Microsoft Priva – How to create a Privacy Management Policy

Share on facebook
Share on linkedin
Share on twitter
Share on email
Share on facebook
Share on linkedin
Share on twitter
Share on email

Privacy is top of mind for organizations and consumers today, and concerns about how private data is handled are steadily increasing. Regulations and laws such as the European Union’s General Data Protection Regulation (GDPR) impact people around the world, setting rules for how organizations store personal data and giving people rights to manage personal data collected by an organization.

To meet regulatory requirements and build customer trust, organizations need to take a “privacy by default” stance. Rather than manual processes and a load of tools, organizations need a comprehensive solution to address common challenges such as:

  • Protecting the increasing amounts of unstructured data from privacy issues arising from human error
  • Helping employees adopt sound data handling practices and training them to spot and fix issues
  • Understanding the potential risks in the amount and type of personal data they store and share
  • Fulfilling data subject requests, or subject rights requests, efficiently and on-time

Privacy management for Microsoft 365 helps you meet these challenges so you can achieve your privacy goals.

How privacy management helps your organization

Privacy management provides capabilities that can help you with:

  • Proactively identify and protect against privacy risks such as data hoarding, problematic data transfers, and data oversharing
  • Gain visibility into the storage and movement of personal data
  • Empower employees to make smart data handling decisions
  • Enable users to effectively manage data and take steps to comply with evolving privacy regulations
  • Manage subject rights requests at scale

Privacy management capabilities are available through Microsoft Priva and offers two products: Priva Privacy Risk Management, which provides visibility into your organization’s data and policy templates for reducing risks; and Priva Subjects Rights Requests, which provides automation and workflow tools for fulfilling data requests. You can choose to purchase one or both modules to suit your organization’s needs.

Confirm subscriptions and licensing

Privacy management is available within the Microsoft 365 compliance center and can be purchased by organizations with the following licenses:

  • Microsoft 365 E3, E5, A3, A5
  • Office 365 E1, E3, E5, A1, A3, A5

In this blog I’m going to take you through the process when creating a custom Privacy management Policy via Priva Privacy Risk Management. With a custom policy you can use a guided process to customize a template with your own settings. Out of the box there are four policy templates available:

  • Data overexposure
  • Data transfers
  • Data minimization
  • Custom

Before we start the process of creating a custom Privacy management Policy I want to guarantee that when usernames appear in privacy management features their actual names are anonymized to mask their identities. You can adjust this setting in the following location:

Privacy management Policies>Settings>Anonymization (see screenshot). At this location it is also possible to adjust things like Data retention periods and Data review tags, but I will not consider these in the context of this blog.

Creating a custom policy



Let’s start creating a custom policy now that the privacy setting is correct. Click Privacy management Policies and click on “Create a policy” in the top right corner. Scroll down and choose (custom) Create.

Data minimization



By means of this policy we want to reduce unnecessary and unused personal data. That is why we choose the “Data minimization” option. Provide the policy with a name and a clear description and click “Next”.

Individual sensitive information types



For this blog I have chosen not to use Classification groups, but Individual sensitive information types. I have chosen to add Dutch citizen service numbers, Dutch Drivers license numbers and Dutch passport numbers. Click “Next” at the bottom of the page to continue.

Apply this policy to all groups and users



Select here if the policy applies to all groups and users or applies to a specific group and users. I have chosen to . Click “Next” at the bottom of the page.


I have left all the settings as default, but you can, for example, indicate a specific SharePoint site. Click “Next” to continue.

Policy conditions


Choose the conditions for the policy. In my case, I chose for “Items hasn’t been modified in the previous 60 days”. Click “Next” to continue.

Policy conditions


You can choose to send a notification email to users when there is a policy match detection. Include a link to your preferred privacy training to help prevent future occurrences. I have chosen not to use this option. Click “Next” to continue.



Decide the frequency of alerts to admins when a policy match is detected. I have chosen not to generate alerts in this blog. There are several options available here, so be sure to check out all off the options available there.

Microsoft Priva Alerts



When a policy runs in test mode, it won’t send user notification emails when a match is detected. You can view insights generated by matches and adjust settings while in test mode. If you toggle the switch to “Off,” your policy will be turned on and will generate user notifications. I chose to run in test mode first. Click “Next” to continue.

Microsoft Priva policy mode

Review the chosen settings and click “Submit” to complete the policy creation process.

Review settings


As you can see it is quite easy to create a policy and in the context of this blog a policy to clean up unnecessary and unused personal data.


Our latest articles

Want Craft updates sent straight to your inbox?

By clicking send you'll receive occasional emails from Craft. You always have the choice to unsubscribe within every email you receive.



Want CRAFT updates sent straight to your inbox?