How Microsoft cloud enables GDPR compliance

Michaela Nankin

Microsoft Cloud Business Specialist

Until recently, the legal pressure on companies to handle the customer data they hold responsibly has been relatively light. With the advent of the General Data Protection Regulation (GDPR), data protection has become a much talked about topic and a priority for most organisations, which must be compliant by May 2018.

At Softcat, our consultative approach focuses on helping customers understand their business-level risk and vulnerability. In a recent article, we noted that "very few organisations truly understand their risk and even fewer have any methods of limiting it." So I wanted to look at how GDPR fits in for customers on Microsoft's cloud platform, and how they can use technology they already own to mitigate that risk.

Data Controllers and Processors

Microsoft, like Softcat, is both a data controller and a data processor under GDPR. It is a data controller of the personal data it holds and controls itself, such as employee and end-consumer data. It is a data processor in respect of the personal data that its customers and partners process using its cloud platforms. A data controller 'determines the purposes and means of the processing of personal data', whereas a data processor 'processes personal data on behalf of the controller'. As a data processor, Microsoft has already promised to share the details of its contractual commitments in accordance with GDPR and to adhere to all articles of the regulation by May 2018.

Tools Within 365

What is potentially more interesting to organisations are the tools already native within the 365 stack of services, along with the benefits of Enterprise Mobility and Security for securing and managing personal data. Organisations don't necessarily need to invest in expensive new solutions to become GDPR compliant. Instead, they can build on their current investment and harness features they may already be entitled to.

Damage Control

GDPR isn't just about mitigating risk with security solutions; it also tests an organisation's agility and ability to deal with a breach. Under Article 33 of the regulation, a personal data breach must be notified to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, where feasible, and under Article 34 the affected individuals must be told without undue delay when the breach is likely to result in a high risk to them. Azure AD Premium's Identity Protection feature calculates sign-in and user risk levels and provides basic workflows for tracking an investigation, giving IT a starting point should a breach occur.

Enterprise Mobility and Security

A large part of GDPR compliance is being able to retrieve an individual's data easily, which is built into the 365 service through eDiscovery. However, it's important for us to support our customers in making sure the correct data is retained, and only for an appropriate length of time. Enterprise Mobility and Security provides conditional access controls that limit what a user can do, including whether they can download customer data, on a non-corporate device. For example, allowing users to work from a hotel computer keeps them productive across multiple devices, while you as an organisation retain control over what each class of device is allowed to do. Policies can also be set per application: OneDrive for Business might be given reasonably relaxed policies, whereas Salesforce CRM, which may contain sensitive customer data, can be made to require MFA (Multi-Factor Authentication) when accessed from a personal device outside the company network.
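The per-app policy described above, expressed as an Azure AD Conditional Access policy body for the Microsoft Graph endpoint `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`. This is an added illustration, not configuration from the original article or from Microsoft; the display name, the `<salesforce-enterprise-app-id>` and `<break-glass-account-object-id>` placeholders are assumptions to be replaced with your tenant's own values. The policy applies to the CRM application only, excludes trusted (corporate) network locations, and grants access when the sign-in comes from a compliant managed device OR the user passes MFA, so a personal device off the corporate network is forced through MFA while a managed corporate device is not:

```json
{
  "displayName": "CRM - require MFA or compliant device off the corporate network (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["<salesforce-enterprise-app-id>"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice", "mfa"]
  }
}
```

Two practical checks: the policy is created in report-only mode (`enabledForReportingButNotEnforced`) so the sign-in logs show who would have been blocked before it is switched to `enabled`, and an emergency-access account is excluded so a misconfigured policy cannot lock administrators out. The "relaxed" OneDrive for Business side of the example is simply the absence of such a grant control for that application; where you want to allow browsing but prevent download on unmanaged devices, the corresponding mechanism is a session control (`sessionControls.applicationEnforcedRestrictions`) combined with the limited-access setting in SharePoint Online, rather than a grant control.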

Microsoft's Approach

I often get asked how Microsoft helps organisations respond to attacks, and what insight it can give into external and internal behaviour that could damage or breach sensitive data. This is going to be very pertinent when building strong GDPR processes, and Microsoft assists in three important ways.

  1. Data Loss Prevention (DLP) is built into Exchange Online, SharePoint Online and OneDrive, with a dashboard for reviewing policy matches.
  2. If a customer wants to protect themselves further, Windows Defender Advanced Threat Protection lets businesses investigate endpoints and understand adversary activity, whilst Advanced Threat Analytics profiles user and entity behaviour from on-premises Active Directory traffic and alerts IT admins to anomalies.
  3. Combining DLP with Advanced Threat Protection covers all three of users, devices and data.

Be GDPR Compliant

Whilst Microsoft can do a lot to facilitate your journey towards GDPR compliance, the main thing to remember is that the regulation is wide reaching and there isn't a black-and-white answer to every GDPR question. Where Microsoft does stand out is in the broad advances made in its security technology, either native within its cloud services or complementary to 365 and Azure. The solutions are secure and also pragmatic, meaning that users still feel enabled, with the knowledge that business-grade tools are protecting them.
If you would like to understand how you can use your existing Microsoft solutions to move towards GDPR compliance, please contact your Softcat account manager or get in touch. To find out more about the other services available, visit our GDPR hub.