Fulfilling Data Subject Requests with Office 365

Now that the European General Data Protection Regulation (GDPR) is in force, it is more important that ever for organisations to understand what is expected of them when fulfilling Data Subject Requests (DSR), and how Office 365 can help. Having spoken to a number of clients about this, it is clear that most don't quite understand how utilising elements of O365 can actually make their job much simpler.

What is a Data Subject Request?

Under GDPR, individuals have the right to access their personal data. That is the key point. These requests can be made verbally or in writing, and organisations have one month in which to respond to such requests.

How do I fulfil a DSR within O365?

When logging into Office 365 (portal.office.com), navigate to the Security & Compliance Centre. Taking pride of place on the Security and Compliance home page is the GDPR Dashboard, which once you've clicked on that panel you'll be presented with the main dashboard that we're interested in.

On this dashboard you'll see the heading "Data subject requests" which allows me to either create a new DSR or view any cases which have already been investigated. Let's start by creating a new DSR by clicking on the blue bar titled "Create a DSR Case".

Name your case

Give your case a name which allows you to easily identify it later. When I have spoken with some of my clients about this, they have prepended a unique reference at the start along with something meaningful.

Request Details

This detail is one which, for me, can be a little bit confusing. It asks you to provide the Data Subject i.e. the name of the person who filed the request. This should read, the data subject of whom you are looking to find data for. When you first start typing in this box, it behaves a little like a user field, i.e. if you start typing the name of someone in your organisation then it will show them as a drop-down, however in reality you can put anything in this box.

Confirm your case settings

Ensure you are happy with the settings (you should be as it's only been 4 fields so far) and hit save.

Once the case has been saved, you have the option to run a search straight away, or hit finish and run the search later.

What have I got?

A default Search query has been built for me which takes into account the data subject and looks across everything within Office 365. This can then be further refined in order to determine exactly what you're looking for. In order to do this, you can modify the conditions of the search query, e.g. looking for specific compliance tags or dates.

I can also select which locations are going to be included in the search, either selecting All Locations or being more specific. If I did select to be more specific, the areas are broken down into three key categories:

  • Communications - searching across Exchange, Skype for Business, Teams messages, and To-Do
  • Content - SharePoint, OneDrive for Business, O365 Group sites, Teams sites
  • Exchange Public Folders

By default, All areas are included in the Search, however this can be reduced if needed.

Once I have configured my Search, I can then run it and see what results I get back.


One of the things that I really like about this area is that I can see results and statistics about my search. I get a preview of the Search results in the main body of the screen where I can click on a result and get a preview of the content.

I can then export a report of these results by click on the More button on the menu and selecting Export Report. Again there are a number of options which I have around this:

  • All items, excluding ones that have unrecognized format, are encrypted, or weren't indexed for other reasons
  • All items, including ones that have unrecognized format, are encrypted, or weren't indexed for other reasons
  • Only items that have an unrecognized format, are encrypted, or weren't indexed for other reasons

For the purpose of this I have selected the first (default) option, and then clicked Generate Report. This will go away and do something, although it's not immediately obvious what has happened because it will simply close generate report form. However, if you now click on "Export" you will see that you now have a report that you can download.

Warning: You can only use Microsoft Edge or Internet Explorer to download these reports

This is the part which I always forget as I use Google Chrome (sorry Microsoft but this is one product I've not bought into yet), so always end up having to switch just for this one action!!! So when I export the report now, I am prompted to download and run the Unified Export Tool.

As a security precaution, you must copy and past the export key generated from the Export window into the relevant box, and then tell it where to export the report to.

This application will then engage with Office 365 and download the data that it requires to compile the report. This export will simply create a CSV which contains details of all documents which are relevant to your Data Subject Request.

What I find more useful is if I select Export Results. The difference with this, is that it will export every piece of content related to my search into a folder structure which mirrors where it is found.

The Exchange folder will output a PST for each mailbox that it finds content in:

Likewise the SharePoint folder will output documents stored in both SharePoint and OneDrive for Business

So in the case of having to present the physical content that relates to this DSR, I now have everything in a folder which means I can respond. The export time obviously depends on the amount of content that needs to be exported, but generally this is quite quick, and certainly comes in well under the 1 month response time which is dictated by GDPR.

What we have just gone through is how to undertake and fulfil a Data Subject Request using Office 365. There will obviously be more of a process to be wrapped around this technical solution in order to fully meet the requirements of GDPR, however this will at least give you a starting point from an Office 365 perspective. The tools which Microsoft are offering are still, to me, surprisingly good and they are getting better and better. Security and Compliance as a whole remains to be an area of innovation and should be watched with great interest in the future.