Microsoft menaced with GDPR mega-fines in Europe
"Microsoft menaced with GDPR mega-fines in Europe for 'large scale and covert' gathering of people's info via Office. Telemetry data slurp broke the law, Dutch govt eggheads say."
As you can imagine, the headline above (from The Register here) grabbed my attention. The Dutch government commissioned a Data Protection Impact Assessment (DPIA) on its use of Microsoft Office software, including Office 365.
Both Windows and Office collect information about how the software is used, i.e., telemetry and diagnostic data. For Windows, the data collected is documented and tooling (the Diagnostic Data Viewer) exists to inspect what is actually sent. No such documentation or tooling exists for Office, which is why the DPIA had to work out for itself what was being collected.
The part of the DPIA report (here) that I find most concerning is this: "Prior to this DPIA, Microsoft assumed the telemetry data were not personal data. As a result of this DPIA, Microsoft recognises that many diagnostic data about the use of the Office software and connected services, including the telemetry data, contain personal data."
Microsoft have agreed to remediate these issues, but I have to ask: how many other pieces of software, whether deployed on-site or in the cloud, are also collecting and storing information without the user being aware of it?
From a banking perspective, the security of user data is of paramount importance. What is the situation where a bank uses a cloud-provided application that collects and stores data about its users? Would the end users, or the bank itself, know about this collection unless they ran an investigation similar to a DPIA?
Given the size of GDPR fines (up to 4% of global annual turnover), and given that the bank, as data controller, remains accountable for what its software suppliers and cloud processors collect on its behalf, this appears to be another risk that must be investigated and resolved by bank compliance departments. As if they weren't busy enough already!