The Difficulties of Defining a Sensitive Data Type

Phone Numbers Get in the Way

A Petri.com article explains how the new GDPR Data Loss Prevention (DLP) template ran into some problems because its rules blocked perfectly legitimate email due to the presence of phone numbers in user autosignatures.

Mail autosignatures carry a lot of information about people – their name, position, company name, business address, phone numbers and sometimes even company registration numbers. It’s genuinely hard to come up with rules that pick out personal data to block the transmission of this information outside the company while letting normal business communications flow unimpeded. Microsoft made the rules in the GDPR DLP template a little too sensitive, which caused email to be blocked.

Of course, people might ask why testing didn’t catch a problem like this. There’s no good answer to that question except to say that the diversity of autosignatures and the range of information carried in autosignatures is pretty large. The full spectrum of what you might find across 28 EU countries might not have been included in the test suite.

Central Cloud Deployment

One of the nice things about the cloud is that changes can be made centrally and then picked up by tenants without administrator intervention. Microsoft is tweaking the rules in the GDPR template to make them less sensitive to phone numbers. You can expect the fix “soon.”

DIY Sensitive Data Types

You can try your hand at defining your own custom sensitive data types through the Classifications section of the Security and Compliance Center. We explain how in Chapter 22 of Office 365 for IT Pros, along with a heap of other information about how DLP policies work and how to deploy them effectively.