Fotolia

Tip

Five areas to focus on in a SharePoint and GDPR compliance strategy

SharePoint admins need to be ready for the General Data Protection Regulation, too. Expert Reda Chouffani suggests five things to focus on when preparing for GDPR.

The May 25 deadline for the implementation of the General Data Protection Regulation remains one of the highest priorities for organizations that store or interact with digital information containing data from European citizens and enterprises. Complying with the regulation may be particularly difficult for SharePoint administrators who must maintain information for different departments throughout an enterprise.

The General Data Protection Regulation (GDPR) requires companies storing any EU citizen's sensitive data to take additional measures to classify and protect the information against misuse or redistribution. Administrators in charge of SharePoint and GDPR compliance strategies should take into account the presence of personally identifiable information in everything from human resources systems that store employee reviews, contracts and personnel documents, to sales systems that include contact information lists.

There are five key areas on which SharePoint administrators should focus to ensure that any sensitive or protected data meets the upcoming GDPR requirements.

  1. Data classification planning and implementation. With data flowing in and out of SharePoint frequently, administrators must focus on defining an adequate data governance plan that will help ensure that all the data that meets the specifics of GDPR is properly classified and protected. A key step toward properly implementing and securing all the data within SharePoint begins by defining the criteria for data classification, then determining policies that include the specific actions needed to protect the newly classified data. Once administrators have updated their data governance plan to include SharePoint and GDPR compliance requirements, the implementation can begin. SharePoint offers several features for the detection of specific content types as part of its data leak prevention capabilities.
  2. As part of a SharePoint and GDPR compliance strategy, administrators must also enable auditing for all the sensitive data within their systems. While different SharePoint versions offer several audit reports, administrators will likely need to customize some of them in order to focus on the specific audit trails of the data related to GDPR. The auditing reports should also include alerts that can notify administrators of any access violations in which data is exposed to users who are not authorized to access it.
  3. Securing access to the platform and protecting the data. Part of the process in which SharePoint administrators further tighten the security of their content is ensuring that only authorized users can access the system. More administrators are doing so by turning to multifactor authentication tools. These tools significantly reduce the risks associated with hackers using stolen identities to log on and access sensitive information stored within SharePoint. This can happen because the platform is frequently accessible from the internet within any virtual private network requirements. By restricting the number of users who have access to the data, risks are significantly reduced.
  4. Encrypting data at rest and during transport. All information exchanges between the user and the server must be secured to ensure that the data isn't intercepted by hackers. The use of the Secure Sockets Layer to encrypt HTTP traffic between the browser and the server hosting the SharePoint site helps to secure the system. For organizations using SharePoint Online as part of the Office 365 suite, Microsoft addresses security concerns by enforcing HTTPS, as well as encryption at rest. However, SharePoint on-premises administrators are still required to configure all the encryption and security requirements. In doing so, they can meet SharePoint and GDPR compliance requirements.
  5. End-user compliance training. SharePoint administrators have several tools they can use to detect and protect sensitive data. But there are always risks when it comes to end-user misuse or accidental leaks of data. To help mitigate those risks, users must receive adequate training on the proper use of the data and understand the relationship between SharePoint and GDPR compliance requirements. Administrators should take the appropriate steps to share training information via emails, training videos, or updates to terms and conditions in order to ensure that employees have a good understanding of what the new regulations mean for them.

With several hundreds of thousands of organizations using SharePoint, it is important to note that not all implementations will be required to meet GDPR compliance requirements. But for those that do, ensuring that all the appropriate steps are taken to protect and secure personal data related to EU citizens is a must, as is equipping administrators with everything that they need in order to meet those requirements in SharePoint.

Dig Deeper on Content collaboration