Exporting User GDPR Data From Delve

Posted on by Tony Redmond

Delve Sparkles in 2015 But Then…

When it was first introduced into Office 365 in 2015, Microsoft gave Delve a lot of publicity, perhaps because it was the application that demonstrated the value of collecting and interpreting signals in the Office Graph (now Microsoft Graph). Now, Delve doesn’t get so much attention. One reason why this might be so is that the focus for search has shifted to the Microsoft Search initiative. The new direction was loudly trumpeted at Ignite 2018 and has reached parts of Office 365, but not my tenant.

Delve is Great at Finding Documents

Delve is an application that some people get and others ignore. It is invaluable if you’re like me and constantly forget where documents might be stored, but if you’re happy enough to use the search features built into Outlook, SharePoint, and OneDrive for Business, you might never go near Delve. This is especially so if you do a lot of work in Teams because Delve ignores Teams.

Delve Settings

Like most other Office 365 apps, the cogwheel icon exposes some settings to control how Delve works. The most important of the Feature settings is the one controlling whether Delve shows other users documents created by the user that Delve considers to be “of interest” to them. If you don’t want your documents showing up in other peoples’ Delve dashboards, you should disable this setting.

Setting Delve feature settings in Office 365
Delve Feature settings

Delve’s Two New Export Settings

The Documents setting and those controlling if you want to use MyAnalytics (now available to all Office 365 E3 users) and receive a weekly email digest about your activities have existed for a while and are reasonably well know. What’s interesting is that two new settings have appeared at the bottom of the list. These choices allow the user to export data from Delve and seem to have been added as a result of GDPR. At least, that’s what you might conclude from the URL used for the pages that display exported data (in my case, https://eur.delve.office.com/GdprExport.aspx?datatype=delvedata).

The two options are to Export data from Delve and Export list of relevant documents. The former exports your favorites and settings information from Delve including boards, people, and documents. The latter lists the set of documents that the Office Graph considers most relevant to the user.

The Meaning of Export

In the mind of most, “Export” implies that data is neatly extracted from a source and packaged into a form that it can be taken and used elsewhere. In the case of these export options, Delve displays a web page full of JSON-formatted information. For instance, here’s the totally understandable extract about a board used to classify items in Delve.

“FavoriteBoards”: [ { “ItemClass”: “FavoriteTag”, “Id”: “RgAAAACyPcnnN7H0QJfC24p9x6tEBwB9Uc0UOBLtRZ-anCKgnmWOAAAAAAEWAAB9Uc0UOBLtRZ-anCKgnmWOAACbw9EtAAAA0”, “Title”: “Fifth Edition”, “ContentItemMetadataSource”: 0 },

And here’s what you see about a relevant document. As you can see, the information is as clear as daylight unless you are fluent in JSON and communicate in this format:

{ “Title”: “Vacation Options 2016”, “Address”: “https://office365itpros.sharepoint.com/sites/confidentialstuff/Shared%20Documents/Vacation%20Options%202016.docx”, “ReasonForTrending”: “{\”ActorAadId\”:\”cad05ccf-a359-4ac7-89e0-1e33bf37579e\”,\”Email\”:\”jryan@office365itpros.com\”,\”Name\”:\”James Ryan\”,\”ModifiedTime\”:\”2018-11-14T19:57:00.182+00:00\”}”, “Rank”: 2

Delve Complies with GDPR

You can export the content by copying it and pasting it into somewhere more reasonable, like a Word document. But in reality, this rudimentary implementation smacks of being done with the least possible effort to be able to say that Delve complies with the need under GDPR to extract all personal information from Office 365 should someone ask for it in an Article 15 Data Subject Request (DSR). The DSR functionality available in the Office 365 Security and Compliance Center doesn’t include Delve data (it also misses Yammer), so you have to take some manual steps to ensure that all possible data is exported to meet a DSR.

We cover Delve in Chapter 9 of the Office 365 for IT Pros eBook. We also have quite a lot to say about GDPR DSRs, but that content is in Chapter 20.

3 Replies to “Exporting User GDPR Data From Delve”

  1. Tony, thanks for the coverage / analysis above. A couple of thoughts as I read what you wrote:
    – since this is an end user driven process – done by a user for their data – I don’t view it as part of an organisation responding to a GDPR DSR. That should be an organisation-level process, done by someone other than the requestor of the data access request.
    – since Delve surfaces signals and points at interesting / potentially relevant content, I think the export design is fine. It shows the signals and the reasoning, not the content directly.
    – another requirement under GDPR is for the right of data portability. As I read your analysis above, I wonder if this is what the export process is getting at. It’s in a machine-readable format (as is recommended by GDPR) and it includes the signals. How useful this would be when transferred to another service, though, is the larger question.

    Reply

    1. While an admin can cope with JSON, don’t you think that a user deserves to have something more usable output? By all means keep the JSON if that makes it easier to take the data elsewhere (as you point it, there’s probably not much hope of that), but also give something more usable – like output to a CSV file in formatted columns.

      Reply

      1. Maybe. But it depends on what it has to be used for. If it is to be read by the user – this document and that document are potentially useful to me – then agreed, the output format should be more user readable. But if it is an attempt to cover the right of data portability, machine-readable is the requirement / standard, so I’m indifferent / think what’s given is fine.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.