Microsoft Readies Its Cloud for New EU Privacy Law
- By Kurt Mackie
- May 26, 2017
As the European Union prepares to enforce its recently updated data privacy laws, Microsoft and other providers are retrofitting their services to ensure their customers are compliant with the new regulations.
The General Data Protection Regulation (GDPR) promises greater privacy controls over how personal data gets processed for EU residents. While the law applies to residents within EU member states, it also applies if their information is used outside those states. Organizations found to be in violation of the GDPR can be subject to fines calculated as the greater of €20 million or 4 percent of an organization's annual turnover globally.
The law consists of a Regulation and a Directive, which were both passed in April of last year. The Regulation describes the protection of personal data, while the Directive is focused on the processing and movement of personal data by entities, such as companies and service providers.
The Directive, even though it's already passed, will come into effect legally for the individual EU states on May 25, 2018. Consequently, organizations worldwide have less than a year to achieve compliance with the GDPR.
Microsoft this week touted its "cloud" services as being in such a state that they will achieve full compliance with the GDPR on May 25, 2018. Services such as "Office 365, Dynamics 365, Azure, including Azure data services, Enterprise Mobility + Security, and Windows 10" will be compliant, Microsoft promised in an announcement.
In addition, Microsoft is selling its services to organizations to help them get compliant with the GDPR. Documents can be tracked and revoked using Azure Information Protection. Data can be labeled using the Office 365 Advanced Data Governance service.
Organizations should take steps today to plan for GDPR compliance. According to Microsoft, they should:
- Discover the data that's subject to the GDPR
- Manage how personal data is used and accessed
- Protect the data by establishing controls, and
- Report on data use, including plans for managing data requests and providing public notifications about breaches
Microsoft is touting its Enterprise Mobility + Security products as being helpful for carrying out those steps.
Microsoft also plans to release a new "Risk and Compliance" dashboard, indicating GDPR compliance, for organizations using its services. The dashboard, expected to arrive "later this year," will show the state of customer controls and Microsoft controls for GDPR compliance across various services, according to a screenshot.
This week, Microsoft published a GDPR compliance section within the Microsoft Trust Center. It contains white papers published this month on the topic, as well as a video featuring Julia White, corporate vice president at Microsoft, and Brad Smith, president and chief legal officer at Microsoft. Smith noted in the video that the GDPR may become a broader standard than just for EU countries.
"We believe the GDPR is an important step forward for clarifying and enabling individual privacy rights," Smith said in the video. "And while it's a regulation for Europe, in fact, it's rapidly emerging as a new standard for the world."
In other GDPR news, Commvault, a provider of data protection and information management services, promised it can help organizations achieve compliance. Its Commvault Data Platform indexes data and can find personally identifiable information within unstructured data. It can find the information in archives, backups and endpoint protection services, as well as cloud environments, according to an announcement.
Individuals under the GDPR have the right to be forgotten, as well as the right to be notified when their information has been hacked. Organizations, on the other hand, have the right to retain data within a time frame needed to fulfill a contract or legal obligation, according to the EU's Q&A document.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.