Safeguard individual privacy with the Microsoft Cloud
Watch the Safeguarding individual privacy rights with the Microsoft Cloud webcast to learn about essential General Data Protection Regulation (GDPR) topics— plus how Microsoft 365 and the Microsoft Cloud help keep your organization compliant.Watch the webcastRead the M365 Blog
How our products help with GDPR compliance
Microsoft products and services are available today to help you meet the GDPR requirements, and we are investing in additional features and functionality.
Through our cloud services and on-premises solutions we’ll help you locate and catalog the personal data in your systems, build a more secure environment, simplify your management and monitoring of personal data, and give you the tools and resources you need to meet the GDPR reporting and assessment requirements.
Learn more about our products and the GDPR
Microsoft designed Azure with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Azure can help you on your journey to reducing risks and achieving compliance with the GDPR.
Identifying what data you have and controlling who has access to it is a critical requirement of the GDPR. Azure enables you to manage user identities and credentials and control access to your data in several ways:
- Azure Active Directory (Azure AD) helps you ensure that only authorized users can access your computing environments, data, and applications. It features tools such as Multi-Factor Authentication for highly secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce risks associated with administrative privileges through access control, management, and reporting.
- Azure Information Protection helps ensure that your data is identifiable and secure, a key requirement of the GDPR—regardless of where it’s stored or how it’s shared. You can classify, label, and protect new or existing data, share it securely with people within or outside your organization, track usage, and even revoke access remotely. Azure Information Protection also includes rich logging and reporting capabilities to monitor the distribution of data, and options to manage and control your encryption keys.
Protecting personal data in your systems, and reporting on and reviewing for compliance are key requirements of the GDPR. The following Azure services and tools will help you meet these GDPR obligations:
- Azure Security Center provides you with visibility and control over the security of your Azure resources. It continuously monitors your resources, provides helpful security recommendations, and helps you prevent, detect, and respond to threats. Azure Security Center’s embedded advanced analytics help you identify attacks that might otherwise go undetected.
- Data Encryption in Azure Storage secures your data at rest and in transit. You can, for example, automatically encrypt your data when it is written to Azure Storage using Storage Service Encryption. Additionally, you can use Azure Disk Encryption to encrypt operating systems and data disks used by virtual machines. Data is protected in transit between an application and Azure so that it remains secure at all times.
- Azure Key Vault enables you to safeguard your cryptographic keys, certificates, and passwords that help protect your data. Key Vault uses hardware security modules (HSMs) and is designed so that you maintain control of your keys and therefore your data, including ensuring that Microsoft cannot see or extract your keys. You can monitor and audit use of your stored keys with Azure logging, and import your logs into Azure HDInsight or your SIEM for additional analysis and threat detection.
- Log Analytics: Azure provides configurable security auditing and logging options that can help you identify and repair gaps in your security policies to prevent breaches. Additionally, Log Analytics helps you collect and analyze data generated by resources in either your cloud or on-premises environments. It provides real-time insights using integrated search and custom dashboards to readily analyze millions of records across all workloads and servers regardless of their physical location.
For more information, please visit our overview of Azure Security Services and Technologies
Read more on Azure and GDPR
Microsoft designed Dynamics 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Dynamics 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.
Controlling who has access to personal data is a key to securing that data, and data security is a critical requirement of the GDPR. Dynamics 365 enables you to manage and control access to your data in several ways:
- Role-based security in Microsoft Dynamics 365 allows you to group together a set of privileges that limit the tasks that can be performed by a given user. This is an important capability, especially when people change roles within an organization.
- Record-based security in Dynamics 365 allows you to restrict access to specific records.
- Field-level security in Dynamics 365 allows you to restrict access to specific high-impact fields, such as personally identifiable information.
- Azure Active Directory (Azure AD) helps you protect Dynamics 365 from unauthorized access by simplifying the management of users and groups and allowing you to assign and revoke privileges easily. Azure AD includes tools such as Multi-Factor Authentication for highly-secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce risks associated with administrative privileges through access control, management, and reporting.
Another core requirement of the GDPR is to protect the personal data that you control or process. Dynamics 365 is designed to optimize the security of your data:
- Security Development Lifecycle is a mandatory Microsoft process that embeds security requirements into every phase of the development process. Dynamics 365 is built using the Security Development Lifecycle.
- Encryption in transit between your users’ devices and our data centers, as well as while at rest in a Microsoft database, helps protect your Dynamics 365 data at all times.
For more information please visit our Dynamics 365 Trust Center.
Read more on Dynamics 365 and GDPR
Microsoft designed Office and Office 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Office and Office 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.
One essential step to meeting the GDPR obligations is discovering and controlling what personal data you hold and where it resides. There are many Office 365 solutions that can help you identify or manage access to personal data:
- Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information. In addition, DLP allows organizations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
- Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organization.
- Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
- Customer Lockbox for Office 365 can help you meet compliance obligations for explicit data access authorization during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.
Another core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:
- Advanced Threat Protection in Exchange Online Protection helps protect your email against new, sophisticated malware attacks in real time. It also allows you to create policies that help prevent your users from accessing malicious attachments or malicious websites linked through email.
- Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats—provided by Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters—help you quickly and effectively enable alerts, dynamic policies, and security solutions.
- Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches. In addition, it allows you to set up activity policies to track and respond to high risk actions.
- Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which help with early detection and investigation of security and compliance issues.
For more information please visit our Office 365 Trust Center.
Read more on Office 365 and GDPR
Securing and managing personal data is critical to you, your customers, and to complying with the coming requirements of the GDPR. Microsoft designed Enterprise Mobility + Security to safeguard customer data both in the cloud, and on-premises, with industry-leading security capabilities. This includes personal data no matter where it might travel across your users, devices, and apps. Enterprise Mobility + Security offers innovative technology and solutions today that can help you on your journey to reducing risks and achieving compliance with the GDPR. Microsoft designed Enterprise Mobility + Security with industry-leading security capabilities to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Enterprise Mobility + Security can help you on your journey to reducing risks and achieving compliance with the GDPR. The GDPR obligations include discovering what personal data you hold and where it resides, controlling how your users access and use personal data, and establishing security controls to prevent, detect, and respond to vulnerabilities and data breaches.
Enterprise Mobility + Security features identity-driven security technologies that help you discover, control, and safeguard personal data held by your organization, reveal potential blind spots, and detect when data breaches occur:
- Azure Active Directory (Azure AD) helps you ensure that only authorized users can access your computing environments, data, and applications. It features tools such as Multi-Factor Authentication for highly secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce risks associated with administrative access privileges through control, management and reporting of these critical administrative roles.
- Microsoft Azure Information Protection helps ensure that your data is identifiable and secure, a key requirement of the GDPR—regardless of where it’s stored or how it’s shared. You can classify, label, and protect new or existing data, share it securely with people within or outside of your organization, track usage, and even revoke access remotely. Azure Information Protection also includes rich logging and reporting to monitor the distribution of data, and options to manage and control your encryption keys.
- Microsoft Advanced Threat Analytics helps pinpoint breaches and identifies attackers using innovative behavioral analytics and anomaly detection technologies. Advanced Threat Analytics is deployed on-premises and works with your existing Active Directory deployment. It employs machine learning and the latest user and entity behavioral analytics to help find advanced persistent threats and detect suspicious activities and malicious attacks used by cybercriminals, to help identify breaches before they cause damage to your business.
For more information please visit our Microsoft Enterprise Mobility + Security site.
Read more on Microsoft EMS and GDPR
Microsoft designed SQL Server and Azure SQL Database with industry-leading security measures and privacy policies to safeguard your data in the database, including the categories of personal data identified by the GDPR. Built-in SQL security capabilities can help you on your journey to reducing risks and achieving compliance with the GDPR.
Controlling who has access to your database and managing how data is used and accessed is a critical requirement of the GDPR. SQL Server and Azure SQL Database provide controls for managing database access and authorization at several levels:
- Azure SQL Database firewall limits access to individual databases within your Azure SQL Database server by restricting access exclusively to authorized connections. You can create firewall rules at the server and database levels, specifying IP ranges that are approved to connect.
- SQL Server authentication helps you ensure that only authorized users with valid credentials can access your database server. SQL Server supports both Windows authentication and SQL Server logins. Windows authentication offers integrated security, and is recommended as the more secure option, where the authentication process is entirely encrypted. Azure SQL Database supports Azure Active Directory authentication, which offers a single sign-on capability and is supported for managed and integrated domains.
- SQL Server authorization enables you to manage permissions according to the principle of least privilege. SQL Server and SQL Database use role-based security, which supports granular control of data permissions via the management of role memberships and object-level permissions.
- Dynamic data masking (DDM) is a built-in capability that can be used to limit sensitive data exposure by masking the data when accessed by non-privileged users or applications. Designated data fields are masked in query results on the fly while the data in the database remains unchanged. DDM is simple to configure and requires no changes to the application. For users of Azure SQL Database, dynamic data masking can automatically discover potentially sensitive data and suggest the appropriate masks to be applied.
- Row-level security (RLS) is an additional built-in capability that enables SQL Server and SQL Database customers to implement restrictions on data row access. RLS can be used to enable fine-grained access over rows in a database table, for greater control over which users can access which data. Because the access restriction logic is in the database tier, this capability greatly simplifies the design and implementation of application security.
Another core requirement of the GDPR is protecting personal data against security threats. SQL Server and SQL Database provide a powerful set of built-in capabilities that safeguard data and identify when a data breach occurs:
- Transparent data encryption protects data at rest by encrypting the database, associated backups, and transaction log files at the physical storage layer. This encryption is transparent to the application, and uses hardware acceleration to improve performance.
- Transport Layer Security (TLS) provides protection of data in transit on SQL Database connections.
- Always Encrypted is an industry-first feature that is designed to protect highly sensitive data in SQL. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the database engine. The mechanism is transparent to applications, as encryption and decryption of data is done transparently in an Always Encrypted–enabled client driver.
- Auditing for SQL Database and SQL Server audit track database events and write them to an audit log. Auditing enables you to understand ongoing database activities, as well as analyze and investigate historical activity to identify potential threats or suspected abuse and security violations.
- SQL Database Threat Detection detects anomalous database activities indicating potential security threats to the database. Threat Detection uses an advanced set of algorithms to continuously learn and profile application behavior, and notifies immediately upon detection of an unusual or suspicious activity. Threat Detection can help you meet the data breach notification requirement of the GDPR.
For more information, please visit our Security Center for SQL Server Database Engine and Azure SQL Database.
Read more on SQL Server and GDPR
Microsoft designed Windows 10 and Windows Server 2016 with industry-leading security measures and privacy policies to help safeguard your data in the cloud, including the categories of personal data identified by the GDPR.
The security capabilities available today in Windows 10 and Windows Server 2016 can help you on your journey to reducing risks and achieving compliance with the GDPR. A key requirement of the GDPR is protecting personal data. Microsoft believes effective security needs to be end-to-end, from the desktop to the servers where the data resides. Windows 10 and Windows Server 2016 include industry-leading encryption, anti-malware technologies, and identity and access solutions that enable you to move from passwords to more secure forms of authentication:
- Windows Hello is a convenient, enterprise-grade alternative to passwords that uses a natural (biometrics) or familiar (PIN) method to validate your identity, providing the security benefits of smartcards without the need for additional peripherals.
- Windows Defender is a robust anti-malware solution that works right out of the box to help you stay protected. Windows Defender is quick to detect and protect you against emerging malware, and it can immediately help protect your devices when a threat is first observed in any part of your environment.
- Windows Defender Advanced Threat Protection (ATP) provides security operations teams with advanced breach detection, investigation, and response capabilities across all your endpoints, with up to six months of historical data. Windows Defender ATP helps address a key requirement of the GDPR that companies have clear procedures for detecting, investigating, and reporting data breaches.
- Device Guard allows you to lock down your devices and servers to protect against new and unknown malware variants and advanced persistent threats. Unlike detection-based solutions such as antivirus programs that need constant updating to detect the latest threats, Device Guard locks down devices so they can only run the authorized applications you choose, which is an effective way to combat malware.
- Credential Guard is a feature that isolates your secrets on a device, like your single sign-on tokens, from access even in the event of a full Windows operating system compromise. This solution fundamentally prevents the use of hard to defend attacks such as “pass the hash.”
- BitLocker Drive Encryption in Windows 10 and Windows Server 2016 provides enterprise-grade encryption to help protect your data when a device is lost or stolen. BitLocker fully encrypts your computer’s disk and flash drives to prevent unauthorized users from accessing your data.
- Windows Information Protection picks up where BitLocker leaves off. While BitLocker protects the entire disk of a device, Windows Information Protection protects your data from unauthorized users and applications running on a machine. It also helps you prevent data from leaking from business to non-business documents or to locations on the web.
- Shielded Virtual Machines allow you to use BitLocker to encrypt disks and virtual machines (VMs) running on Hyper-V to prevent compromised or malicious administrators from attacking the contents of protected VMs.
- Just Enough Administration and Just in Time Administration allows administrators to perform their regular jobs and actions, while enabling you to limit the scope of capabilities and time that administrators can run. If a privileged credential is compromised, the scope of damage is severely limited. This technique provides administrators with only the level of access they require during the time they are working on the project.
Read more on Windows 10 and GDPR
Read more on Windows Server 2016 and GDPR
Streamline GDPR Data Subject Requests (DSRs) in Azure and Office 365
Office 365 is now previewing and Azure has announced the ability to quickly and easily fulfill requests to correct, amend, delete, or export the personal data of individuals that are at the core of GDPR compliance.
Help meet your GDPR privacy obligations
Enhance your capabilities to support the privacy rights of individuals with tools and documents that help you respond to data subject requests (DSRs) and personal data breaches, as well as the information you need to create your own data protection impact assessments (DPIAs) across Microsoft Cloud services.
Find a partner
At Microsoft, we are working with our global partners to address customer needs around GDPR. We have several partners today offering Microsoft-based solutions to meet GDPR requirements. The list of partners are currently helping to meet the demand for GDPR support.