Protecting your Data with Microsoft 365

What we use your personal data for	Our reasons
Creating and managing your account with us	To perform our contract with you or to take steps at your request before entering into a contract
Providing products and/or services to you	To perform our contract with you or to take steps at your request before entering into a contract
Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us	To comply with our legal and regulatory obligations
Enforcing legal rights or defend or undertake legal proceedings	Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e. to protect our business, interests and rights
Customising our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website	Depending on the circumstances: — your consent as gathered e.g., by the separate cookies tool on our website—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price If you have provided such a consent, you may withdraw it at any time by changing the setting on the cookies tool (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive or to check our website is working as intended	Depending on the circumstances: — your consent as gathered by the separate cookies tool on our website]—see ‘Cookies and other tracking technologies’ below — where we are not required to obtain your consent and do not do so, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price If you have provided such a consent you may withdraw it at any time by clearing your cookie settings and rejecting when you revisit our website (this will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn)
Communications with you not related to marketing, including about changes to our terms or policies or changes to the products AND/OR services or other important notices	Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Protecting the security of systems and data used to provide the services	To comply with our legal and regulatory obligations We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, i.e., to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us
Statistical analysis to help us understand our customer base	For our legitimate interests, i.e., to be as efficient as we can so we can deliver the best service to you at the best price
Updating and enhancing customer records	Depending on the circumstances: — to perform our contract with you or to take steps at your request before entering into a contract — to comply with our legal and regulatory obligations — where neither of the above apply, for our legitimate interests, e.g., making sure that we can keep in touch with our customers about existing orders and new products
Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, e.g. to record and demonstrate evidence of your consents where relevant	To comply with our legal and regulatory obligations
Marketing our services to existing and former customers	For our legitimate interests, i.e., to promote our business to existing and former customers See ‘Marketing’ below for further information
The audit of our ISO certifications (to the extent not covered by ‘activities necessary to comply with legal and regulatory obligations’ above)	For our legitimate interests, i.e., to maintain our accreditations so we can demonstrate we operate at the highest standards
To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary	Depending on the circumstances: — to comply with our legal and regulatory obligations — in other cases, for our legitimate interests, i.e., to protect, realise or grow the value in our business and assets

Recipient	Processing operation (use) by recipient	Relevant categories of personal data transferred to recipient
Google	We use Google Analytics (GA4) cookies to collect data about the visitors to the site which includes the number of visitors, session duration, pages visited during the session etc. and whether visitors return. Google Analytics will assign a unique “ID” to a user of the boxxe website at the point they register an account with us for the purpose of tracking their activity on the boxxe website. This information is anonymous and cannot be used to identify you personally unless you end up becoming a boxxe customer. Google Analytics cannot use the ID to work out who you are.	Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Google Analytics stores this information on our behalf in a pseudonymized user profile.
Hotjar Ltd	We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. Hotjar is contractually forbidden to sell any of the data collected on our behalf.	This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile.
Klevu	Klevu offers a machine learning algorithm which takes several parameters into account when establishing what a customer may like and eventually buy on the store. Javascript keeps track of what customers are searching for and visiting. These products visited by these customers and any recent search queries fired by them are used as a context to the search queries fired by them. Klevu perform semantic and statistical analysis of this data to identify the intent and to build multiple, product-noun (e.g. bag, shoe, chair) specific profiles of preferences. Klevu also employs a method called collaborative filtering, which involves analyzing the history of other customers who have or had performed similar searches and visited products similar to the products visited by the current customer. Only those products that are relevant to the current search query are picked up and analyzed to identify common factors within them.	Device’s IP address (processed during your session and stored in a de-identified form) geographic location (country only), and the preferred language used to display our website. Klevu stores this information on our behalf in a pseudonymized user profile.
Dotdigital	Dotdigital is a SaaS cross-channel marketing automation platform and services provider that helps brands devise successful, personalized marketing campaigns across multiple channels (e.g. email). Paired with its Microsoft Dynamics 365 CRM integration, boxxe is able to deliver tailored marketing to its customers.	Contact data (such as email address, contact number, name or other contact details), marketing preferences, IP address and usage information (including online navigation data, location data and browser data).

Recipient country	Recipient	Processing operation (use) by recipient	Lawful safeguard
Ireland	Hotjar	Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile.	Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 https://www.hotjar.com/legal/support/dpa/
USA	Stripe Inc	In order to facilitate online payments through boxxe’s ecommerce portal, where applicable, Stripe may Process Payment Account Details, bank account details, billing/shipping address, name, date/time/amount of transaction, device ID, email address, IP address/location, order ID, payment card details, tax ID/status, unique customer identifier, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports).	UK Data Transfer Addendum https://stripe.com/gb/legal/dpa
EEA	Vaimo	Vaimo has access to certain categories of boxxe customer personal data (names, addresses, DOB, email, number, location, device and diagnostic data, connection data), by virtue of hosting the boxxe website.	Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. Vaimo also has a legally valid intra-group agreement in place and no data is transferred to any entity who is not a party to it.
EEA	Dotdigital	Boxxe will provide certain information about its customers to Dotdigital in order for it to be able to provide automated marketing services that are tailored to its specific customer interests.	Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018. https://dotdigital.com/terms/data-processing-agreement/


Access to a copy of your personal data	The right to be provided with a copy of your personal data
Correction (also known as rectification)	The right to require us to correct any mistakes in your personal data
Erasure (also known as the right to be forgotten)	The right to require us to delete your personal data—in certain situations
Restriction of use	The right to require us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data
Data portability	The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object to use	The right to object: — at any time to your personal data being used for direct marketing (including profiling) — in certain other situations to our continued use of your personal data, e.g. where we use your personal data for our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims
Not to be subject to decisions without human involvement	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you We do not make any such decisions based on data collected by our website
The right to withdraw consents	If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time You may withdraw consents by emailing ecommerce@boxxe.com Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn

Home
News & Resources
Insights
Protecting your Data with Microsoft 365 | Insight

Better information protection

Information Protection allows organisations to discover, classify, label, and protect sensitive documents and emails whether stored in the data centre or cloud

Protecting your data is business-critical

Unfortunately, in this age the risks to your organisation's data are many. Whether that is external from hackers, malware or specifically ransomware, or internal such as intentional or un-intentional data exfiltration from your own employees, protecting your data is critical to ensuring you stay in business and out of the spotlight for the wrong reasons.

The last thing any CIO needs is a data breach and the fines, damage to reputation and loss of intellectual property that comes with it. The worst part of this is that it affects every organisation from the most highly regulated banks to the small retail business. After all, we all have important information now, and we all have to adhere to data protection compliance regulations such as GDPR.

So, we all have data, but how do we approach the task of managing it?

Firstly it is important to know your data. What data you have, where it is stored and the type of data that it is
You need to classify it test
Apply protection including encryption, access restrictions and visual markings
Prevent accidental oversharing of sensitive information whether intentional or un-intentional
Automatically retain, delete, and store data and records in a compliant manner

This all sounds like a lot of work already; a rock you may wish you'd never looked under. Luckily for us, Microsoft 365 gives us a wealth of technologies that can help to protect our data whether it is held on-premises in our data centre or in the cloud. Let's explore the various data protection products that are available within Microsoft 365.

Microsoft information protection (MIP)

Information protection allows organisations to discover, classify, label, and protect sensitive documents and emails whether stored in the data centre or cloud. Once you have configured your labels such as 'General', 'Confidential' and 'Highly Confidential' you can associate protection rules to those classifications. For example, preventing a 'Highly Confidential' document from being sent external to your organisation or from being printed or forwarded beyond its intended recipient.

Microsoft Information Protection works seamlessly with Microsoft office applications such as Word, Excel and Outlook, but it also works with PDFs and other file types. It will protect your data in:

SharePoint
OneDrive
Exchange
Teams

MIP can can be set up to scan and protect your on-premises or Azure server data.

Information protection has evolved over time and has had various names over the years however they pretty much refer to similar services. So, if you see 'Microsoft Information Protection', 'Information Protection', 'Azure Information Protection', 'Azure Rights Management', 'MIP', 'AIP', or 'RMS', they pretty much equate to the same product but like rings in a tree stump they tell a story of its evolution over time.

At times it may seem that Microsoft is changing product names relatively often, but there is more to it than simply name changes for the same products. MIP is an improvement upon Azure Information Protection and therefore also the further evolution of Rights Management. Think of Microsoft Information Protection as Azure Information Protection that also includes data stored on devices as well as email and SharePoint, OneDrive, and Teams. Microsoft Information Protection is going the extra mile to cover end user devices and is therefore a more end-to-end data protection solution.

There are two tiers of Information Protection:

Plan 1 (E3) which allows you to classify and protect documents as stated above, but there is also a higher tier
Plan 2 (E5) which gives you auto-classification. Auto-classification removes the possibility of a user intentionally or un-intentionally classifying data incorrectly.

Data loss prevention

Data loss prevention allows you to prevent certain types of data from leaving the organisation. These types of data may include national insurance numbers or credit card numbers. It can be setup to prevent data from leaving or setup to notify of data that has left. DLP can work standalone or arm-in-arm with Information Protection. There is also a higher tier plan with DLP called “Communication DLP for Teams” which blocks chats and channel messages that contain sensitive information.

Insider risk management

Insider risk management is a solution that helps minimise and prevent internal risks. It enables you to detect, investigate and act upon risky activities happening within your organisation. Analysts can quickly review detections and implement actions to ensure users are compliant against your standards and data is protected accordingly.

Microsoft cloud app security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) solution that gives your organisation visibility into their use of cloud apps and services, and provides analytics to identify and protect against cyber threats. It also allows you to control how your data travels across cloud applications. MCAS is a powerful tool when connected into your existing estate. It can use the data from your firewalls or web proxies to understand exactly what your users are doing and especially what they are doing with your data, and what shadow applications or services they maybe using without your knowledge.

Microsoft information governance

The last of our favourites of the Microsoft 365 data protection products is Information Governance. Retention is hugely important in the GDPR age and Information Governance allows you to control data across your applications, looking beyond Microsoft and into third party applications such as Facebook, Twitter, LinkedIn, and WhatsApp. There are many third-party connectors which work to control your data in several ways: Retention, Litigation hold eDiscovery, Records management, Communications Compliance

What licensing options do I have?

There are a lot of different licensing plans and add-ons that you can choose from so it can be confusing. We have created the following table to help explain the options available.

Product	EMS E3 / A3	*EMS E5 / A5**	*Microsoft 365 E5 / A5**	Microsoft 365 E3 / A3	Microsoft 365 E5 / A5 Compliance**	*Microsoft 365 E5 / A5 Info Protection and Governance**	Microsoft 365 E5 * / A5 Insider Risk Management *
Information Protection Plan 1	Y	Y	Y	Y	Y	Y	X
Information Protection Plan 2 (Auto classification)	X	Y	Y	X	Y	Y	X
DLP	X	X	Y	Y	Y	Y	X
Communication DLP for Teams	X	X	Y	X	Y	Y	X
Microsoft Cloud App Security	X	Y	Y	X	Y	Y	X
Insider Risk Management	X	X	Y	X	Y	Y	Y
Microsoft Information Governance	X	X	Y	X	Y	Y	X

This article was written by Matt Fooks, boxxe's Workplace Pre-Sales Solutions Architect. Contact us to book a free consultation with Matt.

Interested?

Call the number below or complete this form to book your free consultation with Matt Fooks.

0330 236 9429

First name

Last name

Contact number

Email address

Company name

Sector

Institute

Message (optional)

I would like to receive news and updates:

by email

by SMS

By completing this form you are agreeing to boxxe's terms & conditions and privacy policy.

* Microsoft 365 Insider Risk Management also licenses several other compliance products not mentioned in this post such as Communication Compliance, Information Barriers, Customer Lockbox and Privileged Identity Management

** Microsoft 365 E5 Compliance licenses everything in the table plus the Insider Risk Management and other great compliance features

Explore our bestselling computers

Explore our bestselling accessories

Latest Case Studies

Didcot Railway Centre IoT CCTV

Derbyshire Healthcare NHS Foundation Trust Data Migration

Joe Browns - Virtual Desktop Success Story

Helpful Insights

The boxxe Community

Already a customer?

Already a customer?

Protecting your information is business-critical. Get the right data protection with boxxe's Microsoft 365 service

Better information protection

Information Protection allows organisations to discover, classify, label, and protect sensitive documents and emails whether stored in the data centre or cloud

Protecting your data is business-critical

Microsoft information protection (MIP)

Data loss prevention

Insider risk management

Microsoft cloud app security

Microsoft information governance

What licensing options do I have?

Interested?

General

Types of data we collect

If you fail to provide personal data

How your personal data is collected

How and why we use your personal data

Marketing

Who do we share your personal data with

Who do we share your personal data with - in more detail

Overseas transfers and sharing personal data with sub-processors

Transferring your personal data out of the UK - in more detail

How long your personal data will be kept

Data Security

Cookies and other tracking technologies

Your Rights

Policy Changes

Contact Us

Explore our bestselling computers

Explore our bestselling accessories

Latest Case Studies

Didcot Railway Centre IoT CCTV

Derbyshire Healthcare NHS Foundation Trust Data Migration

Joe Browns - Virtual Desktop Success Story

Helpful Insights

The boxxe Community

Already a customer?

Already a customer?

Protecting your data with Microsoft 365

Protecting your information is business-critical. Get the right data protection with boxxe's Microsoft 365 service

Better information protection

Information Protection allows organisations to discover, classify, label, and protect sensitive documents and emails whether stored in the data centre or cloud

Protecting your data is business-critical

Microsoft information protection (MIP)

Data loss prevention

Insider risk management

Microsoft cloud app security

Microsoft information governance

What licensing options do I have?

Interested?