Microsoft 365 GDPR action plan — Top priorities for your first 30 days, 90 days, and beyond

This article includes a prioritized action plan you can follow as you work to meet the requirements of the General Data Protection Regulation (GDPR). This action plan was developed in partnership with Protiviti, a Microsoft partner specializing in regulatory compliance.

The GDPR introduces new rules for companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data about EU residents. The GDPR applies no matter where you or your enterprise are located.

Action plan outcomes

These recommendations are provided across three phases in a logical order with the following outcomes:

Phase: 30 days
Outcome: Understand your GDPR requirements and consider engaging with a Microsoft GDPR Advisory Partner.
• Benchmark your readiness and get recommendations for next steps.
• Work with a Microsoft GDPR Advisory Partner to establish internal guidelines for responding to Data Subject Requests (DSRs), perform a GDPR compliance gap analysis for your organization, and establish a roadmap to compliance.
Outcome: Start discovering the types of personal data you are storing and where it resides to comply with DSRs.
• Use Content search and eDiscovery in the security and compliance centers to discover personal data across the organization.
• When working with vast quantities of content, use Office 365 Advanced eDiscovery, powered by machine learning technologies, to perform more efficient and accurate content searches.

Phase: 90 days
Outcome: Start implementing compliance requirements using Microsoft 365 data governance and compliance capabilities.
• Assess and manage your compliance risks by using the Microsoft Compliance Manager.
• Help users identify and classify personal data, as defined by the GDPR.
Outcome: Use Microsoft 365 security capabilities to prevent data breaches and implement protections for personal data.
• Protect administrator and end-user accounts.
• Protect against malicious code and implement data breach prevention and response.
• Use audit logging to monitor for potentially malicious activity and to enable forensic analysis of data breaches.
• Use Data Loss Prevention (DLP) policies to identify and protect sensitive data.
• Prevent the most common attack vectors, including phishing emails and Office documents containing malicious links and attachments.

Phase: Beyond 90 days
Outcome: Use Microsoft 365 advanced data governance tools and information protection to implement ongoing governance programs for personal data.
• Automatically identify personal information in documents and emails.
• Protect personal data stored on devices across the organization, and ensure that compliant corporate devices are used to access sensitive data.
• Ensure that sensitive personal information is stored and accessed according to corporate policies.
• Implement data retention policies to help ensure that you are only retaining personal data for as long as necessary.
Outcome: Monitor ongoing compliance across Microsoft 365 and other cloud applications. Consider addressing data residency requirements for EU personal data.
• Monitor usage of cloud applications and implement advanced alerting policies for your organization.
• Address data residency requirements as one global organization.

30 days — Powerful quick wins

These tasks are quick to complete, have a large effect, and have low impact on users.

Area: Understand your GDPR requirements and consider engaging with a Microsoft GDPR Advisory Partner.
• Use the Microsoft GDPR Assessment Tool to privately benchmark your readiness and get recommendations for next steps.
• Assess and manage your compliance risks by using the Microsoft Compliance Manager within the Microsoft Service Trust Portal (STP) to conduct a GDPR Assessment of your organization.
• Work with your Microsoft GDPR Advisory Partner to establish internal guidelines to respond to Data Subject Requests (DSRs) and exclusions from DSRs.
• Work with your Microsoft GDPR Advisory Partner to perform a gap analysis of your organization's GDPR compliance, and develop a roadmap that charts your journey to GDPR compliance.
• Learn how to use the GDPR Dashboard and Data Subject Request capability in the Microsoft 365 compliance center.
Area: Start discovering the types of personal data you are storing and where it resides to comply with DSRs.
• Use Content Search and eDiscovery cases to search across mailboxes, public folders, Office 365 Groups, Microsoft Teams, SharePoint Online sites, OneDrive for Business sites, and Skype for Business conversations. Learn how to use sensitive information types to find personal data of EU citizens.
• When working with vast quantities of content, identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches with Office 365 Advanced eDiscovery, powered by machine learning technologies.
• Preview search results, get keyword statistics for one or more searches, bulk-edit content searches, and export the results using the Office 365 security and compliance centers.
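The discovery step above, as an added PowerShell example; it is not code from the original article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that the account running it holds a compliance search role, and that the search name and the set of EU sensitive information types are illustrative choices rather than a complete inventory of the types your tenant offers:

```powershell
# Added example: inventory EU personal data with a Content Search keyed on
# built-in sensitive information types. Not from the original article.
# Assumptions: ExchangeOnlineManagement module installed; the account holds a
# compliance search role; the search name and type list are illustrative.

Connect-IPPSSession   # Security & Compliance PowerShell (interactive sign-in)

$searchName = 'GDPR-EU-PersonalData-Inventory'   # assumed name

# Built-in EU sensitive information types used for this example. List every
# type available in your tenant with:
#   Get-DlpSensitiveInformationType | Select-Object Name
$euTypes = @(
    'EU Debit Card Number',
    'EU Passport Number',
    'EU National Identification Number',
    'EU Driver''s License Number'
)

# KQL: SensitiveType:"<name>" matches items the classifier tagged with that type.
$query = ($euTypes | ForEach-Object { 'SensitiveType:"{0}"' -f $_ }) -join ' OR '

# ExchangeLocation All covers every mailbox, including group and Teams mailboxes;
# SharePointLocation All covers SharePoint Online and OneDrive for Business sites.
if (-not (Get-ComplianceSearch -Identity $searchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $searchName -ExchangeLocation All -SharePointLocation All `
        -ContentMatchQuery $query | Out-Null
}
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes; give up after about an hour so a stuck
# search does not hang the script.
$attempts = 0
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host ("Status: {0}" -f $search.Status)
    $attempts++
} while ($search.Status -ne 'Completed' -and $attempts -lt 120)

Write-Host ("Matched {0} items ({1} bytes)" -f $search.Items, $search.Size)

# SuccessResults lists each mailbox or site with its item count. That list is
# the starting point for the "where does personal data live" map a DSR needs.
$search.SuccessResults
```

A SensitiveType hit depends on the search index having already classified the item, so treat the counts as an approximation and sample the results before relying on them. A Content Search only reads; nothing is changed or exported until you explicitly export the results. For a DSR about a named person, run a second search keyed on that person's name or email address rather than on information types.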

90 days — Enhanced protections

These tasks take a bit more time to plan and implement but greatly improve your security posture.

Area: Start implementing compliance requirements using Microsoft 365 data governance and compliance capabilities.
• Manage your GDPR compliance with Microsoft Compliance Manager within the Microsoft Service Trust Portal (STP).
• Help users identify and classify personal data, as defined by the GDPR, with a classification schema and associated Office 365 Labels for Exchange email, SharePoint sites, OneDrive for Business sites, and Office 365 Groups. See Office 365 Information Protection for GDPR.
Area: Use Microsoft 365 security capabilities to prevent data breaches and implement protections for personal data.
• Improve authentication for administrators and end users in the Microsoft Cloud by enabling multi-factor authentication for all user accounts and modern authentication for all apps. For recommended policy configuration, see Identity and device access configurations.
• Deploy Windows Defender Advanced Threat Protection (ATP) to all desktops for protection against malicious code, data breach prevention, and breach response.
• Enable Office 365 audit logging and mailbox auditing for all Exchange mailboxes to monitor for potentially malicious activity and to enable forensic analysis of data breaches.
• Configure, test, and deploy Office 365 Data Loss Prevention (DLP) policies to identify, monitor, and automatically protect over 80 common sensitive data types within documents and emails, including financial, medical, and personally identifiable information.
• Implement Office 365 Advanced Threat Protection (ATP) to help prevent the most common attack vectors, including phishing emails and Office documents containing malicious links and attachments.
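The audit logging task above, as an added PowerShell example that is not part of the original article or of Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an account with the Exchange Organization Management role, and that the mailbox address, the list of audited owner actions and the 180-day age limit are choices made for this example rather than Microsoft defaults:

```powershell
# Added example: turn on and verify Office 365 audit logging and mailbox
# auditing, then run one forensic query. Not from the original article.
# Assumptions: ExchangeOnlineManagement module; Organization Management role;
# the audited-action list, the 180-day age limit and the mailbox address are
# illustrative choices, not Microsoft defaults.

Connect-ExchangeOnline

# 1. Tenant-wide: unified audit log ingestion is what feeds Search-UnifiedAuditLog
#    and the audit search in the compliance center. Events can take up to an
#    hour to appear after it is switched on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing is on by default, but a tenant-level switch can disable it.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per mailbox: keep records longer than the 90-day default and log the
#    owner actions a breach investigation needs (logons, deletions, inbox-rule
#    and folder-permission changes) on top of the default delegate/admin actions.
$ownerActions = 'MailboxLogin', 'HardDelete', 'SoftDelete', 'MoveToDeletedItems',
                'Update', 'UpdateInboxRules', 'UpdateFolderPermissions'
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true `
            -AuditLogAgeLimit 180.00:00:00 -AuditOwner @{ Add = $ownerActions }
    }

# 4. Spot-check one mailbox (assumed address).
Get-Mailbox -Identity 'alice@contoso.example' |
    Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# 5. Forensic query: who hard- or soft-deleted mail in the last 7 days, and from
#    which client IP. AuditData is a JSON string; flatten the fields that matter.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeItem `
    -Operations HardDelete, SoftDelete -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIPAddress, MailboxOwnerUPN |
    Sort-Object CreationTime
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a longer window, page through with -SessionId and -SessionCommand ReturnLargeSet. How long the unified log itself is retained depends on your licensing, so if a breach investigation may need more than the tenant's retention window, forward the log to a SIEM rather than relying on the portal.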

Beyond 90 Days — Ongoing Security, Data Governance, and Reporting

Secure personal data at rest and in transit, detect and respond to data breaches, and facilitate regular testing of security measures. These configurations are important security measures that build on previous work.

Area: Use Microsoft 365 advanced data governance tools and information protection to implement ongoing governance programs for personal data.
• Use Office 365 Advanced Data Governance to identify personal information in documents and emails by automatically applying Office 365 Labels.
• Protect personal data stored on devices across the organization by deploying Microsoft Intune.
• Implement Azure AD Conditional Access policies with Microsoft Intune to ensure that sensitive personal information is stored and accessed according to corporate policies. For recommended policy configuration, see Identity and device access configurations.
• Implement data retention policies with Office 365 Labels, Advanced Data Governance, and Retention Policies so that personal data is retained only for as long as necessary in your jurisdiction.
Area: Monitor ongoing compliance across Microsoft 365 and other cloud applications. Consider addressing data residency requirements for EU personal data.
• Use Office 365 Alert Policies, data loss prevention reports, and Microsoft Cloud App Security to monitor usage of cloud applications and implement advanced alerting policies based on heuristics and user activity.
• Address organizational, regional, and local data residency requirements while configured as one global organization, using Microsoft's multi-geo capabilities for Exchange Online mailboxes, OneDrive for Business sites, and SharePoint Online sites.
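The DLP task from the 90-day phase and the retention task above, as one added PowerShell example; it is not code from the original article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module and a Compliance Administrator role; the policy names, the chosen sensitive information types and the 7-year (2555-day) period are illustrative, and the real retention period must come from your organization's legal basis for processing. The retention rule here targets content by the same SensitiveType KQL query used for Content Search, which is evaluated against the search index, so validate it on a pilot location before applying it tenant-wide:

```powershell
# Added example: a DLP policy for EU personal data rolled out in test mode, and
# a retention policy that deletes the same kind of content after a fixed period.
# Not from the original article. Assumptions: ExchangeOnlineManagement module;
# Compliance Administrator role; names, types and the 2555-day period are
# illustrative; the real retention period comes from your legal basis.

Connect-IPPSSession

$dlpPolicy = 'GDPR - EU personal data'   # assumed name

# TestWithNotifications: users see policy tips and incident reports are sent,
# but nothing is blocked until Mode is switched to Enable.
New-DlpCompliancePolicy -Name $dlpPolicy -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null

# Rule: when an item carries at least one EU identifier and is shared outside
# the organisation, block access, notify the owner and report to the site admin.
New-DlpComplianceRule -Name 'Block external sharing of EU identifiers' -Policy $dlpPolicy `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'EU Passport Number';                minCount = '1' },
        @{ Name = 'EU National Identification Number'; minCount = '1' },
        @{ Name = 'EU Debit Card Number';              minCount = '1' }
    ) `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner, LastModifier -GenerateIncidentReport SiteAdmin | Out-Null

# After reviewing the DLP reports from the test period, enforce the policy:
#   Set-DlpCompliancePolicy -Identity $dlpPolicy -Mode Enable

# Retention: keep matching items, then delete them once they are 2555 days past
# their last modification (illustrative period; see lead-in).
$retPolicy = 'GDPR - EU personal data retention'   # assumed name
New-RetentionCompliancePolicy -Name $retPolicy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All | Out-Null

$query = 'SensitiveType:"EU Passport Number" OR ' +
         'SensitiveType:"EU National Identification Number" OR ' +
         'SensitiveType:"EU Debit Card Number"'
New-RetentionComplianceRule -Name 'Keep 7 years then delete' -Policy $retPolicy `
    -ContentMatchQuery $query -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays | Out-Null

# Verify what was created; DistributionStatus shows whether the retention
# policy has finished propagating to the selected locations.
Get-DlpCompliancePolicy -Identity $dlpPolicy | Select-Object Name, Mode, Enabled
Get-RetentionCompliancePolicy -Identity $retPolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Leaving the DLP policy in test mode first is the point of the "configure, test, and deploy" wording in the 90-day table: false positives on identifier patterns are common, and blocking before tuning trains users to route around the control. Retention and DLP are independent objects, so removing one does not touch the other.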

Learn more