Privacy guide for Briefing emails

When data is processed for Briefing emails, Microsoft protects employee privacy and fully complies with local regulations, such as the General Data Protection Regulation (GDPR). The Briefing protects privacy in the following ways:

  • Personal and private - Your Briefing emails are personal and private and are only sent to you directly in your mailbox, which cannot be accessed by anybody else in your organization, including your IT admin or your manager.
  • Everyone's data is kept private - Briefing emails do not include any new personally identifiable information about anybody else in your organization. The insights and actions are based on information generated by you and your organization just by going about your regular workday. Your Briefing emails are based on information that you already have access to but can’t quickly aggregate without help.
  • Mailbox security - Briefing email data uses Exchange Online email and calendar data and processes and stores any insights or actions inside your Exchange Online mailbox, so data security is built-in and enforced by Exchange.
  • GDPR compliant - Microsoft complies with GDPR when providing the Briefing email.
  • User-level configuration - Your admin can turn on or off all Briefing email functionality for one user or for multiple users. See Configure Briefing email for details. A user can then select Unsubscribe at the end of any Briefing email to individually opt out.
  • More information is always available - Your first Briefing email describes what it is, that your data is kept private, and includes documentation links to get more details. All subsequent Briefing emails will always include informational links and the option to unsubscribe.

Your experience with Briefing emails

You can use a Briefing email to do the following:

How it works

The insights and actions in the Briefing email are based on your Exchange Online mailbox data, such as email and calendar data. The insights are derived from data that is already available to you in your Exchange Online mailbox.

For example, if you want to determine what commitments you made to others, you could manually review each email in your mailbox. The Briefing email simply saves you from this tedious process.

GDPR compliance

Microsoft helps data controllers meet the following obligations for the Briefing email:

  1. Secure and protect users’ personal data. All data is stored in the employees’ Exchange Online mailbox. The computed metrics, such as tasks, are appended to the mailbox. Thus, the Briefing email meets this obligation by virtue of Exchange Online also meeting the obligation:

    • Microsoft will not mine customer data in Exchange Online for advertising.
    • Microsoft will not voluntarily disclose Exchange Online customer data to law enforcement agencies.
    • Microsoft will meet all requirements related to encryption of Exchange Online data and implement controls to reduce security risks and help ensure business continuity, as described in ISO 27001 and 27018.
  2. Notify users in the event that a breach is detected. Microsoft will notify customer privacy contacts within 72 hours of Microsoft becoming aware of a breach by using Office 365 incident response standard operating procedures.

  3. Honor user requests (DSRs) to export, delete, or restrict processing personal data. Microsoft supports your need to honor user requests in the following ways.

    • Data export requests - Users can view the insights in the Briefing email and manage them if they want to have permanent copies of their information.
    • Request to restrict processing - Use PowerShell to opt employees out of the Briefing email. Or employees can individually unsubscribe from the Briefing email to restrict processing of their data.
    • Delete employee data - Sign in to Azure Active Directory admin center and then remove the employee's data through the User Management Portal.
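The "restrict processing" item above says to use PowerShell to opt employees out. The following is an added example, not from this page or from Microsoft's documentation; it assumes the ExchangeOnlineManagement module and its Set-UserBriefingConfig / Get-UserBriefingConfig cmdlets (not named on this page, so treat the cmdlet names and the IsEnabled property as assumptions), reads a constructed list of users, opts each one out, reads the setting back, and writes a log that can be kept as evidence that the request was honored.

```powershell
# Added example (not the page's own code). Assumed: ExchangeOnlineManagement module,
# Set-UserBriefingConfig / Get-UserBriefingConfig cmdlets, and an IsEnabled output property.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an Exchange admin account

# Constructed sample input: one user principal name per line.
$requests = @'
UserPrincipalName
user1@contoso.example
user2@contoso.example
'@ | ConvertFrom-Csv

$results = foreach ($r in $requests) {
    $upn = $r.UserPrincipalName
    try {
        # Opt the user out of the Briefing email (restrict processing).
        Set-UserBriefingConfig -Identity $upn -Enabled $false -ErrorAction Stop
        # Read the setting back instead of assuming the write took effect.
        $cfg = Get-UserBriefingConfig -Identity $upn -ErrorAction Stop
        [pscustomobject]@{ User = $upn; BriefingEnabled = $cfg.IsEnabled; Status = 'OptedOut' }
    } catch {
        [pscustomobject]@{ User = $upn; BriefingEnabled = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Keep the per-user outcome as the record for the data subject request.
$results | Export-Csv -Path .\briefing-optout-log.csv -NoTypeInformation
$results | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Any row whose BriefingEnabled is not False, or whose Status starts with "Failed", still needs manual follow-up before the request is closed.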

To learn more, see GDPR compliance.