Data minimization policies in Privacy Risk Management

Data minimization policies focus on the age of your content and how long it has been since it was last modified. Monitoring for personal data that's still being retained in older, unused content can help you better manage your stored data and reduce risks.

Privacy Risk Management allows you to create policies to monitor data that hasn't been modified within a timeframe that you select. When a policy match is detected, you can send users email notifications with remediation options that include marking items for deletion, notifying content owners, or tagging items for further review.

Our policy setup process makes it easy to set policy conditions. You have full control over alert timing and frequency of emails that bring users' attention to safe data handling practices.

There are two ways you can create a policy: from a template, which is our quick "out-of-box" option using default settings; or the custom option, which is a guided process for setting conditions, alerts, and notifications.

Quick setup: Use a template with default settings

The default data minimization policy detects content containing personal data that was created or modified at least 30 days ago.

Follow these steps to create a default data minimization policy:

  1. In the Microsoft Purview compliance portal, find Priva Privacy Risk Management in the left navigation and select Policies.

  2. Select Create a policy at the upper right corner of the screen, which displays a flyout pane listing all policy creation options.

  3. In the Data minimization box, select Create.

  4. A flyout pane contains policy details. Selecting View settings will show the default settings. You can edit settings from here, which takes you into the guided process outlined below. To continue creating your policy using the default settings, simply enter a descriptive name, then select Create policy.

Your policy will be created and you'll find it listed on your Policies page. It begins in test mode so you can monitor how it performs before turning it on.

Default data minimization policy settings

A data minimization policy created from the template will detect:

  • Content items containing personal data that has not been modified in at least the last 30 days.
  • Data that is stored in any of these locations within your organization: Exchange, OneDrive, SharePoint, Teams.
  • Data types based on the following classification groups:
    • EU General Data Protection Regulation (GDPR)
    • US personally identifiable information
    • US Patriot Act
    • US State Breach Notification Law
    • US Gramm-Leach-Bliley Act (GLBA)
    • US Health Insurance Portability and Accountability Act (HIPAA)
    • Australia Health Records Act (HRIP)
    • Australia Privacy Act
    • Japan personally identifiable information
    • Japan Protection of Personal Information

Custom setup: Guided policy creation process

The custom policy option is a guided process to create a new policy by setting conditions, designating alert severity and frequency, and turning on user email notifications.

Complete the steps below to create a new data minimization policy:

  1. In the Microsoft Purview compliance portal, find Priva Privacy Risk Management in the left navigation and select Policies.

  2. Select the Create a policy button in the upper right of your screen, which displays a flyout pane listing all policy creation options.

  3. In the Custom box, select Create.

  4. On the Name and type page, select the Data minimization policy template. Enter a policy name that will help you easily identify it from your list on the Policies page, and enter an optional description, then select Next.

  5. On the Data to monitor page, choose the type of personal data you want your policy to monitor. There are two options:

    • Classification groups: groupings of sensitive information types that are used to detect content related to personal data or specific regulations. If you select this option, you'll then need to select +Add classification groups to choose one or more groups from the list provided.
    • Individual sensitive information types: select this option to choose from a list of individual sensitive information types.

    Learn more about choosing data to monitor. When you're done selecting data to monitor, select Next.

  6. On the Users and groups page, choose which users in your organization the policy will apply to. You can select all individual users and all Office 365 distribution groups, or you can select specific users and groups. Learn more about choosing users and groups. When you're done, select Next.

  7. On the Locations page, select all the data locations in Microsoft 365 that you want the policy to cover. Choose from Exchange email accounts, OneDrive accounts, Teams chat and channel messages, and SharePoint sites.

    Within SharePoint you can designate all sites or specific sites. If you select Specific SharePoint sites, you can enter the site URL in the URL field. You can also select +Choose sites, then on the flyout pane, check the box to the left of the site name you want to select.

    Learn more about choosing locations. When you're done selecting locations, select Next.

  8. On the Conditions page, use the drop-down menu to choose how many days since an item was last modified that the policy will detect:

    • 30 days
    • 60 days
    • 90 days
    • 120 days

    When you're done, select Next.

  9. On the Outcomes page, decide whether to notify users when they match the conditions set by the policy. If you check the email notifications box, users will receive an email notification when their actions match policy conditions. Emails will contain instructions to take remediation actions directly from the email, along with a link to privacy training. You'll designate the frequency of emails and the URL for your preferred privacy training.

    Learn more about setting up user notifications. When you're done selecting outcomes, select Next.

  10. On the Alerts page, use the toggle switch to turn on alerts that an admin will see on the Alerts page in the Policies section of Privacy Risk Management. You'll designate how frequently alerts are generated, thresholds for matches before alerts are generated, and alert severity. Learn more about setting alerts for policy matches. When you're done, select Next.

  11. On the Mode page, decide whether or not you want to run your policy in test mode when you first create it, which means no alerts or notifications will be sent. To keep your policy in test mode, which we recommend, select the toggle switch to the On position. Learn more about testing a policy.

Note

If you toggle the Run in test mode switch to the Off position, this will turn on your policy when you're done creating it. This means any alerts or user notifications you set up will start generating once a match is detected.

  12. On the Finish page, review your choices. Select Edit underneath any of the sections in order to adjust settings. When you're satisfied with your policy's settings, select Submit to create the policy.

After a few seconds, you'll see a confirmation that the policy was created. Select Done on the confirmation page, which will take you to the Policies page where you'll see the new policy at the top of the table.
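The conditions a data minimization policy evaluates (selected locations, days since last modified, and detected classification groups) and the effect of test mode on outcomes, as an added Python model that is not Priva's own code; the item inventory, the policy values, the alert threshold semantics and the outcome labels are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the settings this page describes; it is not Priva's code.
SUPPORTED_LOCATIONS = {"Exchange", "OneDrive", "SharePoint", "Teams"}
AGE_CHOICES = {30, 60, 90, 120}  # the Conditions page drop-down values

@dataclass
class Policy:
    min_days_unmodified: int    # one of AGE_CHOICES
    classification_groups: set  # e.g. {"GDPR", "HIPAA"}; an item must hit at least one
    locations: set              # subset of SUPPORTED_LOCATIONS
    test_mode: bool = True      # test mode records matches but sends nothing
    alert_threshold: int = 1    # assumed: matches needed before an admin alert

    def __post_init__(self):
        if self.min_days_unmodified not in AGE_CHOICES:
            raise ValueError(f"unsupported age: {self.min_days_unmodified}")
        if not self.locations <= SUPPORTED_LOCATIONS:
            raise ValueError(f"unknown location(s): {self.locations - SUPPORTED_LOCATIONS}")

@dataclass
class Item:
    item_id: str
    location: str
    last_modified: datetime
    classification_groups: set  # groups whose sensitive info types were detected

def matches(policy: Policy, item: Item, now: datetime) -> bool:
    """All three page conditions must hold: location, age, and data type."""
    age_days = (now - item.last_modified).days
    return (item.location in policy.locations
            and age_days >= policy.min_days_unmodified
            and bool(item.classification_groups & policy.classification_groups))

def evaluate(policy: Policy, items: list, now: datetime) -> tuple:
    """Return (matched item ids, outcomes); outcomes stay empty in test mode."""
    hits = [i.item_id for i in items if matches(policy, i, now)]
    if policy.test_mode:
        return hits, []
    outcomes = [f"notify_owner:{h}" for h in hits]  # user email with remediation options
    if len(hits) >= policy.alert_threshold:
        outcomes.append("admin_alert")              # surfaced on the Alerts page
    return hits, outcomes

# Constructed inventory (hypothetical items) and a constructed 30-day policy.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ITEMS = [
    Item("doc-1", "SharePoint", NOW - timedelta(days=45), {"GDPR"}),
    Item("mail-2", "Exchange", NOW - timedelta(days=10), {"GDPR"}),   # modified too recently
    Item("chat-3", "Teams", NOW - timedelta(days=200), {"GDPR"}),     # Teams not in scope
    Item("file-4", "OneDrive", NOW - timedelta(days=400), {"HIPAA", "US PII"}),
]
POLICY = Policy(30, {"GDPR", "HIPAA"}, {"Exchange", "OneDrive", "SharePoint"})
```

Running `evaluate(POLICY, ITEMS, NOW)` in test mode lists the two stale matches but yields no outcomes; switching `test_mode=False` produces the owner notifications and, once the threshold is met, the admin alert.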

Next steps

Visit Privacy Risk Management policies for details about how to edit and manage policies.