I’ve received feedback from several enterprise sysadmins and consultants about on-prem costs. Thanks very much! It’s not quite enough to comfortably make some 2020 predictions though…if you haven’t responded yet, please take a moment. It really can help us all.
Now, on to today’s topic. GDPR.
I know, I know. “I got a hundred ‘privacy update’ emails already! I don’t want to hear about GDPR ever again!”
Hopefully this post will come as something of a relief. You may not need to worry about GDPR compliance (yet). Even if you do, Microsoft’s actions make the problem easier to tackle. Let’s see how, and why.
What GDPR Requires
GDPR mandates certain privacy announcements, policies, and rights for the consumer in the European Union. It’s all about the data users generate. Not just banking numbers either—personal information, text about their activities, etc.
Essentially, GDPR says you must:
- Tell users what data you’re collecting about them;
- Tell them about the sales/marketing campaigns to which they’re agreeing; and
- Comply with any request to remove data about them from your systems.
Just an extension of what most responsible businesses already do.
“But we’re not based in the EU,” you might say. Even so, you will need to make sure you’re GDPR compliant if you:
- Have European offices,
- Store customer data in the EU, or
- Have European customers/users.
At this point, if these stipulations apply, I’d expect you’ve already prepared for GDPR compliance. But what about your Microsoft software, like Skype for Business or Teams? Did Microsoft already make them GDPR compliant, or do you have to do anything?
Microsoft and GDPR: A Little Proactivity Goes a Long Way
Skype for Business is not a customer marketing system. Neither is Teams. They’re meant for communications.
However, some companies will use them to communicate with customers, and possibly market to them (say via a customer’s dedicated Teams channel, or Skype Meeting-hosted webinars). If that’s you, and the above requirements apply, then you must comply with GDPR.
Fear not! Microsoft has provided many resources for us, starting with the GDPR Privacy Center – Microsoft.com. It includes several ebooks, a Compliance Manager tool, and a GDPR Assessment tool.
The tools will come in handy, as we’ll see in a moment.
When it comes to Skype for Business/Teams and GDPR, these MS resource pages give us guidelines:
- GDPR for Skype for Business Server and Lync Server – Microsoft Docs
- Overview of Office 365 Information Protection for GDPR – Microsoft Docs
- GDPR for Exchange Server – Microsoft Docs
In general, the on-prem versions are compliant by default, provided you secure the physical/virtual servers and limit permissions. Existing data export cmdlets, like “Export-CsUserData,” facilitate GDPR privacy requests.
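Here is an added example (not code from the original post, nor Microsoft’s own) of how a Skype for Business Server admin could wrap those cmdlets to handle a data-subject request: export the user’s data first, and only then, if the request is for erasure, remove it. It assumes you run it from the Skype for Business Server Management Shell with an account that has rights on the pool; the pool FQDN, user address and output folder are constructed placeholders, and the function name is my own.

```powershell
# Added example, not from the original post. Fulfils a GDPR data-subject request
# on Skype for Business Server using the product's own Export-CsUserData and
# Remove-CsUserData cmdlets. Pool, user and path values below are placeholders.

function Invoke-SfbPrivacyRequest {
    param(
        [Parameter(Mandatory)] [string] $PoolFqdn,    # front-end pool homing the user, e.g. "pool01.contoso.example"
        [Parameter(Mandatory)] [string] $UserSip,     # user's SIP address, e.g. "jdoe@contoso.example"
        [Parameter(Mandatory)] [string] $OutputPath,  # folder that will receive the export ZIP
        [switch] $RemoveAfterExport                   # set only for an erasure ("right to be forgotten") request
    )

    # Keep exports together and name them so the request can be traced later.
    if (-not (Test-Path -Path $OutputPath)) {
        New-Item -ItemType Directory -Path $OutputPath | Out-Null
    }
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $safeUser = $UserSip -replace '[^A-Za-z0-9]', '_'
    $zipFile = Join-Path -Path $OutputPath -ChildPath ("{0}-{1}.zip" -f $safeUser, $stamp)

    # Access request: export the user's contact lists and conferencing data from the pool.
    Export-CsUserData -PoolFqdn $PoolFqdn -UserFilter $UserSip -FileName $zipFile

    # Never delete without a copy in hand: verify the export exists before going further.
    if (-not (Test-Path -Path $zipFile)) {
        throw "Export for $UserSip did not produce $zipFile; aborting."
    }

    if ($RemoveAfterExport) {
        # Erasure request: -Confirm forces an interactive prompt before the deletion runs.
        Remove-CsUserData -PoolFqdn $PoolFqdn -UserFilter $UserSip -Confirm
    }

    # Return a small record for your request log (who, what, when, where the export is).
    [pscustomobject]@{
        User      = $UserSip
        Pool      = $PoolFqdn
        ExportZip = $zipFile
        Removed   = [bool]$RemoveAfterExport
        HandledBy = $env:USERNAME
        HandledAt = (Get-Date).ToString('o')
    }
}

# Usage (placeholder values):
# Invoke-SfbPrivacyRequest -PoolFqdn "pool01.contoso.example" -UserSip "jdoe@contoso.example" -OutputPath "D:\GDPR\Exports"
# Invoke-SfbPrivacyRequest -PoolFqdn "pool01.contoso.example" -UserSip "jdoe@contoso.example" -OutputPath "D:\GDPR\Exports" -RemoveAfterExport
```

Two caveats worth keeping in mind. The export ZIP is itself personal data, so store it on a restricted share and delete it once the request is closed. And Export-CsUserData covers the user’s contacts and conferencing data held by the pool; archived IM and meeting content lives in the Archiving database and is handled separately (Microsoft ships Export-CsArchivingData for that), so a complete response to a request may need both.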
Now, Office 365 compliance. Since MS controls the Office 365 servers, it has to enforce GDPR compliance at the server level. That’s good news for Teams users. As long as you’re only working with US customers and have no European offices, you can probably relax.
This site provides a list of MS O365 data locations worldwide: Where is your data located? [USA] – Office.com. Teams data is stored in:
- Blue Ridge, VA
- Cheyenne, WY
- Chicago, IL
- Des Moines, IA
- Santa Clara, CA
- Quincy, WA
All US-based datacenters. This takes care of the ‘Store customer data in the EU’ stipulation from earlier.
(Santa Clara though…I don’t want to know what they paid for THAT real estate!)
I checked France and the UK too; in-region datacenters store their Teams data. U.S. data in the U.S., EU data in the EU. Makes sense. Makes things easier for everyone too.
You should still check your current data though. The Compliance Manager tool I mentioned will determine if you possess data subject to GDPR. If so, you’ll have to classify that data in your Office 365 tenant, and maybe use labels to notify customers.
“We have X data on you, you must pay 1 Bitcoin to—” Whoops, sorry, wrong line of thought.
If you market via Skype for Business/Teams to EU customers, then you must comply. If not, relax.
Adjusting Skype for Business/Teams for GDPR compliance may take a little configuration. But if you have data protection policies in place (and you should), then most of the work’s already done for you.
What changes (if any) did GDPR mandate in your Skype for Business/Teams deployment?