Microsoft Purview’s Communication Compliance and Finnish Employee laws (Part 2)

This is a continuation of the first part. If you missed it, you can read it here.

Alerts, reviewers, and investigation workflow

Under the Finnish Act on the Protection of Privacy in Working Life, only personnel with a specific legal basis may be granted permission to review employee messages. Employees must also be informed in advance about who can access what.

Features at risk:

Communication Compliance > Alerts & Reviews

Flagged content is visible to HR, Legal, Compliance, or external reviewers, depending on how the review role groups are populated. Any reviewer who has no specific legal basis for reading the message, or whose access the employees were not told about in advance, puts the organisation outside the Act's requirements.

Possible mitigation methods:

  • Define minimal access policies and role-based reviewer assignments; keep the Communication Compliance role groups as small as the documented legal basis allows.
  • Log all reviewer activity for audit purposes.
  • Apply a "justified access" principle and document the rationale for each access.
  • Limit investigations to narrow scopes with a clear legal justification (e.g., the anti-harassment policy).
  • Document each case and notify employees of the process in advance.
  • Turn on anonymized usernames in the Communication Compliance privacy settings so that members of the Communication Compliance Analysts role group cannot see which user is associated with a policy alert.
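The first two mitigations above (minimal role-based reviewer assignments and logging of reviewer activity) can be checked periodically rather than trusted. The following PowerShell is an added example, not code from the original post or from Microsoft: it enumerates the built-in Purview Communication Compliance role groups through Security & Compliance PowerShell, compares the members against an approved reviewer list, and pulls the recent audit-log entries for those reviewers. The approved reviewer list and the contoso.example addresses are constructed assumptions; the role-group names are the built-in ones. Which identifier property Get-RoleGroupMember returns for a member (Name, DisplayName, or an SMTP address) varies by tenant and object type, so the comparison key is marked as an assumption to adjust.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module; Connect-IPPSSession opens a Security & Compliance PowerShell session.
Connect-IPPSSession

# Built-in Microsoft Purview Communication Compliance role groups.
$roleGroups = @(
    'Communication Compliance',
    'Communication Compliance Admins',
    'Communication Compliance Analysts',
    'Communication Compliance Investigators',
    'Communication Compliance Viewers'
)

# ASSUMPTION: the reviewers documented in the DPIA and the employee notice.
# Constructed for this example; replace with your own documented list.
$approvedReviewers = @{
    'Communication Compliance Investigators' = @('hr.lead@contoso.example', 'legal.counsel@contoso.example')
    'Communication Compliance Analysts'      = @('compliance.analyst@contoso.example')
    'Communication Compliance Admins'        = @('purview.admin@contoso.example')
}

$findings = foreach ($rg in $roleGroups) {
    $members = Get-RoleGroupMember -Identity $rg -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        # ASSUMPTION: use PrimarySmtpAddress when present, otherwise Name.
        # Adjust to whichever property identifies users in your tenant.
        $id = if ($m.PSObject.Properties['PrimarySmtpAddress'] -and $m.PrimarySmtpAddress) {
            "$($m.PrimarySmtpAddress)"
        } else {
            $m.Name
        }
        $allowed = $approvedReviewers[$rg]
        [pscustomobject]@{
            RoleGroup = $rg
            Member    = $id
            Approved  = ($null -ne $allowed -and $allowed -contains $id)
        }
    }
}

# Everyone who can currently see or act on flagged messages.
$findings | Sort-Object RoleGroup, Member | Format-Table -AutoSize

# Members without a documented legal basis: remove them or document the basis.
$findings | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved reviewer '$($_.Member)' in role group '$($_.RoleGroup)'"
}

# Reviewer activity for the last 30 days from the unified audit log, for the
# "log all reviewer activity" safeguard. UserIds expects UPN/SMTP identifiers,
# so this step assumes $findings.Member holds those.
$reviewerIds = $findings.Member | Sort-Object -Unique
$activity = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $reviewerIds -ResultSize 5000
$activity | Select-Object CreationDate, UserIds, Operations, RecordType |
    Export-Csv -Path '.\cc-reviewer-activity.csv' -NoTypeInformation
```

Run the script as part of the same periodic access review that covers other privileged role groups; the CSV of reviewer operations is the evidence that the "justified access" principle is being applied, and an empty exceptions list is the evidence that the role groups still match what employees were told.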

Long-term data retention of flagged communications

Long-term storage of personal data without a strong reason may breach the GDPR storage limitation principle: under Article 5(1)(e), data must not be kept longer than necessary for the purpose it was collected for. In addition, ongoing review of stored messages can be interpreted as continuous surveillance, which is not allowed unless strictly justified.

Features at risk:

Communication Compliance > Policy settings > Retention period. This determines how long flagged messages and review data are stored.

When a communication compliance policy finds a message that matches the policy, the solution stores a copy of the message (not the original message). You can use the Policy Match Preservation setting, which goes into effect on June 1, 2025, to specify the amount of time that policy matches are saved in communication compliance. The possible values for the setting are 1 month, 6 months, 1 year, or 7 years (1 year is the default).

The risk is keeping the default retention value and therefore retaining sensitive flagged communications beyond what is necessary.

Possible mitigation methods:

Set the retention period deliberately rather than leaving the default. Note that the Policy Match Preservation setting offers fixed values (1 month, 6 months, 1 year, 7 years), not a free-form number of days, so a 30–90 day target in practice means choosing 1 month and closing cases promptly within that window. Delete flagged data after investigation closure unless retention is legally justified, and avoid the very long settings.

Policy-based actions or remediation activities

Under the Finnish Act on the Protection of Privacy in Working Life, only personnel with a specific legal basis may be granted permission to review employee communications. If employees are not properly informed, or if reviewers have unrestricted access, this may violate the principles of proportionality and necessity.

Features at risk:

Communication Compliance > Remediation Actions, including the ability to send messages to users, recommend training modules or HR follow-up, and apply policy tips or nudges to reduce unwanted behaviour. The risk with this kind of activity is that it may be interpreted as punitive or disciplinary if not carefully framed, and every remediation step again involves someone reading the flagged message, so the same rule applies: only those who absolutely need access may review employee communications.

Possible mitigation methods:

Use remediation for training purposes, not punishment. Communicate that flagged content leads to coaching, not consequences, unless the content violates law or policy.

Summary table of the areas and Purview's Communication Compliance features:

| Area | Risk Level | Purview and CC Feature(s) | Regulation Involved | Required Safeguard |
|---|---|---|---|---|
| Personal message monitoring | High | Channels (Teams, Slack, etc.) | Act on the Protection of Privacy in Working Life | Scope limitation, avoid personal content |
| AI classifiers | Medium | Offensive Language, Threat, Sexual Harassment classifiers | GDPR Art. 22, Data Protection Act | Human review, transparency |
| Alerts & reviewer access | Medium | Review dashboard, alert policies | GDPR, Act on the Protection of Privacy in Working Life, Data Protection Act | Role-based access, logging |
| Data retention | High | Policy settings > Retention | GDPR Art. 5(1)(e), Data Protection Act | Clear retention limits |
| Remediation actions | Medium | Notify user, send training | Act on the Protection of Privacy in Working Life | Preventive framing, not punitive |
| Regulatory compliance scans | Low | Compliance Manager, sensitive info types, DLP integrations | GDPR, Act on the Protection of Privacy in Working Life, Data Protection Act | Legitimate interest, DPIA |

Recommended and safer use-cases (with appropriate setup)

  • Monitoring for regulatory compliance (e.g., anti-money laundering, MiFID II in the financial sector)
  • Detecting data leakage (e.g., IP or confidential data sent outside)
  • Internal investigations triggered by concrete allegations or legal requirements
  • Training-based remediation, not punitive measures

Implementation checklist:

  1. Conduct a DPIA (Data Protection Impact Assessment).
  2. Define a clear policy and scope (e.g., which types of communications, what risk signals, etc.).
  3. Consult a legal team familiar with Finnish regulations and the EU GDPR.
  4. Engage with employee representatives early in the process.
  5. Inform and train employees transparently.
  6. Implement role-based access control and data minimization in Purview policies.
  7. Consider limiting monitoring to business-related channels only.

Disclaimer

The content of this blog is provided for informational purposes only and reflects the author’s professional perspective as a security and compliance consultant. It is not intended as legal advice.

While every effort has been made to ensure accuracy and relevance, especially in relation to Finnish data protection, labour, and workplace privacy regulations, the author is not a lawyer and this content should not be relied upon as a substitute for qualified legal counsel. Organizations planning to implement Microsoft Purview Communication Compliance or similar technologies are strongly encouraged to consult legal professionals experienced in Finnish legislation and sector-specific regulations before taking action.
