SharePoint and GDPR compliance – Classify, prepare and protect

During the last couple of months, you have probably heard a lot about the new European Union General Data Protection Regulation which will apply from 25th May 2018. The GDPR is all about data classification, so you need to prepare SharePoint properly.

The clock is ticking for all companies with operations in the European Union or employees or customers who are residents of the EU. If they have not already done so, they need to make a start on their GDPR strategies immediately and prepare properly!

GDPR – Terminology and the Core Pillars

As more business processes are moving to the digital world, this regulation will allow individuals to get more control over their personal data. It also protects all EU citizens’ privacy from data breaches, malicious usage and illegal distribution.

Defining personal data – it is basically any information that can be used, directly or indirectly, to identify the person. It can be anything from a name, a photo, an email address, bank account details, posts on social networking websites, medical information, or a computer IP address.

Scope and Obligations

GDPR applies to any company that markets and processes goods or services to EU residents, regardless of the company’s location or industry sector (Article 3).

Here is a brief overview of the core pillars of GDPR:

• Consent – any request for consent must be given in an intelligible and easily accessible form. This obliges companies to ask consumers for their explicit consent whenever they want to process their data (Article 7). It should be easy for a consumer to withdraw consent. Companies should keep a record of the giving and withdrawing of consents.
• Right to access + Right to be forgotten + Data portability – the company must be able to provide a copy of all the personal data, free of charge, in an electronic format. Data subjects also have the right to know how, where and for what purpose their personal data is being processed. It should be in a machine-readable format, able to be transmitted easily. When an individual no longer wants his or her data to be processed, and provided that there are no legitimate grounds for retaining it, companies will have to delete it (Articles 15, 17, 20).
• Breach notifications – consumers have the right to know when their personal data has been hacked and leaked! When a data breach occurs, companies have 72 hours to inform the regulator and are also required to inform individual data subjects of data breaches (Articles 33, 34).

Your organization has to provide a stable and secure environment for your EU customers and employees, and their personal data, otherwise you might end up facing huge fines: 4% of annual global turnover or €20 million (whichever is greater). You should also check if your company needs a Data Protection Officer.

We recommend that companies examine the Regulation thoroughly: https://www.eugdpr.org/gdpr-faqs.html and https://gdpr-info.eu/

SharePoint and GDPR compliance 

More than 200 000 organizations use SharePoint today, so there are a lot of professionals wondering what should they do to prepare their SharePoint environment to be GDPR compliant.

First, training is essential to help everyone in your organization understand the GDPR principles. Let’s consider this simple example: uploading a file to SharePoint is a very easy thing to do, and you can easily end up having personal data scattered all around. Not to mention sending files around via email. Because of all these problems, the first step for your company should be to set up some security and governance rules and educate the teams!

How to prepare?

What can you do regarding SharePoint administration?

You should minimize data security risks by:

• enforcing strong records management,
• being aware of who has access to what,
• tracking who has changed or accessed personal data,
• enforcing governance policies,
• detecting malicious behavior,
• classifying your SharePoint objects to know where is the private data is stored.