News

Microsoft Steps Up to GDPR and Releases Compliance Tools

• By Kurt Mackie
• 05/25/2018

Microsoft on Friday highlighted its multiple resources for staying in compliance with the European Union's General Data Protection Regulation (GDPR), which becomes effective law today.

The GDPR is a privacy regulation that applies to EU-country residents, but the law extends to any entity handling data about those residents, even if the entities are located outside EU countries. It imposes stiff fines for data privacy violators, up to €20 million or 4% of an organization's annual global revenue turnover, whichever is greater. 

Microsoft observed the May 25 GDPR commencement date with a speech in Brussels by Brad Smith, Microsoft's president (available on demand with signup here). He said that Microsoft has been a strong supporter of the GDPR ever since it was proposed in 2012. Microsoft views privacy as a fundamental human right, he said, adding that trust is more important than ever as people exchange data. The company put more than 1,600 of its engineers onto the task of getting ready for the GDPR.

"People simply won't use technology they don't trust," Smith said.

These ideas were earlier described by Julie Brill, corporate vice president and deputy general counsel at Microsoft, in a May 21 announcement. Brill noted that Microsoft was "one a small number of companies participating in the official events in Brussels on Friday." She also announced Microsoft's plans to "extend the rights that are at the heart of GDPR to all of our consumer customers worldwide."

Brill specifically mentioned supporting "Data Subject Rights." In GDPR legal language, a data subject is a person, and they have the right to make certain requests on "Data Controllers," which are the people or organizations that store data about the subject. There are also "Data Processors" regulated under the GDPR. A Data Processor handles the data controlled by the Data Controllers.

Who Controls the Data?
This GDPR language seems simple enough, but it can get confusing. For instance, for Windows 10 users, Microsoft usually can be considered to be the Data Controller because it pulls data from Windows 10 devices, according to a "Windows 10 and the GDPR" document. On the other hand, for Microsoft's Windows Analytics service and its Windows Defender Advanced Threat Protection service, the subscribing organization is considered to be the Data Controller, while Microsoft just serves as the Data Processor, the document explained.

The potential confusion between Data Controller and Data Processor is already being exploited by ad search giant Google with regard to content publishers, according Susan Bidel, a senior analyst at research firm Forrester, in a blog post. Google has "positioned itself as a data controller," she said, and it's now requiring content publishers to obtain consent from users on Google's behalf, shifting the legal liabilities onto content providers while permitting Google to use the data as it wants, to summarize her argument.

Analyst and research firm Gartner recently published a study on assessing GDPR readiness when using the Google Cloud Platform, Amazon Web Services and Microsoft Azure. It also includes a discussion on the distinctions between Data Controllers and Data Processor roles, according a blog post by Richard Watson, a research vice president at Garner Inc.

In any case, Data Controllers have 30 days to meet a Data Subject Request, which is a request from a person to see their data, modify it, delete it entirely (the "right to be forgotten") or move it to another Data Controller.

On the Dynamics 365 side, IT pros who are global administrators have the ability to export system-generated logs for a Data Subject Request, but it can take from one to 30 days to complete, according to this Dynamics 365 Data Subject Request document. The information gets exported as "structured machine-readable files such as XML, CSV, or JSON," according to the document.

Updated GDPR Tools
Also on Friday, Microsoft announced more progress on its various tools designed to help organizations stay in compliance with GDPR rules. Its last progress report was back in April, when it described the overall tooling, with some products being at the preview stage. Now, it seems, the bulk of its GDPR support tools has reached "general availability" (GA) status, meaning that they are deemed ready for use by organizations.

Quite a lot of the tools that can be used for GDPR compliance are services offered from Microsoft's Azure datacenters. Microsoft also has a Service Trust Portal, an online site that serves as a compliance resource center, as well as a means for organizations to take actions on their stored data. For instance, the Service Trust Portal can be used to carry out Data Subject Requests, communicating data breaches and reviewing Data Protection Impact Assessments, according to a Microsoft Tech Community post.

The following tools for use with GDPR compliance have reached GA status, according to a Microsoft Azure announcement on Friday:

• Azure Data Subject Requests for the GDPR, a means of responding to user requests, which is accessible through the Azure Portal
• Azure Policy, a free addition to Azure Resource Manager and Azure Security Center that enables group policy controls, including meeting GDPR regional data storage requirements
• Compliance Manager GDPR improvements in the Service Trust Portal, adding facilities for assigning, tracking and recording "GDPR compliance activities," which is generally available for Azure customers. Compliance Manager originally hit GA status back in February with support for Azure, Dynamics 365 and Office 365
• Azure Security and Compliance GDPR Blueprint, which provides reference architectures and guidance for "building and launching cloud-powered applications that meet the requirements of the GDPR," and
• An Azure Data Log Export capability, which is described in this Microsoft Mechanics video

Other Tools
Other relevant tooling capabilities to help with GDPR compliance were described by Alym Rayani, director of Microsoft 365, in a Friday announcement (note: this link may not work in Google Chrome browsers).

Rayani added Microsoft's information protection tooling to the mix. For instance, organizations can use Office 365 Data Governance and the Azure Information Protection service to classify and label data in order to be capable of responding to a Data Subject Request.

He also touted SQL tools for labeling data, such as Azure SQL Database Data Discovery and Classification, as being useful for addressing GDPR compliance. This month, Microsoft described packaging this capability into a new product called "SQL Advanced Threat Protection," which also includes Threat Detection and Vulnerability Assessment components. There's also a SQL Information Protection service, which was previewed back in March.

Dynamics 365 users now have a "Relevance Search" and "Person Search Report" that can be used to identify personal data as part of GDPR compliance.

Microsoft also has resources for IT pros at its Windows Privacy page. There's also a free GDPR assessment portal.