Dive Brief:
- As part of its compliance roadmap, the Azure portal will soon include data subject request (DSR) processing so customers can access a copy of data subjects' personal information; modify or delete the data from the cloud platform; and export an electronic copy to the subject or a data controller. DSR requests will locate data profiles across the Azure Active Directory, and the Azure portal will allow enterprise customers to access data in system-generated logs for the first time.
- In the Office 365 space, Microsoft announced a centralized DSR resources page, documentation of breach notification practices the company will carry out and audit-ready privileged admin access controls. Multi-Geo Capabilities will allow individual tenants to work across datacenter geographies, and a Data Privacy tab in Office 365 has tools to carry out a DSR.
- In another sign of its commitment to compliance, the company brought on Steve May as European Data Protection Officer in late March. May, a longtime Microsoft insider, is now working on companywide efforts for GDPR readiness and reports directly to Brendon Lynch, chief privacy officer of Microsoft.
Dive Insight:
Microsoft has remained in the shadows and relatively unscathed by the techlash relating to data privacy practices of internet giants like Facebook and Google. But as one of the powerhouses of Silicon Valley, the company still has a lot of regulators to answer to, and the EU is emerging as a leading global enforcement body in the digital space.
Many data processors and controllers have made commitments to be GDPR ready by May 25, but without definite processes in place it can be hard for partners and customers to assess compliance. Both cloud providers and cloud tenants need to be GDPR compliant, and Microsoft is making sure it's covered.
The company is solidifying its data protection plans, rolling many out to consumers before the deadline hits. And as the second-largest cloud platform, Microsoft has a large customer base depending on its GDPR tools. This latest rollout seems to indicate that Microsoft is in the final stretch of its compliance journey. Other companies, however, are not so lucky.
More than 30% of businesses are not expected to be fully compliant by the deadline. While realization of the existential and reputational threats of the EU's regulation is setting in, a lack of understanding of where data is stored and where data centers are located still persists in many organizations.
For some CIOs, regulatory compliance and GDPR is another responsibility being put on their busy plates. But more businesses are onboarding compliance officers and data protection officers to handle the compliance journey, spreading out the load.
Compliance and data protection roles touch all departments, from IT to legal to HR, and fitting these leaders into existing hierarchies can be difficult for some companies. But with GDPR about five weeks away, making the commitment and carving out a position of authority to oversee the companywide compliance efforts could make all the difference.