Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations. Microsoft adheres to a set of privacy principles and offers EU Model Clauses to all customers. We believe that the General Data Protection Regulation (GDPR) is an important step forward for clarifying and enabling individual privacy rights.
As the GDPR enforcement date nears, your organization may soon need to demonstrate that it has taken appropriate steps to protect your customers’ personal data in response to regulatory audits and information requests.
Implementing appropriate security controls is a key step to demonstrating accountability. Equally important is putting the right processes in place—such as responding to a Data Subject Request (DSR) and providing a breach notification—to help you be GDPR compliant and gain the trust of your customers.
Today, we are announcing several new resources and capabilities to help you respond to GDPR obligations with the Microsoft Cloud. These updates include:
- Public preview of new privacy resources across the Microsoft Cloud.
- New capabilities to help with DSRs across Microsoft Cloud services for GDPR.
- New audit-ready, privileged access management capabilities in Office 365.
- Enabling a single Office 365 tenant to span across multiple Office 365 datacenter geographies.
Read on for more details and several other updates.
Enhance your ability to meet GDPR obligations with the Service Trust Portal
To support GDPR, today we are announcing the public preview of new GDPR-related tools and resources—including DSRs and data breach notifications for Office 365, Dynamics 365, Azure, Windows, Intune, and Professional Services on the Service Trust Portal.
The GDPR resources include documentation on data breach notifications, which describes when and how Microsoft will notify you and others about personal data breaches, what information Microsoft will provide, and the tools you can use to help ensure the right people in your organization are notified.
We have centralized all our DSR resources into a single page, which provides tools you can leverage in the Office 365 Security & Compliance Center and the Azure Admin Center—along with documents to guide you through the process of locating, exporting, and erasing data from a Microsoft Cloud service.
Responding to DSRs across Microsoft Cloud services
To support DSRs across Microsoft Cloud services, we are implementing several new capabilities—including a Data Privacy tab in Office 365, an Azure DSR portal, and new DSR search capabilities in Dynamics 365.
- Office 365 Data Privacy tab—To help you effectively and efficiently manage your Office 365 related DSRs, we added the Data Privacy tab (in preview) to the Office 365 Security & Compliance Center. Under the Data Privacy tab, you will find a section dedicated to GDPR, which includes documentation and resources to help you on your GDPR journey, as well as a tab dedicated to the execution of a DSR.
The new DSR experience is designed to provide you with the tools to create a case for a data subject request, search and refine relevant data across Office 365 locations—such as Exchange, SharePoint, OneDrive, Groups, and now Microsoft Teams—and export the data.
One DSR scenario an organization may encounter is when a departing employee requests that their data is provided to them. To help with this scenario and others like it, the Event-based retention feature of Advanced Data Governance is now generally available for Office 365 E5 customers.
To see how the DSR experience in Office 365 works, watch the Mechanics video:
- Azure DSR portal—We plan to release the ability to process Azure DSRs before the May 25, 2018 GDPR compliance deadline. Azure tenant admins will have a simple, powerful tool to quickly process the DSR for GDPR. Using the Azure DSR portal, tenant admins can identify information associated with a user and then correct, amend, delete, or export the user’s data. Admins can also identify information associated with a data subject and will be able to execute DSRs against system-generated logs (data Microsoft generates to provide a given service).
Azure DSR portal to help process a DSR.
To learn more, visit the Azure blog.
- Dynamics 365 DSR search capabilities—To help customers respond to DSRs in Dynamics 365, we are providing two new search capabilities: Relevance Search and the Person Search Report. Relevance Search gives you a fast and simple way to find what you are looking for and is powered by Azure Search. The Person Search report offers a pre-packaged set of extendible entities, which Microsoft authored, to identify personal data that is used to define a person and the roles they might be assigned to.
Handling data breaches under the new GDPR regulations
For GDPR, organizations must meet stricter requirements in the event of a data breach. This includes notifying both regulators and those impacted by a breach—generally within 72 hours of becoming aware of a data breach. Microsoft 365 has a robust set of capabilities that can help protect, detect, and respond to data breaches. For example, Office 365 Advanced Threat Protection (ATP) protects an organization’s Office 365 ecosystem by helping prevent malicious emails or business critical files from compromising a user account. Windows Defender ATP focuses on protecting against malicious web-based files or device malware from corrupting a user account.
ATP Safe Attachments blocking malicious email attachment.
In the event Microsoft identifies a personal data breach as defined by the GDPR, we will notify your tenant administrator. Additionally, we recommend that you also designate a privacy contact alias in Azure Active Directory who will also be notified in addition to notification of admins.
Collecting, processing, and reviewing user consent with Azure Active Directory
Leverage audit-ready controls for privileged admin access
While organizations look to minimize the risk of data breaches from threats to privileged accounts, they are also finding that they need to respond to regulators and provide a documented trail of privileged access, which outlines the scenario of how a customer’s data is accessed. To help organizations protect their data and respond to these compliance obligations, today we are introducing new privileged access management capabilities in Microsoft 365—which provide audit-ready access controls that are time bound and can limit the scope of data access.
With privileged access management in Office 365, you can better protect your data by tracking or enforcing an approval workflow scoped to your high-risk tasks within Office 365. For example, broad admin privileges enable admins to execute tasks that can provide unfettered access to organizational data, such as a journal rule, which can send emails to an external mailbox and exfiltrate sensitive data undetected. Privileged access management in Office 365 enables you to apply policies that require approval before anyone can execute these high-risk tasks. Requests for access can be automatically or manually approved, and all this activity is logged and auditable. Watch this video to learn more:
We are excited about rolling out the public preview of privileged access management in Office 365. To get started, visit the Office Previews page (enter the code PAM044), and then read the detailed Tech Community blog.
Addressing global data residency requirements
Increasingly, governments, third-party regulators, and corporate compliance requirements are enacting data residency guidelines to address privacy issues. These guidelines restrict the free flow of information across borders and require that an organization’s data is stored within defined geographies. While GDPR does not mandate data residency, many customers tell us they need the flexibility to store their data in chosen geographies to meet regional, industry-specific, or organizational data residency requirements.
Multi-Geo Capabilities enables a single Office 365 tenant to span across multiple Office 365 datacenter geographies and gives customers the ability to store their Office 365 data at-rest, on a per-employee basis, in their chosen geographies. Multi-Geo has been launched for Exchange Online and OneDrive for Business. Read “Get Global data location controls with Multi-Geo Capabilities in Office 365” to learn more.
Get started today on your GDPR journey with the Microsoft Cloud
No matter where you are in your GDPR efforts, we are here to help on your journey to GDPR compliance and have several resources available to help you get started today:
Learn more about how Microsoft can help you prepare for the GDPR.
—Alym Rayani, director of Microsoft 365