Get GDPR compliant with the Microsoft Cloud
Overview
In May 2018, the General Data Protection Regulation (GDPR) will come into force. It is a European privacy law that will require big changes and potentially significant investments by organisations all over the world – including Microsoft and our customers. It will take time, tools, processes and expertise for you to comply with the GDPR. To do this, you may need to make changes to your privacy and data management practices. And failure to do so could prove costly – as companies that do not meet the requirements could face reputational harm and substantial fines of 20 million euros, or 4 percent of annual worldwide turnover, whichever is greater.
Microsoft is here to help. With the most comprehensive set of compliance offerings of any cloud service provider, the Microsoft Cloud is here to support your compliance initiatives. Our commitment to privacy is proven by our actions. Microsoft was the first enterprise cloud services provider to implement the rigorous controls needed to earn approval for our contractual model clauses governing the transfer of data outside of the European Union. We were the first cloud provider to achieve compliance with ISO’s important 27018 cloud privacy standard. Microsoft Azure has 53 major certifications and attestations – more than any other major public cloud provider.
The information contained here is to share with you our approach to GDPR and help support you as you begin reviewing your privacy and data management practices in anticipation of the GDPR coming into force.
read more: Get GDPR compliant with the Microsoft Cloud | “Beginning your GDPR Journey” Whitepaper | MS Contractual Commitments to GDPR blog
What is Microsoft doing today on GDPR?
GDPR is part of our holistic cloud compliance investments
Microsoft is committed to our principles of cloud trust – across security, privacy, transparency and compliance. We have a broad portfolio of cloud services that address the rigorous security and privacy demands of our customers, who comprise over 90 percent of Fortune 500 companies. As the GDPR enforcement begins, here is what else you can expect from us:
- Technology that meets your needs – You can leverage our broad portfolio of enterprise cloud services to meet your GDPR obligations for areas including deletion, rectification, transfer of, access to and objection to processing of personal data. Furthermore, you can count on our extensive global partner ecosystem for expert support as you use Microsoft technologies.
- Contractual commitments – We are standing behind you through contractual commitments for our cloud services, including timely security support and notifications in accordance with the new GDPR requirements. In March 2017, our customer licensing agreements for Microsoft cloud services will include commitments to be GDPR compliant when enforcement begins.
- Sharing our experience – We will share Microsoft’s GDPR compliance journey so you can adapt what we have learned to help you craft the best path forward for your organization.
While Microsoft is committed to helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility. New requirements – like greater data access and deletion rules, risk assessment procedures, a Data Protection Officer role for many organizations and data breach notification processes – will mean changes for your organization. When it comes to GDPR compliance, it’s not just European organizations that are affected, but also those outside of the EU who process data in connection with the offering of goods and services to, or monitoring the behaviour of, EU residents. As such, it’s important to understand your obligations related to GDPR regardless of where your organization resides.
What follows is product by product detail on the resources and features available today in our services which can help with your compliance and GDPR reviews.
read more: Supporting your journey to GDPR compliance with the GDPR
How does Windows 10 help support GDPR compliance?
A key GDPR requirement is protecting personal data. Windows 10 and Windows Server 2016 include industry leading encryption, anti-malware technologies, and identity and access solutions that enable users to move from passwords to more secure forms of authentication. With Windows 10 you can…
- Prevent unauthorized users from accessing your data with BitLocker Drive Encryption
- Protect your data when a device is lost or stolen with BitLocker Drive Encryption
- Protect your data from unauthorized users & applications with Windows Information Protection
- Prevent data from leaking with Windows Information Protection
read more: Windows 10 & Windows Server 2016 and the GDPR | Windows 10 Security | Windows Server 2016 Security
How does Azure help support GDPR compliance?
Identifying what data you have and controlling who has access to it is a critical requirement of the GDPR. Protecting the personal data of individuals and reporting and reviewing for compliance are also key GDPR requirements. With Microsoft Azure you can…
- Ensure only authorized users can access your data with Azure Active Directory (Azure AD)
- Ensure that your data is identifiable and secure with Azure Information Protection
- Secure your data at rest and in transit with Data Encryption in Azure Storage
- Safeguard your keys, certificates and passwords that help protect your data with Azure Key Vault
read more: Microsoft Azure and the GDPR | Azure Security Services and Technologies
How does Office & Office 365 help support GDPR compliance?
One essential step to meeting GDPR obligations is discovering and controlling what personal data your organization holds and protecting the personal data of individuals against security threats. With O365 you can…
- Identify over 80 common sensitive data types with Data Loss Prevention
- Find, classify, set policies on, and take action to manage data with Advanced Data Governance
- Meet compliance obligations for explicit data access authorization with Customer Lockbox
read more: Office 365 & Office and the GDPR | Office 365 Trust Centre | 80 common sensitive data types
How does Enterprise Mobility + Security (EMS) help support GDPR compliance?
Meeting GDPR obligations requires discovering what personal data your organization holds and where it resides, controlling how personal data is used and accessed, and protecting it by establishing security controls to prevent, detect, and respond to vulnerabilities and data breaches. EMS features identity-driven technologies that can help:
- Protect data that may be stored on personal computers and mobile devices with Microsoft Intune
- Ensure that your data is identifiable and secure with Microsoft Azure Information Protection
read more: Enterprise Mobility + Security and the GDPR | Microsoft Enterprise Mobility + Security site
How does Dynamics 365 help support GDPR compliance?
Controlling who has access to personal data is key to securing that data, and data security is a critical requirement of the GDPR. Another core requirement of the GDPR is to protect the personal data that you control or process. Dynamics 365 enables you to manage, control access and optimize security of your data in several ways:
- Restrict access to specific high-impact fields, such as personally identifiable information
- Protect your Dynamics 365 data at all times with Encryption
read more: Dynamics 365 and the GDPR | Dynamics 365 Trust Center
How does SQL Server & Azure SQL Database help support GDPR compliance?
Microsoft designed SQL Server and Azure SQL Database with industry-leading security measures and privacy policies to safeguard your data in the database, including the categories of personal data. You can…
- Limit sensitive data exposure with Dynamic Data Masking (DDM)
- Protect highly sensitive data in SQL with Always Encrypted
- Help meet the data breach notification requirement of the GDPR with SQL Database Threat Detection
read more: SQL Server/Azure SQL Database and the GDPR | Security Centre for SQL Server & Azure SQL Database
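As an added illustration (not code from the original page or from Microsoft) of the Dynamic Data Masking control named above, the T-SQL below defines masks on personal-data columns of a hypothetical Customers table, then shows what a low-privilege database user (the assumed SupportAgent) sees versus a user granted UNMASK. It runs on SQL Server 2016 or later and on Azure SQL Database.

```sql
-- Constructed example table holding personal data subject to the GDPR.
-- Each MASKED WITH clause defines what unprivileged readers see.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    FullName   NVARCHAR(100)
               MASKED WITH (FUNCTION = 'partial(1,"XXXXX",0)') NULL, -- first letter only
    Email      NVARCHAR(256)
               MASKED WITH (FUNCTION = 'email()') NULL,              -- aXXX@XXXX.com
    Phone      VARCHAR(20)
               MASKED WITH (FUNCTION = 'default()') NULL,            -- xxxx
    BirthYear  INT
               MASKED WITH (FUNCTION = 'random(1940, 2005)') NULL    -- random number
);

-- Constructed sample rows (not real people).
INSERT INTO dbo.Customers (FullName, Email, Phone, BirthYear)
VALUES (N'Anna Example', 'anna@example.org', '+31 20 000 0000', 1985),
       (N'Bo Sample',    'bo@example.net',   '+49 30 000 0000', 1972);

-- Assumed low-privilege role: may query the table but has no UNMASK right.
CREATE USER SupportAgent WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportAgent;

-- Impersonate the agent: the result set arrives masked
-- (e.g. FullName = 'AXXXXX', Email = 'aXXX@XXXX.com', Phone = 'xxxx').
EXECUTE AS USER = 'SupportAgent';
SELECT CustomerId, FullName, Email, Phone, BirthYear FROM dbo.Customers;
REVERT;

-- Assumed privileged role with a documented need for the clear values.
CREATE USER PrivacyOfficer WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO PrivacyOfficer;
GRANT UNMASK TO PrivacyOfficer;          -- database-wide in SQL Server 2016
EXECUTE AS USER = 'PrivacyOfficer';
SELECT CustomerId, FullName, Email FROM dbo.Customers;   -- unmasked
REVERT;

-- Review which columns carry a mask, useful evidence for a GDPR audit.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

DDM only alters what a query returns; a user with SELECT can still probe values through WHERE predicates, so it complements rather than replaces Always Encrypted or restricting SELECT on sensitive columns.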