I’ve received feedback from several enterprise sysadmins and consultants about on-prem costs. Thanks very much! It’s not quite enough to comfortably make some 2020 predictions though…if you haven’t responded yet, please take a moment. It really can help us all.

Now, on to today’s topic. GDPR.

I know, I know. “I got a hundred ‘privacy update’ emails already! I don’t want to hear about GDPR ever again!”

Hopefully this post will come as something of a relief. You may not need to worry about GDPR compliance (yet). Even if you do, Microsoft’s actions make the problem easier to tackle. Let’s see how, and why.

What GDPR Requires

GDPR mandates certain privacy announcements, policies, and rights for the consumer in the European Union. It’s all about the data users generate. Not just banking numbers either—personal information, text about their activities, etc.

Essentially, GDPR says you must:

  1. Tell users what data you’re collecting about them;
  2. Tell them about the sales/marketing campaigns to which they’re agreeing; and
  3. Comply with any request to remove data about them from your systems.

Just an extension of what most responsible businesses already do.

[Image: GDPR privacy agreements. Caption: “Is this contract compatible with GDPR?” “Uhm…” Photo by rawpixel on Unsplash.]

“But we’re not based in the EU,” you might say. Even so, you will need to make sure you’re GDPR compliant if you:

  • Have European offices,
  • Store customer data in the EU, or
  • Have European customers/users.

At this point, if these stipulations apply, I’d expect you’ve already prepared for GDPR compliance. But what about your Microsoft software, like Skype for Business or Teams? Did Microsoft already make them GDPR compliant, or do you have to do anything?

Microsoft and GDPR: A Little Proactivity Goes a Long Way

Skype for Business is not a customer marketing system. Neither is Teams. They’re meant for communications.

However, some companies will use them to communicate with customers, and possibly market to them (say via a customer’s dedicated Teams channel, or Skype Meeting-hosted webinars). If that’s you, and the above requirements apply, then you must comply with GDPR.

Fear not! Microsoft has provided many resources for us, starting with the GDPR Privacy Center on Microsoft.com. It includes several ebooks, a Compliance Manager tool, and a GDPR Assessment tool.

The tools will come in handy, as we’ll see in a moment.

When it comes to Skype for Business/Teams and GDPR, these MS resource pages give us guidelines:

  1. GDPR for Skype for Business Server and Lync Server – Microsoft Docs
  2. Overview of Office 365 Information Protection for GDPR – Microsoft Docs
  3. GDPR for Exchange Server – Microsoft Docs

In general, the on-prem versions are compliant by default, provided you secure the physical/virtual servers and limit permissions. Existing data export cmdlets, such as Export-CsUserData, facilitate GDPR privacy requests.
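As an added example (not from the original post, and not Microsoft's own guidance), here is how a Skype for Business Server admin might answer a data subject access request with that cmdlet and keep a record of what was handed over. It assumes the Skype for Business Server Management Shell on a Front End server; the pool FQDN, SIP address and output paths are placeholders, and the -PoolFqdn, -FileName and -UserFilter parameters are the documented ones for Export-CsUserData.

```powershell
# Added example: export one user's Skype for Business Server data for a GDPR
# data-subject request, then log a hash of the archive for the audit trail.
# Placeholders (constructed, not real values):
$PoolFqdn   = 'pool01.contoso.example'       # Front End pool to export from
$SipAddress = 'jane.doe@contoso.example'     # the data subject's SIP address
$ExportDir  = 'C:\DSAR'                      # restricted folder for request output
$OutFile    = Join-Path $ExportDir ("{0}-{1}.zip" -f ($SipAddress -replace '[@.]', '_'),
                                                   (Get-Date -Format 'yyyyMMdd'))

# Create the output folder if it does not exist yet.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Export only this user's data (contacts, conference data, etc.) to a zip file.
Export-CsUserData -PoolFqdn $PoolFqdn -FileName $OutFile -UserFilter $SipAddress

# Record size and SHA-256 of the archive so the disclosure is tamper-evident
# and the request can be reconciled later.
$hash = Get-FileHash -Path $OutFile -Algorithm SHA256
[PSCustomObject]@{
    Subject  = $SipAddress
    File     = $OutFile
    SHA256   = $hash.Hash
    Bytes    = (Get-Item $OutFile).Length
    Exported = (Get-Date).ToString('o')
} | Export-Csv -Path (Join-Path $ExportDir 'export-log.csv') -Append -NoTypeInformation
```

Keep the export folder's ACL limited to the people handling the request; the archive contains exactly the personal data the regulation is concerned with.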

Now, Office 365 compliance. Since MS controls the Office 365 servers, it has to enforce GDPR compliance at the server level. That’s good news for Teams users. As long as you’re only working with US customers and have no European offices, you can probably relax.

[Image: GDPR Privacy in Skype4B/Teams. Caption: Your data is behind this door. Photo by Dayne Topkin on Unsplash.]

This site provides a list of MS O365 data locations worldwide: Where is your data located? [USA] – Office.com. Teams data is stored in:

  • Blue Ridge, VA
  • Cheyenne, WY
  • Chicago, IL
  • Des Moines, IA
  • Santa Clara, CA
  • Quincy, WA

All US-based datacenters. This alleviates the ‘Store customer data in the EU’ stipulation from earlier.
(Santa Clara though…I don’t want to know what they paid for THAT real estate!)

I checked France and the UK too; native datacenters store their Teams data. U.S. data in the U.S., EU data in the EU. Makes sense. Makes things easier for everyone too.

You should still check your current data though. The Compliance Manager tool I mentioned will determine if you possess data subject to GDPR. If so, you’ll have to classify that data in your Office 365 tenant, and maybe use labels to notify customers.

“We have X data on you, you must pay 1 Bitcoin to—” Whoops, sorry, wrong line of thought.

If you market via Skype for Business/Teams to EU customers, then you must comply. If not, relax.

Adjusting Skype for Business/Teams for GDPR compliance may take a little configuration. But if you have data protection policies in place (and you should), then most of the work’s already done for you.

What changes (if any) did GDPR mandate in your Skype for Business/Teams deployment?

Is Skype for Business GDPR Compliant? What About Teams?

3 thoughts on “Is Skype for Business GDPR Compliant? What About Teams?”

  • June 13, 2018 at 1:57 pm

    Be careful, GDPR covers employees’ personal data as well, so it does matter, whether you “market via…”. Whenever your internals are EU citizens, you have to obey GDPR rules.

    • June 13, 2018 at 2:09 pm

      You make an excellent point, Jirka. Thanks for pointing that out.

  • June 16, 2018 at 10:29 pm

    Great article.
    3 clear requirements must be addressed:
    1. The right to be forgotten (when he leaves the company)
    2. User must have the right to access his stored data
    3. Companies must obtain the consent of all parties before recording or archiving any conversation.

    All of these can be addressed by modules of eDiscovery and Disclaimers as done by SkypeShield-
    https://agatsoftware.com/skypeforbusiness/compliance-gdpr/ in addition to DLP and Ethical wall controlling communication and making sure no personal data is mishandled

