Managing Office 365 GDPR Data the Sherlock Holmes Way
Managing GDPR data requests can be very difficult across the multiple applications, file types, and storage locations that make up the Office 365 ecosystem. Finding and acting on data can take large amounts of detective work. So why not use the best detective, namely Sherlock Holmes, to provide a unique way to manage Office 365 GDPR data requests?
What you’ll learn by watching:
- The 5 steps to effectively manage GDPR data
- Tips for easily completing GDPR requests
- Tools for efficient, successful GDPR compliance
This 10-minute video will teach you how to manage Office 365 GDPR data the Sherlock Holmes Way. The full video transcript is below for those of you wishing to read the interesting and informative Sherlock Holmes way. Enjoy!
Welcome to Managing Office 365 Data the Sherlock Holmes Way. I’m Bob – and I’m pleased you’ve joined us for this video.
Just a brief word about Dropsuite. We are a publicly traded company listed on the Australian Securities Exchange as DSE. We provide industry-leading backup, archiving and recovery solutions delivered at scale to power your business defense. We simplify data protection so you can focus on delivering what your business does best: providing value and growth.
Are you using Microsoft Office 365? If yes, complying with GDPR can be daunting. Managing GDPR data requires the ability to Discover, Classify, Review, Take Action and Report.
Office 365 does include some tools to help with GDPR compliance, but more than likely you’re going to need more.
With data spread across multiple ecosystems and applications like Exchange Online, SharePoint, OneDrive, Groups, Teams, calendar, contacts, tasks and more – this could be daunting – where to begin?
Do It Like SHERLOCK HOLMES.
Let’s start by identifying three very typical GDPR use cases.
The first is the case of the Erasing EU User.
Your company was contacted by an EU customer with a “Right To Erasure” request. The GDPR article 17-1 states a data controller must comply with an erasure request “without undue delay”. Technological or budgetary shortcomings cannot be used to delay an erasure request. You must act quickly. What do you do?
Hint – do it the Sherlock Holmes Way!
The second typical GDPR use case is the Data Desiring EU Customer.
Your firm was contacted by an EU customer who wants a copy of all data stored by your firm. GDPR Article 15-1 stipulates the EU user must receive a copy of all data on file for that person. But how do you find it in the maze of systems, databases and file formats that exist in Office 365?
Hint – do it the Sherlock Holmes Way!
The third typical use case is the Information Requesting Regulator.
GDPR maintains a team of supervisory regulators per Article 31, and one of them has contacted your firm for data related to a reported rules transgression that occurred 10 months ago (GDPR Article 31). You have to quickly gather data and information detailing the who, what, when, why, where and to whom of that potential transgression. How do you search for, find and provide all this data going back so many months?
Hint – do it the Sherlock Holmes Way!
So let’s break down how to comply with each of those common GDPR use cases using the Sherlock Holmes Way. There are five key elements, and we’ll cover each of them in more detail shortly.
The five elements are:
- Discover: Find GDPR data using advanced search with dozens of metadata filters
- Classify: Create an eDiscovery Saved Search with keywords, tags and enable alerts
- Review: Mark for review GDPR data for compliance or DPO (Data protection officer) evaluation
- Take Action: Data sharing or deletion can be done by the DPO or authorized Admin
- Report: Use audit logs to confirm the data request was fulfilled and you are in compliance
We’ll review each of these in more detail. But first, it’s very important to remember that failure to comply with GDPR regulations could cost you!
- FINES can be up to 20,000,000 Euros or
- 4% of revenue, whichever is greater
Let’s look at each of the Sherlock Holmes GDPR elements in more detail.
First up is Discover.
You must know whom in your Office 365 data GDPR applies to. You must discover and identify GDPR users based on their primary location.
Sherlock Holmes was a master of discovering data, and you can be too.
Advanced search tools, like those found in Dropsuite’s Cloud Backup and Archiving for Office 365 product, will make it easy to locate any type of data across all applications and data sets and environments. You can use saved searches along with dozens of metadata filters to make discovery faster.
The second element is Classify.
Once you have discovered your GDPR user data, you’ll need to classify it using “Tags”, which are labels added to help identify data – just like Sherlock Holmes tags, classifies and corroborates his discoveries.
Classify your users and data as GDPR, or not. A key part of classify is to use saved searches as new users and data come in, to continuously classify GDPR data. Create an eDiscovery saved search with keywords and enable alerts to ensure your classification is always current.
The third element in the Sherlock Holmes way to manage GDPR data is Review.
Sherlock Holmes would review his discoveries with Dr. Watson. Likewise, you must mark the discovered GDPR data for compliance or Data Protection Officer review.
A very helpful tool to use for this is the eDiscovery saved search results. You can mark identified data for review or for compliance by the Data Protection Officer. The DPO can make the final determination and confirmation of GDPR data.
The fourth element is to Take Action.
Sherlock Holmes would take action to bring the case to a close. You must take action on your data, depending on the need.
Data export and sharing may be required if a GDPR user requests copies of all data on file.
Data deletion and confirmation of deletion may be required if a GDPR user asks for all data to be removed. Finally, data compliance actions may be needed if the DPO or GDPR regulators require it.
The fifth and final element of the Sherlock Holmes way of managing GDPR data is to Report.
After taking action, it’s case closed, right?
Just like how Sherlock Holmes would debrief and review the results of the case, you have to report on GDPR results and confirm action was taken.
Use audit logs to confirm the data was shared and/or deleted once a request was fulfilled. And if requested by 3rd party legal or regulatory agencies, your audit logs will be the source of proof of action.
So those are the five elements of managing your Office 365 GDPR data the Sherlock Holmes way.
To summarize the five elements:
- First – Discover: Find GDPR data using advanced search with dozens of metadata filters
- Second – Classify: Create an eDiscovery Saved Search with keywords, tags and enable alerts
- Third – Review: Mark for review GDPR data for compliance or DPO (Data protection officer) evaluation
- Fourth – Take Action: Data sharing or deletion can be done by the DPO or authorized Admin
- Fifth – Report: Use audit logs to confirm the data request was fulfilled and you are in compliance
For Office 365 admins, complying with GDPR regulations can be daunting. But by managing GDPR Data the Sherlock Holmes Way and using Dropsuite Backup and Archiving, you can eliminate burden, hassle and effort out of managing GDPR data.
Use Dropsuite Office 365 Backup and Archiving and the Sherlock Holmes Way to discover, classify, review, take action and report on results for GDPR data.
Managing GDPR Office 365 data with Dropsuite is elementary my dear Watson!
You can successfully fulfil ‘right to be forgotten’ requests ‘without undue delay’ with Dropsuite backup and archiving – and avoid costly non-compliance penalties.
For additional information about managing GDPR data or if you have any questions about email backup and archiving feel free to contact one of our experts by email at firstname.lastname@example.org, or visit us at our website: dropsuite.com, we’re happy to help!
Thanks for watching.