Microsoft 365 GDPR action plan — Top priorities for your first 30 days, 90 days, and beyond

This article includes a prioritized action plan you can follow as you work to meet the requirements of the General Data Protection Regulation (GDPR). This action plan was developed in partnership with Protiviti, a Microsoft partner specializing in regulatory compliance.

The GDPR introduced new rules for companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents. The GDPR applies no matter where you or your enterprise are located.

Action plan outcomes

These recommendations are provided across three phases in a logical order with the following outcomes:

Phase Outcomes
30 days Understand your GDPR requirements and consider engaging with a Microsoft GDPR Advisory Partner.
* Benchmark your readiness and get recommendations for next steps.
* Work with a Microsoft GDPR Advisory Partner to establish internal guidelines for responding to Data Subject Requests (DSRs), perform a GDPR compliance gap analysis for your organization and establish a roadmap to compliance.

Start discovering the types of personal data you are storing and where it resides to comply with DSRs.
* Use Content search and eDiscovery in the security and compliance centers to discover personal data across the organization.
* When working with vast quantities of content, use Microsoft Purview eDiscovery (Premium), powered by machine learning technologies, to perform more efficient, and accurate content searches.
90 days Start implementing compliance requirements using Microsoft 365 data governance and compliance capabilities.
* Assess and manage your compliance risks by using Microsoft Purview Compliance Manager.
* Help users identify and classify personal data, as defined by the GDPR.

Use Microsoft 365 security capabilities to prevent data breaches and implement protections for personal data.
* Protect administrator and end-user accounts.
* Protect against malicious code and implement data breach prevention and response.
* Use audit logging to monitor for potentially malicious activity and to enable forensic analysis of data breaches.
* Use Data Loss Prevention (DLP) policies to identify and protect sensitive data.
* Prevent the most common attack vectors including phishing emails and Office documents containing malicious links and attachments.
Beyond 90 days Use Microsoft 365 advanced data governance tools and information protection to implement ongoing governance programs for personal data.
* Automatically identify personal information in documents and emails.
* Protect personal data stored on devices across the organization, and ensure that compliant corporate devices are used to access sensitive data.
* Ensure that sensitive personal information is stored and accessed according to corporate policies.
* Implement data retention policies to help ensure that you're only retaining personal data for as long as necessary.

Monitor ongoing compliance across Microsoft 365 and other Cloud applications. Consider addressing data residency requirements for EU personal data.
* Monitor usage of cloud applications and implement advanced alerting policies for your organization.
* Address data residency requirements as one global organization.

30 days—Powerful quick wins

These tasks are quick and powerful with low impact to users.

Area Tasks
Understand your GDPR requirements and consider engaging with a Microsoft GDPR Advisory Partner. * Assess and manage your compliance risks by using Microsoft Purview Compliance Manager in the Microsoft Purview compliance portal to conduct a GDPR Assessment of your organization.
* Work with your Microsoft GDPR Advisory Partner to establish internal guidelines to respond to Data Subject Requests (DSRs) and exclusions from DSRs.
* Work with your Microsoft GDPR Advisory partner to perform a gap analysis in GDPR compliance for your organization, and develop a roadmap that charts your journey to GDPR compliance.
* Learn how to use the GDPR Dashboard and Data Subject Request capability in the Microsoft Purview compliance portal.
Start discovering the types of personal data you are storing and where it resides to comply with DSRs. * Use Content Search and eDiscovery (Standard) cases to easily search across mailboxes, public folders, Microsoft 365 Groups, Microsoft Teams, SharePoint sites, One Drive for Business sites and Skype for Business conversations. Learn how to use sensitive information types to find personal data of EU citizens
* When working with vast quantities of content, identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches with Microsoft Purview eDiscovery (Premium), powered by machine learning technologies.
* Preview search results, get keyword statistics for one or more searches, bulk-edit content searches, and export the results using the Security & Compliance Center.

90 days — Enhanced compliance

These tasks take a bit more time to plan and implement but can increase your overall GDPR compliance efforts.

Area Tasks
Start implementing compliance requirements using Microsoft 365 data governance and compliance capabilities. * Manage your GDPR Compliance with Microsoft Purview Compliance Manager within the Microsoft Purview compliance portal.
* Help users identify and classify personal data, as defined by the GDPR, with a classification schema and associated Office 365 Labels for Exchange email, SharePoint sites, OneDrive for work and school sites and Microsoft 365 Groups. See Deploy information protection for data privacy regulations with Microsoft 365.
Use Microsoft 365 security capabilities to prevent data breaches and implement protections for personal data. * Improve authentication for administrators and end users in the Microsoft Cloud by enabling multi-factor authentication for all user accounts and modern authentication for all apps. For recommended policy configuration, see Identity and device access configurations.
* Deploy Microsoft Defender for Endpoint to all desktops for protection against malicious code, data breach prevention, and responses.
* Enable audit logging and mailbox auditing for all Exchange mailboxes to monitor for potentially malicious activity and to enable forensic analysis of data breaches.
* Configure, test, and deploy Data Loss Prevention (DLP) policies to identify, monitor and automatically protect over 80 common sensitive data types within documents and emails, including financial, medical, and personally identifiable information.
* Implement Office 365 Security solutions to help prevent the most common attack vectors including phishing emails and Office documents containing malicious links and attachments.

Beyond 90 Days — Ongoing privacy, data governance, and reporting

These configurations are important privacy measures that build on previous work.

Area Tasks
Use Microsoft 365 advanced data governance tools and information protection to implement ongoing governance programs for personal data. * Use sensitivity labels to identify personal information in documents and emails.
* Protect personal data stored on devices across the organization by deploying Microsoft Intune.
* Implement AAD Conditional Access policies with Microsoft Intune to ensure that sensitive personal information is stored and accessed according to corporate policies. For recommended policy configuration, see Identity and device access configurations.
* Implement data retention policies with sensitivity labels, Microsoft Purview Data Lifecycle Management, and retention policies to retain personal data for as long as necessary in your jurisdiction.
Monitor ongoing compliance across Microsoft 365 and other Cloud applications. Consider addressing data residency requirements for EU personal data.
  • Use data loss prevention reports and Microsoft Defender for Cloud Apps to monitor usage of cloud applications and implement advanced alerting policies based on heuristics and user activity.
  • Address organizational, regional, and local data residency requirements while configured as one global organization using Microsoft's multi-geo capabilities for Exchange Online mailboxes, OneDrive for work and school sites and SharePoint sites.
  • Learn more