Accelerate GDPR compliance with the Microsoft Cloud.
Microsoft believes privacy is a fundamental right. Our cloud solutions can help you achieve GDPR compliance. In May 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect.
Preparing for a new era in privacy regulation.
The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.
Microsoft has extensive expertise in protecting data, championing privacy, and complying with complex regulations. We believe that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We want to help you focus on your core business while efficiently preparing for the GDPR. We are committed to GDPR compliance across our cloud services when enforcement begins May 25, 2018, and provide GDPR related assurances in our contractual commitments.
How our products help you meet GDPR requirements.
Our existing enterprise products and services can help jumpstart your journey
Microsoft products and services are available today to help you meet the GDPR requirements, and we are investing in additional features and functionality.
Through our cloud services and on-premises solutions we’ll help you locate and catalog the personal data in your systems, build a more secure environment, simplify your management and monitoring of personal data, and give you the tools and resources you need to meet the GDPR reporting and assessment requirements.
Microsoft enterprise products and services and the GDPR
Microsoft Azure
Microsoft designed Azure with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Azure can help you on your journey to reducing risks and achieving compliance with the GDPR.
Microsoft Dynamics 365
Microsoft designed Dynamics 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Dynamics 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.
Microsoft Enterprise Mobility + Security
Securing and managing personal data is critical to you, your customers, and to complying with the coming requirements of the GDPR. Microsoft designed Enterprise Mobility + Security to safeguard customer data both in the cloud, and on-premises, with industry-leading security capabilities. This includes personal data no matter where it might travel across your users, devices, and apps. Enterprise Mobility + Security offers innovative technology and solutions today that can help you on your journey to reducing risks and achieving compliance with the GDPR.
eDiscovery
eDiscovery can provide the mechanism for completing Subject Access Requests, while Advanced Threat Protection and Office 365 auditing help you monitor and investigate actions taken on your data.
Microsoft Office and Office 365
Microsoft designed Office and Office 365 with industry-leading security measures and privacy policies to safeguard your data in the cloud, including the categories of personal data identified by the GDPR. Office and Office 365 can help you on your journey to reducing risks and achieving compliance with the GDPR.
Microsoft SQL Server/Azure SQL Database
Microsoft designed SQL Server and Azure SQL Database with industry-leading security measures and privacy policies to safeguard your data in the database, including the categories of personal data identified by the GDPR. Built-in SQL security capabilities can help you on your journey to reducing risks and achieving compliance with the GDPR.
Windows 10 and Windows Server 2016
Microsoft designed Windows 10 and Windows Server 2016 with industry-leading security measures and privacy policies to help safeguard your data in the cloud, including the categories of personal data identified by the GDPR.
The security capabilities available today in Windows 10 and Windows Server 2016 can help you on your journey to reducing risks and achieving compliance with the GDPR.
Where do I start?
Start preparing for the GDPR now
The GDPR contains many requirements about collecting, storing, and using personal information, including how you:
- Identify and secure the personal data in your systems.
- Accommodate new transparency requirements.
- Detect and report personal data breaches.
- Train privacy personnel and employees.
Given how much is involved, you shouldn’t wait until the regulation takes effect in May 2018 to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.
Begin your journey to compliance by focusing on four key steps
Microsoft products and services provide powerful solutions to tackle these steps in your journey to compliance with the GDPR. To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see How our products help you meet GDPR requirements.
General FAQ
Is Microsoft making any commitments in its volume licensing agreements to comply with the GDPR?
Yes. We have already released our first contractual commitments related to the GDPR and we anticipate updates and refinements as we get closer to May 25, 2018 (when the regulation takes effect).
The GDPR requires organizations that control or process personal data tied to EU residents to only use third-party data processors that meet the GDPR’s requirements for personal data processing. In March 2017, Microsoft made available contractual guarantees that provide the assurances you need from us long before GDPR enforcement begins.
Our GDPR contract terms govern our processing and security of personal data, transfers of personal data to third countries, confidentiality requirements for individuals authorized to access personal data, and use of sub-processors. They also define our commitments to help you: respond to data subjects’ requests to correct, amend, or delete their personal data; delete or return personal data when our provision of services ends; respond to personal data breaches; and demonstrate your compliance with the GDPR.
Our GDPR terms are available to our enterprise customers now. If you are interested in obtaining them, please contact your account manager. Ultimately, the terms will be integrated into our Online Services Terms and thereby will be available automatically to all our customers without need for amendment.
EU data protection authorities are continuing to deliver additional guidance on the GDPR. In the future, they may approve codes of conduct, certification mechanisms, and standard contractual clauses. At Microsoft, we will continue to refine our policies, procedures, and technologies as the EU evolves its GDPR requirements, and we will ensure that our customers can take full advantage of any improvements.
How will the GDPR affect my company?
The GDPR contains many requirements about how you collect, store, and use personal information. This means not only how you identify and secure the personal data in your systems but also how you accommodate new transparency requirements, how you detect and report personal data breaches, and how you train privacy personnel and employees.
Given how much is involved, you should not wait until the regulation takes effect to prepare. You need to begin reviewing your privacy and data management practices now. Failure to comply with the GDPR could prove costly, as companies that do not meet the requirements and obligations could face substantial fines and reputational harm.
What rights must companies enable under the GDPR?
The GDPR provides EU residents with control over their personal data through a set of “data subject rights.” This includes the right to:
- Access readily-available information in plain language about how personal data is used
- Access personal data
- Have incorrect personal data deleted or corrected
- Have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”)
- Restrict or object to processing of personal data
- Receive a copy of personal data
- Object to processing of data for specific uses, such as marketing or profiling
How much can companies be fined for noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain requirements of the GDPR. Additional individual remedies could increase your risk if you fail to adhere to the GDPR requirements.
What is personal data?
Personal data is any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. Personal data can include:
- Name
- Email address
- Social media posts
- Physical, physiological, or genetic information
- Medical information
- Location
- Bank details
- IP address
- Cookies
- Cultural identity
Does the GDPR apply to both data processors and data controllers?
Yes, the GDPR applies to both data controllers and processors. A data controller is in charge of the data; a data processor processes the data for the controller. Controllers must only use processors that take measures to meet the requirements of the GDPR. A controller determines why and how to process personal data while the processor performs operations on personal data on behalf of the controller.
Under the GDPR, processors face additional duties and liability for noncompliance, or acting outside of instructions provided by the controller. Compliant processor duties include:
- Processing data only as instructed
- Using appropriate technical and organizational measures to process personal data
- Deleting or returning data to the controller
- Securing permission to engage other processors
Does my business need to appoint a Data Protection Officer (DPO)?
It depends on several factors identified within the regulation. If your company must appoint a Data Protection Officer (DPO), the DPO is responsible for informing employees of their compliance obligations as well as conducting the monitoring, training, and audits required by the GDPR.
How does the GDPR change an organization’s response to personal data breaches?
The GDPR will change data protection requirements and employ stricter obligations for data processors and data controllers regarding notice of personal data breaches that result in a risk to individual rights and freedoms. Under the new regulation, the data processor must notify the data controller of any such personal data breach after having become aware of it without undue delay. Once aware of a breach, the data controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers will also need to notify impacted individuals without undue delay. Microsoft products and services—such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server/Azure SQL Database, and Windows 10—have solutions available today to help you detect and assess security threats and breaches and meet the GDPR’s breach notification obligations.
Does the GDPR deal with encryption?
Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible when it is affected by a breach. Therefore, whether or not encryption is used may impact requirements for notification of a personal data breach. The GDPR also points to encryption as an appropriate technical or organizational measure in some cases, depending on the risk. Encryption is also a requirement through the Payment Card Industry Data Security Standard and part of the strict compliance guidelines specific to the financial services industry. Microsoft products and services such as Azure, Dynamics 365, Enterprise Mobility + Security, Office 365, SQL Server/Azure SQL Database, and Windows 10 offer robust encryption for data in transit and data at rest.
How much will it cost to meet compliance with the GDPR?
Meeting compliance with the GDPR will cost time and money for most organizations, though it may be a smoother transition for those who are operating in a well-architected cloud services model and have an effective data governance program in place.
Where can I learn more about the GDPR?
To learn more about the GDPR, please visit the EU GDPR page.
To learn more about how Microsoft products and services can help you prepare to comply with the GDPR, please see How our products help you meet GDPR requirements.