In this blog post, we propose an efficient and user-friendly way to implement a data protection contact form based on existing Microsoft Office 365 solutions. The contact form is specifically built to fulfill the requirements for a General Data Protection Regulation (GDPR) inquiry. This solution could serve as a reference for similar business processes and can be extended to fit specific needs. It is also a practical demonstration of some of the capabilities offered by Microsoft Office 365 solutions, specifically SharePoint and Microsoft Power Automate automation.
What is GDPR?
The General Data Protection Regulation (GDPR) is a unified set of laws about data that applies across the 27 countries of the EU (following the U.K.'s exit).
As of May 25th, 2018, all companies that operate with EU consumer data, whether they are based in the EU or in non-EU countries, must comply with the data protection law for citizens of the European Union.
Important regulations to follow for any data which is being collected:
- Consent: All collected data on individuals by a company must have explicit consent from those individuals. Silence, pre-ticked boxes, or inactivity do not count as consent
- Portability: Clients have the right to request companies to move their personal data to another location or company, and those companies must be willing to do so even if the case concerns a direct competitor
- Deletion: Companies must delete personal data when requested by an individual
- Consumer profiling: Individuals can contest, object to, and request explanation for any automated decisions or decisions made by algorithms
- Protection: The GDPR has specific, strict data security requirements, and especially stronger enforcement. Data encryption is mandatory
- Breach notification: The GDPR has a specific definition of what constitutes a breach of personal or private data, along with strict and mandatory requirements for notifying affected users if a breach occurs
- Data Protection Officer (DPO): All companies that store or process large amounts of personal data must hire/appoint a data protection officer (DPO), who will drive data security and oversee GDPR compliance
As a result of the GDPR regulations, every company is required to offer a platform where individuals may request information regarding the access or storage of their data. Typical use cases are a user who wants clarification on data consent, wants their data to be moved or deleted, or simply needs a way to contact the Data Protection Officer (DPO).
Inquiry process
The proposed solution leverages different software solutions from the Office 365 suite:
The inquiry process is automated via two Power Automates: a request and a response Power Automate. All data is stored leveraging the SharePoint capabilities in a data protection list as well as an attachment documents library. The following is an overview of the inquiry process:
Faced challenges
1. Item Attachments vs. Document Library
Typically for a Data Protection Inquiry, one would like to send several documents with the response. The response Power Automate is therefore configured to automatically send all required documents as email attachments.
For our solution we have explored two different approaches for attachments management:
2. Document Sets vs. Folders
It is important to efficiently organize the attachments in a document library and achieve ease of access. For this purpose, we propose two approaches – Document Sets and Folders:
3. Modern & Branded Notifications
In the inquiry request and response Power Automate, we automatically send respective emails. We opted for the Send an Email (V2) action in Power Automate in combination with HTML templates.
Building HTML templates for Power Automate usage requires certain guidelines:
- Single column layout
- Tables for cross-platform compatibility
- Use inline CSS and avoid shorthand declarations
- Character encoders for special symbols
- Embed Base64 encoded images
- Don’t exceed the message size limitations
- Make use of placeholders for mapping against Power Automate dynamic content
- Preferably use tools for easier editing
Realization
Let’s build the above-mentioned GDPR request process with a step-by-step realization procedure. Prerequisites are some prior knowledge of the Office 365 Power Automate interface and the basics of the SharePoint REST API.
First, here is the complete Power Automate chart of the data protection request pipeline:
We will now go through the process and explain how to build the target functionalities in Flow.
Form Response & Trigger Request Workflow
The first step is the submission of a data protection form response. The form is built on top of MS Forms with out-of-the-box functionalities. It is an anonymous form that anyone who has its link can respond to. The form can be added to any webpage via the embed URL.
The requester needs to input his first name, last name, address, email, legal entity, request and consent to the privacy terms.
Triggering the request workflow is done via the “When a new response is submitted” MS Forms trigger:
Request Workflow
Following is an overview of the complete request workflow:
The workflow is triggered when a new data protection request is submitted. Afterward, a planner task for the request is created, followed by the creation of a new document set for storing attachments. As previously stated, the creation of a document set is not natively supported by Power Automate, and therefore we use a REST call. Next, we create a new list item for the request. For ease of access, a clickable link to the document set is added as part of the list item metadata. Afterward, a notification email is sent to the shared mailbox of the data protection officers team. A confirmation email is also sent to the request submitter. For this email, we used an HTML5 email template with a table layout and inline styles, as well as Base64 embedded images.
Create a Document Set
In order to create a new document set we use the “Send an HTTP Request to SharePoint” Power Automate action:
In this example, the Site Address is the URL of the site collection which contains the Data Protection Attachments Document Library. The Uri is:
“/_vti_bin/listdata.svc/DataProtectionInquiriesLibrary”
where “DataProtectionInquiriesLibrary” is the name of the Data Protection Attachments Document Library. Headers contain an “Accept” tag with value:
“application/json;odata=verbose”
and a “Slug” tag containing the link of the new document set (the name is in the link) and a reference to the Document Set content-type:
“0x0120D520007624D7206F54B042A3E8453C58243284”
- Tip: To get the content type ID, go to the library settings, click on the document set content type in the “Content Types” area, then look at the value of the ctype parameter in the browser URL bar (ctype=0x0120D520007624D7206F54B042A3E8453C58243284).
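The request described above, composed in code. This is an added example, not part of the original post or of Power Automate itself. It assumes the Slug value has the form "library path/name|content type ID", that the document set name is derived from text submitted through the anonymous form, and a constructed library path.

```javascript
// Characters that are invalid or troublesome in SharePoint folder names, plus "|",
// which would end the name part of the Slug early (assumed Slug format: path/name|ctype).
const INVALID_NAME_CHARS = /["*:<>?\/\\|#%]/g;
const DOC_SET_CT_PREFIX = "0x0120D520"; // base ID of the Document Set content type

function safeDocSetName(raw) {
  const cleaned = String(raw)
    .replace(/[\u0000-\u001f\u007f]/g, "") // control characters such as line breaks
    .replace(INVALID_NAME_CHARS, "_")
    .replace(/\s+/g, " ")
    .trim()
    .replace(/^\.+|\.+$/g, "") // no leading or trailing dots
    .slice(0, 100);
  if (cleaned === "") throw new Error("document set name is empty after sanitising");
  return cleaned;
}

// Returns the inputs for the "Send an HTTP Request to SharePoint" action.
function buildDocSetRequest(libraryPath, rawName, contentTypeId) {
  const isHexId = /^0x[0-9A-Fa-f]+$/.test(contentTypeId);
  const isDocSet = contentTypeId.toUpperCase().startsWith(DOC_SET_CT_PREFIX.toUpperCase());
  if (!isHexId || !isDocSet) {
    throw new Error("content type ID is not derived from Document Set");
  }
  const name = safeDocSetName(rawName);
  return {
    method: "POST",
    uri: "/_vti_bin/listdata.svc/DataProtectionInquiriesLibrary",
    headers: {
      Accept: "application/json;odata=verbose",
      Slug: `${libraryPath.replace(/\/+$/, "")}/${name}|${contentTypeId}`,
    },
  };
}
```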
Create Planner Task
The planner task for the request is created the following way:
You can get the planner ID by creating a new Planner plan, opening the plan and copying the planner ID from the browser top URL bar.
Add List Item
To create the list item, we use the “Create item” action:
We also want to add a link to the document library. Adding custom links in Power Automate requires a different approach than simply adding dynamic content to the “Create item” action. In fact, while building different workflows, there is a high chance that one would have to fill in a link metadata field with a custom-built URL containing a description. My preferred way of doing this is through leveraging the SharePoint REST API.
Hence, we use a “Create item” action in conjunction with an HTTP post request as shown below:
In this HTTP request, the Site Address is the URL of the site collection which contains the Data Protection Inquiries List. The Uri is:
_api/web/lists/GetByTitle('Data Protection Inquiries')/items(@{body('Create_item')?['ID']})
where “Data Protection Inquiries” is the name of the Data Protection Inquiries List. Headers contain the following tags:
accept: application/json;odata=verbose
content-type: application/json;odata=verbose
IF-Match: *
X-HTTP-Method: MERGE
The body of the request is:
{"__metadata":{"type":"SP.Data.DataProtectionInquiriesListItem"}, "DocumentSetLink": {"Description": "Title", "Url": "Link to item"}}
where ‘Title’ is, in this case, the name of the attachments document set and ‘Link to item’ contains a hyperlink for the target document set. Both ‘Title’ and ‘Link to item’ are dynamic content properties.
- Tip: Make sure to get the correct metadata type for the REST call. To check this, you can type “https://tenant.sharepoint.com/sites/mySite/mySiteCollection/_api/web/lists/GetByTitle('MyList')” in Internet Explorer (for parsed XML results) or in your preferred browser and look for metadata (type CTRL+F and “__metadata”).
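The MERGE request and the metadata lookup from the tip, as an added example that is not part of the original post. The sample list response is constructed, and the function names, item ID and link URL are assumptions; the type is read from the list's ListItemEntityTypeFullName property rather than guessed from the list title.

```javascript
// Constructed sample of the verbose JSON returned for
// _api/web/lists/GetByTitle('Data Protection Inquiries'), trimmed to the fields used here.
const SAMPLE_LIST_RESPONSE = JSON.stringify({
  d: {
    __metadata: { type: "SP.List" },
    Title: "Data Protection Inquiries",
    ListItemEntityTypeFullName: "SP.Data.DataProtectionInquiriesListItem",
  },
});

// Read the list item type from the list metadata instead of hard-coding it.
function listItemType(listResponseText) {
  const type = JSON.parse(listResponseText)?.d?.ListItemEntityTypeFullName;
  if (typeof type !== "string" || !/^SP\.Data\.\w+ListItem$/.test(type)) {
    throw new Error("ListItemEntityTypeFullName missing or malformed");
  }
  return type;
}

// Build the request that fills the DocumentSetLink hyperlink field of one item.
function buildLinkUpdate(listTitle, itemId, itemType, description, url) {
  if (!Number.isInteger(itemId) || itemId < 1) throw new Error("bad item ID");
  if (new URL(url).protocol !== "https:") throw new Error("link must be https");
  return {
    method: "POST",
    // A single quote inside an OData string literal is escaped by doubling it.
    uri: `_api/web/lists/GetByTitle('${listTitle.replace(/'/g, "''")}')/items(${itemId})`,
    headers: {
      accept: "application/json;odata=verbose",
      "content-type": "application/json;odata=verbose",
      "IF-Match": "*",
      "X-HTTP-Method": "MERGE",
    },
    // JSON.stringify escapes quotes and backslashes, so the body stays valid JSON
    // whatever characters the description contains.
    body: JSON.stringify({
      __metadata: { type: itemType },
      DocumentSetLink: { Description: description, Url: url },
    }),
  };
}
```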
Notification Email
Two emails are sent in the request workflow: a confirmation email to the requester and a notification email to the data protection officer. Both emails are sent with the Send Email V2 action. The confirmation email is built using an HTML custom template:
And here is a preview of the confirmation email:
In order to build a custom HTML template, I would suggest starting for example from Outlook email templates. Use one of these email newsletters if you want to send a professional email to your customers or intranet users. This can be done directly from Outlook by customizing the template and saving it as HTML. Also, do not forget to add the required placeholders for inserting the Power Automate dynamic content later. It is advisable to customize these templates to suit your needs and match the branding of your company or organization.
- Tip: For HTML5 email templates it is always good to check the character and size limitations. The template language expression literal maximum limit is 131072 for the MS Power Automate “Send an Email (V2)” action.
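The template guidelines and the size tip above, combined in one added example that is not part of the original post. The {{name}} placeholder syntax, the sample template and the logo bytes are assumptions made for illustration; the point is that values from the anonymous form are entity-encoded before they reach the HTML and that the rendered result is checked against the 131072 limit.

```javascript
const MAX_LITERAL_LENGTH = 131072; // limit quoted in the tip above

// Encode markup characters and everything outside ASCII as HTML entities.
function htmlEncode(value) {
  const named = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return String(value).replace(/[&<>"'\u{80}-\u{10FFFF}]/gu,
    (c) => named[c] || `&#${c.codePointAt(0)};`);
}

// Replace every {{key}} placeholder (hypothetical syntax) with its encoded value.
function renderTemplate(template, values) {
  const html = template.replace(/\{\{(\w+)\}\}/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(values, key)) {
      throw new Error(`no value for placeholder ${key}`);
    }
    return htmlEncode(values[key]);
  });
  if (html.length > MAX_LITERAL_LENGTH) {
    throw new Error(`email is ${html.length} characters, limit is ${MAX_LITERAL_LENGTH}`);
  }
  return html;
}

// Constructed template: single column, table layout, inline longhand CSS, Base64 image.
const LOGO_BASE64 = "R0lGODlhAQABAAAAACw="; // constructed placeholder bytes, not a real logo
const TEMPLATE = [
  '<table width="600" cellpadding="0" cellspacing="0" style="font-family:Arial;font-size:14px;">',
  `<tr><td><img alt="Logo" src="data:image/gif;base64,${LOGO_BASE64}"></td></tr>`,
  "<tr><td>Dear {{firstName}} {{lastName}},</td></tr>",
  "<tr><td>we received your request: {{request}}</td></tr>",
  "</table>",
].join("");
```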
Response Workflow
Following is an overview of the complete response workflow:
The Power Automate is triggered manually on a selected item. First, we update the requested item to “completed”. Here we define an array for holding the required attachments. Further down we can see three actions targeting the planner tasks: update a task, create a task and update task details. The request task is marked as completed and a response task is added. The response task is there to respect retention policies. Afterward, we retrieve the target document set and compile the attachments path. We then retrieve the content of all attachments under the document set.
Following is an overview of the actions required to get the target documents out of the document set:
The condition is if the target document folder path dynamic content is equal to the compiled attachments path. If yes, then the target document content is added to the attachments array. Note that in this approach we do not include support for subfolders in the document set. This could be achieved by adding an additional condition to process folders separately.
Next, we get the content of all attachments of the current list item:
If the list item contains attachments, then get these attachments and for each document add the relevant content to the attachments array. This covers both previously discussed options for adding attachments.
Finally, a response email is sent as well as a copy in CC to the admin shared mailbox.
Array for attachments
In the response workflow, an attachments array is defined in order to group all email attachments from the document set as well as the list item. This approach is useful because we have multiple sources of attachments as well as multiple documents hence it would be rather inefficient to have to add every attachment separately to the send email action.
Adding an array as attachments to the MS Power Automate “Send an Email (V2)” action is done by clicking the switch to detail input for array item icon in the advanced options section and adding the attachments array variable as dynamic content:
This approach is also useful if a workflow requires sending multiple emails with the same attachments.
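The folder-path condition and the attachments array of the response workflow, written out as an added example that is not part of the original post. The input field names (folderPath, name, isFolder, contentBase64) and the sample files are constructed; the output items use the Name and ContentBytes properties of the email action's attachment entries. The comparison is an exact match on the folder path, so a document set named Inquiry-10 never leaks into the reply for Inquiry-1, and subfolders are skipped as described above.

```javascript
// Compare folder paths without trailing slashes and without regard to case.
function normalisePath(p) {
  return String(p).replace(/\/+$/, "").toLowerCase();
}

// Collect the files directly inside the document set plus the list item attachments.
function buildAttachments(docSetPath, libraryFiles, itemAttachments) {
  const target = normalisePath(docSetPath);
  const fromDocSet = libraryFiles
    // Exact match only: a prefix test would also accept ".../Inquiry-10".
    .filter((f) => !f.isFolder && normalisePath(f.folderPath) === target)
    .map((f) => ({ Name: f.name, ContentBytes: f.contentBase64 }));
  const fromItem = itemAttachments
    .map((a) => ({ Name: a.name, ContentBytes: a.contentBase64 }));
  return [...fromDocSet, ...fromItem];
}

// Constructed sample data: two document sets with similar names and one subfolder.
const LIB = "DataProtectionInquiriesLibrary";
const SAMPLE_FILES = [
  { folderPath: `${LIB}/Inquiry-1`, name: "response.pdf", isFolder: false, contentBase64: "cmVzcG9uc2U=" },
  { folderPath: `${LIB}/Inquiry-1`, name: "Sub", isFolder: true, contentBase64: "" },
  { folderPath: `${LIB}/Inquiry-1/Sub`, name: "draft.docx", isFolder: false, contentBase64: "ZHJhZnQ=" },
  { folderPath: `${LIB}/Inquiry-10`, name: "other-person.pdf", isFolder: false, contentBase64: "b3RoZXI=" },
];
const SAMPLE_ITEM_ATTACHMENTS = [
  { name: "id-check.pdf", contentBase64: "aWQ=" },
];
```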
Outlook and Further Enhancements
In this blog post, we designed and realized an automated data protection inquiry process utilizing the Office 365 suite. The core functionalities of this process are automatic email notifications and attachments management.
There are still possibilities for further improvement and enhancement of the current solution such as:
- Split & delegate subtasks to different teams
- Process enhancement to support multiple subtask completion
- Permission handling for different Assets folders (e.g. personal data, deletion)
- Automated report generation through APIs (e.g. query personal data from Active Directory)
- Providing a portal entry for a requester to access the data (instead of email)
What do you think of this solution, what are the cool things, and what do you find yourself missing the most? Let me know in the comments below! Also, if you find this article useful and would like to read similar content in the future, please let me know.
Thank you for reading, it is greatly appreciated!