Is SharePoint GDPR Compliant? What UK Businesses Need to Know
SharePoint is used by millions of UK businesses to store documents. But is storing personal data in SharePoint GDPR-compliant? Our document management GDPR compliance guide covers the principles. This article addresses the SharePoint-specific question.
Short answer
SharePoint can be GDPR-compliant, but it isn't by default. Compliance depends on how your SharePoint environment is configured. Most organisations using SharePoint are missing at least some of the configuration needed for full compliance.
What Microsoft Does (and Doesn't) Cover
Microsoft's responsibility: Microsoft is a data processor when you use SharePoint. They are responsible for the security of the infrastructure, service availability, data centre physical security, and their own staff access to your data. Microsoft's compliance with ISO 27001, SOC 2, and UK data protection law at the infrastructure level is well-documented.
Your responsibility: You are the data controller. You are responsible for: who has access to your SharePoint data, what retention periods apply, whether data is shared appropriately, and whether you can respond to data subject requests. Microsoft provides the tools; you configure them.
The Five Things You Must Configure
1. Access controls and permissions
Personal data must only be accessible to staff who need it for their role. Default SharePoint permissions are often too permissive — new libraries inherit site permissions, giving all site members access to everything. You need library-level permissions for sensitive document types: HR records, financial data, client confidential files. Review and tighten permissions; don't rely on defaults.
2. Retention labels and policies
GDPR requires that personal data is deleted when no longer needed. SharePoint doesn't delete anything automatically without retention labels configured in Microsoft Purview. This requires Microsoft 365 Compliance admin access and deliberate configuration. Most SMEs have never done this. Without it, personal data in SharePoint accumulates indefinitely — a clear GDPR breach.
3. Audit logging
SharePoint has audit logging capability, but it must be enabled and configured. Unified audit logs in Microsoft 365 record access, sharing, and deletion events — but by default they may not capture everything you need, and the retention of audit logs (90 days in most plans, longer in E3/E5) may not meet your compliance requirements. Enable and test audit logging before relying on it.
4. External sharing controls
SharePoint allows external sharing — links sent to people outside your organisation. If not controlled, personal data can be shared externally by any user with access to a document. Review your SharePoint external sharing settings: disable sharing with anonymous links for any library containing personal data; require sign-in for all external share recipients; set link expiry on shared links.
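To check the three settings above across the sites that hold personal data, the following SharePoint Online Management Shell script is an added example (not from this article or from Microsoft). It assumes a SharePoint admin account, the `Microsoft.Online.SharePoint.PowerShell` module, a placeholder tenant name, and a constructed list of site URLs; note that external sharing in SharePoint Online is scoped to the tenant and the site collection, so the sites containing the sensitive libraries are what you restrict.

```powershell
# Added example: audit (and optionally tighten) external-sharing settings for
# site collections that hold personal data. Assumes SharePoint admin rights.
Import-Module Microsoft.Online.SharePoint.PowerShell

$Tenant    = 'contoso'   # placeholder tenant name, replace with your own
$Remediate = $false      # set to $true to apply the corrections below
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

# Constructed list of sites that contain HR / finance / client libraries.
$SensitiveSites = @(
    "https://$Tenant.sharepoint.com/sites/HR",
    "https://$Tenant.sharepoint.com/sites/Finance"
)

# Tenant-wide: are anonymous ("Anyone") links permitted, and do they expire?
$t = Get-SPOTenant
"Tenant sharing capability : $($t.SharingCapability)"
"Anonymous link expiry days: $($t.RequireAnonymousLinksExpireInDays)"   # -1 = never expire
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning 'Anonymous links are allowed tenant-wide; sites inherit this unless restricted.'
}
if ($t.RequireAnonymousLinksExpireInDays -lt 1 -and $Remediate) {
    # Force any remaining "Anyone" links elsewhere in the tenant to expire after 30 days.
    Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
}

# Site-level: these values all require recipients to sign in (no anonymous links).
$SignInOnly = @('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly')
foreach ($url in $SensitiveSites) {
    $site = Get-SPOSite -Identity $url
    $ok   = $site.SharingCapability -in $SignInOnly
    $flag = if ($ok) { 'OK' } else { 'ANONYMOUS LINKS ALLOWED' }
    '{0,-50} {1,-32} {2}' -f $url, $site.SharingCapability, $flag
    if (-not $ok -and $Remediate) {
        # Keep external collaboration possible, but only for authenticated guests.
        Set-SPOSite -Identity $url -SharingCapability ExternalUserSharingOnly
    }
}
```

Run it first with `$Remediate = $false` to get a report you can file as evidence; the tenant-level expiry applies to every site, so agree the value with the business before switching remediation on.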
5. Data residency
UK GDPR requires that personal data transferred outside the UK/EEA has adequate safeguards. Microsoft offers UK-based data residency for SharePoint through Microsoft 365 Multi-Geo or by selecting UK South/UK West as your data centre region during tenant setup. Check your Microsoft 365 admin centre: Settings → Org Settings → Data locations. If it shows a location outside the UK/EEA, you need to confirm what transfer mechanisms apply.
GDPR Checklist for SharePoint
- ☐ Library permissions reviewed — sensitive data restricted to authorised users only
- ☐ Retention labels created and applied for each document type with personal data
- ☐ Audit logging enabled and retention of audit logs confirmed
- ☐ External sharing settings reviewed — anonymous links disabled for sensitive libraries
- ☐ Data residency confirmed as UK or EEA
- ☐ Data Processing Agreement with Microsoft in place (via Microsoft Products and Services Data Protection Addendum)
- ☐ SharePoint sites and libraries documented in your Record of Processing Activities
- ☐ Process in place to respond to Subject Access Requests across SharePoint content
The Bottom Line
SharePoint is a legitimate platform for storing personal data, and Microsoft provides the tools to make it GDPR-compliant. But those tools require deliberate configuration. An unconfigured SharePoint tenancy with default settings is not GDPR-compliant for personal data storage — it's too permissive, doesn't auto-delete, and doesn't have adequate audit logging configured.
If you don't have the Microsoft 365 admin expertise to configure these features, a dedicated DMS that comes compliance-configured out of the box may be a simpler path to the same outcome.