to leveraging SharePoint to help you get your data in order (this is what SharePoint is REALLY good at!).


Microsoft’s SharePoint can help you become GDPR compliant regarding data management and control. Whether you’re using it on-premises or in the Cloud with Office 365, there are secure ways to ensure your data is well-governed and compliant.

There are three main points you need to think about when using SharePoint for your data needs:

1. Information/Content Management
2. Retention Policies
3. Discovery

As said previously, once you have identified what data you have and where it’s located, you can use SharePoint to help you manage your documents and your retention policies, and it can also assist with data discovery. You may even have SharePoint access right now and not even know it!


business-agility.com


Recommended GDPR uses for Microsoft SharePoint

Use SharePoint for Document and Content Management

Document management is a huge part of dealing with data. It can involve locating documents, moving them and storing them in a new place. On top of this, correct permissions need to be ensured, as well as data security measures. SharePoint can help you in this process from A to Z.

There is a difference between document management and content management, but which applies depends on what kind of data is collected. The GDPR is specific to each individual company: it depends on what you collect and how you store it. Document and content management in SharePoint go hand in hand – they’re essentially treated the same way. However, you must be able to prove that the documents or content are safe and compliant.

Firstly, the most important thing to do is to identify what data/documents need to be managed and how they need to be managed. Microsoft like to say that you ought to “keep what you need and get rid of the rest” when it comes to data governance. It’s a good strategy to start off with, especially if you have a lot of documents that need managing.

Once you have identified where your documents are and whether you still need them, you can then use SharePoint to help you manage the process of becoming GDPR compliant. Being able to govern how data is used and processed is vital in your document management strategy.

Metadata tagging is available throughout SharePoint and allows you to categorise your data more accurately, making it easier to find and more useful to keep. One of the many management features available in SharePoint is centrally managed metadata: a hierarchical taxonomy that lets you define the terms your company uses regularly and reuse them when you create new lists or libraries to collect information. This gives you a central pool of terms to choose from rather than having to create them fresh each time. Centralised managed metadata is useful for GDPR compliance because you’ll be able to show that you have a set vocabulary that you use to categorise your data collection.

Using classification labels can help you keep track of your documents as well as find out more about them and where they fit into your GDPR strategy. Classification labels in SharePoint enable you to generate a label to mark personal data coming under the general umbrella of GDPR and then apply that label to the appropriate documents.

Certain versions of Office 365 allow you to create auto-label policies that name the record in Exchange, SharePoint and OneDrive. This helps record data types and their locations – a big part of the discovery and management requirements of the GDPR.

SharePoint allows you to use document management as a way of collecting data. Once you’ve designed a data collection platform then you can collect information about individuals and have it in a framework that’s built by design. You can design your collection method to match what you need to collect – and that’s what the GDPR requires. For example, you can run content management on Lists – for potential clients or a contacts list.

As long as you design your lists or libraries in SharePoint to match the way you want to collect information, then you’ll be compliant. SharePoint gives you the platform to customise the List to allow you to make it what you need it to be. The structure of your List becomes your proof that you have thought about how this data is going to be collected and what you’re going to do with it. You can then put a retention policy on the List to show that you’ve thought about the destruction of the data as well. For example, if you’re a marketing company in the possession of a potential clients List in SharePoint, you can set it by design to delete records after three months if no contact is made with that potential contact.

Policies

You can get various kinds of policies that will look at your data and search for security risks. For example, there’s a policy that looks for sequences of numbers in your data that look like a credit card number. If someone tries to save a number like that into their OneDrive, the policy will pick this up and encrypt it – or it can send an email to the data admin to let them know so they can follow it up. Policies take care of users who may be saving things they shouldn’t be saving, and so assist your organisation on an internal level.

Microsoft is currently developing a GDPR policy – which may not be ready until early 2018 – but it’s worth knowing what current policies in Office 365 and SharePoint can do when it comes to sensitive data (which can be anything really – from a name to a street address).

Policies are an effective way of taking the challenging work out of surveying your data. The policies will do it for you – rather than have someone do it manually. The GDPR does want someone in charge of your company’s personal data so they hold the responsibility for it, but luckily it doesn’t need to be their full-time job if correct policies are in place.
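To show what such a policy actually does under the hood, here is an added Python model of the credit-card check described above. It is example code written for this page, not Microsoft’s DLP implementation: it finds 13–19 digit sequences, confirms them with the Luhn checksum so plain order numbers are not flagged, masks each hit (standing in for the encryption step) and records an alert for the data admin (standing in for the e-mail). The document name, owner and sample text are constructed; the card numbers are the well-known test numbers, not real accounts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers. Other digit
    strings can pass by chance, so a real policy pairs this with issuer prefixes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, digits) for every Luhn-valid card-like number in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits, the usual form for an admin notification."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class PolicyResult:
    redacted_text: str
    alerts: List[dict] = field(default_factory=list)


def apply_policy(document: str, owner: str, text: str) -> PolicyResult:
    """Stand-in for a DLP policy action: redact matches in place and record one
    alert per match (a real policy would encrypt the item and e-mail the admin)."""
    hits = find_card_numbers(text)
    redacted = text
    for start, end, digits in reversed(hits):   # right-to-left keeps offsets valid
        redacted = redacted[:start] + mask(digits) + redacted[end:]
    alerts = [
        {"document": document, "owner": owner, "type": "credit_card",
         "value": mask(digits), "offset": start}
        for start, end, digits in hits
    ]
    return PolicyResult(redacted, alerts)


# Constructed sample text. The 16-digit order reference fails the Luhn check
# and must not be flagged; the two card numbers are standard test numbers.
SAMPLE_TEXT = (
    "Customer paid with card 4111 1111 1111 1111 on Monday. "
    "Order reference 1234567812345678. "
    "Backup card on file: 5500-0000-0000-0004."
)

if __name__ == "__main__":
    result = apply_policy("notes.docx", "alice", SAMPLE_TEXT)
    print(result.redacted_text)
    for alert in result.alerts:
        print("ALERT", alert)
```

The Luhn step is what keeps a policy like this from drowning the admin in false positives: any 16-digit reference number looks like a card until the checksum says otherwise.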


Use SharePoint for Retention Policies

The idea behind retention policies is that every piece of data has a limited lifetime. Once it reaches the end of that lifetime, the retention policy takes some action against the data. Retention policies are important for GDPR because they act as a failsafe: when you design data collection, you also need to design the full lifecycle. If at the end of the lifecycle the data needs to be deleted, the retention policy will take care of that for you automatically.

Retention policies are slightly different in SharePoint to policies in general. A retention policy is a more localised item. For any library or list, you can set up a retention policy just for that library or list that says, “look for something” – which tends to be an expiry date. When an expiry date is reached, then SharePoint can automatically (without any other intervention) take action against that data – be it a document or a list item. It doesn’t necessarily just ‘delete’ that item. The trigger action can be almost anything, such as moving the data, checking the document, running a workflow against the document and more.

If you have identified the data you need to keep and the data which needs to be removed, it’s vital to review how long you need to retain the data for. This is useful in general for auditing purposes – but it’s also important in being GDPR compliant. Your retention policy must include how you move data and content from one location to another, how it’s stored, how long for, and how you’re going to destroy it at the end of its lifecycle.
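The lifecycle described in this section, as an added Python example (not SharePoint’s own retention engine): a policy watches one date column on a list, and when an item passes its retention period the job deletes it, moves it to an archive location, or hands it to a workflow, writing an audit entry for each action. The “Potential Clients” list, the `last_contact` column, the item names and the 90-day period (the eBook’s “three months”) are assumptions made for the example; the fixed date makes the run reproducible.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class ListItem:
    item_id: int
    title: str
    last_contact: date                 # the date column the policy watches
    location: str = "Potential Clients"


@dataclass
class RetentionPolicy:
    date_field: str                    # which column starts the clock
    retain_for: timedelta              # how long the item may live after that date
    action: str                        # "delete", "move" or "workflow"
    target: Optional[str] = None       # archive location for "move", workflow name for "workflow"


def is_expired(item: ListItem, policy: RetentionPolicy, today: date) -> bool:
    start = getattr(item, policy.date_field)
    return today >= start + policy.retain_for


def run_retention(items: List[ListItem], policy: RetentionPolicy,
                  today: date, audit: List[tuple]) -> List[ListItem]:
    """Apply the policy once (a scheduled job would call this daily). Returns the
    items that remain in the list; every action is appended to `audit` so the
    organisation can show what happened to the data and when."""
    remaining = []
    for item in items:
        if not is_expired(item, policy, today):
            remaining.append(item)
            continue
        if policy.action == "delete":
            audit.append((today, item.item_id, "deleted", item.location))
        elif policy.action == "move":
            audit.append((today, item.item_id, "moved", f"{item.location} -> {policy.target}"))
            item.location = policy.target      # still exists, now in the archive
            remaining.append(item)             # (the archive needs its own policy)
        elif policy.action == "workflow":
            audit.append((today, item.item_id, "workflow", policy.target))
            remaining.append(item)             # the workflow decides what happens next
        else:
            raise ValueError(f"unknown action {policy.action!r}")
    return remaining


TODAY = date(2018, 5, 25)   # fixed "now" so the example is reproducible


def sample_items() -> List[ListItem]:
    """Constructed potential-client records at different ages."""
    return [
        ListItem(1, "Acme Ltd enquiry", TODAY - timedelta(days=100)),
        ListItem(2, "Beta plc enquiry", TODAY - timedelta(days=90)),
        ListItem(3, "Gamma GmbH enquiry", TODAY - timedelta(days=10)),
    ]


DELETE_AFTER_90_DAYS = RetentionPolicy("last_contact", timedelta(days=90), "delete")
ARCHIVE_AFTER_90_DAYS = RetentionPolicy("last_contact", timedelta(days=90), "move", "Archive")

if __name__ == "__main__":
    audit: List[tuple] = []
    left = run_retention(sample_items(), DELETE_AFTER_90_DAYS, TODAY, audit)
    print("remaining:", [i.title for i in left])
    for entry in audit:
        print("audit:", entry)
```

The audit list is the part auditors and regulators will ask for: the policy itself proves you designed the lifecycle, and the log proves the design was executed.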


Use SharePoint for Discovery

If your organisation holds data disparately, e.g.:

• in customer databases

• in feedback forms

• in email content

• in photos

• in CCTV footage

• in loyalty program records

• in HR databases

or anywhere else – or wishes to collect it – and if the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR: the GDPR applies to data collected, processed or stored outside the EU if the data relates to EU citizens.

Leverage a rich contextual Search function

Search is second to none in SharePoint. You can set up your data collection to allow search to find different elements associated with pieces of data, e.g. a content type defining a person. One of the big pieces of GDPR is that anyone can contact a company and request what data is held about them. Therefore, companies must be able to provide (in a friendly format such as text or a JPEG) all information associated with a person. That person also has the right to be forgotten and can ask that everything about them gets deleted. Search is very important here: you want to be able to search for a person’s details and find everything associated with them. SharePoint can do this for you – it’s very sophisticated when it comes to discovery of data. As long as you set it up correctly and by design, SharePoint can be very useful for you.


Use SharePoint for Data Security and Protection

Data security is one of the most prominent aspects of the GDPR. Being able to store data securely and to apply suitable permissions to certain data will help you ensure you’re GDPR compliant. SharePoint is an exceptionally collaborative platform – you can co-author documents at the same time as well as freely share documents internally and externally. These features sound great when it comes to enabling productivity in your organisation; however, they come with substantial risks too. It can be as simple as sharing a link to a document that wasn’t meant for the recipient, or allowing someone to co-author a document that they weren’t supposed to have access to. This is how data breaches start, and unless you have stringent policies and procedures, your data isn’t 100% safe and secure.

Luckily, you can flexibly administer a level of control over your system by setting permissions and access rights. If you’re an administrator or owner of a library, list or survey, you can change permissions to let the right people access the data they need while restricting others.


It’s important to have policies in place for when people leave your company and what data they may still have access to. Be sure to remove access permissions of their internal accounts. Remember: if you have data in the Cloud, it can be accessed from anywhere – so an employee doesn’t have to be on company property to be able to access it! Removing permissions is just as simple as adding them in. It’s also a good idea to check the permissions on a regular basis, just in case.
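The regular permission check recommended here, and the sharing-link risk from the previous section, as an added Python example (not a SharePoint feature or script from the eBook): given an export of who has access to what, it lists direct grants held by accounts that are no longer current users or known groups, and sharing links on locations labelled as holding personal data, and turns both into a removal plan the owner can action and keep as evidence. The user names, group names, locations and the `via_link` flag are all constructed for the example; a real run would feed it the permission report from the site or tenant administration pages.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Grant:
    location: str            # site, library or list the permission applies to
    principal: str           # user login, group name, or "anonymous" for an anyone-link
    level: str               # "Read", "Contribute", "Full Control", ...
    via_link: bool = False   # granted through a sharing link rather than assigned directly


def stale_grants(grants: List[Grant], active_users: Set[str], groups: Set[str]) -> List[Grant]:
    """Direct grants whose principal is neither a current user nor a known group:
    usually accounts of people who have left and were never removed."""
    return [g for g in grants
            if not g.via_link
            and g.principal not in active_users
            and g.principal not in groups]


def risky_links(grants: List[Grant], personal_data_locations: Set[str]) -> List[Grant]:
    """Sharing links on locations labelled as holding personal data; these bypass
    the permission model the library owner designed."""
    return [g for g in grants if g.via_link and g.location in personal_data_locations]


def review(grants: List[Grant], active_users: Set[str], groups: Set[str],
           personal_data_locations: Set[str]) -> Dict[str, List[str]]:
    """One review run; returns the removal plan as human-readable lines so the
    owner can action it and file the output as evidence of the check."""
    findings: Dict[str, List[str]] = {"remove_stale": [], "revoke_links": []}
    for g in stale_grants(grants, active_users, groups):
        findings["remove_stale"].append(f"{g.location}: remove {g.principal} ({g.level})")
    for g in risky_links(grants, personal_data_locations):
        findings["revoke_links"].append(f"{g.location}: revoke link for {g.principal} ({g.level})")
    return findings


# Constructed sample data; every name and location is invented for the example.
ACTIVE_USERS = {"alice@example.com", "bob@example.com"}
GROUPS = {"Marketing Members", "HR Owners"}
PERSONAL_DATA_LOCATIONS = {"Potential Clients", "HR Candidates"}
GRANTS = [
    Grant("Potential Clients", "Marketing Members", "Contribute"),
    Grant("Potential Clients", "carol@example.com", "Contribute"),   # Carol left last month
    Grant("Potential Clients", "anonymous", "Read", via_link=True),  # "anyone with the link"
    Grant("HR Candidates", "HR Owners", "Full Control"),
    Grant("HR Candidates", "dave@example.com", "Full Control"),      # Dave left too
    Grant("Team Wiki", "anonymous", "Read", via_link=True),          # no personal data here
    Grant("Team Wiki", "bob@example.com", "Read"),
]

if __name__ == "__main__":
    for category, lines in review(GRANTS, ACTIVE_USERS, GROUPS, PERSONAL_DATA_LOCATIONS).items():
        print(category)
        for line in lines:
            print("  ", line)
```

The check is only as good as the leaver list it is compared against, which is why the text pairs it with a joined-up offboarding process: the script finds what HR already knows, but only if HR tells it.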


Use SharePoint for Reporting

Reporting breaches – hopefully, you will never need to report a data breach at your company. However, the GDPR requires that an organisation must notify the authorities within 72 hours of discovering a data breach.

Whether it’s in the Cloud or on-premises, you have the security area in central administration which will allow you to monitor what’s going on with your environment. You can keep track of data – not just for hacking, but it’s more about knowing what your employees are doing. You can use central admin to use policies that report on what people are doing. For example, if someone within your company is downloading lots of sensitive data, central admin will be notified by email of this (thanks to the policies you’ve set up!)

When it comes to data requests, SharePoint allows you to use search and consolidate all the information you hold on somebody and put it into a report for them. Again, this is important where GDPR is concerned because you want to be able to be responsive to data requests and give the recipient a report in a timely manner.
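The data-request handling described here and in the Discovery section, as an added Python example that is not code from the eBook or from SharePoint: records from several lists are searched for a data subject by e-mail address and full name, consolidated into a plain-text report for the access request, and removed for a right-to-be-forgotten request with an audit line that records counts and sources only. The list names, field names and people are constructed; matching on e-mail is exact, while matching on a name can collide with another person and is marked for a human check.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Record:
    source: str            # the list or library the record lives in
    record_id: int
    fields: Dict[str, str]


def _norm(value: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(value.strip().lower().split())


def records_about(store: List[Record], email: str, full_name: str) -> List[Record]:
    """Every record with a field equal to the subject's e-mail or full name."""
    keys = {_norm(email), _norm(full_name)}
    return [r for r in store if any(_norm(v) in keys for v in r.fields.values())]


def access_report(store: List[Record], email: str, full_name: str) -> str:
    """Plain-text report for a subject access request, grouped by source.
    Name-only matches are flagged because two people can share a name."""
    found = records_about(store, email, full_name)
    lines = [f"Personal data held about {full_name} <{email}>",
             f"Records found: {len(found)}"]
    for source in sorted({r.source for r in found}):
        lines.append(f"[{source}]")
        for r in (r for r in found if r.source == source):
            by_email = any(_norm(v) == _norm(email) for v in r.fields.values())
            note = "" if by_email else "  (matched by name only: verify identity)"
            for key, value in r.fields.items():
                lines.append(f"  #{r.record_id} {key}: {value}{note}")
    return "\n".join(lines)


def erase(store: List[Record], email: str, full_name: str, audit: List[str]) -> List[Record]:
    """Right to be forgotten: return the store without the subject's records and
    log what was removed, keeping personal data out of the log itself."""
    found = records_about(store, email, full_name)
    ids = {(r.source, r.record_id) for r in found}
    audit.append(f"erased {len(found)} record(s) from {sorted({r.source for r in found})}")
    return [r for r in store if (r.source, r.record_id) not in ids]


# Constructed sample store spanning three lists; all people are fictional.
STORE = [
    Record("Contacts", 1, {"Name": "Jane Doe", "Email": "jane.doe@example.com"}),
    Record("Contacts", 2, {"Name": "Bob Roe", "Email": "bob@example.com"}),
    Record("Feedback forms", 7, {"Email": "Jane.Doe@example.com", "Comment": "Great service"}),
    Record("Feedback forms", 8, {"Email": "carol@example.com", "Comment": "Slow delivery"}),
    Record("HR Candidates", 3, {"Candidate": "jane doe", "Role": "Analyst"}),
]

if __name__ == "__main__":
    print(access_report(STORE, "jane.doe@example.com", "Jane Doe"))
    log: List[str] = []
    left = erase(STORE, "jane.doe@example.com", "Jane Doe", log)
    print(len(left), "records remain;", log[0])
```

Consolidating across lists is what makes the 72-hour and one-month clocks achievable: if each list has to be searched by hand, the report is late before it is started.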


Conclusion

SharePoint is a brilliant tool for ensuring your company is GDPR compliant before May 2018. Due to the hefty fines you can incur as a result of not being completely compliant with your GDPR processes internally, it’s recommended that you pay attention to those processes as soon as you can.

SharePoint really can be your friend when it comes to improving your data management. Whether it’s creating a bespoke policy for an unusual document type or record, or being able to search through all of your data, SharePoint is a valuable and flexible tool. There are things of course that as a company you need to address internally – and that’s the processes of your employees. How much data do they actually have access to? How easy would it be for them to breach internal data and share it externally? If an employee suddenly downloads an entire list of potential clients, how long until somebody realises and can do something about it? SharePoint can of course help you with notifications and permissions – but work processes need to be addressed on a wider scale first. A huge advantage to using SharePoint in this way is that you may already have access to it. If you have Office 365, then you’ll be able to access SharePoint. Therefore, you don’t have to look at purchasing expensive alternatives to be GDPR compliant.

If you’d like further advice on how you can use SharePoint to cure your business headaches, just get in touch with us.


Contact us for support and [email protected]


Business Agility Consulting Ltd
Spirella Building
Bridge Road
Letchworth Garden City SG6 4ET

01462 470 [email protected]

images created by Freepik