Microsoft Gives Orgs Another Way To Monitor GDPR Compliance

Microsoft has introduced a new capability in some of its products to give organizations a way to ensure their compliance with data privacy regulations, particularly the European Union's General Data Protection Regulation (GDPR).

The "Windows diagnostic data processor configuration" became generally available this week, Microsoft announced, letting organizations get better oversight over the diagnostic data collected by Microsoft. It's now enabled in certain Microsoft tools, namely "Desktop Analytics, Update Compliance, Microsoft Managed Desktop, and the Windows Update for Business deployment service," the announcement explained.

Data Controller Oversight
Windows collects diagnostic information, and organizations have had rather non-transparent ways of limiting what gets collected. They can just select a pre-set data collection level.

Microsoft's current data collection levels include "Diagnostic Data Off" (previously called "Security"), "Required" (previously called "Basic") and "Optional" (previously called "Full"). Organizations using the Windows Update service to keep systems patched need to use the Required option. These nuances, and more, are described in this 2020 "Configure Windows Diagnostic Data" document.

Microsoft is touting the Windows diagnostic data processor configuration capability, now at general availability, as being equivalent to having data controller oversight per the GDPR.

Here's how it was put in the "Configure Windows Diagnostic Data" document:

"The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements."

According to a European Union glossary entry, "the data controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data." The glossary entry adds that "the actual processing may be delegated to another party, called the data processor."

It seems that the Windows diagnostic data processor configuration capability is mostly conceived as a means for organizations to become compliant with the GDPR with regard to their customers. Possibly, it's also an assurance about Microsoft's data collection practices.

Here's how the announcement put it:

"Now generally available, the Windows diagnostic data processor configuration further empowers you to manage your organization's diagnostic data. It provides you familiar tools to support data subject rights, including managing, exporting, or deleting data stored securely in your Azure tenant. It also lets you benefit from our technology without compromise."

The capability apparently helps organizations delete data should they get a customer request to do so, which is a GDPR prerogative. The customer, per GDPR lingo, is known as the "data subject" in such cases.

Handling data subject requests happens through "the admin portal," according to a note in this "Windows 10 and Privacy Compliance" document.

Prerequisites to Using Diagnostic Data Configuration
There are prerequisites to using the Windows diagnostic data processor configuration capability, according to Microsoft's "Configure Windows Diagnostic Data" document.

The Windows diagnostic data processor configuration capability is supported only on devices using "Windows 10 Pro, Education or Enterprise editions, version 1809 with July 2021 update or newer." In addition, the Windows devices "must be joined to Azure Active Directory."

The Windows diagnostic data processor configuration capability applies only to data collection by Windows components. It doesn't apply to the apps running on top of Windows, which have their own data collection practices.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.