Now you can take advantage of the latest security, privacy, and compliance features of Microsoft Azure. In this site, you’ll learn about the trusted cloud, how your data is stored and accessed, and our comprehensive approach to securing your IT environment.
Azure helps enable data privacy for GDPR compliance
The information in this section is designed to help both compliance professionals and IT implementers understand how Microsoft Azure can assist you in discovering, managing, and protecting your data in the cloud, and compiling the necessary reports and documentation to help meet GDPR requirements.
Compliance is an on-going process and a shared responsibility. Microsoft Azure offers a powerful set of tools to make the process easier and extensive documentation on how to use them. Microsoft is investing in additional features and functionality to help organizations achieve their GDPR goals.
Whether you’re a compliance officer, a decision-maker considering Azure as a cloud solution, a current Azure administrator seeking help with a specific GDPR-compliant implementation, or an interested party looking for general information on how the GDPR relates to Azure and cloud computing, the information here can provide you with a starting point to get what you need.
Every journey needs a roadmap. Your roadmap to GDPR compliance begins with focusing on four key steps, and Microsoft Azure products and services provide robust tools and solutions for tackling each step. Learn more about how Microsoft products and services can help you on the road to General Data Protection Regulation (GDPR) compliance.
The first step towards GDPR compliance is to assess whether the GDPR applies to your organization, and, if so, what data under your control is subject to the GDPR. This analysis includes understanding what data you have and where it resides. Adopting a classification scheme that applies throughout your organization helps you respond to data subject requests because it allows you to more quickly identify and process personal data requests.
- Microsoft Azure helps you search and identify personal data with Azure Search, Azure Data Catalog, and Azure Active Directory, along with specialized tools such as Power Query and Query Explorer.
- Microsoft Azure helps facilitate data classification with Azure Information Protection labels and data source annotation in Azure Data Catalog.
The GDPR provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Microsoft Azure enables data governance practices and processes via Microsoft Azure Active Directory. Azure Role-Based Access Control helps manage access to Azure services containing personal data.
- Azure Data Factory and Azure HDInsight help you trace and locate personal data.
- The Azure infrastructure can host customized privacy notices to help meet GDPR notification requirements.
- Azure Active Directory enables requesting and obtaining consent to the use of data, and Azure SQL Database can be used to document data subjects who have granted affirmative consent.
- Inaccurate or incomplete personal data can be identified and rectified using Azure Search, Azure Active Directory, Azure SQL Explorer, and Query Explorer.
- Personal data can be erased using Azure Active Directory, Azure SQL Database, and Query Explorer.
- Data housed in Azure File Storage or Azure Table Storage can be deleted using the File Service REST API.
- Personal data can be exported in a common structured format using Azure Active Directory, Azure SQL Database, the Cosmos DB Migration Tool, and the Azure Storage REST API.
- The processing of personal data can be restricted by limiting access using AAD Privileged Identity Management.
Microsoft Azure services are developed using the Microsoft Secure Development Lifecycle, which incorporates privacy-by-design and privacy-by-default methodologies. Azure and related tools can help you comply with GDPR data protection requirements by providing ways to secure and encrypt personal data at rest and in transit, detect and respond to data breaches, and facilitate regular testing of security measures.
- Administrators can use the Storage REST API over HTTPS, Transparent Data Encryption and the Always Encrypted database engine, as well as Azure Disk Encryption and Azure Storage Service Encryption to protect personal data. Azure VPN Gateway encrypts personal data in transit and you can manage encryption keys using Azure Key Vault.
- Azure helps ensure confidentiality, integrity, and availability of personal data using Advanced Threat Analytics, Application Gateway, Azure Active Directory, Azure Backup, Azure Key Vault, ExpressRoute, Log Analytics, Multi-Factor Authentication, Network Security Groups, Site Recovery, Traffic Manager, and VPN Gateway.
- Microsoft incorporates security measures into the development of all Azure products as part of its Secure Development Lifecycle.
- Microsoft maintains tight internal controls on access to sensitive data, as well as multiple levels of monitoring, logging, and reporting for all Azure products. Microsoft also maintains physical controls at its data centers.
- Azure Security Center (ASC) helps prevent and detect threats with tools that monitor traffic, collect logs, and analyze these data sources. Security Health Monitoring in ASC helps identify potential vulnerabilities. Microsoft has a detailed Security Incident Response Management and notification process specific to Azure.
- Azure provides tools to assess the security state of your Azure services and identify opportunities to better protect personal data, including Azure Security Center security recommendations and the Vulnerability Assessment tool.
Microsoft conducts ongoing security testing of the Azure platform and consents to certain customer-managed tests when customers request permission. Microsoft maintains security certifications for Azure, including ISO 27001, SOC 1 & 2 Type 2, FedRAMP, and PCI Level 1.
Learn more about the Azure Security Center
Learn how to protect personal data with Azure
The GDPR sets new standards in transparency, accountability, and record-keeping. Organizations processing personal data will need to keep detailed records to be compliant. Microsoft cloud services offer embedded auditing services that can help you meet this standard.
- Azure Active Directory logs detail sign-in activity and application usage.
- Log Analytics can aggregate and analyze Windows Event logs, IIS logs, and Syslogs.
- Azure Monitor helps track API calls in customers’ Azure resources.
- Azure Security Center helps collect and review security logs across Azure applications and services.
- Azure Diagnostics provides access to Event logs for Azure VMs.
- Azure Storage Analytics can trace data requests made against Azure Storage.
The GDPR sets requirements regarding the flows of personal data into and out of the EU, and flows of personal data to third-party service providers. Exposure to unnecessary cross-border data transfer is reduced by Microsoft’s use of a regional datacenter strategy for most Azure Services.
To help protect data housed by services that don’t support specification of a region for data storage, Microsoft offers contractual commitments for all its enterprise cloud services, including Azure. The commitments include detailed data protection terms, the EU Model Clauses, and compliance with the EU-US Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Microsoft also maintains an inventory of third-party service providers who may have access to customer data and limits access to customer data by third parties.
Organizations that process personal data may be required to conduct Data Protection Impact Assessments (DPIAs). To help customers who are seeking information that may help them perform a DPIA addressing their use of Azure, Microsoft provides detailed information about its processing of customer data and the security measures used to protect that data. This information is accessible via the Microsoft Trust Center.
Learn more about privacy
Learn how to document and report data protection with Azure
Streamline GDPR Data Subject Requests (DSRs) in Azure
Azure has announced the ability to quickly and easily fulfill the requests to correct, amend, delete, or export an individual's personal data that are at the core of GDPR compliance.
Learn about the Azure DSR capability