GDPR Compliance for the Modern Workplace with Microsoft


The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Although created as an EU regulation, it affects most organizations around the world that conduct business with EU-based customers. In a session I attended in May 2018 at the North American SharePoint Conference, Sesha Mani, a Microsoft PM Manager for SharePoint and OneDrive, shared content about Microsoft’s viewpoints on GDPR and how the Microsoft 365 suite of products is designed to help customers find and maintain compliance.

In the session, Sesha shared some interesting statistics from a survey Microsoft ran regarding GDPR. Two facts that caught my attention were “41% of organizations are likely to move to the cloud to gain compliance with GDPR. 92% of IT decision makers with data currently residing in the cloud are confident in their ability to be compliant.” Microsoft’s GDPR survey revealed that the number one concern for GDPR compliance for IT decision makers in Europe and in the U.S. is protecting customer data. GDPR consists of lengthy and complex requirements that focus on four fundamentals:

  1. Enhanced personal privacy rights
  2. Increased duty to protect data
  3. Mandatory breach reporting
  4. Steep penalties for non-compliance

These four fundamentals drive the need for organizations to gain tighter controls, to obtain and use better data governance tools, and to create and execute improved data policies and processes. This is especially true for the modern workplace. We all work in the modern workplace as end users who carry multiple devices at all times—sometimes three or four devices that are a combination of personally owned and corporate owned. These end users mix personal and corporate data and applications on their devices. The workforce is mobile and geographically dispersed, driving a need for anywhere, anytime access to data and applications. That’s why SaaS-based applications in multi-cloud environments are especially useful, but they also make drawing the security and compliance perimeter around these environments more challenging than ever.

Microsoft 365 (M365) Enterprise is designed to address modern security and compliance needs. M365 Enterprise can help simplify GDPR compliance with tools that help your organization assess and manage compliance risk, protect customer and personal data, monitor for security breaches, and streamline processes. M365 Enterprise comes with Office 365 (O365) E3 or E5, Enterprise Mobility + Security (EM+S) E3 or E5, and Windows 10 Enterprise.

Let’s go over the tools available to you within M365 Enterprise that may help you in dealing with GDPR compliance. The following definitions, plus deeper information, can be found on Microsoft’s Office 365 and Azure Trust Center websites.

  1. O365 Compliance Center: In Office 365’s Admin Center, you can now find the Compliance Center, where you can manage all of your compliance work in one central place. Multiple compliance standards beyond GDPR are shifting the regulatory landscape, with variations by industry and country. In Microsoft’s GDPR survey, 47% of executives were unsure which data compliance standards applied to their organizations. This makes the Office 365 Compliance Center even more important. In the Compliance Center, you can view your compliance posture against the ever-evolving regulations in real time, take recommended actions to improve your data protection capabilities, and conduct pre-audits to prepare for audits your organization may face.
  2. O365 Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types, including financial, medical, and personally identifiable information. In addition, DLP allows organizations to configure actions to be taken upon identification to protect sensitive information and prevent its accidental disclosure. Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies, and take action to manage the lifecycle of the data that is most important to your organization.
  3. Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online, and Exchange Online. In addition, powered by machine learning technologies, Office 365 Advanced eDiscovery can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents.
  4. O365 Customer Lockbox can help you meet compliance obligations for explicit data access authorization during service operations. When a Microsoft service engineer needs access to your data, access control is extended to you so that you can grant final approval for access. Actions taken are logged and accessible to you so that they can be audited.
  5. Azure Active Directory Premium (EM+S): Azure Active Directory Premium is part of Microsoft’s Enterprise Mobility + Security suite of products. With Azure AD Premium, you can focus on access control for end users that are accessing O365 and other SaaS-based applications. Azure Active Directory Premium helps you ensure that only authorized users can access your computing environments, data, and applications. It features tools such as multi-factor authentication for highly secure sign-in. Additionally, Azure AD Privileged Identity Management helps you reduce risks associated with administrative privileges through access control, management, and reporting.
  6. Azure Information Protection (EM+S) helps ensure that your data is identifiable and secure—a key requirement of the GDPR—regardless of where it’s stored or how it’s shared. You can classify, label, and protect new or existing data, share it securely with people within or outside your organization, track usage, and even revoke access remotely. Azure Information Protection also includes rich logging and reporting capabilities to monitor the distribution of data, and options to manage and control your encryption keys.
  7. Microsoft Cloud App Security (EM+S) helps you discover all the cloud apps in your environment, identify users and usage, and get a risk score for each app. You can then decide if you’d like your users to access these apps. Cloud App Security then provides visibility, control, and threat protection for the data stored in those cloud apps. You can shape your cloud security posture by setting policies and enforcing them on Microsoft and third-party cloud applications. Finally, whenever Cloud App Security discovers an anomaly, it sends you an alert.
  8. Microsoft Intune (EM+S) helps you protect data that may be stored on personal computers and mobile devices. You can control access, encrypt devices, selectively wipe data, and control which applications store and share personal data. Intune can help you inform users about your management choices by posting a custom privacy statement and terms of use. It also gives you the ability to rename or remove devices.
  9. Microsoft Advanced Threat Analytics (EM+S) helps pinpoint breaches and identifies attackers using innovative behavioral analytics and anomaly detection technologies. Advanced Threat Analytics is deployed on-premises and works with your existing Active Directory deployment. It employs machine learning and the latest user and entity behavioral analytics to help find advanced persistent threats and detect suspicious activities and malicious attacks used by cybercriminals, to help identify breaches before they cause damage to your organization.
  10. Windows 10 Defender Advanced Threat Protection (ATP) provides security operations teams with advanced breach detection, investigation, and response capabilities across all of your endpoints, with up to six months of historical data. Windows Defender ATP helps address a key requirement of the GDPR that companies have clear procedures for detecting, investigating, and reporting data breaches.
  11. Windows 10 Device Guard allows you to lock down your devices and servers to protect against new and unknown malware variants and advanced persistent threats. Unlike detection-based solutions, such as anti-virus programs that need constant updating to detect the latest threats, Device Guard locks down devices so they can only run the authorized applications you choose, which is an effective way to combat malware.
  12. Windows 10 BitLocker Drive Encryption provides enterprise-grade encryption to help protect your data when a device is lost or stolen. BitLocker fully encrypts your computer’s disk and flash drives to prevent unauthorized users from accessing your data.

In summary, GDPR contains many requirements about collecting, storing, and using personal information, including how you identify and secure the personal data in your systems, accommodate new transparency requirements, detect and report personal data breaches, and train privacy personnel and other employees. As you can see, there are many functionalities built into the Microsoft 365 Enterprise platform that can assist you with your journey to GDPR compliance. Reach out to your Connection Account Manager to learn how our Microsoft Services can help you get started with Microsoft 365 Enterprise and begin to take control of your modern workplace security and compliance needs.