Data Protection Impact Assessments (DPIAs)

Under the GDPR, as a controller you are required to undertake DPIAs prior to data processing that is likely to result in a high risk to the rights and freedoms of individuals—in particular, processing using new technologies. The GDPR provides the following non-exhaustive list of cases in which DPIAs must be carried out:

• Automated processing for the purposes of profiling and similar activities that has legal effects or similarly significantly affects data subjects;
• Processing on a large scale of special categories of personal data – data revealing racial or ethnic origin, political opinion, and the like—or of data relating to criminal convictions and offences;
• Systematic monitoring of a publicly accessible area on a large scale.

The GDPR also requires that you must consult with your Data Protection Authority (DPA) before you begin any processing if you cannot identify sufficient mitigations to minimize high risks to data subjects.

Microsoft practices privacy by design and privacy by default in its engineering and business functions. As part of these efforts, Microsoft performs comprehensive privacy reviews on data processing operations that have the potential to cause impacts to the rights and freedoms of data subjects. Privacy teams embedded in the service groups review the design and implementation of services to ensure that personal data is processed in a respectful manner that accords with international law, user expectations, and our express commitments. These privacy reviews tend to be very granular—a particular service may receive dozens or hundreds of reviews. Microsoft rolls up these granular privacy reviews into Data Protection Impact Assessments (DPIAs) that cover major groupings of processing, which the Microsoft EU Data Protection Officer (DPO) then reviews. The DPO assesses the risks related to the data processing to ensure that sufficient mitigations are in place. If the DPO finds unmitigated risks, he or she recommends changes back to the engineering group. DPIAs will be reviewed and updated as data protection risks change.

Microsoft, as a processor, has a duty to assist controllers in ensuring compliance with the DPIA requirements laid out in the GDPR.

To support our customers, relevant sections of Microsoft’s DPIAs are abstracted and will be provided through this section in future updates with the intent of allowing controllers relying on Microsoft services to leverage the abstracts in order to create their own DPIAs.