
Safeguard individual privacy with the Microsoft Cloud

Watch the Safeguarding individual privacy rights with the Microsoft Cloud webcast to learn about essential General Data Protection Regulation (GDPR) topics, plus how Microsoft 365 and the Microsoft Cloud help keep your organization compliant.

Watch the webcast

Read the M365 Blog

Get started with GDPR

Prepare your organization for the new regulation

The General Data Protection Regulation (GDPR) contains many requirements about collecting, storing, and using personal information, including how you:

  • Identify and secure the personal data in your systems
  • Accommodate new transparency requirements
  • Detect and report personal data breaches
  • Train privacy personnel and other employees

There’s a lot to do to get ready; we suggest that you begin reviewing your privacy and data management practices now so that you can take steps to comply before the regulation takes effect in May 2018. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.

Key changes under GDPR

We recommend that you begin your journey to compliance with the GDPR by focusing on four key steps: Discover, Manage, Protect, and Report. Microsoft products and services provide solutions to tackle each of these steps. To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, see GDPR resources.

The first step towards GDPR compliance is to assess whether the GDPR applies to your organization, and, if so, to what extent. This analysis starts with understanding which data you have and where it resides. The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.

If your organization has such data, or wishes to collect it, and the data relates to individuals in the EU, then you need to comply with the GDPR. That data may live in customer databases, feedback forms filled out by your customers, email content, photos, CCTV footage, loyalty program records, human resources databases, or anywhere else.

To understand whether the GDPR applies to your organization and, if it does, which obligations it imposes, it’s important to inventory your organization’s data. The inventory will help you determine which data is personal, identify the systems where that data is collected and stored, and record why it was collected, how it is processed and shared, and how long it is retained.

Recommended products and services

Microsoft cloud services make it easier to locate and identify the personal data you collect, so you can more easily find and evaluate the data across your organization. Microsoft recommends the following products and services to help your organization meet the GDPR requirements in the Discover phase.

The GDPR provides data subjects—individuals to whom data relates—with more control over how their personal data is captured and used. Effectively managing your data involves both data governance and data classification.

Data governance. To satisfy your obligations to data subjects, you need to understand which types of personal data your organization processes, how your organization processes such data, and for what purposes. The data inventory discussed previously is a first step towards achieving this understanding. Once the inventory is complete, it’s also important to develop and implement a data governance plan. A data governance plan can help you define policies, roles, and responsibilities for the access, management, and use of personal data, and can help you ensure that your data handling practices comply with the GDPR.

Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your organization is particularly helpful for responding to data subject requests, because it lets you identify the personal data in scope and process each request more readily.

Recommended products and services

Microsoft cloud services make it possible to centralize processing by more effectively managing applicable policies, data categorizations, and use cases. Microsoft recommends the following products and services to help your organization meet the GDPR requirements in the Manage phase.

Organizations increasingly understand the importance of information security—but the GDPR raises the bar. It requires that organizations take appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure.

The Microsoft cloud is built to help you understand risks and defend against them, and in many respects it offers stronger baseline protections than a typical on-premises environment. For example, our datacenters are certified to internationally recognized security standards, protected by 24-hour physical surveillance, and subject to strict access controls. How we secure our cloud infrastructure is only part of a comprehensive security solution; each of our products, whether in the cloud or on premises, also has security features to help you secure your data.

Recommended products and services

Microsoft cloud services synthesize extensive threat intelligence and provide tools that help you get the greatest benefit from that intelligence for your security efforts. Microsoft recommends the following products and services to help your organization meet the GDPR requirements in the Protect phase.

The GDPR sets new standards in transparency, accountability, and record-keeping. You will need to be more transparent not only about how you handle personal data, but also about how you maintain documentation that defines your processes and use of personal data. Organizations that process personal data need to keep records of:

  • The purposes of processing
  • The categories of personal data processed
  • The identity of third parties with whom data is shared
  • Whether (and which) third countries receive personal data, and the legal basis of such transfers
  • Organizational and technical security measures
  • The data retention times that apply to various datasets

One way to achieve this is by using auditing tools, which can help ensure that any processing of data, whether collection, use, sharing, or otherwise, is tracked and recorded.

Recommended products and services

Microsoft cloud services centralize and streamline the technical and administrative steps that are required for compliance, such as demonstrating due diligence and handling data access requests. Microsoft recommends the following products and services to help your organization meet the GDPR requirements in the Report phase.


Fulfill GDPR Data Subject Requests (DSRs) on Microsoft services

Microsoft provides tools and documentation to help you fulfill requests to correct, amend, delete, or export an individual’s personal data. Responding to these requests is at the core of GDPR compliance.

Learn about DSR support from Microsoft

Detect and secure personal data with Microsoft 365

Watch Protecting Personal Data for GDPR with Microsoft 365, a two-part webinar, and discover tools that help your organization manage and protect personal information.

Register to watch Part 1

Help meet your GDPR privacy obligations

Enhance your capabilities to support the privacy rights of individuals with tools and documents that help you respond to data subject requests (DSRs) and personal data breaches, as well as the information you need to create your own data protection impact assessments (DPIAs) across Microsoft Cloud services.

Visit Privacy area on Service Trust Portal

Read the Security, Privacy, and Compliance blog

Resources

Find a partner

At Microsoft, we are working with our global partners to address customer needs around GDPR. Several partners today offer Microsoft-based solutions to meet GDPR requirements, and the partners listed below are currently helping to meet the demand for GDPR support.

View list of global GDPR partners

Manage your compliance from one place with Compliance Manager