GDPR and Microsoft - Part I

Published on 23 May 2017

I went to a seminar presented by Microsoft on GDPR, and learned some interesting things. Obviously when you are talking about GDPR, you are talking about security, and Microsoft are, apparently, the biggest security vendor on the planet in terms of R&D. I haven't found a link to back that claim up specifically, but they do appear to be big R&D spenders generally.

GDPR is primarily about the following:

  • Enhanced personal privacy rights
  • Increased duty for protecting data
  • Mandatory breach reporting
  • Significant penalties for non-compliance

And of course it applies not just to companies within the EU, but to companies that store data about EU citizens. Basically, companies doing business in the EU. The recent WannaCry cyber-attack should illustrate the monumental task that some organisations are going to face in meeting the requirements around keeping data safe. When the data is about children or "sensitive individuals", the requirements are even stricter.

So, what does this mean for my data?

  • Stricter controls on where personal data is stored and how it is used
  • You need better data governance tools for better transparency, recordkeeping and reporting
  • Improved data policies to provide control to data subjects and ensure lawful processing
  • There will be training requirements to get these policies ingrained.

There is no silver bullet for GDPR, no one piece of technology, or one vendor, who can come in and wave a wand. It needs business change, technology change, and change in the way that data is handled by the company.

"If we are not already preparing, we are already too late". Well, that is the view of a lot of GDPR experts in the field, but then doing nothing is no option at all, so if you haven't started, start now.

  • Simplify your privacy journey
  • Uncover risk and take action
  • Leverage guidance from experts

The ICO publishes 12 steps for GDPR, which is a good place to start, but Microsoft simplify that down to four:

  • Discover - Identify your personal data
  • Manage - Govern how it is used
  • Protect - Establish security controls
  • Report - Execute data requests, report data breaches

A key part of GDPR is Article 32 which says that:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate"

The key point there is "state of the art". You can't simply rely on old technology and old ways of securing data environments; the implication is that you need to keep up to date. Microsoft believe that this would extend to the use of biometric data and other features, to provide additional levels of protection.

The next part will look at what Microsoft can do to help!
