Apply labels to personal data in Office 365

Use this topic if you are using Office labels as part of your GDPR protection plan. Today, labels can be created in the Office 365 Security & Compliance Center and in Azure Information Protection. Over time, these technologies will converge into a unified labeling and classification experience, and you will be able to achieve even more.

If you are using labels for protection of personal data in Office 365, Microsoft recommends you start with Office labels. You can use Advanced Data Governance to automatically apply labels based on sensitive information types or other criteria. You can use Office labels with data loss prevention to apply protection. You can also use labels with eDiscovery and Content Search. You’ll soon be able to use both labels and sensitive information types with Cloud App Security to monitor personal data that resides in other SaaS apps.

Azure Information Protection labels are currently recommended for applying labels to files on premises and in other cloud services and providers. These are also recommended for files in Office 365 that require Azure Rights Management (Azure RMS) encryption for data protection, such as trade secret files.

At this time, using Azure Information Protection to apply Azure RMS encryption is not recommended for files in Office 365 with data that is subject to the GDPR. Office 365 services currently cannot read into RMS-encrypted files. Therefore, the service can’t find sensitive data in these files.

Azure Information Protection labels can be applied to mail in Exchange Online, and these labels work with Office 365 data loss prevention. Coming soon, with the unified classification and labeling engine, you will be able to use the same labels for email and files, including automatically labeling and protecting email in transit.

Office 365 labels and Azure Information Protection labels

In the illustration:

  • Use Office 365 labels for personal data and for highly regulated & trade secret files in SharePoint Online and OneDrive for Business.

  • Use Azure Information Protection (AIP) labels for highly regulated & trade secret files, Exchange Online email, files in other SaaS services, files in on-premises datacenters, and files in other cloud providers.

  • Coming soon: both types of labels will converge into a unified classification and labeling experience.

Use Office labels and sensitive information types across Microsoft 365 for information protection

The following illustration shows how Office labels and sensitive information types can be used in label policies, data loss prevention policies, and with Cloud App Security policies.

Office labels and sensitive information types

For accessibility, the following table provides the same examples in the illustration.

| Classification elements | Label policies — 2 examples | Data loss prevention policies — 2 examples | Cloud App Security policies for all SaaS apps — 1 example |
| --- | --- | --- | --- |
| Office labels. Examples: Personal, Public, Customer data, HR data, Confidential, Highly confidential | Auto apply this label . . . Customer data . . . to documents that match these sensitive information types . . . <list of example sensitive information types> | Apply this protection . . . <define protection> . . . to documents with this label . . . Customer data | Alert when files with these attributes . . . <predefined PII attribute -or- custom expression> . . . in any sanctioned SaaS app are shared outside the organization |
| Sensitive information types. Examples: Belgium National Number, Credit Card Number, Croatia Identity Card Number, Finland National ID | Publish these labels for users to manually apply . . . <select labels> . . . to these locations . . . <all locations or choose specific locations> | Apply this protection . . . <define protection> . . . to documents that match these sensitive information types | |

Note: Attributes coming soon to Cloud App Security include Office 365 sensitive information types and Unified labels across Office 365 and Azure Information Protection.

Prioritize auto-apply label policies

For personal data that is subject to GDPR, Microsoft recommends auto-applying labels by using the sensitive information types you curated for your environment. It is important that auto-apply label policies are well designed and tested to ensure the intended behavior occurs.

The order in which auto-apply policies are created, and whether users are also applying these labels, affects the result. So, it is important to carefully plan the roll-out. Here’s what you need to know.

One label at a time

You can only assign one label to a document.

Older auto-apply policies win

If there are multiple rules that assign an auto-apply label and content meets the conditions of multiple rules, the label for the oldest rule is assigned. For this reason, it is important to plan the label policies carefully before configuring them. If an organization requires a change to the priority of the label policies, they will need to delete and recreate them.

Manual user-applied labels trump auto-applied labels

Manual user-applied labels trump auto-applied labels. Auto-apply policies cannot replace a label that is already applied by a user. Users can replace labels that are auto-applied.

Auto-assigned labels can be updated

Auto-assigned labels can be updated by either newer label policies or by updates to existing policies.

Be sure your plan for implementing labels includes:

  • Prioritizing the order that auto-apply policies are created.

  • Allowing enough time for labels to be automatically applied before rolling these out for users to manually apply. It can take up to seven days for the labels to be applied to all content that matches the conditions.

Example priority for creating the auto-apply policies

| Labels | Priority order to create auto-apply policies |
| --- | --- |
| Human Resources — Employee Data | 1 |
| Customer Data | 2 |
| Highly Confidential | 3 |
| Human Resources — Salary Data | 4 |
| Confidential | 5 |
| Public | 6 |
| Personal | No auto-apply policy |
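The precedence rules above, modelled as an added example for checking a planned policy order before any policy is created; this is not Microsoft's code or the service's implementation. Labels and creation order are taken from the example priority table, while the mapping of sensitive information types to labels and the helper names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AutoApplyPolicy:
    created_order: int       # lower = created earlier (older policy)
    label: str
    info_types: frozenset    # sensitive information types that trigger it

@dataclass
class Document:
    detected_types: set
    label: Optional[str] = None
    applied_by: Optional[str] = None   # "user" or "auto"

# Labels and order follow the example priority table; the type mapping is assumed.
PLAN = [
    AutoApplyPolicy(2, "Customer Data", frozenset({"Credit Card Number", "Belgium National Number"})),
    AutoApplyPolicy(3, "Highly Confidential", frozenset({"Credit Card Number", "Finland National ID"})),
    AutoApplyPolicy(5, "Confidential", frozenset({"Credit Card Number"})),
]

def auto_apply(doc, policies):
    """One label per document; the oldest matching policy wins; a label
    applied by a user is never replaced by an auto-apply policy."""
    if doc.applied_by == "user":
        return doc.label
    matches = [p for p in policies if p.info_types & doc.detected_types]
    if matches:
        oldest = min(matches, key=lambda p: p.created_order)
        doc.label, doc.applied_by = oldest.label, "auto"
    return doc.label

def user_apply(doc, label):
    """Users can replace any existing label, including an auto-applied one."""
    doc.label, doc.applied_by = label, "user"
    return doc.label

def shadowed(policies):
    """Labels of policies that can never win: every type they match is
    already covered by older policies, so an older policy always wins."""
    result = []
    for p in policies:
        older = set().union(*(q.info_types for q in policies
                              if q.created_order < p.created_order))
        if p.info_types <= older:
            result.append(p.label)
    return result
```

Because priority can only be changed by deleting and recreating policies, a non-empty result from `shadowed()` is worth resolving while the order is still on paper.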

Create labels and auto-apply label policies

Create labels and policies in the Security & Compliance Center.

| Step | Description |
| --- | --- |
| Give permissions to members of your compliance team. | Members of your compliance team who will create labels need permissions to use the Security & Compliance Center. Go to Permissions in Security and Compliance Center and modify the members of the Compliance Administrator group. See Give users access to the Office 365 Security & Compliance Center. |
| Create Office labels. | Go to Classifications in Security and Compliance Center, choose Labels, and create the labels for your environment. |
| Create auto-apply policies for labels. | Go to Classifications in Security and Compliance Center, choose Label policies, and create the policies for auto-applying labels. Be sure to create these policies in the prioritized order. |

The following illustration shows how to create an auto-apply label for the Customer data label.

Create and apply a label for customer data

In the illustration:

  • The “Customer data” label is created.

  • The desired sensitive information types for GDPR are listed: Belgium National Number, Credit Card Number, Croatia Identity Card Number, Finland National ID.

  • The auto-apply policy assigns the label “Customer data” to any file that includes one of the sensitive information types that you add to the policy.