Microsoft Enhances GDPR Compliance Tools for Azure and Office 365
Microsoft this week announced tooling enhancements to help organizations using Azure and Office 365 services meet the European Union's General Data Protection Regulation (GDPR) requirements.
The GDPR is a data privacy law that stipulates how the data of EU residents should be handled by organizations. Individuals can request information about stored data, and ask that it be modified or deleted by the organization. The organization, in GDPR lingo, is known as a "data controller." The law even applies to organizations located outside the EU. There are stiff fines for data privacy violators, up to €20 million or 4% of an organization's annual revenue turnover, whichever is greater. The GDPR will become active law on May 25, 2018.
Microsoft is promising that its services will be GDPR compliant by that date, and it has spun out a bunch of tools for organizations using its services to also stay in compliance with the GDPR. Some of the tools supporting GDPR compliance include:
This week, Microsoft announced that it released a preview of a new Data Subject Access Request interface in the Security and Compliance Center via a new tab addition, as well as in the Azure Portal.
The Data Subject Access Request interface is also available in the Service Trust Portal, according to an announcement by the Microsoft 365 team. The Service Trust Portal also has new "Breach Notification" documentation. The portal will be getting a "Data Protection Impacts Assessments" section in coming weeks, according to this Microsoft Tech Community post.
A Data Subject Access Request gets carried out by an organization when a person makes a request, such as to provide the data that's been stored or to delete or modify the data. The individual can also request that the data be provided in an electronic format that can be "moved another data controller," according to Microsoft.
The new Data Subject Access Request interface preview lets organizations perform a search for "relevant data across Office 365 locations." It will search across "Exchange, SharePoint, OneDrive, Groups and now Microsoft Teams." It exports the data for review "prior to being transferred to the requestor," Microsoft explained.
The Data Subject Access Request interface preview also works with Microsoft's Advanced Data Governance service, so it can be event based. Here's how the Office 365 team explained the matter:
One DSR scenario an organization may encounter is when a departing employee requests that their data is provided to them. To help with this scenario and others like it, the Event-based retention feature of Advanced Data Governance is now generally available for Office 365 E5 customers.
Microsoft is promising that the Data Subject Access Request capabilities will be out of preview before the May 25 deadline. Microsoft is also promising that IT pros will be able to "execute DSRs against system-generated logs."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.