Microsoft Adds GDPR Improvements to Office 365, Azure

By Kurt Mackie
April 23, 2018

With the European Union's General Data Protection Regulation (GDPR) requirements set to become law on May 25, Microsoft is working to get its cloud services and customers compliant.
The company last week announced some tooling enhancements to help organizations using Azure and Office 365 services meet GDPR requirements. The improvements are aimed at ensuring that both Microsoft's services and the organizations using them will be GDPR-compliant by the law's enforcement date.
The GDPR is a data privacy law that stipulates how the data of EU residents should be handled by organizations. Individuals can request information about stored data, and ask that it be modified or deleted by the organization. The organization, in GDPR lingo, is known as a "data controller." The law even applies to organizations located outside the EU. There are stiff fines for data privacy violators, up to €20 million or 4 percent of an organization's annual revenue turnover, whichever is greater.
Some of the Microsoft tools supporting GDPR compliance include:
Last week, Microsoft announced that it released a preview of a new Data Subject Access Request interface in the Security and Compliance Center via a new tab addition, as well as in the Azure Portal.
The Data Subject Access Request interface is also available in the Service Trust Portal, according to an announcement by the Microsoft 365 team. The Service Trust Portal also has new "Breach Notification" documentation. The portal will be getting a "Data Protection Impacts Assessments" section in coming weeks, according to this Microsoft Tech Community post.
A Data Subject Access Request gets carried out by an organization when a person makes a request, such as to provide the data that's been stored or to delete or modify the data. The individual can also request that the data be provided in an electronic format that can be "moved another data controller," according to Microsoft.
The new Data Subject Access Request interface preview lets organizations perform a search for "relevant data across Office 365 locations." It will search across "Exchange, SharePoint, OneDrive, Groups and now Microsoft Teams." It exports the data for review "prior to being transferred to the requestor," Microsoft explained.
The Data Subject Access Request interface preview also works with Microsoft's Advanced Data Governance service, so it can be event based. Here's how the Office 365 team explained the matter:
  One DSR scenario an organization may encounter is when a departing employee requests that their data is provided to them. To help with this scenario and others like it, the Event-based retention feature of Advanced Data Governance is now generally available for Office 365 E5 customers.
Microsoft is promising that the Data Subject Access Request capabilities will be out of preview before the May 25 deadline. Microsoft is also promising that IT pros will be able to "execute DSRs against system-generated logs."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.