Today we’re letting our customers know about our upcoming Data Subject Request (DSR) processing capability in the Azure portal, which will provide tenant admins a simple, powerful tool to quickly fulfill the Data Subject Requests that are central to compliance with the European Union General Data Protection Regulation (GDPR). We will fully support these DSR capabilities before May 25, 2018, the date when enforcement of the GDPR begins and when Microsoft has committed to be GDPR compliant across our cloud services.
The GDPR is the most significant change to EU privacy law in two decades and sets a new global standard for privacy rights, governing the handling and use of personal data. A fundamental tenet of the GDPR is the set of rights it grants individuals, or data subjects, in connection with their personal data collected by an organization (known as the data controller).
If your organization collects, hosts, or analyzes the personal data of EU residents, GDPR provisions require you to use data processors that guarantee their ability to implement the technical and organizational requirements of the GDPR. The GDPR also requires you to respond to requests from individuals, or data subjects, to receive a copy of their personal data, correct or delete it, restrict its processing, or export it in an electronic format so it can be moved to another controller.
The new Azure portal DSR capability will help you to fulfill DSRs. Using it, you will be able to identify information associated with a data subject and execute DSRs against system-generated logs (data Microsoft generates to provide a given service). This is an exciting capability for enterprise customers, as it was previously not possible to access or delete data in system-generated logs. Microsoft is pleased to provide this additional functionality as part of its enduring commitment to privacy.
In addition, Azure enables the fulfillment of DSRs against customer data (data you and your users upload or create) through pre-existing application programming interfaces (APIs) and user interfaces (UIs) across the breadth of services provided. The combination of the Azure portal and pre-existing Azure capabilities will enable you to respond to these types of requests for personal data that reside in the Microsoft cloud:
- Access: Provide a copy of personal data to the data subject.
- Rectify: Make changes or implement other requested actions on customer data, where applicable.
- Delete: Permanently remove personal data that resides in the Microsoft cloud.
- Export: Provide an electronic copy (in machine readable format) of personal data to the data subject, and upon request, transmit these electronic files to another data controller.
The new DSR capability in the Azure portal
You will be able to use the Azure portal to identify and locate customer and employee user profiles, as well as user work information that contain personal data in your Azure Active Directory (AAD) environment. AAD is the Microsoft cloud-based, multi-tenant directory and identity management service. Using the information about the data subject in the portal interface, you can then execute the DSR.
Office 365 also announced a public preview of the new Data Privacy tab in the Office 365 Security & Compliance Center to support data subject requests (DSRs). The new Office 365 DSR experience provides the tools to create a case for a data subject request, search and refine relevant data across Office 365 locations such as Exchange, SharePoint, OneDrive, Groups, and now Microsoft Teams, and export this data to be reviewed further prior to being transferred to the requestor. Learn more on the Office 365 blog.
Microsoft was the first global cloud services provider to publicly commit to GDPR compliance and to offer written contractual commitments. Now more than ever, we believe privacy is a fundamental right. The GDPR is an important step forward to further clarify and enable individual privacy rights and Microsoft looks forward to sharing additional updates regarding how we can help you comply with this new regulation and, in the process, advance personal privacy protections.
The GDPR requires that both Microsoft, as cloud service provider, and you, as a cloud tenant, fulfill the requirements of the GDPR, so this is a journey to compliance we are making together. We invite you to learn about the DSR capabilities of the Azure portal today. If you’re attending the RSA Conference in San Francisco this week, stop by our Booth #3501 and visit our GDPR station. For additional information, visit the Azure GDPR page, and the Service Trust Portal for details on Microsoft’s GDPR capabilities.