Skip to main content
Microsoft Security

This post is authored by Daniel Grabski, Executive Security Advisor, Microsoft Enterprise Cybersecurity Group.

As an Executive Security Advisor for enterprises in Europe and the Middle East, I regularly engage with Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and Data Protection Officers (DPOs) to discuss their thoughts and concerns regarding the General Data Protection Regulation, or GDPR. In my last post about GDPR, I focused on how GDPR is driving the agenda of CISOs. This post will present resources to address these concerns.

Some common questions are “How can Microsoft help our customers to be compliant with GDPR?” and, “Does Microsoft have tools and services to support the GDPR journey?” Another is, “How can I engage current investments in Microsoft technology to address GDPR requirements?”

To help answer these, I will address the following:

Tools for CISOs

There are tools available that can ease kick-off activities for CISOs, CIOs, and DPOs. These tools can help them better understand their GDPR compliance, including which areas are most important to be improved.

GDPR benchmarking tool.

Image 1: GDPR benchmarking tool

As an example, see below the mapping to the first question in the Assessment. This is based on how Microsoft technology can support requirements about collection, storage, and usage of personal data; it is necessary to first identify the personal data currently held.

Azure Data Catalogue.

Image 2: Azure Data Catalogue

Security & Compliance Center and Advanced eDiscovery.

Image 3: Security & Compliance Center and Advanced eDiscovery

A sample outcome, based on one of the questions regarding GDPR requirements, as shown in Image 4.

Example of the GDPR requirements mapped with features in the Microsoft platform.

Image 4: Example of the GDPR requirements mapped with features in the Microsoft platform

Resources for CISOs

Microsoft’s approach to GDPR relies heavily on working together with partners. Therefore, we built a broader version of the GDPR benchmarking tool available to customers through the extensive Microsoft Partner Network. The tool provides an in-depth analysis of an organization’s readiness and offers actionable guidance on how to prepare for compliance, including how Microsoft products and features can help simplify the journey.

The Microsoft GDPR Detailed Assessment is intended to be used by Microsoft partners who are assisting customers to assess where they are on their journey to GDPR readiness. The GDPR Detailed Assessment is accompanied by supporting materials to assist our partners in facilitating customer assessments.

In a nutshell, the GDPR Detailed Assessment is a three-step process where Microsoft partners engage with customers to assess their overall GDPR maturity. Image 5 below presents a high-level overview of the steps.

The GDPR Detailed Assessment is a three-step process where Microsoft partners engage with customers to assess their overall GDPR maturity.

Image 5

The duration for the partner engagement is expected to last 3-4 weeks, while the total effort is estimated to be 10 to 20 hours, depending on the complexity of the organization and the number of participants as you can see below.

Duration of the engagement.

Image 6: Duration of the engagement

The Microsoft GDPR Detailed Assessment is intended for use by Microsoft partners to assess their customers’ overall GDPR maturity. It is not offered as a GDPR compliance attestation. Customers are responsible to ensure their own GDPR compliance and are advised to consult their legal and compliance teams for guidance. This tool is intended to highlight resources that can be used by partners to support a customer’s journey towards GDPR compliance.

We are all aware that achieving organizational compliance may be challenging. It is hard to stay up-to-date with all the regulations that matter to organizations and to define and implement controls with limited in-house capability.

To address these challenges, Microsoft announced a new compliance solution to help organizations meet data protection and regulatory standards more easily when using Microsoft cloud services – Compliance Manager. The preview program, available today, addresses compliance management challenges and:

Image 7 shows a dashboard summary illustrating a compliance posture against the data protection regulatory requirements that matter when using Microsoft cloud services. The dashboard summarizes Microsoft’s and your performance on control implementation on various data protection standards and regulations, including GDPR, ISO 27001, and ISO 27018.

Compliance Manager dashboard.

Image 7: Compliance Manager dashboard

Having a holistic view is just the beginning. Use the rich insights available in Compliance Manager to go deeper to understand what should be done and improved. Each Microsoft-managed control illuminates the implementation and testing details, test date, and results. The tool provides recommended actions with step-by-step guidance. It aides better understanding of how to use the Microsoft cloud features to efficiently implement the controls managed by your organization. Image 8 shows an example of the insight provided by the tool.

Information to help you improve your data protection capabilities.

Image 8:  Information to help you improve your data protection capabilities

During the recent Microsoft Ignite conference, Microsoft announced Azure Information Protection scanner. The feature is now available in public preview. This will help to manage and protect significant on-premise data and help prepare our customers and partners for regulations such as GDPR.

We released Azure Information Protection (AIP) to provide the ability to define a data classification taxonomy and apply those business rules to emails and documents. This feature is critical to protecting the data correctly throughout the lifecycle, regardless of where it is stored or shared.

We receive a lot of questions about how Microsoft can help to discover, label, and protect existing files to ensure all sensitive information is appropriately managed. The AIP scanner can:

I encourage you to enroll for the preview version of Azure Information Protection scanner and to continue to grow your knowledge about how Microsoft is addressing GDPR and general security with these helpful resources:


About the author:

Daniel Grabski is a 20-year veteran of the IT industry, currently serving as an Executive Security Advisor for organizations in Europe, the Middle East, and Africa with Microsoft Enterprise Cybersecurity Group. In this role he focuses on enterprises, partners, public sector customers and critical infrastructure stakeholders delivering strategic security expertise, advising on cybersecurity solutions and services needed to build and maintain secure and resilient ICT infrastructure.