Accelerate your GDPR journey

How will the GDPR affect your business?

The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It’s designed to give individuals greater control over their personal data, and it imposes new obligations on organisations that collect, handle or analyse that data – including organisations outside the EU.

The GDPR came into force on May 25th 2018. Accelerate your journey to GDPR compliance with the steps below, and discover answers to some of the most critical questions about the GDPR and what it might mean for you.


Key changes under GDPR

eye icon for personal privacy

Personal privacy

Individuals have the right to:

bell icon for control and notifications

Controls and notifications

Companies and organisations must:

Form with a magnifying glass on it for transparency


Companies and organisations must have policies that:

person working on a computer for IT and training

IT and training

Companies and organisations will need to:

4 key steps you can take today towards GDPR compliance

Discover – Identify personal data and where it resides

Audit your data and your processes to assess the extent to which the GDPR applies to your organisation.

Learn more >

Manage – Govern how personal data is used

Create transparent policies that clearly outline how, when and why your organisation collects and processes personal data.

Learn more >

Protect – Establish security controls to protect your data.

It’s your responsibility to protect personal data. Build a risk management plan and utilise Microsoft’s secure cloud infrastructure and advanced security features.

Learn more >

Report – Execute on data requests and required documentation

The GDPR sets new standards in transparency, accountability and record-keeping. Leverage the auditing tools embedded in Microsoft cloud services to help you meet the new standards.

Learn more >

Frequently Asked Questions

What is the GDPR? drop-down

The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It replaces the Data Protection Directive, which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organisations that collect, handle or analyse personal data. The GDPR also gives national regulators new powers to impose significant fines on organisations that breach the law.
What are the main requirements of the GDPR? drop-down

The GDPR imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with six key principles:

  • • Transparency, fairness and lawfulness in the handling and use of personal data
  • • Limiting the processing of personal data to specified, explicit and legitimate purposes
  • • Only collecting and storing the minimum amount of personal data required for a purpose
  • • Ensuring the accuracy of data, including the ability to erase and edit it
  • • Limiting the storage of personal data
  • • Ensuring security, integrity and confidentiality of personal data
Does the GDPR apply to my organisation? drop-down

The GDPR is applicable to organisations of all sizes and all industries. Specifically, the GDPR applies to:

  • • processing of anyone’s personal data, if the processing is done in the context of the activities of an organisation established in the EU (regardless of where the processing takes place);
  • • processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behaviour.
My organisation processes some data. How do I know if it’s covered by the GDPR? drop-down

The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. This can include information such as IP addresses, sales databases, customer service data, feedback forms and more.
What is “privacy by design” and “by default”? drop-down

Under the GDPR, you are expected to incorporate privacy features and functionality into your products and services from the time they are first designed. You should develop features based on factors like the nature of the processing and the privacy risks it poses; the need for security; and the cost of implementation. You must also implement measures to ensure that, by default, no more data is processed than is necessary.
What happens if we’re not compliant with the GDPR? drop-down

The maximum fine for serious infringements will be the greater of €20 million or four percent of an organisation’s annual global revenue – whichever is greater. In addition, the GDPR empowers consumers (and organisations acting on their behalf) to bring civil litigation against organisations that breach the GDPR.
Which key terms in the GDPR do I need to be aware of? drop-down

Article 4 of the GDPR includes a list of defined terms used in the regulation. Here are the key terms you need to understand:

  • Controller. A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines how and why data is processed.
  • Processor. A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller.
  • Personal data. This is any information relating to an identified or identifiable natural person, also called a ‘data subject’. A person can be identified, directly or indirectly, by reference to an identifier such as their name, identification number, location data an online identifier, or to factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
  • Processing. This refers to any operation or set of operations performed on personal data, or sets of personal data, by automated or manual means. Operations can include collection, recording, organisation structuring, storage and more.
  • Pseudonymisation. This is the act of processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that information is kept separately.

You should read the full text of Article 4 of the GDPR for detailed descriptions of each key term.
What about security under the GDPR? drop-down

Under the GDPR, your organisation is required to take measures to keep personal data secure. These measures include “organisational measures,” such as limiting the number of people inside your organisation who can access personal data, and “technical measures,” such as encryption.

The GDPR doesn’t specify or mandate the exact security measures organisations must take. Instead, it you’re expected to determine which security measures to take on your own, depending on factors like the nature of the personal data you collect, its sensitivity and the risks involved in the processing.

There are many types of security risks to consider. Common risks include physical intrusion, rogue employees, accidental loss and online hackers. Developing a risk management plan and taking risk mitigation steps, such as password protection, audit logs and implementing encryption, can help ensure compliance.
What does the GDPR require if a data breach occurs? drop-down

The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, or alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In the event of such a breach, you’re required to notify regulators within 72 hours of detecting it. You may also need to notify your customers (or ‘data subjects’) if there is a significant risk of harm to them due to the breach.
You say that organisations must be ‘transparent’. What does that mean? drop-down

It means you need to be honest and clear in how you explain why and how you process people’s data. The GDPR includes detailed individuals about what you must tell individuals about your processing of personal data and this includes, among other things, information about:

  • • Why you’re processing personal data;
  • • How long you will store that data (or, the criteria for determining how long you need to store data);
  • • With whom personal data will be shared; and
  • • Whether the personal data will be transferred outside the European Economic Area.

You must present this information in a way that is clear and accessible. For this reason, it’s a good idea to review your disclosures against GDPR’s requirements carefully.

More about security

Security, compliance and data protection is a whole-of-business concern. Learn more about IT security and how you can better protect your customers, and your business.

Get fit for the GDPR with Microsoft 365

Get fit for the GDPR with Microsoft 365

Find out how you can meet your GDPR compliance goals with Microsoft 365.

Assess your readiness

Assess your readiness

How far are you on your journey to GDPR? Use our self-assessment tool and find out.

Webinar: GDPR – What you need to know

Webinar: GDPR – What you need to know

Prepare for GDPR compliance and find out how Microsoft meets your needs.

Webcast: Thriving in the GDPR era and how Microsoft 365 can help

Webcast: Thriving in the GDPR era and how Microsoft 365 can help

Learn how Microsoft can help you become GDPR compliant through our intelligent compliance solutions such as Microsoft 365 and our expert community of partners.

3 steps to accelerate GDPR compliance

3 steps to accelerate GDPR compliance

Microsoft is uniquely positioned to help you with the GDPR. View this infographic to see the three steps you should take on your GDPR journey.

Whitepaper: GDPR for Education

Whitepaper: GDPR for Education

A guide for educational institutions, designed to provide valuable information about GDPR compliance in education, with concrete examples and to-do lists.

Download >
Whitepaper: Digital Transformation in the Cloud

Whitepaper: Digital Transformation in the Cloud

With this book enterprise leaders may learn the steps they can take to seize the opportunities that lie ahead, while minimizing the risks during digital transformation of their company.

Download >

Looking for more?

There’s more to security than just compliance. Learn more about data protection, external threats, malware and how to keep your employees safe.


Let’s find a solution together

We’re here to help you understand your obligations under GDPR and accelerate your journey to compliance. Get in contact and let’s get started.

Please note the information on this page does not represent a legal opinion or advice. It is the sole responsibility of the customer to analyse the GDPR rules and ensure compliance.