General Data Protection Regulation (yep: another one)

Posted by

Yep, here is another blog on the General Data Protection Regulation (GDPR). You’ll probably be wondering:

aren’t there enough of these blogs to go around?


isn’t that subject to complex for a simple blog?

And the simple answer to this is yes. 🙂 Just try to find some information on GDPR by using a simple search and you will end up with more than 4 million results.

gdpr google

So, instead, this blog will guide you to some of the Microsoft resources related to the GDPR. But before I do,  here’s a small GDPR for Dummies. And as I’m no information manager, compliance officer or data protection officer, I’m the dummy as well 🙂

General Data Protection Regulation facts

The GDPR (Regulation (EU) 2016/679) replaces the previous data protection directive (Directive 95/46/EC) from 1996. It will come into effect om May 25th of 2018 and is of that moment binding.

GDPR aims at strengthening data protection for individuals within the European Union. Which does not mean that non-EU companies are exempt from this regulation.


One of the important facts regarding GDPR are the roles. First you have the EU individual. Then there are the data processors and data controllers. Let’s say you work at a company that uses Microsoft Office 365 as (the basis for) their digital workspace. The content stored in that digital workspace is owned by the organization (data controller). Microsoft enables you to work with that content using their technology (data processor). Oh, and there’s you: the person 🙂 This is the so-called data subject.

As an EU individual, the GDPR allows you to have access to your personal data and have incorrect personal data be deleted or corrected. You even have the right to be “forgotten”, when certain conditions are met. When you want to, you should be able to receive a copy of your personal data. And, you must be ensured that your personal data is secure and protected at all times.


Working together, the data controller and processor must ensure that GDPR compliance is met. Some of the parts of GDPR will amount to having written agreements with the required GDPR terms, between data processor and data controller. If you want to look at some of these types of agreements, visit the Security & Compliance center of your tenant. There, in the Service assurance section you’ll find all relevant documents.


The penalties for not being compliant can be severe: non-compliant data processors risk fines of up to 4% of global annual turnover.

Microsoft solutions for GDPR

Here is an overview of some of the solutions by Microsoft to help you being GDPR ready.  In the links below, you will find information of all solutions in detail.

Useful links


Microsoft has a lot of options to offer us. Many of these are related to security and access. But in order to be truly compliant, you will need to know which options are relevant and how to employ these.

I think to most complex subject on this is the ability to provide the data subject (the person) with the information required. Let’s remember that an organization only has 30 days to comply to a data request. And this requires fool-proof processes and excellent content search.

And Microsoft does offer some solutions for this (80 new GDPR sensitive types will become available, for example), but it’s not the only one. You might also want to look at Nintex, Metalogix or Brightcloud, for example.

It’s going to be an interesting 2018 🙂


One comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s