publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/914682
14 WWW.ILTANET.ORG | ILTA WHITE PAPER OFFICE 365 A New Hope: How to Leverage Office 365 to Mitigate GDPR Risk availability across Europe in anticipation of GDPR and compliance with its strict requirements for how data are stored and transferred across borders. Microso's emphasis on GDPR will make it much easier for Office 365 customers to segment where their data are stored. Depending on unique circumstances, some organizations might need to establish an outsourced data center in the EU, to place data in the right place in a secure manner. This process should involve input from experts that will help ensure the storage providers have the appropriate security certifications per GDPR guidelines. » Storage flexibility: Organizations still figuring out their plan for Office 365 migration, or migrating but keeping certain regions on an on-premise solution to avoid dealing with geographical challenges, need to consider how to make their storage plan work with GDPR. Leveraging Microso's widespread availability across many regions, and the flexibility it offers through multitenant deployments or single deployments spread across various storage options will support compliance efforts. Some organizations are leery of multitenant storage, but it can reduce GDPR risk, as Office 365 can automate the process of separating storage so data originating in Europe does not cross borders when it goes to the cloud. The more a company knows about its users, what data they are using and how they are using the data, the easier it becomes to regulate how and where their data are saved. » Mobile data: Mobile device data, including text messages and app activity, must also be addressed during Office 365 migration and for GDPR compliance. Whether these data originate from a device owned by the company or the individual user, it is tricky from technology and data privacy perspectives. Establishing an acceptable use policy to which all employees agree is a necessary first step, along with making the distinction of how the company defines ownership of devices and their related data. Mobile use policies should be customized to the data protection laws for each region in which employees reside, which will make it much easier to ensure fulfillment of GDPR and other jurisdictional requirements.