Microsoft: GDPR Compliance Presents Challenges That Moving to the Cloud Can Ease

Compliance with the European Union’s General Data Protection Regulation (GDPR) that was implemented May 25 has presented companies with challenges. But moving to the cloud can help them overcome many of those issues, according to Microsoft executives.

“When you think about it, the GDPR could not come at a more important time,” Brad Smith, president and chief legal officer of Microsoft, said the same day GDPR was implemented.
Noting that Microsoft has strongly supported GDPR since it was first proposed in 2012 by the European Commission, he said during a webcast called “Safeguarding individual privacy rights with the Microsoft Cloud” that digital technology is “changing the way we live.”

He added: “It’s transforming how we connect with other people. It’s impacting every aspect of our work. At Microsoft, we recognize that privacy is a fundamental human right because, when you think about it, we all need to share information with other people just to go about our daily lives. But it’s more important than ever that people be able to exchange data [and] to share data on their own terms.”

As examples, he pointed out that consumers typically want to share health info data with doctors but not strangers, while businesses want to share data with partners but not to competitors.

“Trust is more important than ever,” he said, adding: “People, quite simply, won’t use technology they don’t trust. And that means that companies like ours that create technology have a huge responsibility – a huge responsibility to make sure that we protect peoples’ personal information, that we safeguard privacy, and that we ensure that kind of trust.”

Microsoft decided to “take the heart of GDPR – what’s called the data subject rights – and apply them worldwide,” he noted. The initiative required an “enormous engineering effort” by more than 1,600 engineers, who worked to get ready for GDPR implementation, he said, adding “we feel good about where we are today” and “will remain focused on GDPR.”

But “we understand that compliance with complex regulations like the GDPR can be a long and difficult process,” Alym Rayani, director of Microsoft 365, said on the webcast.

Microsoft launched a Compliance Manager tool last year to help customers achieve GDPR compliance, he noted.

And “we’re seeing that ease of compliance as one of the key drivers for moving to the cloud because of this shared responsibility model” that’s offered within the cloud, he said.

Explaining why that shared responsibility model benefits customers, Karim Batthish, director of Microsoft 365 engineering, said: “When data resides on premises, it is the customer’s responsibility to meet all the regulatory requirements. But when customers move their data to the Microsoft Cloud, both Microsoft and the customer accept and share compliance obligations for that data. In the Microsoft Cloud, we provide enhanced tools that our customers can use to meet these obligations.”

“The compliance landscape is evolving quickly,” Rayani said, noting: “New regulations are popping up. Standards are evolving.”

Microsoft is helping customers handle the complexities of those changing regulations and standards in “two core ways,” Batthish said. “First, we’re providing streamlined compliance tools…. Second, we’ve redesigned our service trust portal to be the single place where customers can discover new compliance capabilities; access documentation on Microsoft security, privacy and compliance practices; review third-party audit reports for our online services; and use new tools to help streamline compliance.”

Discussing the challenges that Microsoft faced when setting out to meet the GDPR requirements, Batthish said the company needed to, among other things, “ensure that we had controls in place to manage the use of personal data across all of our endpoints, from Azure services to Office 365” to Xbox gamer tags. It also “required an immense engineering effort to standardize our data governance in order to deliver on GDPR obligations,” he said.

Microsoft Azure specifically “developed a powerful set of tools to make compliance easier,” he also said. For example, he pointed out that Azure information protection solutions can “help customers automate the process of classifying categories of data during the discovery phase.” Also, “our identity management and security solutions can be used to minimize the number of people who have access to sensitive data,” he noted.

Meanwhile, “cyber threats are increasingly sophisticated and persistent,” he went on to say. “To combat against these, the Microsoft Intelligent Security Graph unifies preventative measures and improves the efficiency of protecting, detecting and responding to security incidents,” he said.

Not discussed on the webcast was the massive cost that non-compliance with GDPR could cost any organization in fines.