General Data Protection Regulation Summary

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located.

This document guides you to information to help you honor rights and fulfill obligations under the GDPR when using Microsoft products and services. A Recommended action plan for GDPR and Accountability Readiness Checklists provide additional resources for assessing and implementing GDPR compliance.


Helpful definitions for GDPR terms used in this document:

  • Data Controller (Controller): A legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
  • Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller.
  • Customer Data: Data produced and stored in the day-to-day operations of running your business.

What is the GDPR?

The GDPR gives rights to people to manage personal data collected by an organization. These rights can be exercised through a Data Subject Request (DSR). The organization is required to provide timely information regarding DSRs and data breaches, and perform Data Protection Impact Assessments (DPIAs).

Several points should be considered when implementing or assessing GDPR requirements.

  • Developing or evaluating your GDPR-compliance data privacy policy.
  • Assessing the data security of your organization.
  • Who is your data controller?
  • What data security processes may you have to perform?

The Recommended action plan for GDPR and Accountability Readiness Checklists may prompt additional thinking points.

The following tasks are involved to meet GDPR standards. Follow the links in the list for details regarding your implementation.

  • Data subject requests (DSR). A formal request by a data subject to a controller to take an action (change, restrict, access) regarding their personal data.
  • Breach notification. Under GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
  • Data protection impact assessment (DPIA). Data controllers are required under GDPR to prepare a DPIA for data operations that are “likely to result in a high risk to the rights and freedoms of natural persons.”

As mentioned above, the Recommended action plan for GDPR and Accountability Readiness Checklists provide a guide to implementing or assessing GDPR conformance using Microsoft products and services.

The GDPR in action

This section provides an outline and thinking points on completing the GDPR tasks mentioned above. Completing these tasks may vary depending on your Microsoft configuration.

Data Subject Request (DSR)

Data Subject Requests provide a means for data subjects to exercise their rights under GDPR. The controller is responsible for providing a timely, GDPR consistent reply. Questions you should consider are addressed below. For technical details, refer to Data subject requests.

  • What actions will be required to complete a DSR?: DSRs involve six activities: Discovery, Access, Rectification, Restriction, Export, and Deletion.
  • What are your data sources?: A large fraction of an organization’s data is generated in Office applications such as Excel and Outlook. You may also find data relevant to a DSR in Insights generated by Microsoft products and services, and system-generated logs.
  • What kinds of data need to be searched?: Personal data may be found in customer data, insights generated by Microsoft products and services, and system-generated logs.
  • How will personal data be searched?: Searching for personal data may vary across Microsoft products and services. Search tools include Content Search, or in-app search capacity. Administrators may access system-generated logs associated with a user’s activity.
  • In what formats should personal data be made available?: The GDPR “right of data portability” allows a data subject to request a copy of personal data in a “structured, commonly used, machine-readable format”, and to request that your organization transmit these files to another data controller.

Data Protection Impact Assessment

Under GDPR, data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing operations that are “likely to result in a high risk to the rights and freedoms of natural persons.” There is nothing inherent in Microsoft products and services that need the creation of a DPIA. Rather, it depends on the details of your Microsoft configuration.

Some considerations regarding DPIA are given below. A list of details that must be considered in Office can be found in Contents of DPIA.

  • What data activities in your organization may compromise your personal data security?

  • Could your configuration of Microsoft products and services be vulnerable to data breach?

  • When should you conduct a DPIA?

    • Controllers are required to perform a DPIA addressing risks to personal data security or as a result of a data breach. Specific examples of risk factors in Office are addressed in Determining Whether a DPIA is Needed.
  • What is required to complete a DPIA?

    The GDPR mandates that a DPIA includes:

    • Assessment of the necessity, and proportionality of data processing in relation to the DPIA’s purpose.
    • An assessment of the risks to the rights and freedoms of data subjects.
    • Intended measures to address the risks, safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance with the GDPR.

Breach Notification

As a data processor, Microsoft ensures that customers are able to meet the GDPR’s breach notification requirements. Data controllers are responsible for assessing risks to data privacy and determining whether a breach requires notification of a customer’s DPA. Microsoft provides the information needed to make that assessment. More information about how Microsoft detects and responds to a breach of personal data in Data Breach Notification Under the GDPR. Some breach notification questions are:

  • What information about a breach should be communicated to data subjects
  • How will you communicate to your data subjects (email, written notification, etc.)?

Accountability Readiness Checklists for the GDPR

These checklists provide a convenient way to access information you may need to support the GDPR using Microsoft products. You can manage checklist items with the Compliance Manager by referencing the Control ID and Control Title under Customer Managed Controls in the GDPR tile.

Learn more