Digital White Papers

O365

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/914682


13 WWW.ILTANET.ORG | ILTA WHITE PAPER OFFICE 365

A New Hope: How to Leverage Office 365 to Mitigate GDPR Risk

should be viewed as a critical business initiative for which the legal department is a primary decision maker from start to finish. By following best practices and taking a leadership role, counsel can help ensure a smooth transition.

One pressing risk area—and one that a strategic Office 365 implementation can help manage—is Europe's General Data Protection Regulation (GDPR), a sweeping regulation that will soon affect many facets of business for multinational corporations. GDPR requires companies based in Europe and those that retain personal data of EU citizens to meet stringent data protection requirements. The European Commission has defined personal data as any information related to an individual, which can include things like physical address, email address, IP addresses, age, gender, GPS location, health information, search queries, items purchased, etc. Many companies today freely harvest and commercialize this information, and will soon be legally required to take special care of all data impacted by GDPR.

These requirements are proving overwhelming for legal teams, and many companies in the United States have yet to tackle a strategy for GDPR. Because the regulation is so expansive and new, just knowing where to begin is challenging. In Office 365 or other cloud service usage and migration decisions, the regulation simultaneously presents challenges and opportunities. When leveraged, the opportunities can give overwhelmed legal teams hope that achieving compliance is possible.

A Way Forward

It is critical for organizations to evaluate how cloud data storage will affect their ability to consistently meet GDPR requirements over the long term. Companies that have already migrated to Office 365 are a few steps ahead, and those that are truly proactive have begun to engage consulting partners and build a holistic data governance program.
The first step in ensuring a successful Office 365 migration, and one that includes a plan for dealing with GDPR risk, is to evaluate existing IG policies and procedures, specifically as they relate to cloud use and where information is stored. If this knowledge is difficult to glean, the legal team must audit the data universe and figure out where and how it is retained, and whether it is protected from outside threats. One way of doing this is with the Compliance Governance and Oversight Council (CGOC) methodology, which informs what data might need to be moved and where, and how to ensure adequate security and compliance measures around highly sensitive information. The CGOC recommends that an audit include these steps: 1) assess specific needs; 2) plan for key risks and recommended action; and 3) approve the strategy across stakeholders. With the assessment complete, the team can move forward with executing on the plan.

During the planning and execution phases, some key considerations will help legal teams minimize migration risks, particularly regarding GDPR requirements. These include:

» Data center location: Microsoft currently has Office 365 datacenters in the United Kingdom, Ireland, Netherlands and Austria. It is focusing heavily on expanding datacenter
