Data transfer policies in privacy risk management

Transferring personal data presents risks, especially when the data leaves your organization, or moves between certain departments or geographic locations within it. For example, if personal data is sent in unencrypted email or to unauthorized recipients, it may no longer be protected. Data transfers like these can have regulatory impact or may violate your organization's established privacy practices.

Data transfer policies in Microsoft Priva Privacy Risk Management allow you to monitor for personal data transfers outside of your organization, as well as internal transfers between different departments or countries or regions. When a policy match is detected, you can send users notifications in Microsoft Teams or emails with remediation options that include revoking access to, keeping, or deleting items (see details at step 10 of the policy creation process).

The policy setup process makes it easy to set policy conditions. You control alert timing, the frequency of notification emails, and the in-the-moment tips in Microsoft Teams that bring users' attention to safe data handling practices.

There are two ways you can create a policy: from a template, which is our quick "out-of-box" option using default settings; or the custom option, which is a guided process for setting conditions, alerts, and notifications.

Quick setup: Use a template with default settings

The default data transfer policy detects when personal data is sent to recipients outside of your organization. For example, it spots when a user in your organization sends an Exchange email to an external recipient in the To, Cc, or Bcc fields.

Follow these steps to create a default data transfer policy:

  1. Sign in to one of the following portals using credentials for an admin account in your Microsoft 365 organization:

  2. Go to the privacy risk management solution and select the Policies page.

  3. Select Create a policy.

  4. In the Data transfers box, select Create.

  5. A flyout pane contains policy details. Selecting View settings will show the default settings. You can edit settings from here, which takes you into the guided process outlined below. To continue creating your policy using the default settings, simply enter a descriptive name, then select Create policy.

Your policy will be created and you'll find it listed on your Policies page. It begins in test mode so you can monitor how it performs before turning it on.

Default data transfer policy settings

A data transfer policy created from the template will detect:

  • When personal data within your organization is transferred to or shared with a recipient or location outside of your organization.

  • When personal data is shared externally from any of these locations within your organization:

    • Exchange. Example: sending an email containing personal data to a recipient email address that's outside of your organization.
    • OneDrive and SharePoint. Examples: sending a link to a file or site that contains personal data to someone outside of your organization; copying or moving a file to a OneDrive or SharePoint location that sits outside of your organization.
    • Teams. Example: sending a Teams chat message containing personal data to a recipient who's outside of your organization.
  • Types of data based on the following classification groups:

    • EU General Data Protection Regulation (GDPR)
    • US personally identifiable information
    • US Patriot Act
    • US State Breach Notification Law
    • US Gramm-Leach-Bliley Act (GLBA)
    • US Health Insurance Portability and Accountability Act (HIPAA)
    • Australia Health Records Act (HRIP)
    • Australia Privacy Act
    • Japan personally identifiable information
    • Japan Protection of Personal Information

Custom setup: Guided policy creation process

The custom policy option is a guided process to create a new policy by setting conditions, designating alert severity and frequency, and turning on user email notifications.

Complete the steps below to create a new data transfer policy:

  1. Sign in to one of the following portals using credentials for an admin account in your Microsoft 365 organization:

  2. Go to the privacy risk management solution and select the Policies page.

  3. Select Create a policy.

  4. In the Custom box, select Create.

  5. On the Name and type page, select the Data transfers policy template. Enter a policy name that will help you easily identify it from your list on the Policies page, and enter an optional description, then select Next.

  6. On the Data sources page, select all the data sources in Microsoft 365 that you want the policy to cover. Choose from Exchange email accounts, OneDrive accounts, Teams chat and channel messages, and SharePoint sites.

    Within SharePoint, you can designate all sites or specific sites. If you select Specific SharePoint sites, you can enter the site URL in the URL field. You can also select +Choose sites, then on the flyout pane, check the box to the left of the site name you want to select.

    Learn more about choosing data sources. When you're done, select Next.

  7. On the Data to monitor page, choose the type of personal data you want your policy to monitor. There are two options:

    • Classification groups: groupings of sensitive information types that are used to detect content related to personal data or specific regulations. If you select this option, you'll then need to select +Add classification groups to choose one or more groups from the list provided.
    • Individual sensitive information types: select this option to choose from a list of individual sensitive information types.

    Learn more about choosing data to monitor. When you're done selecting data to monitor, select Next.

  8. On the Users and groups page, choose which users in your organization the policy will apply to. You can select all individual users and all Office 365 distribution groups, or you can select specific users and groups. Learn more about choosing users and groups. When you're done, select Next.

  9. On the Conditions page, select which type of data transfer condition the policy will detect:

    • Transfers outside your organization: Detects transfers from users or groups inside your organization to external or guest users outside of your organization.
    • Transfers across country boundaries or regions: For this option, you'll select a sender region and a recipient region. Choose your designated countries or regions from the flyout panes that appear, then select Add.
    • Transfers between users: Detects transfers based on users' Microsoft Entra attributes, such as department, postal code, or job title.
    • Transfers between Microsoft 365 groups: Detects transfers between users of any two Microsoft 365 groups. This includes Exchange mailboxes and SharePoint sites associated with the groups.
    • Transfers between SharePoint sites: Detects when an item containing personal data has been copied or moved from one SharePoint site to another SharePoint site.
  10. On the Outcomes page, decide whether to notify users when policy conditions are met. You can choose one or both of the following options, or choose neither by leaving the checkboxes blank:

    • When content matches the policy condition, give users policy tips and recommendations: Data handling tips will appear in a user's instance of Microsoft Teams when they take an action that matches the policy's conditions. You must provide a URL for your preferred privacy training, which will also appear in the tip.

    • Send a notification email to users when a policy match occurs: Users receive an email notification when their actions match policy conditions. After you check the box, you can preview and edit the email, then set the frequency and provide a link to privacy training (learn more about notification emails). The remediation options in the emails depend on the data source:

      • From SharePoint or OneDrive - the remediation options are Revoke access and Keep.
      • From Teams - the remediation options are Trash and Keep.
      • From Exchange - the remediation option is Keep.

      When you're done defining outcomes, select Next.

  11. On the Alerts page, use the toggle switch to turn on alerts that an admin will see on the Alerts page in the Policies section of Privacy Risk Management. You'll designate how frequently alerts are generated, thresholds for matches before alerts are generated, and alert severity. Learn more about setting alerts for policy matches. When you're done, select Next.

  12. On the Mode page, choose which mode to put the policy in: Test it out first or Turn it on right away. In test mode, no alerts or notifications will be sent. Learn more about recommendations and what to analyze when testing a policy. When you're done, select Next.

  13. On the Finish page, review your choices. Select Edit underneath any of the sections in order to adjust settings. When you're satisfied with your policy's settings, select Submit to create the policy.

After a few seconds, you'll see a confirmation that the policy was created. Select Done on the confirmation page, which will take you to the Policies page where you'll see the new policy at the top of the table.

Next steps

Visit Privacy Risk Management policies for details about how to edit and manage policies.
