Take advantage of built-in Windows 10 security features that can help you protect personal data and stay secure and accelerate your path to GDPR compliance.
Microsoft Windows helps enable data privacy for GDPR compliance
The journey to General Data Protection Regulation (GDPR) compliance begins with a set of defined steps. The information on this page is designed to help both compliance professionals and IT implementers understand how Microsoft Windows 10 and Windows Server can assist you in discovering, managing, and protecting your data in the cloud, and compiling the necessary reports and documentation to help meet GDPR requirements.
Compliance is an on-going process and a shared responsibility. Microsoft Windows operating systems offer a powerful set of tools and extensive documentation on how to use them to make the process easier. Microsoft is investing in additional features and functionality to help organizations achieve their GDPR goals.
Whether you’re a compliance officer, a decision-maker considering Windows as a client/server solution, a current Windows administrator seeking help with specific GDPR-compliant implementation, or an interested party looking for general information on how the GDPR relates to Windows, the information here can provide a starting point for your journey.
Your path to GDPR compliance begins with focusing on four key steps. Microsoft Windows products and services provide powerful tools and solutions for tackling each step. Find out more about how Microsoft products and services can help you on the road to GDPR compliance.
The first steps toward General Data Protection Regulation (GDPR) compliance is to assess whether the GDPR applies to your organization, and, if so, what data under your control is subject to the GDPR. This analysis includes understanding what data you have and where it resides. Adopting a classification scheme that applies throughout your organization helps you respond to data subject requests because it enables you to identify more readily and process personal data requests.
- Administrators can use PowerShell string-matching or regex queries to search for and identify personal data in some file types in local or connected storage.
- Azure Information Protection (AIP) enables classification, labeling, and protection of data in local storage and in Windows Server file servers that support File Classification Infrastructure (FCI).
- Windows Server administrators can deploy automatic file classification in Active Directory to create personal data classification rules, and then assign values to the resource properties for files on the file server.
The General Data Protection Regulation (GDPR) provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Microsoft Windows enables data governance practices and processes via built-in permissions and access controls, along with Azure Rights Management Services (RMS).
- Administrators can use Windows permissions to manage the authorization of users, groups, and computers to access network objects and object properties.
- Domain-based Dynamic Access Control (DAC) enables you to apply and enforce access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
- With Azure RMS in Azure Information Protection (AIP), you can assign and enforce persistent restrictions on sharing files that contain personal data, as well as enforce encryption requirements.
- Organizations can host customized privacy notices within their individual public-facing applications on the Windows platform. Plus, Windows can run applications or house other technologies used to obtain consent for relevant processing activities.
- You can use Windows Search or PowerShell to locate and discontinue processing of files containing personal data, to rectify inaccurate or incomplete personal data or erase personal data when requested, and to restrict processing of personal data.
- You can use the native data export features of Windows 10 to manually transfer data in a variety of file formats.
- Windows provides a platform for accessing applications such as Dynamics 365 and Office 365 that can help you track and manage Data Subject Rights requests.
Microsoft Windows products are developed utilizing the Microsoft Secure Development Lifecycle which incorporates privacy-by-design and privacy-by-default methodologies. Windows and related tools include security features that are enabled by default and can help you to comply with General Data Protection Regulation (GDPR) requirements.
- The Just Enough Administration (JEA) technology is used to restrict IT administrative rights. This technology provides a practical, role-based approach to set up and automate restrictions that reduce the risks associated with providing users with full administrative rights.
- Shielded Virtual Machines (VMs) and guarded fabric protect VMs from malicious administrators in the fabric by encrypting the disk and state of VMs so that only VM or tenant administrators can access them.
- Administrators can use BitLocker Drive Encryption to provide volume-level encryption that can help protect personal data housed on lost, stolen, or inappropriately decommissioned machines or removable media.
- Windows Information Protection (WIP) provides a tool to protect data against accidental or intentional disclosure and gives administrators the ability to create persistent data protection policies to enforce encryption of personal data.
- Azure Information Protection (AIP) enables users to classify, label, and protect data in local storage and in Windows Server file servers that support File Classification Infrastructure (FCI).
- Windows Hello provides biometric and multi-factor authentication for stronger security.
- Windows Defender Credential Guard helps mitigate the risk of certain credential-theft attacks.
- AppLocker helps administrators create and deploy application control policies, restricting access by unauthorized users to applications that could put personal data at risk.
- Personal information stored on or accessed by devices is safeguarded by device security technologies. These include Windows Trusted Boot and Device Guard for client/end-user devices and Shielded Virtual Machines— built on top of Microsoft Hyper-V—as well as Windows Backup and Restore for servers. These technologies protect sensitive Windows processes by isolating them from user mode processes and the Windows kernel.
- Windows Defender Advanced Threat Protection (ATP) for Windows 10 enables administrators to detect and respond to advanced threats on their networks.
- Enhanced Logging enables Windows Server administrators to identify suspicious behavior by auditing access to kernel and other sensitive processes.
- Administrators can use Advanced Threat Analytics, the Test-AppLocker PowerShell cmdlet, and Device Guard (in audit mode) to facilitate regular testing of security measures.
Windows 10 provides built-in secure-by-default technologies, including Protected Processes that prevent one process from tampering with another, screening of downloadable universal Windows apps and the AppContainer sandbox in which they run, and kernel pool protection to prevent exploitation of pool memory used by the kernel.
The GDPR sets new standards in transparency, accountability, and record-keeping. Organizations processing personal data will need to keep detailed records to be compliant. Microsoft cloud services offer embedded auditing services that can help you meet this rigorous standard.
- Azure Information Protection. Document Tracking and Revocation functionality can help map locations of users to restrict transfers of personal data outside the European Union.
- Advanced Audit Policy Recommendations. These can be used to help organizations track compliance with important business-related and security-related rules.
- Active Directory Rights Management Services (AD RMS). Administrators can use AD RMS to track the use of protected documents and record flows of personal data to third-party service providers.