I’ve received feedback from several enterprise sysadmins and consultants about on-prem costs. Thanks very much! It’s not quite enough to comfortably make some 2020 predictions, though. If you haven’t responded yet, please take a moment. It really can help us all.

Now, on to today’s topic. GDPR.

I know, I know. “I got a hundred ‘privacy update’ emails already! I don’t want to hear about GDPR ever again!”

Hopefully this post will come as something of a relief. You may not need to worry about GDPR compliance (yet). Even if you do, Microsoft’s actions make the problem easier to tackle. Let’s see how, and why.

What GDPR Requires

GDPR mandates certain privacy announcements, policies, and rights for consumers in the European Union. It’s all about the data users generate. Not just banking numbers either—personal information, text about their activities, etc.

Essentially, GDPR says you must:

  1. Tell users what data you’re collecting about them;
  2. Tell them about the sales/marketing campaigns to which they’re agreeing; and
  3. Comply with any request to remove data about them from your systems.

Just an extension of what most responsible businesses already do.

[Image: GDPR privacy agreements. Caption: “Is this contract compatible with GDPR?” “Uhm…” Photo by rawpixel on Unsplash.]

“But we’re not based in the EU,” you might say. Even so, you will need to make sure you’re GDPR compliant if you:

  • Have European offices,
  • Store customer data in the EU, or
  • Have European customers/users.

At this point, if these stipulations apply, I’d expect you’ve already prepared for GDPR compliance. But what about your Microsoft software, like Skype for Business or Teams? Did Microsoft already make them GDPR compliant, or do you have to do anything?

Microsoft and GDPR: A Little Proactivity Goes a Long Way

Skype for Business is not a customer marketing system. Neither is Teams. They’re meant for communications.

However, some companies will use them to communicate with customers, and possibly market to them (say via a customer’s dedicated Teams channel, or Skype Meeting-hosted webinars). If that’s you, and the above requirements apply, then you must comply with GDPR.

Fear not! Microsoft has provided many resources for us. Start with the GDPR Privacy Center – Microsoft.com. It includes several ebooks, a Compliance Manager tool, and a GDPR Assessment tool.

The tools will come in handy, as we’ll see in a moment.

When it comes to Skype for Business/Teams and GDPR, these MS resource pages give us guidelines:

  1. GDPR for Skype for Business Server and Lync Server – Microsoft Docs
  2. Overview of Office 365 Information Protection for GDPR – Microsoft Docs
  3. GDPR for Exchange Server – Microsoft Docs

In general, the on-prem versions are compliant by default, provided you secure the physical/virtual servers and limit permissions. Existing data export cmdlets, like “Export-CsUserData,” facilitate GDPR privacy requests.

Now, Office 365 compliance. Since MS controls the Office 365 servers, it has to enforce GDPR compliance at the server level. That’s good news for Teams users. As long as you’re only working with US customers and have no European offices, you can probably relax.

[Image: GDPR privacy in Skype4B/Teams. Caption: “Your data is behind this door.” Photo by Dayne Topkin on Unsplash.]

This page provides a list of MS O365 data locations worldwide: Where is your data located? [USA] – Office.com. Teams data is stored in:

  • Blue Ridge, VA
  • Cheyenne, WY
  • Chicago, IL
  • Des Moines, IA
  • Santa Clara, CA
  • Quincy, WA

All US-based datacenters. For a US tenant, that takes the ‘Store customer data in the EU’ stipulation from earlier off the table.
(Santa Clara though…I don’t want to know what they paid for THAT real estate!)

I checked France and the UK too; in-country datacenters store their Teams data. U.S. data in the U.S., EU data in the EU. Makes sense. Makes things easier for everyone too.

You should still check your current data, though. The Compliance Manager tool I mentioned will determine whether you possess data subject to GDPR. If so, you’ll have to classify that data in your Office 365 tenant, and maybe use labels to notify customers.

“We have X data on you, you must pay 1 Bitcoin to—” Whoops, sorry, wrong line of thought.

If you market via Skype for Business/Teams to EU customers, then you must comply. If not, relax.

Adjusting Skype for Business/Teams for GDPR compliance may take a little configuration. But if you have data protection policies in place (and you should), then most of the work’s already done for you.

What changes (if any) did GDPR mandate in your Skype for Business/Teams deployment?

Is Skype for Business GDPR Compliant? What About Teams?

7 thoughts on “Is Skype for Business GDPR Compliant? What About Teams?”

  • June 13, 2018 at 1:57 pm

    Be careful, GDPR covers employees’ personal data as well, so it does matter whether you “market via…”. Whenever your internal users are EU citizens, you have to obey GDPR rules.

    • June 13, 2018 at 2:09 pm

      You make an excellent point, Jirka. Thanks for pointing that out.

  • June 16, 2018 at 10:29 pm

    Great article.
    3 clear requirements must be addressed:
    1. The right to be forgotten (when he leaves the company)
    2. The user must have the right to access his stored data
    3. Companies must obtain the consent of all parties before recording or archiving any conversation.

    All of these can be addressed by the eDiscovery and Disclaimers modules, as done by SkypeShield (https://agatsoftware.com/skypeforbusiness/compliance-gdpr/), in addition to DLP and an Ethical Wall controlling communication and making sure personal data is not mishandled.

  • October 12, 2018 at 2:40 am

    What about Skype4B federations and the lack of a built-in ethical wall?

    • October 15, 2018 at 8:09 am

      Now that’s an excellent question. Federations to EU-based companies or satellite offices will mean you need GDPR compliance in your policies. I am not a lawyer, but I think the best way to establish an ethical wall is to have a lawyer draw up stipulations for federated partners. “Since you are based in the EU, and we’re federated on Skype for Business, we must now implement GDPR compliance in both our locations” kind of thing. Hope that helps.

  • November 27, 2018 at 3:40 am

    What about using Skype internally? So, for example, if I Skype a customer’s email address to a colleague, does this fall foul of GDPR if it is an internal communication (and the customer’s email address has been obtained in a legitimate and compliant manner)?

    • November 28, 2018 at 10:20 am

      Good comment, Gareth. I would guess that this is OK under GDPR, since it’s done to facilitate communication, not marketing. That said, I’m not a lawyer, so check with Legal just in case.
