Microsoft Previews Tool To Manage Compliance with GDPR
- By Kurt Mackie
- November 17, 2017
Microsoft's Compliance Manager dashboard tool is now in preview, helping organizations track the regulatory compliance status of the Microsoft solutions running in their environments, as well as in their customers' environments.
While Compliance Manager can be used for various compliance assessment purposes, its most pressing use is helping organizations meet the requirements of the European Union's General Data Protection Regulation (GDPR). Microsoft had shown an early screenshot of Compliance Manager back in May, when it described its overall GDPR readiness efforts.
The tool can also be used to assess compliance with other standards. For instance, Compliance Manager can be used to check compliance with ISO 27001, the standard for information security management systems, and with ISO 27018, the code of practice for protecting personally identifiable information in public cloud services.
The GDPR adds privacy protections for EU residents when they use electronic services or when organizations store data about them. Its legal protections apply even when the data is stored outside the EU. Organizations will also be required to provide individuals with the personal data held about them upon request.
Under the GDPR, organizations essentially will need to protect and track the storage of personal data or risk fines. The maximum fine for a violation is the greater of €20 million or 4 percent of the organization's total worldwide annual turnover. The GDPR replaces the 1995 Data Protection Directive and will apply from May 25, 2018.
Compliance Manager Use
Compliance Manager can be used by organizations if they have signed up to use paid or trial subscriptions to various Microsoft cloud services, such as Office 365, Microsoft Azure or Dynamics 365. However, for this preview release, Compliance Manager only shows details about Office 365 services, according to Microsoft's FAQ page.
Microsoft expects that Compliance Manager will reach the "general availability" commercial-release stage sometime "in 2018." At that time, it's also expected to support other Microsoft cloud services, such as Azure and Dynamics 365.
Compliance Manager currently covers only Microsoft's own cloud services. However, Microsoft could add support for non-Microsoft cloud services in the future, "based on customer feedback," according to the FAQ.
Currently, the Compliance Manager preview isn't available for Office 365 Germany or for Office 365 operated by 21Vianet in China.
The Compliance Manager tool is hosted at Microsoft's "Service Trust Portal," the site that also houses the third-party audit reports backing Microsoft's compliance claims. Microsoft has published documentation on how to use the Compliance Manager preview.
Compliance Manager is built around a shared-responsibility model: Microsoft is responsible for some controls (shown as "Microsoft Controls" in the tool's dashboard), while customers using its services are responsible for others (shown as "Customer Controls"). Essentially, IT pros must test the Customer Controls themselves and record in the tool when each one has been implemented; the tool tracks what the customer attests, it does not verify it. Microsoft illustrated that process in a Compliance Manager demo video.
The Compliance Manager dashboard provides a visual display of risk assessment, both for Microsoft Controls and Customer Controls. It's possible to drill down into Microsoft's recommended actions when there are steps needed to achieve compliance. Organizations have role-based access control within Compliance Manager to specify which personnel can view the reports.
Microsoft added some fine print associated with the use of Compliance Manager. For instance, customers are responsible for evaluating the effectiveness of the tool's recommendations in their own environments. Moreover, Microsoft's announcement explained that the "recommendations from Compliance Manager should not be interpreted as a guarantee of compliance."
Compliance Manager could prove to be a major marketing tool for the other services sold under Microsoft's "Microsoft 365" licensing brand. Ron Markezich, corporate vice president at Microsoft, made that case in the announcement. For instance, he noted that organizations can automatically classify Office 365 data and apply policies to it using the Office 365 Advanced Data Governance service and the Azure Information Protection scanner (in preview). Data can be located for GDPR compliance purposes, such as responding to an individual's request, using the Office 365 eDiscovery search service, he added.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.