Update on Information Protection, Azure Purview & GDPR

Information Protection

The settings for a Sensitivity Label have changed since Ignite in September 2020. One of the first steps is now to specify whether the label should be used for “Files & Email”, for “Groups & Sites” or also for the new Azure Purview integration:

Even if the dialog looks a bit different in detail, no new feature has been added to the „Files & Email“ section.

In the „Groups & Sites“ area we now have the feature "Control External Sharing for SharePoint Online Sites":

The settings in the label override the settings in the SharePoint Admin Center when the label is assigned to a site.

Note that SharePoint Online caches these settings. If a label is reassigned or updated, it can take up to 24 hours for the changes to take effect. If a label is assigned directly when the page is created, the settings take effect within 15 minutes.

Azure Purview:

Sensitivity labels can now be extended to Azure Purview. This enables labels to be applied to SQL columns and files in Azure Blob Storage.

This is also a relevant new function, especially in the context of GDPR, as personal data is usually stored and processed in various IT systems. Details on this: Microsoft Information Protection and Microsoft Azure Purview: Better Together

The function is currently still in preview status and can be activated in the Security Center in the Sensitivity Labels area:

What is Azure Purview

Azure Purview is a data governance service. The service aggregates data from on-premises systems, multi-cloud scenarios and software-as-a-service (SaaS) applications. The service creates a Purview data map based on this data:

Details: https://azure.microsoft.com/en-us/services/purview/

GDPR

Both features, sensitivity labeling and integration with the Azure Purview service, support the requirements of the GDPR. Parallel to the updates of the technical features, Microsoft has taken action in response to the decisions of the EuGH (Privacy Shield agreement / Schrems II).  

In this press release, which is unfortunately only available in German, Microsoft explains the details of the Defending Your Data program and that these efforts will be part of future contracts with enterprise and public sector customers. The two most important details are:

·        Microsoft is committed to challenging any request by a government entity for data from enterprise or public sector customers where there is a legal basis for doing so.

·        Microsoft will compensate customers for financial damages if their data must be released to a government agency in violation of the EU General Data Protection Regulation (EU GDPR).

Details in the press release linked above.