Microsoft: our enterprise cloud services will be GDPR-compliant in time

Since late 2016 and early 2017, General Data Protection Regulation (GDPR) fever has clearly been rising. However, quite an amazing number of companies are not even close to GDPR compliance.

The GDPR is the most significant change to European Union privacy law in two decades (Microsoft Chief Privacy Officer, Brendon Lynch)

It’s not just GDPR readiness research telling us that. If you are in the ‘business’ of GDPR (meaning you have a solution that helps with specific parts of this vast and far-reaching regulation, or you provide partial services, as no business can take care of it all), you know what we mean: awareness of the GDPR itself, of its essential rules and of basic elements such as when data is personal often proves to be quite low in reality. The exception is the GDPR fines and penalties, as fixed in Chapter 8 of the GDPR.

On the other hand, there are organizations that don’t want to take any risks and sometimes take drastic measures (such as literally putting an entire department behind heavily secured doors). Now and then that might be a bit too much, but one thing is clear: practical questions arise once you actually start working on GDPR, and jurisprudence will be needed to answer them. But then again: better safe than sorry.

GDPR and Microsoft cloud services: what you need to know

More and more ICT players are joining the GDPR race. Some already had; now the bigger ones are coming. Microsoft has now started its GDPR action too, with regard to the company’s cloud computing services.

On February 15th 2017, Microsoft Chief Privacy Officer, Brendon Lynch, announced that his company is committing to be GDPR compliant across its cloud services when enforcement starts on May 25th, 2018.

Microsoft Chief Privacy Officer Brendon Lynch on Twitter

Calling the GDPR “the most significant change to European Union privacy law in two decades” (we agree) and “part of Microsoft’s cloud compliance investments”, Brendon Lynch promises that Microsoft’s enterprise cloud services will meet customers’ GDPR obligations in several areas, that its partner ecosystem will be able to offer support, that as of March 2017 licensing agreements for Microsoft cloud services will include commitments to GDPR compliance, and that the company will offer workshops and more GDPR-related content on a dedicated section of its Trust Center. Microsoft has indeed started doing that, yet the main focus is on GDPR and its cloud services for now.

Starting the road towards GDPR compliance in Microsoft’s view: 5 key steps

Microsoft also suggests that customers start their road towards GDPR compliance by focusing on the five key steps as depicted in the infographic from its GDPR section:

Microsoft recommends to begin the journey to GDPR compliance with 5 steps - source Microsoft GDPR page on Microsoft Trust Center
1. Discover

What personal data do you have, and where? This is a big exercise that requires a good understanding of the many identifiers of personal data, which are broadened with the GDPR.

2. Control

How is personal data used and accessed? Obviously, you also need to make sure that, in the near future, the management, access and usage of that personal data adhere to GDPR stipulations (which is why you need a gap analysis).

3. Protect

Putting all those security controls in place to prevent, find and respond to breaches and vulnerabilities (part of what we call the action stage).

4. Report

You do need an audit trail and you do need the ability to respond to requests from data subjects (citizens) and watchdogs.

5. Review 

As mentioned on our GDPR page, becoming GDPR compliant is not just a matter of being ready for May 25th, 2018. You need to continue monitoring and improving, staying compliant and reducing risk. And as your business, the technologies you use and the people you employ will change, you need to take that into account as well.