February 16, 2021

Is Office 365 GDPR Compliant?

The GDPR (General Data Protection Regulation) has been in the headlines for over a year now and is making a buzz around the world in the technology sector. Is Office 365 GDPR compliant? As always, Microsoft has rushed to the rescue of its clients' security and compliance. Do you need to know how GDPR will affect your organization? Are you looking for GDPR compliant solutions, or for a team of professionals that can help you through the process of protecting user privacy?

The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018 to protect the personal data of its citizens. These rules apply to all businesses that have customers in the European Union. With a significant share of its user base in the region, Microsoft was one of the pioneering companies to incorporate tools and features to protect individual privacy rights. According to Microsoft’s Annual Reports in 2019, 26 million users had taken advantage of these tools to protect their privacy. To address the question, "is Office 365 GDPR compliant?" the answer is yes, with a range of built-in and configurable tools. Let us understand how Office 365 is GDPR compliant and learn to use the tools and features to protect people from a personal data breach.

While some of the tools and features in Microsoft 365/Office 365 are designed to comply with GDPR out of the box, others need to be configured. Let us look at the various capabilities available in Office 365/Microsoft 365 that can help with GDPR compliance.

Tools in Microsoft 365

Microsoft offers several tools as part of the Microsoft 365/Office 365 suite that help in assessing security posture and implementing rules for adhering to GDPR regulations. So, is Office 365 GDPR compliant? Absolutely, especially with these features:

Microsoft Secure Score

Microsoft has a measurement called Secure Score that helps businesses assess their security posture objectively. This assessment can be used for increasing discoverability, providing greater visibility and guidance, and enhancing end-user control, all of which helps the organization become GDPR compliant.

Data Loss Prevention

Data Loss Prevention (DLP) in the Security & Compliance Center is a capability for implementing policies that specify the locations in which sensitive content must be protected, together with rules made up of conditions and actions according to which data will be protected in order to comply with regulations such as GDPR.
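The policy-plus-rule structure described above, as an added example that is not part of the original article or Microsoft's documentation: one DLP policy scoped to Exchange Online, SharePoint Online and OneDrive for Business, and one rule whose condition is "the content contains EU personal identifiers" and whose actions are block external access, notify the owner and file an incident report. It assumes the ExchangeOnlineManagement PowerShell module, an account with compliance administrator rights, and a constructed policy name, rule name and sign-in address; the sensitive information type names are the built-in ones as they appear in the compliance center, and the last comment shows how to confirm them before relying on them.

```powershell
# Added example (not from the original article). Assumptions: the
# ExchangeOnlineManagement module is installed, the signed-in account holds the
# compliance administrator role, and the policy/rule names and the UPN below are
# constructed for this example.
Connect-IPPSSession -UserPrincipalName compliance-admin@contoso.example

$policyName = 'GDPR-EU-Personal-Data'

# 1. Locations: the policy decides WHERE content must be protected.
#    TestWithNotifications surfaces matches (policy tips, reports) without
#    blocking anything, so the match volume can be reviewed before enforcement.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Protects EU personal identifiers (added example)' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Conditions: built-in sensitive information types. A single hit of any one
#    of these types is enough for the rule to fire.
#    Confirm the exact display names in your tenant with:
#    Get-DlpSensitiveInformationType | Where-Object Name -like 'EU*'
$conditions = @(
    @{ Name = 'EU Passport Number';                         minCount = '1' },
    @{ Name = 'EU National Identification Number';          minCount = '1' },
    @{ Name = 'EU Social Security Number Or Equivalent ID'; minCount = '1' }
)

# 3. Actions: only when the content is shared with people outside the
#    organisation, block access, tell the file owner and last editor why,
#    and send a high-severity incident report to the site administrator.
New-DlpComplianceRule -Name "$policyName-Block-External" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $conditions `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, DocumentLastModifier `
    -ReportSeverityLevel High

# 4. Review the rule as created, then switch the policy from test mode to
#    enforcement once the reports look right.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, ReportSeverityLevel
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the policy in test mode first matters for the "restoration" and "testing" obligations the article lists further down: a rule that blocks on a noisy condition will lock legitimate collaboration just as effectively as it stops a leak, and the incident reports from the test phase are the evidence that the control was tuned before it was enforced.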

Customer Lockbox

Customer Lockbox for Office 365 is used to implement additional privacy and security measures in workflows for organizations that need Microsoft assistance involving direct access to customer data while troubleshooting issues with Exchange Online, SharePoint Online, or OneDrive for Business.

Office 365 Advanced Threat Protection

This gives organizations the option of defining policies to safeguard themselves against malicious threats that arrive via emails, links, and collaboration tools. The integrated capabilities to investigate, respond to, and report threats are important requirements for GDPR compliance.

GDPR Compliance

GDPR was approved in 2016 by the parliament of the European Union and came into effect on 25th May 2018. It includes a series of regulations that protect personal information according to European privacy law. In addition, these laws regulate the usage and disposal of personal information. Consequently, all European organizations, and any organization that collects the personal information of European citizens, fall under these laws.

Information Protection

  • Personal information of any person is defined as their online presence. This includes IP addresses or cookies that can be traced back to them, as well as any physical, mental, economic, social, or cultural features that may identify a person.
  • Companies should enforce reasonable protection protocols. These protocols apply to the storage, processing, and safeguarding of data, and include encryption, confidentiality, and integrity of personal data. They also cover restoration of data in case of disaster and testing of all data protection systems.

Redefining Consent

  • The most important clause of GDPR is its redefinition of consent. Individual consent is required for each piece of information collected from any person, which means that organizations cannot obtain consent in the form of a long license agreement.
  • An individual has the right to withdraw their consent at any time, and any user can request the removal of their data. In addition, organizations must state the purpose for which they are collecting the data. If the intended purpose of collecting the data no longer applies, the data must be erased.
  • While collecting data from any person, the organization must state its identity, contact details, and purpose for collecting the data. In addition, companies must inform users of their right to lodge a complaint.
  • All persons have the right to access the processes by which their personal data is stored and used. However, they will pay a small fee if the access request is undue.

Enforcing Penalties

  • Organizations must inform the concerned authorities and users of a data security breach within 72 hours.
  • Companies that are not GDPR compliant will face a penalty of up to 10 to 20 million euros. Furthermore, they could also face a fine of two to four percent of their gross turnover.

Solution for GDPR Compliance in Microsoft Cloud

Microsoft has introduced a new tool known as Compliance Manager for GDPR compliance. It assesses whether cloud applications such as Office 365, Azure, and Dynamics 365 are compliant with the required policies. You can add any policy, such as GDPR, assess your organization's compliance against it, and get recommendations to make your organization compliant with that policy. It is a powerful tool that makes compliance easier by connecting technology solutions with regulatory requirements.

Key features of GDPR

  • Get Risk Assessment
  • Get Actionable Insights
  • Get Simplified Compliance

How to get a solution for GDPR compliance in Microsoft Cloud?

For those wondering, "is Office 365 GDPR compliant?", Microsoft provides extensive resources and tools. Documentation is available to support your GDPR accountability and your understanding of the technical and organizational measures Microsoft has taken to support the GDPR. Documentation for Data Protection Impact Assessments (DPIAs), Data Subject Requests (DSRs), and data breach notification is provided for you to incorporate into your own accountability program in support of the GDPR.

Assess and manage compliance risk

Because achieving organizational compliance can be challenging, understanding your compliance risk should be your priority. Customers have told us about their challenges with the lack of in-house capabilities to define and implement controls and inefficiencies in audit preparation activities.

Compliance Manager and Compliance Score help you continuously monitor your compliance status. Compliance Manager captures and provides details for each Microsoft control that has been implemented to meet specific requirements, including implementation and test plan details, and management responses if necessary. It also provides recommended actions your organization can take to enhance data protection capabilities and help you meet your compliance obligations.

Protect personal data

GDPR is all about protecting the personal data of individuals—making sure there is proper security, governance, and management of such data to help prevent it from being misused or getting into the wrong hands. To help ensure that your organization is effectively protecting personal data as well as sensitive content relevant to organizational compliance needs, you need to implement solutions and processes that enable your organization to discover, classify, protect, and monitor data that is most important.

The information protection capabilities within Microsoft 365, such as Office 365 Data Governance and Azure Information Protection, provide an integrated classification, labeling, and protection experience—enabling more persistent protection of your data—no matter where it lives or travels. A proactive data governance strategy of classification of personal and sensitive data enables you to respond with precision when you need to find the relevant data to satisfy a regulatory request or requirement like a Data Subject Request (DSR) as a part of GDPR.

Azure’s fully managed database services, like Azure SQL Database, help alleviate the burden of patching and updating the data platform, while bringing intelligent built-in features that help identify where sensitive data is stored. Modern technologies, like Azure SQL Data Discovery and Classification, provide advanced capabilities for discovering, classifying, labeling, and protecting sensitive data at the database level. Protect personal data with technologies like Transparent Data Encryption (TDE) that offer Bring Your Own Key (BYOK) support with Azure Key Vault integration.

Respond with confidence

Ensuring processes are in place to efficiently manage and meet certain GDPR requirements, such as responding to DSRs or responding to data breaches, is a tough hurdle for many organizations.

To help you navigate the GDPR resources provided across cloud services, we introduced the Privacy tab in the Service Trust Portal last month. It provides you with the information you need to prepare for your own Data Protection Impact Assessments (DPIAs) on Microsoft Cloud services, the guidance for responding to DSRs, and the information about how Microsoft detects and responds to personal data breaches and how to receive notifications directly from Microsoft.

Handling data breaches

The onset of GDPR also means stricter regulations that organizations must adhere to in the event of a data breach. Microsoft 365 has a robust set of capabilities, from Office 365 Advanced Threat Protection (ATP) to Azure ATP, which can help protect against and detect data breaches.

Get GDPR Compliant with Us Now

As a Microsoft Gold Partner, Communication Square takes pride in being a team of dedicated professionals. We have assisted our clients in getting GDPR compliant in Microsoft Cloud. So, if you're wondering, "is Office 365 GDPR compliant?", rest assured that we can guide you through the compliance process with Microsoft's solutions. We'll be more than happy to assist you with your compliance process, and we provide support from deployment to maintenance.


1. How will GDPR affect European organizations?

All European organizations come under the effect of GDPR only if they collect or process the personal information of European citizens.

2. How will GDPR affect non-European organizations?

All non-European organizations that collect or process the personal information of European citizens also come under the effect of these laws.

3. What are the GDPR consent requirements?

As part of giving private individuals more control over their personal data, the GDPR sometimes (but not always) requires companies to get a person's consent before collecting or processing their data. However, some of the requirements around consent, like how it must be “informed,” “specific,” and “unambiguous,” or even the term “consent” itself, can be vague. This guide defines all these terms so that your company knows what threshold it must meet to be GDPR compliant.

4. Which companies does the GDPR affect?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

5. Who within my company will be responsible for compliance?

The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.

6. What is the LGPD?

Brazil passed the General Data Protection Law in 2018, and it came into effect in February 2020.

7. Why does the GDPR exist?

The short answer to that question is public concern over privacy. Europe in general has long had more stringent rules around how companies use the personal data of its citizens. The GDPR replaces the EU's Data Protection Directive, which went into effect in 1995. This was well before the internet became the online business hub that it is today. Consequently, the directive is outdated and does not address many ways in which data is stored, collected, and transferred today.

8. Does the GDPR deal with encryption?

Encryption is identified in the GDPR as a protective measure that renders personal data unintelligible when it is affected by a breach. Therefore, whether encryption is used may affect the requirements for notification of a personal data breach. The GDPR also points to encryption as an appropriate technical or organizational measure in some cases, depending on the risk. Encryption is also a requirement under the Payment Card Industry Data Security Standard and part of the strict compliance guidelines specific to the financial services industry. Microsoft products and services such as Azure, Dynamics 365, Enterprise Mobility + Security, Microsoft 365/Office 365, SQL Server/Azure SQL Database, and Windows 10 offer robust encryption for data in transit and data at rest.

9. In what formats should personal data be made available?

Searching for personal data may vary across Microsoft products and services. Search tools include Content Search or in-app search capacity. Administrators may access system-generated logs associated with a user's activity.

10. What are Processors and Controllers?

A controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

11. What are my responsibilities as a Controller?

Under the GDPR, as a controller, you are required to undertake DPIAs prior to any data processing that is likely to result in an elevated risk to the rights and freedoms of individuals, in particular processing that uses modern technologies. The GDPR provides a non-exhaustive list of cases in which DPIAs must be carried out.

12. What does the GDPR require and what are the responsibilities of Microsoft as a processor?

We must implement the appropriate technical and organizational measures to assist you in responding to requests from data subjects exercising their rights as discussed above.

13. How will Microsoft notify me in the event of a data breach?

Microsoft has policies and procedures in place to notify you promptly. To satisfy your notice requirements to the DPA, we will provide a description of the process we used to determine if a breach of personal data has occurred, a description of the nature of the breach and a description of the measures we took to mitigate the breach.

14. Am I allowed to transfer data outside of the EU?

Yes, however the GDPR strictly regulates transfers of personal data of European residents to destinations outside the European Economic Area. You may need to set up a specific legal mechanism, such as a contract, or adhere to a certification mechanism to enable these transfers. Microsoft details the mechanisms we use in the Online Services Terms.

15. How does the GDPR change an organization's response to personal data breaches?

The GDPR changes data protection requirements and imposes stricter obligations on processors and controllers regarding notice of personal data breaches. Under the new regulation, the processor must notify the data controller of a personal data breach without undue delay after becoming aware of it. Once aware of a personal data breach, the controller must notify the relevant data protection authority within 72 hours. If the breach is likely to result in an elevated risk to the rights and freedoms of individuals, controllers will also need to notify the affected individuals without undue delay. Additional guidance on this topic is being developed by the EU's Article 29 Working Party.


About the Author

Rijah is a professional Marketing Executive & content specialist. You may know her from her greatest hits like, "No, I can't just make it go viral." or "No, you can't have everybody as your audience." and "Yes, you're absolutely going to need a copywriter!"

Rijah Naseem
