With the date of GDPR enforcement quickly approaching, many businesses need to prepare their SharePoint environments in accordance with the data protection requirements. We, in the SPDocKit team, have created some impressive data classification and security features that align with the GDPR requirements. Here are 10 steps that will help prepare your SharePoint environment for GDPR compliance.
1. Know Where Your Personal Data is Stored – Tag SharePoint Objects
The tagging feature in Permissions Explorer will help you keep track of SharePoint objects containing personal and sensitive data. GDPR is all about data classification, so use this feature to easily label folders containing private and confidential employee or customer information. This will help you visually highlight sensitive data and classify objects. You can also filter objects by a specific tag to get a summary of everything related to that tag.
2. Enforce Security Rules – Turn On SharePoint Auditing
Another important aspect of GDPR is audit and record management – you need to know who’s done what in your SharePoint environment. The SharePoint audit feature tracks user actions across your site collections.
SPDocKit comes with built-in queries that help you detect whether auditing is turned on in the Documents, Items, Lists, Libraries, and Sites sections. You will get a report that will show you the site collection names, URLs, and events tracked for each site collection. You can even go a step further and create a rule to configure auditing settings straight from SPDocKit.
3. Protect – Explore and Report on SharePoint Permissions
After you have discovered and tagged the SharePoint objects containing personal data, you need to protect them to prevent data breaches. Permissions Reports from SPDocKit will come in handy when using both SharePoint On-Premises and SharePoint Online.
With Permission Reports, you can do a number of things to ensure that the right people have access to sensitive data:
- see the members of your SharePoint and Active Directory Groups (or Security Groups)
- examine permission levels for each user
- explore permissions through your SharePoint hierarchy.
4. Analyze External Sharing in SharePoint Online
While the external sharing option might be very useful to users in your environment, it may also be very risky, as you don’t have that much control over external users’ actions. This is why you need to ensure that Anonymous Access Links and External Sharing are allowed only on those site collections that do not contain any sensitive data, and only when that is necessary.
Under Permission Reports you can:
- track Office 365 externally shared content and users
- view anonymous access links.
5. Conduct a Permissions Health Check
Permissions Health Check reports help you organize permissions more efficiently and remain compliant with your company’s governance policies. These reports guide you through a set of permissions management best practices. Use the reports to check directly assigned permissions as well as uniquely secured list items, and then categorize your content using permission levels.
6. Manage and Restore Permissions
After you have explored everything and made an action plan to define how your permissions structure should look, it’s time to manage permissions. You can use the following actions to tighten your environment security: Edit, Clone, Transfer, Remove, Move or copy user to a group, and Remove user or a group.
You can also manage permissions inheritance in SharePoint groups. If something goes wrong or somebody assigns permissions that shouldn't be assigned, you can restore permissions for a preferred securable object − subsite, list or list item − using a simple wizard.
7. Audit Permissions Changes and Administrative Actions
Quickly get an insight of permission changes across your environment with a Permissions Audit Overview report. This will show you a list of all site collections and permission changes, if there were any. From here, you will be able to drill down into all permissions change logs (who made each change, of what type, on which object) on a specific site collection in a given time period.
Knowing who has performed which action is crucial for the security of your SharePoint environment. In case of a security breach, auditing reports are a must-have tool for every administrator. SPDocKit comes with an Administrative Actions report, which provides a user-friendly interface for browsing and analyzing administrative actions made on your SharePoint farm.
8. Know Who Has Privileged Access
Use the Users with Privileged Access report to check all of the farm administrators, users with full control/full read web application policy, site collection administrators, and users with full control access to your root web. It is very important to know who these people are and to maintain control over this list, since those users may have access to almost all data in your environment.
9. Audit Farm Configurations According to Best Practices
With the Best Practices reports, you can easily validate whether your farm is adjusted according to Microsoft recommendations. Below is a list of some checks you can perform:
- check whether the SharePoint farm and servers in the farm are up to date
- determine whether the Farm Admin account is a member of the Local Administrator group (giving the local administrator permissions for the Farm Admin account poses a security issue)
- check whether the Office Web Apps infrastructure is configured to use SSL connections
- perform a monitoring and logging check.
10. Use Comments to Simplify Farm Configuration Audits
You can easily add comments to every report in Farm Explorer. Some of the common reasons for adding comments are planning adjustments, keeping notes of changes, and simplifying collaboration with your colleagues. You can also include comments in the SPDocKit generated documentation.
Learn More About GDPR Compliance
If you want to know more about GDPR compliance in general, download our in-depth GDPR compliance whitepaper below.