iGlobe CRM Office 365 and the related Add-ins and General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) strengthens the right of individuals in the European Union (EU) to control their personal data and requires organizations to bolster their privacy and data protection measures. It applies to organizations established in the European Union (EU) as well as organizations, wherever they are located, that offer goods and services to the EU or monitor the behavior of individuals in the EU. Enforcement of the regulation begins May 25, 2018.

It all comes down to personal data. GDPR analysis begins with understanding what data exists and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. Data can reside in:

  • Customer databases
  • Feedback forms filled out by customers
  • Email content
  • Photos
  • CCTV footage
  • Loyalty program records
  • HR databases


iGlobe CRM Office 365 and the connected Office Add-ins are built on and into the Microsoft Office 365 platform. The App, Add-ins and the data are all on your Office 365 tenant and therefore in many regards follow the same compliance as Microsoft Office 365.

Office 365 includes powerful tools to identify personal data across Exchange Online, SharePoint Online, OneDrive for Business, and Skype for Business environments. Content Search allows you to query for personal data using relevant keywords, file properties, or built-in templates. Advanced eDiscovery lets you identify relevant data faster and with better precision than traditional keyword searches by finding near-duplicate files, reconstructing email threads, and identifying key themes and data relationships.

The following questions and answers show the GDPR compliance of iGlobe CRM and iGlobe Add-ins.

Search for and identify personal data. The GDPR has many requirements about how you collect, store, and use personal data, making it necessary to first identify the personal data you hold about data subjects.

iGlobe CRM provides multiple methods for you to search for personal data within records such as: Advanced Search, Quick Find, marketing Search, and Filters. These functions all enable you to identify personal data.

Classify personal data. The GDPR has many requirements to enable the rights of data subjects. This makes it necessary to classify personal data.

iGlobe CRM offers flexibility to build out an application extension around data classification. Using SharePoint Online as the backend of iGlobe CRM, customers can configure Views to look for personal information based on GDPR requests. At the Row level, data classification can be implemented using solution customization. Besides that, Office 365 has multiple tools to classify data and assign protections such as access restrictions, encryption, and policies to enforce deletion and retention. Advanced Data Governance helps you identify, classify, and manage data and sensitive data, as well as apply retention and deletion policies to help protect data. Office 365 data loss prevention (DLP) policies can automatically apply restrictions on access to and sharing of data.

Receive requests for the rectification, erasure, or transfer of personal data. The GDPR requires that a controller processing personal data must enable data subjects to exercise their rights by giving them a way to submit requests to rectify, erase, or transfer their personal data.

iGlobe CRM provides users with several tools to erase and edit personal data associated with data subjects as well as employee user accounts. Users can also manually track requests for rectification. Office 365 provides a suite of productivity applications that you can use to manually track requests for rectification, erasure, or transfer of personal data. For example, organizations can use SharePoint Online to manually track and manage data subject rights requests. Office 365 allows you to manage requests from data subjects in a central location by using Exchange Online mail flow rules to route mail with certain keywords, such as data subject rights or erasure, to specific mailboxes. This allows you to create a customized process for receiving, managing, and responding to these requests.

Rectify inaccurate or incomplete personal data regarding data subjects. The GDPR requires controllers who process personal data to enable data subjects to request rectification of "inaccurate personal data" and the completion of "incomplete personal data."

iGlobe CRM offers you several methods to rectify inaccurate or incomplete personal data. You can export data to Excel Online to quickly bulk edit multiple iGlobe CRM records, then reimport them to iGlobe CRM. You can also amend personal data stored as Contacts by manually amending the data element containing the target personal data. You can also use iGlobe CRM to edit a single row directly or modify multiple rows directly.

Erase personal data. Under the GDPR, all data subjects have the right to request the erasure of their personal data by controllers.

iGlobe gives you several methods for erasing data regarding a data subject. Once the data is identified, the Administrator role in iGlobe CRM lets you locate the data and directly delete records.

Provide data subjects with their personal data in a common, structured format. Under the GDPR, data subjects have the right to portability of their data. This means they can request and receive their personal data from controllers in a structured, commonly used, and machine-readable format.

iGlobe CRM data can be exported to a static Excel file to facilitate a data portability request. Using Excel, you can then edit the personal data to be included in the portability request and then save as a commonly used, machine-readable format such as .csv.

Restrict the processing of personal data. Under the GDPR, data subjects may request a temporary restriction of processing activities utilizing their personal data in certain circumstances, for example if a data subject objects to the processing of that data, but the controller has a legal requirement to retain it. Controllers may need to employ technical means to prevent a specific data subject's personal data from undergoing certain processing activities.

iGlobe CRM helps to protect sensitive information and service availability as required by the GDPR by incorporating security measures at the Office 365 platform and service levels. iGlobe CRM is built on the security model set by Microsoft Office 365. Office 365 Data Loss Prevention (DLP) policies enable you to set limits on the processing of the personal data of specific data subjects by implementing processes such as preventing sending the data in email or restricting access to it on SharePoint Online.

Data protection and privacy by design and default. The GDPR requires controllers who collect or process personal data to ensure that their activities and supporting technology are built to include data protection and data privacy principles.

iGlobe CRM is based on Microsoft Office 365 services and is developed utilizing the Microsoft Security Development Lifecycle.

Secure personal data, such as through encryption. The GDPR requires controllers who collect or process personal data to ensure that their activities and supporting technology are built to include data protection and data privacy principles.

All data in iGlobe CRM is on the customer's own Office 365 account. Office 365 encrypts all customer content at rest and in transit using multiple encryption technologies, such as BitLocker, Azure Storage Service Encryption, and Office 365 Service Encryption. In addition, each Office application, such as Word, Excel, and PowerPoint, enables you to encrypt documents. OneDrive for Business and SharePoint Online encrypt all personal data in transit. By default, all Skype-to-Skype voice data, video data, file transfers, and instant messages are encrypted. By default, Exchange Online encrypts communications between Office 365 and Exchange Online servers and between Exchange Online customers. Customer data within Office 365 is protected by various forms of encryption and is encrypted both at rest and in transit. For data at rest, Office 365 uses BitLocker, Azure Storage Service Encryption, and Office 365 Service Encryption. For data in transit, Office 365 uses multiple encryption technologies, including Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Office 365 also includes additional customer-managed encryption options, such as message protection in Office 365, but regardless of customer configuration, customer content stored within Office 365 is protected using encryption.

Establish security controls that ensure the confidentiality, integrity, and availability of personal data. The GDPR requires that controllers implement appropriate technical and organizational measures to secure personal data. Those measures must be appropriate for the risk in question, taking into consideration the state of the art and the cost of measures.

iGlobe CRM Office 365 is based on SharePoint Online and offers multiple tools to help safeguard data according to an organization's specific security and compliance needs, including: Security concepts for iGlobe CRM 365, which help protect data integrity, and SharePoint role-based security, which allows you to group together two sets of privileges that limit the tasks a user can perform. The Admin Role gives access to the administration and configuration of iGlobe CRM and access to delete data. Using SharePoint Online sites and Groups with iGlobe CRM allows organizations to fully control access to data both internally and externally.

Detect and respond to data breaches

iGlobe CRM is based on Office 365, which provides several tools to help you prevent, detect and respond to data breaches.

Facilitate regular testing of security measures

iGlobe CRM is based on Office 365, which provides several tools to help you evaluate your security, including Office 365 Secure Score, which provides insight into your security posture, as well as the security features you have enabled.

Maintain audit trails to show GDPR compliance

iGlobe CRM is based on Office 365 and uses the Office 365 services. Office 365 provides you with the Unified Audit log to track and record processing activities across the Office 365 environment, including user and administrator activities in Exchange Online, SharePoint Online, and OneDrive for Business. You can use the Unified Audit log to record the resolution of data subject rights requests and log events associated with amending, erasing, or transferring personal data. Auditable events include file and page activities, folder activities, sharing and access request activities, Exchange mailbox activities, and user administration activities.

Only transfer personal data to third countries with required safeguards in place.

iGlobe CRM is an Add-in for Office 365 built on Office 365. All data is on your Office 365 tenant. Microsoft Office 365 lets you reduce the need for the transfer of personal data outside of the EU. During the initial setup of Office 365 services, customers with an EU billing address will have their Office 365 tenants provisioned in the EU, where their Exchange Online mailbox content, SharePoint Online site content, and files uploaded to OneDrive for Business are stored at rest. Additionally, Microsoft has made several contractual commitments related to Office 365 that enable the appropriate flow of personal data within the Microsoft ecosystem. Microsoft has implemented EU Model Clauses and is certified to the EU-US Privacy Shield framework.

Office 365 Information Protection for GDPR - By Microsoft

This solution demonstrates how to protect sensitive data that is stored in Office 365 services.

This solution includes prescriptive recommendations for discovering, classifying, protecting, and monitoring personal data. This solution uses General Data Protection Regulation (GDPR) as an example, but you can apply the same process to achieve compliance with many other regulations.