General Data Protection Regulation Summary
The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where the organization is located. This document points you to information that helps you honor rights and fulfill obligations under the GDPR when using Microsoft products and services. The Recommended action plan for GDPR and the Accountability Readiness Checklists provide additional resources for assessing and implementing GDPR compliance.
Terminology
Helpful definitions for GDPR terms used in this document:
Data Controller (Controller): A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Customer Data: Data that is produced and stored in the day-to-day operations of running your business.
What is the GDPR?
The GDPR gives people the right to control the personal data that organizations collect about them. These rights are exercised through a Data Subject Request (DSR). Organizations are required to respond to DSRs and report data breaches in a timely manner, and to conduct Data Protection Impact Assessments (DPIAs) where processing is likely to be high risk.
There are a few things to keep in mind when implementing or evaluating GDPR requirements:
- Developing or evaluating your data privacy policies in accordance with the GDPR.
- Assessing your organization's Secure Score.
- Who is your data controller?
- What data protection processes should be performed?
The Recommended action plan for GDPR and the Accountability Readiness Checklists provide additional insight.
The following actions relate to GDPR requirements. Follow the links in the listing for more details on the implementation.
Data Subject Request (DSR). A formal request by a data subject to the controller to take action (access, rectification, restriction, erasure, export) in relation to his or her personal data.
Breach Notification. Under the GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Data Protection Impact Assessment (DPIA). The GDPR requires data controllers to prepare a DPIA for processing operations that are “likely to result in a high risk to the rights and freedoms of natural persons.”
As noted above, the Recommended action plan for GDPR and the Accountability Readiness Checklists provide guidance for implementing or evaluating GDPR compliance using Microsoft products and services.
Use Microsoft Purview Compliance Manager to
assess your risk
Microsoft Purview Compliance Manager is a
feature in the Microsoft Purview compliance portal to help you understand your
organization's compliance posture and take actions to help reduce risks.
Compliance Manager has a pre-built assessment for this regulation for
Enterprise E5 customers. Find the template for building the assessment in the
assessment templates page in Compliance Manager. Learn how to build assessments
in Compliance Manager.
Data Subject Request (DSR)
The GDPR grants individuals (data subjects) certain rights in connection with the processing of their personal data, including the right to correct inaccurate data, erase data or restrict its processing, receive their data, and have their data transmitted to another controller.
Controllers are responsible for responding in a timely manner under the GDPR, generally within one month of receiving the request. See Data Subject Requests for technical details.
DSR Frequently Asked Questions
What steps are required to complete a DSR?
A DSR involves six operations: Discover, Access, Rectify, Restrict, Export, and Delete.
What is the data source?
Most data in an organization is created by users in Office applications such as Excel and Outlook. You can also find data relevant to DSRs in system logs and in insights generated by Microsoft products and services.
What data should I retrieve?
Personal data can be found in customer data, in insights generated by Microsoft products and services, and in system logs.
How is personal data retrieved?
How personal data is retrieved varies by Microsoft product and service. Search tools include Content search and in-app search capabilities. Administrators can access system logs related to user activity.
In what format should personal data be provided?
The GDPR's right to data portability allows data subjects to request a copy of their personal data in a “structured, commonly used and machine-readable format”, and to request that the organization transmit that data to another data controller.
What does the GDPR require and what are my
responsibilities as the controller?
As controller, the GDPR requires you to be able
to:
Give data subjects a copy of their personal
data, together with an explanation of the categories of their data that are
being processed, the purposes of that processing, and the categories of third
parties to whom their data may be disclosed.
Help every individual exercise their right to correct
inaccurate personal data, erase data or restrict its processing, receive their
data in a readable form, and where applicable, fulfill a request to transmit
their data to another controller.
What does the GDPR require and what are the
responsibilities of Microsoft as processor?
We must implement the appropriate technical and
organizational measures to assist you in responding to requests from data
subjects exercising their rights as discussed above.
Where can I find GDPR information for my on-premises servers?
Here you can find several articles related to the GDPR. Created by Microsoft, they provide the recommended approach for on-premises workloads: SharePoint Server, Exchange Server, Project Server, Office Web Apps Server, Office Online Server, and on-premises file shares.
How does Microsoft help you respond to data subject requests?
Microsoft, as the processor, offers a range of options for responding to data subject requests. Microsoft enterprise online services and administrative controls help you act on personal data responsive to data subject rights requests, allowing you to discover, access, rectify, restrict, delete, and export personal data that resides in the controller-managed data stored in Microsoft's cloud. The online services also provide data in machine-readable form should you need it.
Data Protection Impact Assessment
Under the GDPR, data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are “likely to result in a high risk to the rights and freedoms of natural persons.” There is nothing inherent in Microsoft products and services that requires the creation of a DPIA. Rather, it depends on the details of your Microsoft configuration and how you use the services.
For the details to consider for Office, see the DPIA table of contents.
DPIA FAQ
When should I perform a DPIA?
Controllers must conduct a DPIA before beginning processing that is likely to result in a high risk to the rights and freedoms of individuals. A specific example of the risks of using Office is discussed in Determining whether you need a DPIA.
What must the DPIA contain?
The GDPR requires the DPIA to include:
- An assessment of the necessity and proportionality of the processing in relation to its purposes.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures intended to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
What are my responsibilities as a controller?
Under the GDPR, as a controller you are required to undertake DPIAs prior to data processing that is likely to result in a high risk to the rights and freedoms of individuals, in particular processing using new technologies. The GDPR provides the following non-exhaustive list of cases in which DPIAs must be carried out:
- Automated processing for the purposes of profiling and similar activities that has legal effects or similarly significantly affects data subjects;
- Processing on a large scale of special categories of personal data (data revealing racial or ethnic origin, political opinions, and the like) or of data relating to criminal convictions and offenses;
- Systematic monitoring of a publicly accessible area on a large scale.
The GDPR also requires that you consult your Data Protection Authority (DPA) before you begin processing if you cannot identify sufficient measures to mitigate the high risks to data subjects.
What are the responsibilities of Microsoft?
Microsoft practices privacy by design and
privacy by default in its engineering and business functions. As part of these
efforts, Microsoft performs comprehensive privacy reviews on data processing
operations that have the potential to cause impacts to the rights and freedoms
of data subjects. Privacy teams embedded in the service groups review the
design and implementation of services to ensure that personal data is processed
in a respectful manner that accords with international law, user expectations,
and our express commitments.
These privacy reviews tend to be granular; a particular service may receive dozens or even hundreds of reviews. Microsoft rolls these granular privacy reviews up into a Data Protection Impact Assessment (DPIA) that covers the major groupings of processing, which the Microsoft EU Data Protection Officer (DPO) then reviews. The DPO assesses the risks related to the data processing to ensure that sufficient mitigations are in place. If the DPO finds unmitigated risk, the DPO recommends changes back to the engineering group. We review and update the DPIA as data protection risks change.
Microsoft, as a processor, has a duty to assist
controllers in ensuring compliance with the DPIA requirements laid out in the
GDPR. To support our customers, relevant sections of Microsoft's DPIAs are
abstracted and will be provided through this section in future updates with the
intent of allowing controllers relying on Microsoft services to leverage the
abstracts in order to create their own DPIAs.
Breach Notification
The GDPR mandates notification requirements for data controllers and processors in the event of a personal data breach. As a data processor, Microsoft ensures that customers are able to meet the GDPR's breach notification requirements. Data controllers are responsible for assessing the risks to data privacy and determining whether a breach requires notification of the customer's DPA.
Microsoft provides the information needed to make that assessment. More information about how Microsoft detects and responds to a breach of personal data is in Data Breach Notification Under the GDPR.
Breach notification FAQs
What constitutes a breach of personal data under the GDPR?
Personal data means any information relating to an individual that can be used to identify them directly or indirectly. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
What are your duties as a controller?
In the event of a personal data breach that is likely to result in a risk to people's rights and freedoms (for example discrimination, identity theft, fraud, financial loss, or reputational damage), the GDPR requires you to:
- Notify the appropriate Data Protection Authority (DPA) within 72 hours of becoming aware of the breach, for example after Microsoft notifies you. If you do not notify the DPA within that period, you must explain the reason for the delay to the DPA. This notice to the DPA is required even where the breach poses a risk to individuals that is not likely to be a high risk.
- Notify the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, including a description of its nature (such as the categories and approximate number of people and data records affected), its consequences, and any remedial actions proposed or taken by the organization.
As the processor, what are Microsoft's responsibilities?
If we become aware of a personal data breach, the GDPR requires us to notify you without undue delay. Where Microsoft is the data processor, our obligations reflect both the requirements of the GDPR and our standard contractual commitments to customers around the world. We consider all confirmed personal data breaches to be in scope; there is no risk-of-harm threshold.
We notify customers whether the personal data breach occurred directly within Microsoft or within a subprocessor. We have processes in place to quickly identify and contact the security incident personnel you have identified in your organization. In addition, all subprocessors are contractually obligated to report their own breaches to Microsoft and to provide appropriate assurances to that effect.
How does Microsoft detect a data breach?
All of our services and personnel follow internal incident management procedures to ensure that we take proper precautions to avoid data breaches in the first place. In addition, our online services have specific security controls in place across our platforms to detect data breaches in the rare event that they occur.
How does Microsoft respond to data breaches?
Microsoft has the following in place to assist you in the event of a personal data breach:
- Security personnel trained in the specific procedures to be followed.
- Policies, procedures, and controls to ensure that Microsoft maintains detailed records. This includes documentation that captures the facts of the incident, its effects, and the remedial actions taken, and that tracks and stores the information in our incident management system.
How will Microsoft notify me in the event of a data breach?
Microsoft has policies and procedures in place to notify you promptly. To help you satisfy your notice requirements to the DPA, we will provide a description of the process we used to determine whether a breach of personal data occurred, a description of the nature of the breach, and a description of the measures we took to mitigate it.
Accountability Readiness Checklists for the GDPR
These checklists provide a convenient way to
access information you may need to support the GDPR using Microsoft products.
You can manage checklist items with Microsoft Purview Compliance Manager by
referencing the Control ID and Control Title under Customer Managed Controls in
the GDPR tile.
GDPR FAQ
Does Microsoft make commitments to its customers around the GDPR?
Yes. The GDPR requires controllers (such as organizations using Microsoft enterprise online services) to use only processors (such as Microsoft) that provide sufficient guarantees to meet the key requirements of the GDPR. Microsoft has taken the initiative by making these commitments available to all Volume Licensing customers as part of their agreements.
How does Microsoft support regulatory compliance?
Microsoft provides tools and documentation to
support your GDPR accountability. This includes supporting data subject rights, conducting our own data protection impact assessments, and
working together to address personal
data breaches.
What obligations are included in the GDPR Terms?
Microsoft's GDPR Terms reflect the commitments required of processors under Article 28 of the GDPR. Article 28 requires processors to:
- Process personal data only on the documented instructions of the controller, including with regard to transfers.
- Ensure that persons processing personal data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security for personal data appropriate to the risk.
- Assist controllers in fulfilling their obligations to respond to requests from data subjects exercising their GDPR rights.
- Meet breach notification and assistance requirements.
- Assist controllers with data protection impact assessments and consultations with supervisory authorities.
- Delete or return personal data at the end of the provision of services.
- Support controllers with evidence of compliance with the GDPR.
How does Microsoft enable the transfer of personal data outside the EU?
Microsoft has long used the Standard Contractual Clauses (also known as model clauses) as the basis for data transfers for its enterprise online services.
The Standard Contractual Clauses are standard
terms provided by the European Commission that can be used to transfer data
outside the European Economic Area in a compliant manner. Microsoft has
incorporated the Standard Contractual Clauses into all of our Volume Licensing
agreements via the Online Services Terms. For personal data from the European
Economic Area, Switzerland, and the United Kingdom, Microsoft will ensure that
transfers of personal data to a third country or an international organization
are subject to appropriate safeguards as described in Article 46 of the GDPR.
In addition to Microsoft's commitments under the Standard Contractual Clauses
for processors and other model contracts, Microsoft continues to abide by the
terms of the Privacy Shield framework but will no longer rely on it as a basis
for the transfer of personal data from the EU/EEA to the United States.
What other compliance offerings does Microsoft have?
As a global company with customers in nearly every country in the world, Microsoft has a robust compliance portfolio to assist our customers. To view a complete list of our compliance offerings, including FedRAMP, HIPAA/HITECH, ISO 27001, ISO 27002, ISO 27018, NIST 800-171, UK G-Cloud, and many others, visit our compliance offerings topics.
How will the GDPR affect my company?
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
- Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. You may not reuse or disclose personal data for any purpose that is “incompatible” with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to what is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. You must take steps to ensure that the personal data you hold is accurate and can be corrected when errors occur.
- Limiting the storage of personal data. You should ensure that personal data is retained only for as long as necessary to fulfill the purpose for which it was collected.
- Ensuring the security, integrity, and confidentiality of personal data. Your organization must take steps to secure personal data through technical and organizational security measures.
Microsoft is here to help you on your GDPR journey, but you need to understand what your organization's specific GDPR obligations are and how to fulfill them.
What rights must companies enable under the GDPR?
The GDPR gives EU residents control over their personal data through a set of “data subject rights”. These include the right to:
- Access information about how personal data is used.
- Access the personal data held by an organization.
- Have inaccurate personal data rectified.
- Have personal data erased in certain circumstances (also referred to as the “right to be forgotten”).
- Restrict or object to the processing of personal data, including automated decision-making.
- Receive a copy of personal data in a portable format.
What is a processor and a controller?
The controller is any natural or legal person, public authority, agency or
other body that, alone
or in collaboration with
others, determines the purposes and means of the processing of personal data.
A processor is a natural or legal person, public
authority, agency or
other body that processes
personal data on behalf of the controller.
Does the GDPR apply to processors and controllers?
Yes, the GDPR applies to both controllers and processors. Controllers must use only processors that take steps to comply with GDPR requirements. Compared with the earlier Data Protection Directive, the GDPR places additional obligations and liabilities on processors, including for actions that do not comply with or that violate the instructions provided by the controller.
Processor responsibilities include but are not limited to:
- Process data only as directed by the controller.
- Use appropriate technical and organizational measures to protect personal data.
- Assist the controller with data subject requests.
- Ensure that any subprocessors they engage meet these requirements.
How much can a company be fined for not complying with the regulation?
Companies can be fined up to €20 million or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements. Additional individual remedies could increase your exposure if you fail to adhere to GDPR requirements.
Does my business need to appoint a Data
Protection Officer (DPO)?
It depends on several factors identified within
the regulation. Article 37 of the GDPR states that controllers and processors
shall designate a data protection officer in any case where: (a) the processing
is carried out by a public authority or body, except for courts acting in their
judicial capacity; (b) the core activities of the controller or the processor
consist of processing operations which, by virtue of their nature, their scope
and/or their purposes, require regular and systematic monitoring of data
subjects on a large scale; or (c) the core activities of the controller or the
processor consist of processing on a large scale of special categories of data
pursuant to Article 9 and personal data relating to criminal convictions and
offenses referred to in Article 10.
How much does GDPR compliance cost?
Organizations with well-designed cloud service models and effective data management programs
can make the transition
smoother, but for most organizations, GDPR compliance takes time and money.
How do I know if the data processed by my organization
is subject to GDPR?
The GDPR governs the collection, storage, use and exchange of “personal data”. Personal data
is broadly defined by the GDPR as any data relating to an identified or
identifiable natural person.
Personal data can include, but is not limited
to, online identifiers (for example, IP addresses), employee information, sales
databases, customer services data, customer feedback forms, location data,
biometric data, CCTV footage, loyalty scheme records, health, and financial
information and much more. It can even include information that does not appear
to be personal-such as a photo of a landscape without people-where that
information is linked by an account number or unique code to an identifiable
individual. And even personal data that has been pseudonymized can be personal
data if the pseudonym can be linked to a particular individual.
Processing of certain "special"
categories of personal data, such as personal data that reveals a person's
racial or ethnic origin, or concerns their health or sexual orientation, is
subject to more stringent rules than the processing of "ordinary"
personal data. This evaluation of personal data is highly fact-specific, so we
recommend engaging an expert to evaluate your specific circumstances.
Our organization only processes data on behalf of others. Do we still need to comply with the GDPR?
Yes. Although the rules are somewhat different, the GDPR applies both to organizations that collect and process data for their own purposes (“controllers”) and to organizations that process data on behalf of others (“processors”). This is a departure from the earlier Data Protection Directive, which applied to controllers.
What specifically is deemed personal data?
Personal data is any information relating to an identified or identifiable person. There is no distinction between a person's private, public, or work roles. Personal data can include the kinds of information listed above: online identifiers such as IP addresses, employee information, customer and sales records, location data, biometric data, CCTV footage, and health and financial information.
Can personal data be transferred outside the EU?
Yes; however, the GDPR strictly regulates transfers of personal data of European residents to destinations outside the European Economic Area. To allow these transfers, you may need to put a legal mechanism in place, such as a contract, or adhere to an approved certification mechanism. The mechanisms Microsoft relies on are detailed in the Online Services Terms.
We have data retention requirements. Do these requirements take precedence over the right to erasure?
The GDPR recognizes that organizations may be required to retain data where there are legitimate grounds for continuing to process and store it, such as “for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject” (Article 17(3)(b)). However, you should engage legal counsel to ensure that the grounds for retention are balanced against the data subject's rights, freedoms, and expectations at the time the data was collected.
Does the GDPR govern encryption?
Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible when it is affected by a breach. Whether or not the affected data was encrypted can therefore affect your notification obligations: under Article 34(3)(a), notifying the affected individuals is not required if the data was protected by measures, such as encryption, that render it unintelligible to anyone not authorized to access it. The GDPR also points to encryption as an appropriate technical or organizational measure in some cases, depending on the risk.
Encryption is also a requirement of the Payment Card Industry Data Security Standard (PCI DSS) and is part of stringent regulatory requirements specific to the financial services industry. Microsoft products and services such as Azure, Dynamics 365, Enterprise Mobility + Security, Microsoft 365 and Office 365, SQL Server and Azure SQL Database, and Windows 10 and Windows 11 provide strong encryption for data in transit and at rest.
How will the GDPR change organizations' responses to personal data breaches?
The GDPR changes data protection requirements and establishes stricter obligations on processors and controllers with respect to personal data breach notification. The new provisions require the processor to notify the data controller without undue delay after becoming aware of a personal data breach.
Once aware of a personal data breach, the controller must notify the relevant data protection authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to the rights and freedoms of individuals, controllers must also notify the affected individuals without undue delay. Additional guidance on this topic was developed by the EU's Article 29 Working Party (since replaced by the European Data Protection Board).
Microsoft products and services—such as Azure,
Dynamics 365, Enterprise Mobility + Security, Microsoft Office 365, and Windows
10—have solutions available today to help you detect and assess security
threats and breaches and meet the GDPR's breach notification obligations.
Additional resources
Address your needs around GDPR with one of our
global partners offering Microsoft-based solutions
Know how Microsoft manages your data, where it's
located, who can access it and the terms, and more.
How Microsoft detects, responds to and notifies you of personal
data breaches under GDPR
Assess your GDPR readiness today.