Prepare for GDPR today with Microsoft 365
February 2018
Table of contents
01.   Executive Summary
02.   Landscape
03.   Assess and manage your compliance risk
04.   Protect your most sensitive data
05.   Closing
01.   Executive Summary
We live in a time where digital technology is profoundly impacting our lives, from the way we connect with each other to how we interpret our world. As the private sector continues to push the boundaries of innovation, policy makers work to ensure that the appropriate personal data oversight and safeguards are in place through compliance standards such as the European Union’s General Data Protection Regulation (GDPR).

To thrive in this privacy-focused era, you need a trusted partner who can help you not only overcome the challenges but make the most of the opportunities that lie ahead. The Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations. Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security—offering a rich set of integrated solutions that leverage AI to help you assess and manage your compliance risk, protect your most important data, and streamline your processes.

Because achieving organizational compliance can be very challenging, understanding your compliance risk should be your first priority. Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR.

Beyond understanding your compliance risk, protecting personal data and other sensitive content is key. With the information protection capabilities within Microsoft 365 we provide an integrated classification, labeling and protection experience, enabling persistent protection of your data wherever it is – across devices, apps, cloud services and on-premises.

No matter where you are in your GDPR efforts, the Microsoft Cloud and our intelligent compliance solutions in Microsoft 365 can help you on your journey to GDPR compliance.
02.   Landscape
We live in a time where digital technology is profoundly impacting our lives, from the way we connect with each other to how we interpret our world. Central to this digital transformation is the ability to store and analyze massive amounts of data to generate deeper insights and more personal customer experiences.
As the private sector continues to push the boundaries of innovation, policy makers work to ensure that the appropriate personal data oversight and safeguards are in place through compliance standards such as the European Union’s General Data Protection Regulation (GDPR).

The GDPR is a comprehensive and complex regulation designed to protect the personal data of EU residents. The requirements address internal policies, processes, people and technology. They range from designating a data protection officer for larger organizations, to when notifications of personal data breaches must be provided to data protection authorities and affected individuals. Organizations across the world are focused on compliance, because while the GDPR applies to organizations established in the EU, it also applies to organizations – wherever they are located – who offer goods or services in the EU or monitor the behavior of residents in the EU.

To thrive in this privacy-focused era, you need a trusted partner who can help you not only overcome the challenges but make the most of the opportunities that lie ahead. At Microsoft, our mission is to empower every person and every organization on the planet to achieve more. And trust is always at the core of everything we do. Microsoft works closely with local governments and policy makers to help shape the regulations that impact technology because we understand that compliance policies can actually help accelerate innovation and digital transformation. Adhering to a common set of compliance standards is one way to mitigate the kind of high-profile data losses that erode customer confidence across the industry, and ultimately helps us maintain greater long-term trust with the customers and partners who choose the Microsoft cloud to help them achieve more in both their personal and professional lives.

Our research suggests that companies not only see the long-term value of building trust by protecting customer data, but in fact believe their investments in compliance will positively impact other areas of their business—like productivity and collaboration. When IT decision makers in Europe and the U.S. were asked to identify their top concern in achieving GDPR compliance, “protecting customer data” was the #1 response while avoiding fines ranked #8. More than half of respondents said the GDPR brings added benefits like collaboration, productivity, and security. Cloud solutions like Microsoft 365 are a big reason that businesses see opportunity in compliance. Of those surveyed, 41 percent said they are likely to move more of their company’s infrastructure to the cloud to become compliant. And among leading cloud vendors, Microsoft was identified as most trusted by a wide margin (28 percent), followed by IBM (16 percent), Google (11 percent), and Amazon (10 percent). All told, 92 percent of IT decision makers in companies that store data primarily in the cloud identified as being confident in their GDPR readiness, compared with just 65 percent of those who prefer to store data on-premises.

Your journey to GDPR compliance includes identifying what personal data you have and where it resides, governing how it is used and accessed, establishing adequate security controls, and preparing to respond to requests from individuals whose personal data you have. This may sound like a lot of work, but Microsoft is here to help. We’ve taken a principled approach to building privacy, security, compliance, and transparency into everything we do, which means that they are integrated into the products and services you use every day.

The Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations, with the largest certified compliance portfolio, services architected to be secure by design, and the most extensive global datacenter footprint in the industry. Our cloud solution is built for power, scale, and flexibility. Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security—offering a rich set of integrated solutions that leverage AI to help you assess and manage your compliance risk, protect your most important data, and streamline your processes.

With the GDPR being enforceable beginning May 25, 2018, there are a number of steps you can take today with Microsoft 365 to help you prepare.
03.   Assess and manage your compliance risk
Because achieving organizational compliance can be very challenging, understanding your compliance risk should be your first priority. Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR.
It helps the person who oversees the data protection strategy for your organization (sometimes called a data protection officer) to manage the compliance and risk assessment process.

Compliance Manager helps you perform an ongoing risk assessment that reflects your compliance posture against data protection regulations when using Microsoft Cloud services, such as Office 365, Azure, and Dynamics 365. As achieving GDPR compliance is a shared responsibility between data processors and data controllers, you can see from the Compliance Manager dashboard that 60% of the controls are managed by Microsoft, and the tool provides you detailed information about how Microsoft implemented and tested those controls. For the remaining 40% of the controls managed by you, Compliance Manager enables you to conduct a self-assessment so that you can monitor your compliance posture continuously.

In each assessment tile, a Compliance Score reflects your overall compliance performance based on a risk weight assigned to each control. The score helps you to estimate where your organization stands in terms of achieving compliance, and enables you to make better decisions on task prioritization. However, the score does not express an absolute measure of how compliant you are, so it should not be interpreted as a guarantee.

We know that the compliance process can be very disjointed. Compliance personnel are the experts in industry regulations and standards, while IT professionals are the experts in technology solutions.
It’s challenging to find talent with expertise in both areas to help define, implement, and assess controls. Therefore, we provide recommended customer actions in each customer-managed control to help you connect the technology solutions with the GDPR regulatory requirements. You can follow the step-by-step guidance to improve your data protection capabilities and design your own business process for internal self-assessments.

To simplify your compliance process, Compliance Manager provides a control management tool to help you assign, track, and record your compliance-related activities, and audit-ready reporting to help you be more prepared for internal or external audits. Authorized users in your organization can upload documents, such as screenshots of configuration, business process documents, internal training materials, and more, as evidence for your compliance activities. You can view the links to evidence that your organization collected in the audit-ready reports.

Compliance Manager is available for all Office 365 Business and Enterprise subscribers in the public cloud. GCC customers can access Compliance Manager; however, users should evaluate whether to use the document upload feature of Compliance Manager, as the storage for document upload is compliant with Office 365 Tier C only.

Read the Compliance Manager whitepaper to learn more about the product.
04.   Protect your most sensitive data
Beyond understanding your compliance risk, protecting personal data and other sensitive content is key. At its core, GDPR is about protecting the personal data of individuals – making sure there is proper security, governance and management of such data. To help ensure that you’re effectively protecting not only personal data but also other sensitive content that’s relevant to your compliance goals, you should implement solutions and processes that enable you to identify, classify, protect and monitor the data that is most important to you – no matter where it lives or travels.

Identification and classification
With the information protection capabilities within Microsoft 365 we provide an integrated classification, labeling and protection experience, enabling persistent protection of your data wherever it is – across devices, apps, cloud services and on-premises.

The Azure Information Protection scanner, which is now generally available, addresses hybrid and on-premises scenarios by allowing you to configure policies to automatically discover, classify, label and protect documents in your on-premises repositories, such as file servers and on-premises SharePoint servers. The scanner can be configured to periodically scan on-premises repositories based on company policies. Read “Azure Information Protection scanner in public preview” to learn more about the scanner. You can deploy the scanner in your own environment by following the instructions in this technical guide.

The next step is to protect data anywhere and prevent data loss. Today, data travels through many locations – across devices, apps, cloud services, and on-premises. It is important to build protection into the file, so this protection persistently stays with the data itself.
As Microsoft’s information protection solutions expand and develop, we take great strides in ensuring Cloud App Security integrates these advancements into our existing services.

Data labeling and encryption
Azure Information Protection (AIP) provides persistent data protection by classifying, labelling, and protecting sensitive files and emails. Labels are used to define the sensitivity of a document or email, such as “General” or “Confidential.” Additionally, AIP allows for encryption and authorization, ensuring users must successfully authenticate to access the material.

Microsoft Cloud App Security (MCAS) can read files labeled by AIP and set policies based on the file labels. Furthermore, the service will scan and classify sensitive files in cloud apps and automatically apply AIP labels for protection – including encryption. Read the “Automatically apply labels to sensitive files in cloud apps” blog and technical documentation to learn more about this feature.

Our goal is to provide you comprehensive protection of your sensitive data across a wide variety of platforms and applications. We also ensure users get the same seamless experience in protecting their data without compromising their productivity. In that regard, we now support native labeling and protection of sensitive data on your Mac devices. This will enable Mac users to easily classify, label and protect Word, PowerPoint and Excel documents. Considering that a significant amount of sensitive information is in PDF format, we’ve also integrated with Adobe to help you natively read labeled and protected PDF documents in Adobe Reader on Windows. As we deepen the integration of AIP with Adobe, we’ll soon also enable native labeling and protection of PDFs using Adobe Acrobat Pro on Windows.

Windows 10 Enterprise protection features
Ensuring your devices are protected is another key aspect of information protection. Windows 10 Enterprise provides Identity and Information Protection capabilities that will help you comply with GDPR requirements by implementing security measures to protect personal data.

Identity protection capabilities delivered by Windows Hello for Business and Windows Hello companion devices further enhance your ability to leverage biometrics and multifactor authentication to protect personal and sensitive data. Windows Defender Credential Guard significantly improves security against credential theft by implementing an architectural change in Windows that uses hardware-based isolation to help eliminate credential theft attacks rather than simply trying to defend against them. Information protection capabilities in Windows 10 Enterprise include device protection using BitLocker, separation of personal and business data, and data loss prevention using Windows Information Protection, which is tightly coupled with Microsoft 365 cloud services such as Office 365 and Azure Information Protection.

To review more about how Windows 10 Enterprise can assist with meeting GDPR requirements, please visit this article.

Office 365 and AIP labeling schemas
In the spirit of working towards providing a more consistent classification, labeling and protection model that will be used across our information protection technologies, we are previewing a shared labeling schema that will be used across Office 365 and Azure Information Protection. This means that the same default labels will be used across both Office 365 and Azure Information Protection, and labels you create in either of these services will automatically be synchronized in the other service – eliminating the need to create labels in two different places. The consistent labeling model also helps ensure that sensitivity labels – regardless of where they were created – are recognized and understood across Azure Information Protection, Office 365 Advanced Data Governance, Office 365 DLP and Microsoft Cloud App Security. For example, if you create a label in the Office 365 Security & Compliance Center for “Confidential – Personal Data”, this label will also appear in the Azure Information Protection admin portal. This is a big step forward in helping provide a consistent and predictable approach to data labeling.

The shared labeling schema will also make it easier for end-users to apply the appropriate sensitivity label and protection while working on documents or sending emails. We are building labeling capabilities natively into the core Office apps – including Word, PowerPoint, Excel and Outlook – no need to download or install any additional plug-ins. For example, if an end-user is working on a document that contains personal data, such as an employee ID number, the worker can easily select the appropriate label, such as “Confidential”, right within the app. To start, we are previewing the native labeling experience for Office apps on Mac and Outlook Web App. We plan to extend native labeling capabilities to Office apps running on iOS, Android and Windows in the future.

Common and custom data types
The ability to automatically classify personal data is a critical part of helping you achieve your GDPR goals. Today we have over 85 out-of-the-box sensitive information types that can be used to detect and classify your data. This includes several of the most common personal information data types, such as credit card numbers, national ID numbers and passport numbers. We will continue to add to these built-in sensitive information types and will soon provide a GDPR template to help detect and classify personal data relevant to GDPR. While many of the existing sensitive information types are relevant to the GDPR, the upcoming GDPR template will help consolidate these into a single template, as well as add several new personal data types to detect (such as addresses, telephone numbers, medical information). The new sensitive information template will make it easier to configure the detection, classification and protection of GDPR related personal data. To learn more about the current sensitive information types, review this article. You can also create and customize your own sensitive information types – because we know that you may have your own unique data types, such as employee ID numbers. Learn more about how to create and customize your own sensitive information types in this article.
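The mechanism the last two sections describe (a catalog of sensitive information types, each a pattern plus an optional plausibility check, whose matches decide which sensitivity label a document receives) can be illustrated with a small classifier. The following is an added example written for this page, not Microsoft's implementation or any of the 85 built-in types: it models one built-in style type (credit card numbers, validated with the Luhn checksum, an assumption about how such a type avoids flagging any 16-digit string) and one custom type (a hypothetical employee ID format `EMP-NNNNN`), and uses the label names quoted in the text ("General", "Confidential", "Confidential – Personal Data"). The sample documents and the label ranking are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample documents (not real data). The first card number is the
# well-known test number 4111...1111; the second breaks its checksum on purpose.
SAMPLE_DOCUMENTS: Dict[str, str] = {
    "expense-report.txt": "Card on file: 4111 1111 1111 1111. Reimburse employee EMP-48213.",
    "team-picnic.txt": "The picnic is on Friday at noon. Bring a dish to share.",
    "hr-note.txt": "Badge reissued for EMP-00917; card 4111 1111 1111 1112 was declined.",
}

# Label names come from the white paper; the ranking (higher wins when several
# types match in one document) is an assumption of this example, not a product default.
LABEL_RANK: Dict[str, int] = {
    "General": 0,
    "Confidential": 1,
    "Confidential – Personal Data": 2,
}


def luhn_valid(value: str) -> bool:
    """Luhn checksum over the digits in value; rejects well-formed but bogus card numbers."""
    digits = [int(c) for c in value if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    parity = len(digits) % 2
    for i, d in enumerate(digits):
        if i % 2 == parity:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class SensitiveInfoType:
    name: str
    pattern: "re.Pattern[str]"
    label: str  # sensitivity label a match calls for
    validator: Optional[Callable[[str], bool]] = None  # optional checksum / plausibility test


# Stand-ins for the catalog on the page: one built-in style type with a checksum,
# one custom type for a hypothetical employee ID format.
SENSITIVE_INFO_TYPES: List[SensitiveInfoType] = [
    SensitiveInfoType(
        name="Credit Card Number",
        pattern=re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13-16 digits, optional separators
        label="Confidential – Personal Data",
        validator=luhn_valid,
    ),
    SensitiveInfoType(
        name="Employee ID (custom)",
        pattern=re.compile(r"\bEMP-\d{5}\b"),
        label="Confidential",
    ),
]


@dataclass(frozen=True)
class Finding:
    type_name: str
    value: str
    label: str


def mask(value: str) -> str:
    """Keep only the last four characters, so a finding can be recorded as evidence without re-exposing the data."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive_info(text: str, types: List[SensitiveInfoType] = SENSITIVE_INFO_TYPES) -> List[Finding]:
    """Run every type over the text; a type with a validator only counts when the validator passes."""
    findings: List[Finding] = []
    for sit in types:
        for match in sit.pattern.finditer(text):
            value = match.group(0)
            if sit.validator is not None and not sit.validator(value):
                continue  # pattern hit but checksum failed: treat as a false positive
            findings.append(Finding(sit.name, value, sit.label))
    return findings


def classify(text: str) -> str:
    """Label for one document: the highest-ranked label among its findings, else General."""
    label = "General"
    for finding in find_sensitive_info(text):
        if LABEL_RANK[finding.label] > LABEL_RANK[label]:
            label = finding.label
    return label


def classify_documents(documents: Dict[str, str]) -> Dict[str, str]:
    """Label every document, the way a scheduled scan over a repository would."""
    return {name: classify(text) for name, text in documents.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCUMENTS.items():
        print(f"{name}: {classify(text)}")
        for f in find_sensitive_info(text):
            print(f"  {f.type_name}: {mask(f.value)}")
```

The point of the validator is visible in `hr-note.txt`: its card number matches the pattern but fails the checksum, so the note is labeled only for the employee ID it contains rather than being escalated on a false positive. Findings are masked before they are printed, since a classification log that quotes the detected values would itself become personal data that needs protecting.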
05.   Closing
The European Union’s General Data Protection Regulation (GDPR) calls for enforcement to commence on May 25, 2018, and you should not delay evaluating your obligations under the regulation. Trust is central to Microsoft’s mission to empower every person and every organization on the planet to achieve more. So that you can trust the Microsoft products and services you use, such as Microsoft 365, we take a principled approach with strong commitments to privacy, security, compliance, and transparency. This approach includes helping you on your journey to meet the requirements of the GDPR.

If your organization collects, hosts, or analyzes personal data of EU residents, GDPR provisions require that you only use third-party data processors who commit contractually to implement the technical and organizational requirements of the GDPR.

Microsoft 365 provides a highly secure, complete and intelligent solution for digital work. By bringing together the best of Office 365, Windows 10, and Enterprise Mobility + Security, we can help accelerate your journey to compliance with the GDPR by:
• Assessing compliance risk
• Protecting personal and sensitive data
• Streamlining processes

In addition to understanding the capabilities provided to you in Microsoft 365, we recently released a new GDPR benchmark assessment to further round out our GDPR resources already available on the Microsoft Trust Center.
This white paper is a commentary on the European
Union’s General Data Protection Regulation (GDPR),
as Microsoft interprets it, as of the date of publication.
We’ve spent a lot of time with GDPR and like to think
we’ve been thoughtful about its intent and meaning. But
the application of GDPR is highly fact-specific, and not
all aspects and interpretations of GDPR are well-settled.
As a result, this white paper is provided for informational
purposes only and should not be relied upon as legal
advice or to determine how GDPR might apply to you
and your organization. We encourage you to work with
a legally qualified professional to discuss GDPR, how it
applies specifically to your organization, and how best
to ensure compliance.
MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN
THIS WHITE PAPER. This white paper is provided “as-is.”
Information and views expressed in this white paper,
including URL and other Internet website references,
may change without notice.
This document does not provide you with any legal
rights to any intellectual property in any Microsoft
product. You may copy and use this white paper for your
internal, reference purposes only.