The General Data Protection Regulation (GDPR) for Office 365

In May 2018, a European privacy law is due to take effect that will require big changes, and potentially significant investments, by organizations all over the world—including Microsoft and our customers.

Known as the General Data Protection Regulation (GDPR), the law imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.

Microsoft believes the GDPR represents an important step forward for individual privacy rights. It gives EU residents more control over their “personal data” (which is precisely defined by the GDPR). The GDPR also seeks to ensure personal data is protected no matter where it is sent, processed, or stored. The law updates European privacy regulations for the first time in more than two decades, bringing them more in line with current technologies, and increases the uniformity of privacy regulations across the EU’s member states.

The GDPR is also a complex regulation that may require vast changes in how you gather and manage data. Microsoft has a long history of helping our customers comply with complex regulations. When it comes to preparing for the GDPR, we’ve got your back.

Supporting your journey to compliance with the GDPR

We want to help you focus on your core business while efficiently preparing for the GDPR. Our goal is to streamline your compliance with the GDPR through smart technology, innovation, and collaboration.

Microsoft products and services are available today to help you meet the GDPR requirements, and we are investing in additional features and functionality. Through our cloud services and on-premises solutions we’ll help you locate and catalog the personal data in your systems, build a more secure environment, simplify your management and monitoring of personal data, and give you the tools and resources you need to meet the GDPR reporting and assessment requirements.

We will share what we learn on our journey to compliance to make yours easier. We will show you how our existing enterprise products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server and Azure SQL Database, and Windows 10—can jumpstart that journey today.

Where do I start?

The GDPR contains many requirements about how you collect, store and use personal information. This means not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.

Given how much is involved, you should not wait until the regulation takes effect in May 2018 to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.

We recommend you begin your journey to compliance with the GDPR by focusing on four key steps:

  • (1) Discover: Identify what personal data you have and where it resides.
  • (2) Manage: Govern how personal data is used and accessed.
  • (3) Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
  • (4) Report: Keep required documentation, and continuously review and update your data protection policies and practices.

Microsoft products and services provide powerful solutions to tackle these steps in your journey to compliance with the GDPR.

To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server/Azure SQL Database, and Windows 10.

Microsoft’s commitment to the GDPR

The goals of the GDPR are consistent with Microsoft’s long-standing commitment to security, privacy, and transparency.

We are working to bring our products and services into compliance with the GDPR by May 2018. We are updating the features and functionality in all of our services to meet the GDPR requirements, and we are updating our documentation and our customer agreements to reflect the GDPR requirements.

Microsoft offers the most comprehensive set of compliance capabilities of any cloud service provider. And, we lead the industry in engaging with customers, regulatory bodies, and standards boards to advance compliance and serve customers’ needs. We will remain closely engaged with you as we prepare together for the GDPR to go into effect.

Microsoft designed Office and Office 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Office and Office 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.

One essential step to meeting the GDPR obligations is discovering and controlling what personal data you hold and where it resides. There are a number of Office 365 solutions that can help you identify or manage access to personal data:

  • Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information. In addition, DLP allows organizations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure.
  • Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organization.
  • Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
  • Customer Lockbox for Office 365 can help you meet compliance obligations for explicit data access authorization during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.
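As an added example, not code from the original page or from Microsoft's own documentation, the following PowerShell walks the Discover, Manage and Protect steps for the DLP capability described above: it lists the built-in EU sensitive information types, creates a DLP policy in test mode across Exchange Online, SharePoint Online and OneDrive for Business, and attaches a rule that blocks external sharing when EU identifiers are found. It assumes an existing Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module) held by an account with the Compliance Administrator role; the policy and rule names, the chosen sensitive information types and the policy tip text are illustrative choices, not requirements.

```powershell
# Added example (not from the original page). Assumes Connect-IPPSSession has already
# been run. Names and thresholds below are illustrative.

# Discover: confirm which built-in EU sensitive information types exist in this tenant,
# so the rule below references real names.
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -like 'EU *' -or $_.Name -like '*IBAN*' } |
    Select-Object Name, Publisher |
    Format-Table -AutoSize

# Manage: create the policy in test mode. All three workloads are in scope, but nothing
# is blocked until Mode is switched to Enable.
New-DlpCompliancePolicy -Name 'GDPR-EU-PersonalData' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment 'Detects EU personal data shared outside the organization'

# Protect: block sharing outside the organization when EU identifiers are present,
# tell the owner why, and generate an incident report for the Report step.
New-DlpComplianceRule -Name 'GDPR-EU-PersonalData-ExternalShare' `
    -Policy 'GDPR-EU-PersonalData' `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'EU Passport Number'; minCount = '1' },
        @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' },
        @{ Name = 'Credit Card Number'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains EU personal data and cannot be shared outside the organization.' `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections

# Report: review the policy state. After checking test-mode matches, enforce it with:
#   Set-DlpCompliancePolicy -Identity 'GDPR-EU-PersonalData' -Mode Enable
Get-DlpCompliancePolicy -Identity 'GDPR-EU-PersonalData' |
    Format-List Name, Mode, Workload
```

Starting in TestWithNotifications mode is deliberate: it surfaces policy tips and incident reports without blocking anyone, so false positives (for example, IBAN-like strings in test data) can be tuned before the rule is enforced.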

Another core requirement of the GDPR is protecting personal data against security threats. Current Office 365 features that safeguard data and identify when a data breach occurs include:

  • Advanced Threat Protection (ATP), an add-on to Exchange Online Protection, helps protect your email against new, sophisticated malware attacks in real time. Its Safe Attachments and Safe Links policies let you prevent users from opening malicious attachments or following malicious links received through email.
  • Threat Intelligence helps you proactively uncover and protect against advanced threats in Office 365. Deep insights into threats—provided by Microsoft’s global presence, the Intelligent Security Graph, and input from cyber threat hunters—help you quickly and effectively enable alerts, dynamic policies, and security solutions.
  • Advanced Security Management enables you to identify high-risk and abnormal usage, alerting you to potential breaches. In addition, it allows you to set up activity policies to track and respond to high risk actions.
  • Finally, Office 365 audit logs allow you to monitor and track user and administrator activities across workloads in Office 365, which helps with early detection and investigation of security and compliance issues. Audit log search must be turned on for the tenant, and entries are retained only for a limited period, so export the records you need for breach investigations and regulatory reporting.
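As an added example, not code from the original page or from Microsoft's own documentation, the following PowerShell shows how the audit logs described above are actually queried: it checks that unified audit log ingestion is on, pulls seven days of file-access and sharing events with Search-UnifiedAuditLog, expands the JSON in each record's AuditData field, summarizes operations per user, and exports the result for record keeping. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) held by an account with the View-Only Audit Logs role; the seven-day window, the list of operations and the output path are illustrative choices.

```powershell
# Added example (not from the original page). Assumes Connect-ExchangeOnline has
# already been run. The window, operation list and output path are illustrative.

# Precondition: audit records are only collected if ingestion is enabled.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is off; enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

$end   = Get-Date
$start = $end.AddDays(-7)
# Operations most relevant to personal data leaving the tenant.
$ops   = @('FileAccessed', 'FileDownloaded', 'SharingSet', 'AnonymousLinkCreated')

# ReturnLargeSet pages through results; the same SessionId must be passed on every
# call, and the loop ends when a call returns nothing. Narrow the window if you hit
# the per-session result cap.
$sessionId = "gdpr-review-$([guid]::NewGuid())"
$all = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $ops -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($batch) { $all += $batch }
} while ($batch)

# AuditData is a JSON string; expand the fields an investigator needs.
$events = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
    }
}

# Per-user, per-operation counts: an account with far more downloads or anonymous
# links than its peers is the first thing to look at in a suspected breach.
$events | Group-Object User, Operation |
    Select-Object @{ n = 'User';      e = { $_.Values[0] } },
                  @{ n = 'Operation'; e = { $_.Values[1] } },
                  Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Keep the raw export: audit retention is limited, and the GDPR's Report step
# expects you to be able to produce this evidence later.
$path = ".\audit-{0:yyyyMMdd}-{1:yyyyMMdd}.csv" -f $start, $end
$events | Export-Csv -Path $path -NoTypeInformation
```

The export matters more than the summary: because audit entries age out of the service, an incident discovered after the retention window can only be reconstructed from records you saved yourself.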

For more information please visit our Office 365 Trust Center.

To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see the sections on Azure, Dynamics 365, Enterprise Mobility + Security, SQL Server/Azure SQL Database, and Windows 10.

For more detail visit the Microsoft Trust Center.