Compliance with GDPR in Exchange requires extra effort

Exchange administrators outside of the European Union might not think that GDPR affects them, but they should work toward compliance to avoid a stiff penalty if a violation occurs.

Even at U.S.-based companies, Exchange administrators need to know what the European Union's General Data Protection Regulation covers and what they can do with their messaging platform to maintain compliance.

The General Data Protection Regulation (GDPR) protects the personal information of people living in European Union (EU) countries by setting rules on how that data can be collected, used and stored. Compliance with GDPR affects IT professionals who work in organizations with an EU footprint no matter where they are based. For example, if a U.S. company falls victim to a data breach that leaks the personal data of EU citizens, then that company could be penalized heavily as a result.

Admins need to work with the legal and management teams to ensure their organization meets its obligations. Part of an IT professional's job is to make sure the legal team understands what is technically possible; the legal team ensures that those technical decisions maintain compliance with the applicable laws. The following guidelines can help Exchange administrators strive toward compliance with GDPR and their email system.

How to determine GDPR's reach

For Exchange administrators, compliance with GDPR relates to any email from a person in the EU.

GDPR covers personal data, which is any data from the individual's private, professional or public life, such as their names, email addresses or computer IP address.

GDPR applies to an organization when:

  • the organization controlling the data originates in the EU;
  • the subject of the data lives in the EU; or
  • the organization controlling the data uses another organization to process the data that is based in the EU.

For Exchange administrators, compliance with GDPR relates to any email from a person in the EU. Exchange administrators that work for organizations that operate in the EU or that have EU-based customers should prepare themselves and their systems for any requests related to the regulation.

However, GDPR includes language that excludes governments from its requirements for law enforcement and national security.

GDPR personal data
The European Union's General Data Protection Regulation affects companies that handle any information that can be used to identify people. This chart lists the data covered by GDPR.

Knowing where GDPR and Exchange intersect

Exchange administrators need to know the rights GDPR grants to data subjects and how to reach compliance with GDPR in the following areas:

  • Data protection: GDPR requires organizations that process personally identifiable information (PII) to protect data by design. The specific configurations that guarantee data protection vary by application, but organizations can meet this clause by implementing standard best practices. In short, by following Microsoft's guidelines during the deployment stage, administrators can avoid trouble with GDPR.
  • Pseudonymization: GDPR recommends the use of data encryption to protect data subjects. Exactly what encryption should be applied and when is more of a gray area. There are several different types of native encryption technologies and innumerable third-party options for on-premises Exchange, each designed for a different purpose. What works for your organization will require meeting with the legal team to produce a policy on what email to encrypt and what technology to use.
  • Right of access: GDPR subjects have the right to access their personal data and know how that data is processed. Exchange administrators can support the compliance team via an eDiscovery search if they receive what's called a data subject request. Compliance with GDPR requires an organization that holds a data subject's information to act on these requests promptly when possible. Administrators should familiarize themselves with this search function to find the pertinent material if a request arrives.
  • Right to erasure: Data subjects have the right to have their personal data removed upon request. This is more limited than the right to be forgotten originally proposed as part of GDPR. Administrators need to support the removal of PII information upon request. The policies and procedures most organization use to maintain Exchange focus on retaining information, not deleting it. New policies to comply with this aspect of GDPR can require some significant effort, as they entail the removal of data from backups, data redundancy, offline files and more to ensure PII is properly deleted.

GDPR adds an extra layer of difficulty to the complications around compliance. GDPR requires organizations to have an appointed data protection officer and a process to notify the proper groups in the event of a data breach. A compliance officer should have a hand in the design and implementation of an Exchange system to reduce the strain associated with GDPR.

Dig Deeper on Microsoft cloud computing and hybrid services

Cloud Computing
Enterprise Desktop
Virtual Desktop