
General Data Protection Regulation

The European Union’s (EU’s) General Data Protection Regulation (GDPR) imposes new rules on companies, government agencies, not-for-profits, and other organizations that offer goods and services to people in the EU or that collect and analyze data tied to EU residents, no matter where they are in the world. Its vast reach extends beyond technology to encompass people and processes, and it opens an array of opportunities for your practice.

GDPR defined

The General Data Protection Regulation will set a new global bar for privacy rights, security, and compliance, regulating the collection, storage, use, and sharing of personal data. Very broadly, personal data is defined under the GDPR as any data that relates to an identified or identifiable natural person. Data can reside in many different media, from customer and HR databases, photos, and feedback forms to emails and CCTV footage. GDPR analysis begins with understanding what data exists and where it resides. And that’s where your expertise comes in.


A complex regulation, the GDPR may require significant changes in how your customers collect, process, and manage data. Microsoft has a history of, and extensive expertise in, complying with complex regulations (including both EU-U.S. Privacy Shield and EU Model Clauses), protecting data, and championing privacy.

Data stewards

When your customers use Microsoft cloud services, they’re entrusting us with their most valuable asset—their data.

  • Microsoft has the most comprehensive set of compliance offerings, certifications, and attestations of any cloud service provider.
  • We apply some of the most rigorous security and compliance standards in the world—audited and reported to customers regularly by accredited, independent third parties—to safeguard your customers’ data.

Solid foundation

What measures does Microsoft employ to help safeguard customer data?

  • Physical security. 24-hour monitoring, seismic bracing, and multifactor authentication for physical access to data centers.
  • Data security. Features like encryption, logical isolation of your customers’ data, and strong authentication.
  • Operational best practices. Prevent breach and assume breach to monitor, anticipate, and mitigate threats.

GDPR contractual commitments

Microsoft has pledged that our technology will be GDPR-compliant by May 2018. As your customers’ third-party data processor, we stand behind that promise with key, GDPR-related contractual commitments for our cloud services.

According to a Microsoft-commissioned Forrester Consulting study, Microsoft 365 can be a very profitable component of a GDPR customer solution. In fact, Forrester estimates there’s a potential for a:

  • 50% 3-year revenue uplift of Microsoft 365 Enterprise versus Office 365
  • 67% 3-year managed services revenue uplift
  • 33% (or 1/3) increase in Microsoft 365 Enterprise margins over a 3-year period as a result of increased efficiency and higher-margin offerings

Forrester. Assess Your Data Privacy Practices with The Forrester Privacy and GDPR Maturity Model. April 2017.


Microsoft has invested heavily in developing intelligent, comprehensive compliance offerings that can help you assess and manage your customers’ risk and achieve GDPR compliance. And Microsoft 365 provides an ideal platform on which you can build profitable solutions to simplify the task of identifying, classifying, and governing personal data, enabling your customers to comply with the GDPR transparency, accountability, and record keeping requirements.

Identity protection

Azure Active Directory. Centralize identity, so there is a single directory to manage, and users can access all the resources they need with a single credential. Supports multifactor authentication, hardware-based protections, including biometrics, risk-based access, and sophisticated management for privileged accounts.

Azure AD Privileged Identity Management. Offers the ability to discover, restrict, and monitor administrators and their access to resources and services like Office 365. Users who need administrative access can get it for a preconfigured, limited amount of time (just-in-time access) after they have proved their identity through multifactor authentication.

Windows 10. Offers the full benefit of multifactor authentication for logging on to devices.

  • Windows Hello supports PIN and biometrics options (fingerprint/facial recognition), which are built into the operating system.
  • Windows Defender Credential Guard uses virtualization-based security and a container to isolate Windows authentication. Moving the authentication stack and single sign-in tokens out of Windows into an isolated container keeps them secure against attackers who may have fully compromised the operating system.

Threat protection

Windows Defender Advanced Threat Protection. Provides the latest preventative protection from advanced cyberthreats, detecting attacks and zero-day exploits, and offering centralized management for your customers' end-to-end security lifecycles.

Microsoft Intelligent Security Graph. Microsoft analyzes an unparalleled collection of security signals (detected threats) from vast sources to strengthen the security in Microsoft products and services. Rich cyber insights from vast security intelligence, machine learning, and behavioral analytics help customers stay on top of evolving threats, improve investigations, and speed up response.

Office 365 Threat Intelligence. Leverages billions of data points from the Microsoft Intelligent Security Graph to proactively uncover and protect against advanced threats. Deep insights into these threats help to quickly and effectively enable alerts, dynamic policies, and security solutions.

Information protection

Azure Information Protection. Helps ensure persistent classification and protection of sensitive data, no matter where it’s stored or who it’s shared with. Also provides end-to-end protection and control for sensitive data, including data classification and labeling, data protection, data usage monitoring, and responding to malicious data usage activities.

Compliance Manager with Compliance Score. Simplify regulation-to-audit compliance processes for Microsoft cloud services, conduct ongoing risk assessments, and gain actionable insights and step-by-step guidance to help improve data protection capabilities. Built-in control management and audit-ready reporting tools included.

Office 365 Advanced Data Governance. Capabilities apply machine learning to help find, retain, and protect important data throughout its lifecycle, while automatically eliminating trivial, redundant, and obsolete data that, if compromised, could pose risk.

In research commissioned by Microsoft, 58% of partners agree that Microsoft is a leader in GDPR, and 83% feel that Microsoft has a competitive advantage over other cloud solution providers.

MDC Partner Research. Microsoft 365 Security and Compliance Solution Selling Qualitative Research Findings. January 2018.

Partner opportunity

The 25 May 2018 EU GDPR deadline, initially seen as a regulatory milestone, has morphed into both a short-term and a long-term opportunity for your practice. In the shorter term, you can lead with Microsoft 365 solutions to move customers to the cloud, helping them to lower the cost and complexity involved with meeting their obligations under the GDPR. In the longer term, you can provide a spectrum of Microsoft 365 customer solutions and services—including expanding into productivity and collaboration scenarios.

Managed services

The shortage of skilled security and compliance professionals means that your customers rely on you to provide the services they don’t have in-house to help achieve GDPR compliance and reduce risk.

  • Use Microsoft compliance solutions to simplify regulation-to-audit compliance processes, conduct ongoing risk assessments, and configure policies to automatically discover, classify, label, and protect sensitive data in hybrid environments—across the cloud and on premises.
  • Consider offering services, including consulting, change management, technology reselling and support, cross-selling, upselling, end-user training, and deployment.

Differentiated offerings

When you add compliance to your portfolio, you can differentiate your practice, and deepen customer trust.

  • Take advantage of Microsoft Graph intelligence to provide proactive security monitoring, data breach notification and management, evidence of risk mitigation, proof of compliance, and more.

New partnerships

If compliance isn’t your strong suit, consider collaborating with other partners whose expertise complements your own.

  • Establishing partner-to-partner (P2P) relationships can position you to provide customers with new or more comprehensive compliance solutions, including the emerging Data Protection

Next steps

Use the GDPR Foundations Training kit to help provide customers with a basic understanding of the GDPR, then demonstrate how the combination of Microsoft 365 and your services can help your customers attain compliance.

Leverage the go-to-market resources in the GDPR Sales kit to help you build customer awareness, generate leads, and close deals with your own Microsoft 365 GDPR offer.

