Microsoft steps up to GDPR and releases compliance tools — Database Journal

The GDPR is a privacy regulation that protects residents of EU countries, but it applies to any entity handling data about those residents, even if that entity is located outside the EU. It imposes stiff fines on data privacy violators, up to €20 million or 4% of an organization’s annual global turnover, whichever is greater.

Microsoft observed the May 25 GDPR commencement date with a speech in Brussels by Brad Smith, Microsoft’s president (available on demand with signup here). He said that Microsoft has been a strong supporter of the GDPR ever since it was proposed in 2012. Microsoft views privacy as a fundamental human right, he said, adding that trust is more important than ever as people exchange data. The company put more than 1,600 of its engineers onto the task of getting ready for the GDPR.

These ideas were earlier described by Julie Brill, corporate vice president and deputy general counsel at Microsoft, in a May 21 announcement. Brill noted that Microsoft was "one of a small number of companies participating in the official events in Brussels on Friday." She also announced Microsoft’s plans to "extend the rights that are at the heart of GDPR to all of our consumer customers worldwide."

Brill specifically mentioned supporting "Data Subject Rights." In GDPR legal language, a data subject is a person, and they have the right to make certain requests on "Data Controllers," which are the people or organizations that store data about the subject. There are also "Data Processors" regulated under the GDPR. A Data Processor handles the data controlled by the Data Controllers.

This GDPR language seems simple enough, but it can get confusing. For instance, for Windows 10 users, Microsoft usually can be considered to be the Data Controller because it pulls data from Windows 10 devices, according to a "Windows 10 and the GDPR" document. On the other hand, for Microsoft’s Windows Analytics service and its Windows Defender Advanced Threat Protection service, the subscribing organization is considered to be the Data Controller, while Microsoft just serves as the Data Processor, the document explained.

The potential confusion between Data Controller and Data Processor is already being exploited by ad and search giant Google with regard to content publishers, according to Susan Bidel, a senior analyst at research firm Forrester, in a blog post. To summarize her argument: Google has "positioned itself as a data controller," she said, and it is now requiring content publishers to obtain consent from users on Google’s behalf, which shifts the legal liability onto the content providers while permitting Google to use the data as it wants.

Analyst and research firm Gartner recently published a study on assessing GDPR readiness when using the Google Cloud Platform, Amazon Web Services and Microsoft Azure. It also includes a discussion of the distinctions between the Data Controller and Data Processor roles, according to a blog post by Richard Watson, a research vice president at Gartner Inc.

On the Dynamics 365 side, IT pros who are global administrators have the ability to export system-generated logs for a Data Subject Request, but it can take from one to 30 days to complete, according to this Dynamics 365 Data Subject Request document. The information gets exported as "structured machine-readable files such as XML, CSV, or JSON," according to the document.

Also on Friday, Microsoft announced more progress on its various tools designed to help organizations stay in compliance with GDPR rules. Its last progress report was back in April, when it described the overall tooling, with some products being at the preview stage. Now, it seems, the bulk of its GDPR support tools has reached "general availability" (GA) status, meaning that they are deemed ready for use by organizations.

Quite a lot of the tools that can be used for GDPR compliance are services offered from Microsoft’s Azure datacenters. Microsoft also has a Service Trust Portal, an online site that serves as a compliance resource center, as well as a means for organizations to take action on their stored data. For instance, the Service Trust Portal can be used to carry out Data Subject Requests, communicate data breaches and review Data Protection Impact Assessments, according to a Microsoft Tech Community post.

• Compliance Manager GDPR improvements in the Service Trust Portal, adding facilities for assigning, tracking and recording "GDPR compliance activities," which is generally available for Azure customers. Compliance Manager originally hit GA status back in February with support for Azure, Dynamics 365 and Office 365