Apply protection to personal data in Office 365

Protection of personal information in Office 365 includes using data loss prevention capabilities. With data loss prevention (DLP) policies in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.

This topic describes how to use DLP to protect personal data. This topic also lists other protection capabilities that can be used to achieve GDPR compliance, including setting permissions in SharePoint libraries and using device access policies.

Apply protection using data loss prevention in Office 365

With DLP, you can:

  • Identify sensitive information across many locations.

  • Prevent accidental sharing of sensitive information.

  • Help users learn how to stay compliant without interrupting their workflow.

  • View DLP reports showing content that matches your organization’s DLP policies.

For more information, see Overview of data loss prevention policies.

Options for creating a Data Loss Prevention policy

This illustration shows the options for creating a DLP policy:

  • Choose the protection to apply. Protection can include:

    • Policy tips for users

    • Email report for admins

    • Prevent sharing externally, internally, or both

  • Choose the criteria for applying the protection. Apply the protection to documents with this type of content: you can configure the policy to use sensitive information types and/or labels.

Using DLP for GDPR compliance

One of the primary uses of Office 365 DLP is to identify personal data related to EU data subjects in your Office 365 environment. Office 365 DLP can notify your compliance teams of where personal information is stored in SharePoint Online and OneDrive for Business, or when users send email containing personal information. DLP can also provide policy tips to your employees when working with personal information related to EU residents.

Educating and raising awareness to where EU resident data is stored in your environment and how your employees are permitted to handle it represents one level of information protection using Office 365 DLP. Often, employees who already have access to this type of information require this access to perform their day to day work. Enforcing DLP policies to help comply with GDPR may not require restricting access.

However, complying with GDPR typically involves a risk based assessment of the organization from both a legal and information security perspective, identification of what type and where personal information is stored, as well as if there is a legal justification to store and process that information. Based on this assessment, implementing policies to protect the organization and comply with GDPR might require removing access for employees to documents that contain personal information for EU data subjects. In cases where further protection is required, additional DLP protection can be configured.

The following table lists three configurations of increasing protection using DLP. The first configuration, awareness, can be used as a starting point and minimum level of protection for GDPR.

Example protection levels that can be configured with DLP policies and used for GDPR compliance

Protection level: Awareness

DLP configuration for documents with personal information related to EU data subjects:

  • Send email notifications to compliance teams when this data is found in documents in SharePoint Online and OneDrive for Business.

  • Customize and display Policy Tips to employees in SharePoint and OneDrive for Business when accessing documents containing this data.

  • Detect and report when this data is being shared.

Benefits and risks:

  • Raise awareness with compliance teams as well as employees regarding where this data is stored.

  • Educate employees on corporate policy for handling documents containing this data.

  • Does not prevent employees from sharing this data internally or externally.

  • You can review DLP reports for shared data and decide if you need to increase the protection.

Protection level: Prevent external sharing

DLP configuration for documents with personal information related to EU data subjects:

  • Restrict access to documents that contain this data in SharePoint Online and OneDrive for Business when that content is shared with external users.

  • Prevent sending emails with documents that contain this data to external recipients.

  • Detect and report when this data is being shared.

Benefits and risks:

  • Prevents external sharing of this data while allowing employees to work with this data internally.

  • You can review DLP reports for internally shared data and decide if you need to increase this protection.

Protection level: Prevent internal and external sharing

DLP configuration for documents with personal information related to EU data subjects:

  • Restrict access to documents that contain this data in SharePoint Online and OneDrive for Business when that content is shared internally or externally.

  • Prevent sending emails which contain this data to both internal and external recipients.

Benefits and risks:

  • Prevents internal and external sharing of this data.

  • Employees might not be able to complete tasks that require working with this data.

  • You can review DLP reports for internally or externally shared data and decide if end user training is needed.

Note: As the levels of protection increase, the ability of users to access information will decrease in some cases, and could potentially impact their productivity or ability to complete day to day tasks. Increasing protection levels by implementing policies that impact employees is typically accompanied by end user training, educating users on new security policies and procedures to help them continue to be productive in a more secure environment.

Example DLP policy for GDPR — Awareness

Name: Awareness for personal data that is subject to GDPR.

Description: Display policy tips to employees, notify compliance teams when this data is found in documents in SharePoint Online and OneDrive for Business, detect and report when this data is being shared outside your organization.

Control: Choose information to protect
Settings: Select a Custom policy template.

Control: Locations
Settings: All locations in Office 365.

Control: Find content that contains
Settings: Click ‘Edit’ and add all the sensitive information types you curated for your environment.

Control: Detect when this content is shared
Settings: Check this box and select ‘with people outside my organization.’

Control: Notify users when content matches the policy settings
Settings: Check this box (“Show policy tips to users and send them an email notification.”). Click ‘Customize the tip and email’ and update these for your environment. See the default notifications in this article: Send email notifications and show policy tips for DLP policies.

Control: Detect when a specific amount of sensitive info is being shared at one time
Settings:

  • ‘Detect when content that’s being shared contains: At least ____ instances of the same sensitive info type’ — Set this to 1.

  • ‘Send incident reports in email’ — check this box. Click ‘Choose what to include in the report and who receives it.’ Be sure to add your compliance team.

  • ‘Restrict who can access the content and override the policy’ — clear this checkbox so that you receive notifications about sensitive information without preventing users from accessing that information.

All locations includes:

  • SharePoint Online

  • OneDrive for Business accounts

  • Exchange mailboxes

Because Content Search doesn’t currently let you test sensitive information types with email, consider creating separate policies for Exchange with a subset of sensitive information types in each policy and monitoring the rollout of these policies.
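The Awareness policy described in the settings above, written out with Security & Compliance PowerShell cmdlets as an added example (not code from the original article). It assumes an existing Connect-IPPSSession connection with compliance admin rights; the sensitive information type names, the compliance mailbox address, and the tip and email text are placeholders to replace with the values you curated for your environment.

```powershell
# Added example: the "Awareness" DLP policy for GDPR, as PowerShell.
# Assumes you have already run Connect-IPPSSession as a compliance admin.
# Placeholder values (sensitive info types, mailbox, tip text) must be
# replaced with the ones curated for your own tenant.

$policyName = 'Awareness for personal data that is subject to GDPR'

# One entry per sensitive information type. minCount = 1 mirrors the
# setting "At least 1 instances of the same sensitive info type".
$sensitiveTypes = @(
    @{ Name = 'EU Debit Card Number'; minCount = '1' },   # placeholder type
    @{ Name = 'EU Passport Number';   minCount = '1' }    # placeholder type
)

# Policy for SharePoint Online and OneDrive for Business. TestWithNotifications
# lets you watch the DLP reports before switching -Mode to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Display policy tips, notify compliance teams, detect external sharing' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: detect sharing outside the organization, show a policy tip, email the
# owner and last modifier, and send an incident report to the compliance team.
# -BlockAccess $false is the cleared "Restrict who can access the content" box.
New-DlpComplianceRule -Name "$policyName - external sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText 'This item contains personal data subject to GDPR. Follow corporate handling policy.' `
    -NotifyEmailCustomText 'An item you own or edited contains personal data subject to GDPR and is shared outside the organization.' `
    -GenerateIncidentReport 'compliance-team@contoso.example' `
    -IncidentReportContent Title,DocumentAuthor,DocumentLastModifier,Detections,MatchedItem `
    -ReportSeverityLevel Low `
    -BlockAccess $false

# As the note above recommends, Exchange gets its own policy with a subset of
# the sensitive information types so its rollout can be monitored separately.
New-DlpCompliancePolicy -Name "$policyName (Exchange)" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "$policyName (Exchange) - external recipients" `
    -Policy "$policyName (Exchange)" `
    -ContentContainsSensitiveInformation @($sensitiveTypes[0]) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner,LastModifier `
    -GenerateIncidentReport 'compliance-team@contoso.example' `
    -IncidentReportContent Title,DocumentAuthor,Detections `
    -ReportSeverityLevel Low `
    -BlockAccess $false
```

Review the results with Get-DlpCompliancePolicy and the DLP reports before changing -Mode to Enable.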

Additional protection you can apply to protect personal data in Office 365

Sensitive information types, labels, and data loss prevention policies help you identify documents containing specific data and apply protection. However, these protections depend on appropriate permissions being set for access to data, on user accounts that are not compromised, and on devices that are healthy.

The following illustration details additional protection you can apply to protect access to personal data.

Additional protection to protect access to personal data

For accessibility, the following table provides the same information in the illustration.

Scope of protection: Document and email-level protection (includes mail in transit, but not currently mailboxes at rest)

Capabilities:

  • Sensitive information types

  • Office labels

  • Data loss prevention policies

  • Office 365 Message Encryption for email

Scope of protection: Site and library-level protection (includes SharePoint Online and OneDrive for Business sites)

Capabilities:

  • Permissions for SharePoint Online and OneDrive for Business sites and libraries

  • External sharing policies for SharePoint Online and OneDrive for Business (site-level)

  • Site-level device access policies

Scope of protection: Service access protection (includes access to all services in Office 365)

Capabilities:

  • Identity and device access protection in Enterprise Mobility + Security (EMS) suite

  • Privileged access management

  • Windows 10 security capabilities

The rest of this article provides more information on each of these categories of protection.

Capabilities that are OK to use with GDPR

You can use the following capabilities in an environment configured for GDPR compliance. These capabilities are not necessary for GDPR compliance, but they can be used without adversely affecting your ability to discover, protect, monitor, and report on data related to GDPR compliance.

Customer Key — Allows customers to provide and retain control over the encryption keys that are used to encrypt data at rest within Office 365. Recommended only for customers with a regulatory need to manage their own encryption keys.

Customer Lockbox — Customer lockbox allows you to control how a Microsoft support engineer accesses your data, if needed, to fix a technical issue on a case by case basis. You can control whether to give the support engineer access to your data or not. An expiration time is provided with each request.

Site and library-level protection

Permissions for SharePoint and OneDrive for Business libraries

Use permissions in SharePoint to provide or restrict user access to the site or its contents. Add individual users or Azure Active Directory groups to the default SharePoint groups. Or, create a custom group for finer-grain control.

Permission levels from full control to view only

The illustration plots permission levels from Full control to View Only. The following table includes the same information.

Permission level: Full Control

Permission level: Design
  Contribute + approve and customize

Permission level: Edit
  Contribute + add, edit and delete lists (not just list items)

Permission level: Contribute
  View, add, update, delete list items and documents

Permission level: Read
  View and download

Permission level: View Only
  View, no download


External sharing policies for SharePoint and OneDrive for Business libraries

Many organizations allow external sharing to support collaboration. Find out how your tenant-wide settings are configured. Then review the external sharing settings for sites that contain personal data.

An external user is someone outside of your organization who is invited to access your SharePoint Online sites and documents but does not have a license for your SharePoint Online or Microsoft Office 365 subscription.

External sharing policies apply to both SharePoint Online and OneDrive for Business.

  • You must be a SharePoint Online admin to configure sharing policies.

  • You must be a Site Owner or have full control permissions to share a site or document with external users.

The following table summarizes the controls you can configure.

Control category: Type of sharing

Options:

  • Don’t allow sharing outside your organization (can be set for individual site collections)

  • Allow sharing to authenticated external users only (allow new or limit to existing, can be set for individual site collections)*

  • Allow sharing to external users with an anonymous access link (can be set for individual site collections)

  • Limit external sharing using domains (allow and deny list)

  • Choose the default link type (anonymous, company shareable, or restricted)

Control category: What external users can do

Options:

  • Prevent external users from sharing files, folders, sites they don’t own

  • Require external users to accept sharing invitations with the same account the invitation was sent to

Control category: Notifications

Options: Currently only available in OneDrive for Business. Notify owners when:

  • Users invite additional external users to shared files

  • External users accept invitations to access files

  • An anonymous access link is created or changed


Site-level device access policies

SharePoint Online and OneDrive for Business let you configure device access policies at the site level. This lets you configure more protection for sites with sensitive data.

If you configure site-level device access policies, be sure to coordinate these with tenant-level policies and also with access policies that are configured in Azure Active Directory, Intune, and Intune App Management.

Device access policies for SharePoint and OneDrive for Business require supporting policies in Azure Active Directory and Microsoft Intune depending on the scenario you are implementing. The following table summarizes objectives you can achieve with device access policies and indicates which products require supporting policies.

Objective                                                      SharePoint admin center   Azure Active Directory   Microsoft Intune
Only allow access from specific IP address locations           Yes                       -                        -
Prevent users from downloading files to non-domain joined devices   Yes                  Yes                      -
Block access on non-domain joined devices                      Yes                       Yes                      -
Prevent users from downloading files to non-compliant devices  Yes                       Yes                      Yes
Block access on non-compliant devices                          Yes                       Yes                      Yes

More information: SharePoint Online admin center: Control access from unmanaged devices.

Service access protection for identities and devices

Microsoft recommends you configure protection for identities and devices that access the service. The work you put into protecting access to Office 365 services can also be used to protect access to other SaaS services, PaaS services, and even apps in other cloud providers.

Access protection for identities and devices provides a baseline of protection to ensure that identities are not compromised, devices are safe, and organization data that is accessed on devices is isolated and protected.

For starting point recommendations and configuration guidance, see Microsoft security guidance for political campaigns, nonprofits, and other agile organizations.

For hybrid identity environments with AD FS, see Recommended security policies and configurations.

The following illustration describes how cloud services (SaaS, PaaS), account types (tenant domain accounts vs. B2B accounts) and service access capabilities relate. It’s important to note which capabilities can be used with B2B accounts.

Cloud services, account types, and access capabilities

For accessibility, the rest of this section describes this illustration.

Cloud services

Azure Active Directory provides identity access to any cloud service, including non-Microsoft providers such as Amazon Web Services. The illustration shows Office 365, “Other SaaS app,” and “PaaS app.” Arrows point from Azure Active Directory to each of these services, showing that Azure Active Directory can be used for authentication to all of these app types.

Types of accounts

Tenant domain accounts are accounts you add to your tenant and manage directly. B2B accounts are accounts for users outside your organization whom you invite to collaborate. These can be other Office 365 accounts, other organization accounts, or consumer accounts (such as Gmail). The illustration shows both account types within Azure Active Directory.

Capabilities

The capabilities in the following table protect identities and devices. The table indicates which capabilities can also be used with B2B accounts, similar to the illustration.

Capability                                        Works with tenant domain accounts   Works with Azure B2B accounts (without additional licensing)
Multi-factor authentication and conditional access   Yes                              Yes
Azure AD Identity Protection                      Yes                                 Yes
Azure AD Privileged Identity Management           Yes                                 -
Mobile Application Management (MAM)               Yes                                 -
Device enrollment and management                  Yes                                 Only one organization can manage a device
Windows 10 security capabilities (conditional access based on device compliance requires device management)   Yes   Yes

You can add licenses to B2B accounts to give these users additional capabilities, if needed, to protect access to personal data in your environment.