While the GDPR poses new challenges for organizations working to support the privacy rights of individuals, it also encourages companies to become more accountable for developing and leveraging innovative technology to protect personal and sensitive information. Given the sheer volume of available resources across Microsoft’s many platforms and services, it can be challenging to find the right resources to support GDPR. To address these challenges, we’ve enhanced the Service Trust Portal (STP), to centralize resources to help you with your needs around data protection, compliance, and privacy, and of course, the GDPR.
The STP continues to include independent third-party audit reports, such as FedRAMP, ISO, and SOC reports, in-depth information such as whitepapers, security assessment reports, and data protection guides. In February this year, we released a new tool on the STP called Compliance Manager, which helps organizations to manage compliance activities and perform risk assessments on Microsoft Cloud services.
To help you navigate the collection of GDPR resources, we’re publicly previewing a new Privacy area on the STP which provides you with guidance on how Microsoft services will support you in the event of a personal data breach, and with tools and technical documents to help you respond to data subject requests. You can find more details about each scenario below:
Data subject requests resources
The GPDR provides data subjects with increased rights to control their personal data, including the ability to obtain a copy of their personal data and to have their personal data erased from data systems used by a data controller.
The new data subject requests (DSR) section in STP centralizes all the DSRs resources, and provides you with tools and guidance that you can leverage to locate, export, and erase data across Microsoft's Cloud services.
Breach notification resources
The GDPR imposes specific requirements around breach notification. After becoming aware of a breach of personal data that puts individuals at risk, data controllers must notify the supervisory authority and data subjects without undue delay. These requirements are similar to other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
The data breach notification section of the new Privacy area describes how Microsoft services support your personal data breach obligations, and which tools to use to make sure Microsoft can reach to appropriate people in your organization without delay.
Data Protection Impact Assessments documents
A critical part of GDPR preparedness involves creating Data Protection Impact Assessments (DPIAs) of data processing activities that are likely to result in high risk to the rights and freedoms of individuals.
Coming soon, the data protection impact assessments (DPIAs) section will provide organizations with information you need to create your own DPIAs as a data controller. We will share DPIA-related information for specific Microsoft Cloud services in the next few weeks.
Compliance Manager updates
In addition to the new sections we introduced above, we highly recommend that organizations manage their GDPR compliance activities using Compliance Manager, which provides you with a holistic assessment and built-in tools for end-to-end GDPR compliance management, mapping the GDPR obligations to operational and technical controls used by Microsoft services to support GDPR compliance. You can use Compliance Manager and the information it provides to enhance your accountability and compliance programs.
In addition, we just released the updated version of the GDPR Detailed Assessment, a question-driven assessment tool for preparing for the GDPR. It now integrates with Compliance Manager, directing organizations to specific controls in Compliance Manager and providing guidance for every GDPR scenario in the assessment questionnaire. The updated GDPR Detailed Assessment toolkit can be downloaded here.
Check out the new GDPR and privacy-related resources we’ve introduced today on Service Trust Portal, which is available publicly but requires you to log in using your Microsoft subscription accounts (Azure, Dynamics 365, or Office 365 account, etc.) to access restricted documents like audit reports and tools like Compliance Manager.