Manage GDPR compliancy with SharePoint

28th August 2018

You may think that GDPR has gone quiet, but we know it’s still a topic that’s being researched, judging by the continued popularity of our blog post, ‘Is your SharePoint implementation GDPR compliant?’

So, we’ve put together an updated post that covers:

  • basic terminology,
  • who owns the data,
  • how to prepare the data,
  • ISO27001,
  • and how to stay compliant.

The basic GDPR terminology.

We’ve put together a quick terminology run through for you:

Whom does the GDPR legislation apply to?

If your data contains information about people in the EU, then you need to comply. If you might store data about people in the EU in the future, then it’s worth implementing the processes now, so that the transition is less stressful once you actually hold that data.

The Information Commissioner’s Office breaks down handling the data into two categories – controllers and processors.

  • The GDPR applies to ‘controllers’ and ‘processors’.
    • A controller determines the purposes and means of processing personal data.
    • A processor is responsible for processing personal data on behalf of a controller.

What is personal data?

Your business will undoubtedly have gone through the process of identifying the data stored and handled within the business earlier this year, and will have found many sources of data to which GDPR applies.

These range from HR data, such as passport information and photos of employees past and present, to technical support data for customers, and a CRM system holding existing customers and prospects.

ICO says that:

Personal data only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.

A combination of identifiers may be needed to identify an individual.

  • The GDPR provides a non-exhaustive list of identifiers, including:
    • name;
    • identification number;
    • location data; and
    • an online identifier.
  • ‘Online identifiers’ include IP addresses and cookie identifiers, which may be personal data.
  • Other factors can identify an individual.

Who owns the data in SharePoint?

That’s easy. The customer using SharePoint owns the data.

Example: We’re responsible for our own data stored on igroup’s SharePoint platform, but our customers are responsible for their data stored on the platforms we host for them. Microsoft and igroup are the custodians.

That means it’s the responsibility of your business to maintain the data you store in SharePoint.

Why are SharePoint 2016 and Office 365 important to the process?

Office 365 and SharePoint integrate with each other, so users can share, store and work on data together in one place.

How to prepare and manage your data.

SharePoint is a flexible platform that enables your business to create and manage the processes required to stay GDPR compliant: it stores the information, provides security around it, and allows the collaboration needed to manage the data.

Your business will have put in place processes to handle your data earlier this year.

Probably this takes the form of a document listing all your sources of data, assessing the purpose of the data and the categories it relates to (see Article 30), privacy notes such as the reasons for keeping the data (see Articles 6 and 9), and consent records with the method, date and proof, along with the many other areas that need to be covered.

But, if it hasn’t already, your business must also consider how it handles enquiries about the data.

To date, you may have received few or no requests, which has side-lined the urgency of recording those enquiries, but it’s something you should consider.

Traceability of each task you complete to process the data appropriately, and as requested, is as important as carrying out the task itself.

There are other tools out there you might consider, such as CRM systems with service ticket modules, but they don’t offer the full flexibility that SharePoint does, such as collaboration on records and the ability to keep the entire process in one place, and implementing such a system will take time and money.

SharePoint allows you to classify your data with reference to your GDPR policy, and to ensure that your environment is secure, that the data is safeguarded, and that access is kept to a minimum.

Did you know: if you comply with ISO 27001, the international information security standard, then you’ve covered off a good portion of GDPR preparation, but this does not ensure full compliance.

The challenge is staying compliant.

The answer to staying compliant is governance. Managing data requires rules and processes aligned with security settings.

Creating a risk register using SharePoint to document your continuing assessments will help answer future enquiries.

Look to record information about impact assessments and data breaches, retention policies, and requests for data.

Listing each potential interaction with the data, and determining who will carry it out and who is responsible for it, will enable governance to be carried out.

And don’t forget to document that information and share it with all employees!

The takeaway

Currently, there’s no perfect solution. The ICO is still issuing advice and anticipates an accredited system in the future.

But SharePoint goes a long way towards enabling your business to comply now, allowing you to capture all your data and set up the workflows and processes you need to manage that data, without paying out for an intermediate solution.

Find out how we can help you

Our sales team are all technical Microsoft specialists with a background in Azure, SharePoint, development and Office 365. If you need advice and want to talk through your options, the team are on hand to provide free advice and next steps. Call 0207 099 0632.
