GDPR user consent for external users in SharePoint Online
https://sharepoint.stackexchange.com/questions/247435
-
21-01-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I've been looking around the entire World Wide Web it feels like regarding GDPR user consent and SharePoint Online. One of the main "corner-stones" of GDPR is to collect and store the consent from the users, they agree on how their data will be processed.
The built-in GDPR support in Office 365 only concerns content of stored documents. The user profiles and user activities (e.g. version history of files) are never mentioned.
In SharePoint (and other Office 365 services such as Teams) there is no standard way to customize a greeting-page at the first login from external users, hence we have no way of collecting consent for how their data will be processed (other than via manual steps).
Am I imagining that the user profiles and user activities should be considered as privacy data and that explicitly collected user consent is necessary from a GDRP perspective?
If I am not imagining, am I missing some built-in functionality in SharePoint Online or Office 365 that could be used? The only things I can come up with are custom javascript solutions or some custom scheduled job sending out consent-emails.
Edit 2018-09-14 Since SharePoint is often used B2B as part of some collaboration, it could in most cases be considered as a tool for "Contractual fulfillment" as defined by GDPR, hence explicit consent should not be necessary.
Edit 2019-07-12 There is support for Terms of Use in Azure AD Premium that is displayed to external users. This will in effect record the consents by the users.
Solution
As far as I know there are no options for consent pages. If you need it for GDPR is hard to say, as it depends on your company policies to be compliant.
On way you could to this, is requesting consent after sign-up. If you detect a new external user in AAD, send him an e-mail to give consent and if he doesn't react or denies, delete all his data from the tenant. Than you control it no matter where the user receives an invite from (SPO and Teams are not the only places where you can invite external users).
