General Data Protection Regulations (GDPR) will come into effect on 25th May 2018. GDPR will replace the existing Data Protection Act and subsequent electronic communications act. GDPR brings into play many key rules that every business needs to adhere to, regardless of whether they are a sole trader or global enterprise. The key focus is the collection, storage, and processing of personal data. If you operate in the UK or provide goods or services within the UK, then you need to consider GDPR and make necessary preparations. Fortunately, if you are a Microsoft user, then there are many ways you can ensure your business is compliant. In this article, we look at top five tips you can use to get ready for GDPR with Office 365
1. Set your Office 365 data centre to the correct location
A central tenet of GDPR is the storage of personal data within the EU. Most software providers are making this possible by opening data centres across the globe. Microsoft is enabling Office 365 users to change the location of their data if they have specific data residency requirements.
Moving data applies to core data only, which is as follows:
- Exchange Online mailbox content
- SharePoint Online site content and the files stored on that site
- Files uploaded to OneDrive for Business.
If your core data includes any details which might be considered personal data such as customer contact details, then it would be advisable to check and reset to the United Kingdom.
2. Update to multifactor authentication
Multifactor authentication (MFA) provides extra layers of security to protect against a compromise. Multifactor authentication includes two-factor steps, such as a code texted to your mobile after you enter your usual username and password options. It also includes use of smart cards, certificate based authentication (CBA) and third-party SAML identity providers.
You can apply multifactor authentication with your Office 365 and Exchange account by following this link: https://support.office.com/en-us/article/Using-Office-365-modern-authentication-with-Office-clients-776c0036-66fd-41cb-8928-5495c0f9168a
GDPR sets out new rulings for the collection, storage and processing of personal data which could identify an individual and includes new considerations such as the right to be forgotten.
3. Consider how and when to use encryption
Encryption is a process of encoding data so that it cannot be read by computers or people unless the encrypted data is decoded. Decryption is done using an encryption key that only authorised users would have.
Microsoft encryption works for content at rest (i.e. a saved document) and content in transit (i.e. an email). Encryption for data at rest is standard and unlikely you would want to amend. Encryption for content in transit can be varied and may suit different circumstance. The main types of encryption for email are Office 365 Message Encryption (OME), IRM and S/MIME. You may want to use different methods in different scenarios.
OME is best for sending sensitive information to recipients outside your organisation IRM is best for sending an internal confidential email that should not be shared outside the business. S/MIME is more commonly used when communicating with government agencies. For more information on how to set up rules and different encryption types, please visit: https://support.office.com/en-us/article/Email-encryption-in-Office-365-c0d87cbe-6d65-4c03-88ad-5216ea5564e8
4. Keep up-to-date with Windows and other software updates
It is vital to keep up-to-date with the latest patches and software releases. Outdated software versions are far more vulnerable to cyber-attacks. Windows updates can sometimes take a long time and you may be tempted to delay them. Instead, amend your update settings to run out of active hours or during lunch breaks.
To ensure you have the latest updates:
Go to Settings
Go to Update & Security
View latest update information
Change active hours so that restarts do not happen during working hours
View Update History to see which updates were successful and which ones failed. Attend to any failed updates.
5. Access anywhere, anytime?
Connected devices allow users access to desktop services from any location and at any time. This is ideal for field-based staff who want to check emails or update CRM. The problem is that not all wi-fi connections are secure. Many public wi-fi networks are open, and there is potential for malicious inference.
Make sure staff are aware of your company’s internet and device security policies. Set sync functions so that they only work when a device is connected to a secure and approved network. If a staff member loses their device, it is possible to wipe it remotely through OWA and Office 365 Security Center. Finally, make sure you visit the Office 365 Security & Compliance Center. This is the data protection portal for Office 365. You can use it to audit your organisation, view latest alerts, manage devices and set up data loss prevention schemes. If you are looking to update your CRM software or are interested CRM specific GDPR consultancy services, then SeeLogic can help. Please contact us on 01296 328 689 or email email@example.com to find out more.