Data Protection Impact Assessment for the GDPR
The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. Additional details can be found in the GDPR Summary topic. This document guides you to information regarding Data Protection Impact Assessments (DPIAs) under the GDPR when using Microsoft products and services.
Helpful definitions for GDPR terms used in this document:
- Data Controller (Controller): A legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
- Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
- Customer Data: Data produced and stored in the day-to-day operations of running your business.
What is a DPIA?
The GDPR requires controllers to prepare a Data Protection Impact Assessment (DPIA) for operations that are 'likely to result in a high risk to the rights and freedoms of natural persons.' There is nothing inherent in Microsoft products and services that need the creation of a DPIA. However, because Microsoft products and services are highly customizable, a DPIA may be needed depending on the details of your Microsoft configuration. Microsoft has no control over, and little or no insight into such information. You, as a data controller must determine appropriate uses of their data.
DPIA in Action
The DPIA guidance applies to Office 365, Azure, Dynamics 365, and Microsoft Support and Professional Services. That guidance includes consideration of:
When is a DPIA needed?
The risk factors listed below should be addressed when considering whether to complete a DPIA. Other potential factors and further details are found in Part 1 of each of the guidelines.
- A systematic and extensive evaluation of data based on automated processing.
- Processing on a large scale of special categories of data (data revealing information uniquely identifying a natural person), or of personal data relating to criminal convictions and offenses.
- Systematic monitoring of a publicly accessible area on a large scale.
The GDPR clarifies 'The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer. In such cases, a data protection impact assessment should not be mandatory.'
What is required to complete a DPIA?
A DPIA should provide specific information about the intended processing, which is detailed in Part 2 of the guidance. That information includes:
- Assessment of the necessity, and proportionality of data processing in relation to the purpose of the DPIA.
- Assessment of the risks to the rights and freedoms of natural persons.
- Intended measures to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance with the GDPR.
- Purposes of processing
- Categories of personal data processed
- Data retention
- Location and transfers of personal data
- Data sharing with third-party subprocessors
- Data sharing with independent third-parties
- Data subject rights
Specific details that may be relevant to your Microsoft implementation are below.
- Office 365: This document applies to Office 365 applications and services, including but not limited to Exchange Online, SharePoint Online, Yammer, Skype for Business, and Power BI. Refer to Tables 1 and 2 for more details.
- Azure: Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIAs related to their use of Microsoft Azure.
- Dynamics 365: The contents of a DPIA may vary according to which Dynamics 365 tools you are employing. For specific details refer to Part 2 Contents of a DPIA.
- Microsoft Support and Professional Services: Professional Services does not conduct certain routine or automated data processing, nor is it intended to process special categories or perform tasks that facilitate or require monitoring of publicly accessible data. For details see Part 1 — Determining Whether a DPIA is needed. Controllers must consider the DPIA elements outlined above, along with any other relevant factors, in the context of the controller's specific implementations and uses of Professional Services. For Professional Services information, see Part 2 — Contents of a DPIA.