GDPR and Microsoft’s Compliance Manager Service

Microsoft has ramped up compliance in response to business concerns various compliances, FedRAMP, ISO and especially over General Data Protection Regulation (GDPR).  The enforcement date of GDPR being the 25^th of May 2018, compliance is imperative and Microsoft is providing help.
GDPR is by far the most encompassing and digital citizen-centric regulation in existence. It not only covers data in the EU but outside the EU as well.  The penalties can be 4% of annual global turnover or just over $23 million whichever is greater.  That should be an incentive to comply with any organization.  Then there is the matter of consent.  They essential remove the cleaver “legalese” from the equation regarding user data.  They require clear, distinguishable and clear language in consent forms.
GDPR establishes guidelines for breach notification, right to access, right to be forgotten, data portability, privacy by design and require what they called a Data Protection Officer. Each of these subjects merits a full exploration on its own but I will simply link you here.
If your organization conducts business anywhere in the European Union (EU) then you will be happy to learn about Microsoft’s Compliance Manager for Microsoft Cloud Services. Compliance Manager is currently in preview but already covers Azure, Dynamics 365 and Office 365. Whilst at the time of this writing Germany a key market is not covered under the preview, I am confident that it will be prior to GDPR’s enforcement date.
Compliance Manager divides the controls in two. The controls managed by Microsoft and the controls that rely on the organization.

Responsibility Division

For those controls that require implementation by the organization. Compliance Manager provides recommended actions to implement these controls. It even allows the assignment of the task to other admins. It displays the varying status of a control and can be marked as implemented, alternative implementation, planned or simply not in scope. The result of a control can be marked as passes, failed low risk, failed medium risk and failed high risk.
Compliance Manager functions with role-based access controls used to delegate the compliance of controls and task. It provides all the information needed to articulate auditors need. The most important portion is a clear status, date, description of the compliance and result of the control. The icing on the cake is the audit ready reporting that exports reports to excel with all the details required.
Microsoft Compliance Manager is not going to solve every organizations GDPR. Microsoft clearly states that “Compliance Manager only provides recommendations and should not be interpreted as a guarantee of compliance”.  While this is true it is a step in the right direction for both Microsoft and for organizations to start to get a better handle on regulatory compliance.
Do you want access to the preview? You can via the Service Trust Portal. Please try it out and provide Microsoft with feedback, be vocal it’s the only way we as a community can voice our concerns and have Microsoft improve their products and services.

More Information

Security & Privacy Blog post
Microsoft Compliance Manager Demo Video