O365 & GDPR

In my role as a #PFE (Premier Field Engineer) at #Microsoft, I have the opportunity to meet and work with IT Managers, Project Managers, Leads and Architects. Lately one topic, irrespective of customer, location and event, has come up in our discussions: GDPR. By now it needs no introduction, as the new regulation comes into effect on 25th May 2018 (about 50 days to go at the time this was written).

The General Data Protection Regulation is a new set of regulatory changes coming into effect in the EU to safeguard data related to an EU citizen/resident/natural person. These regulations apply to organizations, government agencies, non-profits, and companies that handle data of a person in the EU (citizen/resident/natural person), irrespective of the origin of the organization. More information about GDPR can be found at:

Microsoft’s GDPR page: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

O365 is a subscription-based online service which supports personal and team productivity (collaboration) in your daily work through different tools, such as Mailbox, OneDrive, Office (Word, Excel, PowerPoint), SharePoint, Skype, Teams etc. The information stored in O365 can include sensitive and private data associated with individuals, groups or organizations.

Organizations using O365 act as the Controller of the data, and Microsoft acts as the Processor, since the services are provided and hosted by it. Becoming compliant with GDPR is a shared responsibility of these two entities. Microsoft O365 offers privacy by design and provides a robust system of tools and features which allow organizations to treat data based on its type. As a controller, companies need to use these tools and features to configure O365 according to their needs.

IT Administrators are responsible for configuring the requirements, and these requirements must come to them from the Compliance Managers and IT Architects/Managers working on GDPR projects. It is also important to understand that compliance is not a one-time activity and needs to be taken care of on an ongoing basis. As a Processor, Microsoft will continue investing in features and functionality to enable compliance with GDPR, and IT administrators need to implement/update them from time to time, as their compliance requirements might change.

Security and Compliance (Protection Center / S&C Center) provides a “One Stop Shop” for all compliance and security needs of o365.

However, there are still a few compliance-related features that are handled from workload-specific admin centers. Microsoft has divided all GDPR requirements into 4 categories, and I am going to use them to talk about features.

Discover: To become compliant with GDPR, it is important to find the different types of data you hold and where they live. Personal data is one of the key privacy elements, and it needs to be discoverable. O365 has Content Search and eDiscovery (and Advanced eDiscovery) to help discover data from Exchange, SharePoint and OneDrive. These searches are based on keyword queries and support KQL (Keyword Query Language). For SharePoint and OneDrive content, you can create queries to find all externally shared content with sensitive data in it. One of the recent additions is searching for information based on its label (classification). GDPR requirements such as DSR (Data Subject Request) and litigation can be covered with these features.
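
The two kinds of query mentioned above (externally shared content containing sensitive data, and content found by label) can be run as Content Searches from Security & Compliance PowerShell. The following is an added example, not part of the original article; it assumes an already connected session (for example via `Connect-IPPSSession`) with eDiscovery permissions, and the search names and the label name "Personal Data" are hypothetical.

```powershell
# Added illustration. Assumes a connected Security & Compliance PowerShell
# session and an account that is allowed to create Content Searches.

# KQL: documents visible to external users AND matching a sensitive information type.
$externalSensitive = 'ViewableByExternalUsers:true AND SensitiveType:"Credit Card Number"'

# KQL: items carrying a given label. "Personal Data" is a hypothetical label name.
$labelled = 'ComplianceTag:"Personal Data"'

# Search names are hypothetical; pick names that fit your own conventions.
$searches = @(
    @{ Name = 'GDPR-ExternalSharing-Sensitive'; Query = $externalSensitive },
    @{ Name = 'GDPR-Label-PersonalData';        Query = $labelled }
)

foreach ($s in $searches) {
    # Create the search only if it does not exist yet, then (re)run it.
    # -SharePointLocation All covers SharePoint sites and OneDrive accounts.
    if (-not (Get-ComplianceSearch -Identity $s.Name -ErrorAction SilentlyContinue)) {
        New-ComplianceSearch -Name $s.Name -SharePointLocation All `
            -ContentMatchQuery $s.Query | Out-Null
    }
    Start-ComplianceSearch -Identity $s.Name
}

# Wait for each search to finish (give up after ~10 minutes) and summarize the hits.
foreach ($s in $searches) {
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 15
        $result = Get-ComplianceSearch -Identity $s.Name
    } while ($result.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        Search    = $result.Name
        Status    = $result.Status
        Query     = $result.ContentMatchQuery
        Items     = $result.Items       # number of matching items
        SizeBytes = $result.Size
    }
}
```

A non-zero item count on the first search is a list of documents to review for sharing scope; the same pattern with a data subject's identifiers in the query supports a DSR.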

Manage: When you have a system that stores data or information, it needs to be managed. Governance is key to ensuring that your organization has control over the data. This is only possible with the right data classification in place. The S&C Center in O365 provides Data Classification and Data Governance capabilities. Appropriate labelling and classification help in setting the right retention and deletion policies. IT admins can also create DLP policies for identifying and handling sensitive data types. There are 82 out-of-the-box (OOB) sensitive information types that can be configured for detection.

Protect: One of the key objectives of GDPR is to improve information security and hence increase end users' confidence about their data. Advanced Threat Protection helps in securing data in mailboxes with features like malware detection, anti-phishing policies, Safe Attachments, Safe Links, anti-spam, Attack Simulator (a recent addition) etc. Customer Lockbox can help you meet compliance obligations for explicit data access authorization during service operations. Cloud App Security and audit logs allow you to set alerts for various activities, behaviors, elevated risk or abnormal usage.

Report: GDPR requires organizations to be transparent about the data that they process or store. They must provide information about the documentation and processes they use to handle the data. How is personal data handled inside and outside the organization (if shared with another vendor or partner), and is that tracked or not? O365 audit logs enable IT administrators to keep track of key activities. Service Assurance in O365 also provides independent third-party audit reports and security practices for customer data. It also provides extensive information about the implementation and testing of the security, privacy and compliance controls used in O365.

This article would not be complete if I did not mention Compliance Manager. It became generally available (GA) a few weeks back and is an excellent tool that enables organizations to manage their compliance work in a single portal. There are a few standard templates available for regulations, including GDPR. Please read more about this in the following links



This article is an attempt to highlight features in #o365 that help your journey with #GDPR, and I am sure I have not covered them all. I will try to cover the four pillars of Discover, Manage, Protect and Report separately in detail in future articles.

Thanks, and I wish you a great journey with GDPR.

Ranjan, A. (2018). Available at: https://www.linkedin.com/pulse/o365-gdpr-ashish-ranjan/ [Accessed 6 April 2018].
