by Antoni Zolciak
Achieving GDPR Compliance with Microsoft Azure
(Plus 11 Things You Must Know About GDPR)
Yes, we work with Microsoft cloud technology. This article will be about GDPR compliance with Azure as a cloud solution, and while hosting is crucial to any modern company, it’s not the only thing that matters in the context of new EU regulations.
Before we get to Azure itself, let me remind you what you should take care of first when it comes to the General Data Protection Regulation (GDPR).
First of all, it is a regulation on the proper handling of the personal data of individuals in the European Union. It applies to anyone whose data is processed in the EU, not only to EU citizens, and also to organizations outside the EU that offer goods or services to people in the EU.
But you probably already knew that.
Among the many privacy rights provided by the GDPR, data subjects have the right to access, view, correct, delete or move their personal data whenever it is gathered, stored, used or otherwise processed by an organization.
With enforcement of GDPR beginning on May 25, 2018, many organizations are wisely making plans and decisions now concerning how to prepare themselves for compliance. The most crucial things that will affect your entire company are:
GDPR: The 11 Things You Need to Know
- GDPR is a set of privacy laws focused on the proper handling of the personal data of people in the EU
- Its enforcement begins on May 25, 2018
- Consent to email marketing must be an explicit, affirmative opt-in; double opt-in is the usual way to prove it
- Your subscribers must know what they are signing up for and what they will receive
- You have to keep records of consent from your email contacts
- GDPR applies to existing data as well
- Your Privacy notice must be GDPR-compliant
- Pre-ticked boxes for email signups do not count as valid consent
- You must have a procedure in place to detect, report and investigate personal data breaches; a breach generally has to be reported to the supervisory authority within 72 hours of becoming aware of it
- Fines can be up to 20 million EUR or 4% of worldwide annual turnover, whichever is higher
WIRED has a good introductory article on the whole issue. If you have 10 minutes to spare, read it.
If you are exploring cloud hosting solutions that are GDPR-ready, Microsoft Azure provides a strong set of building blocks for GDPR compliance in the cloud. Using them does not make you compliant by itself: Microsoft acts as the processor for the platform, while your organization remains the controller responsible for how the data is handled.
Azure has a rich set of services and tools to help organizations properly identify, secure, store, transmit, manage, export, track and remove GDPR-related personal data.
Finding the Right Data with Microsoft Azure
Azure provides a wealth of documentation, services and tools to help you find out where your organization stands with respect to GDPR compliance, and the precise set of data that you need to address.
Locating personal data
Managing Personal Data
After discovering the personal data that you need to protect under GDPR, it is time to ensure that the corresponding data subjects (the GDPR's term for the people the data is about) have control over how your organization is gathering and using their personal data.
Requesting, obtaining and documenting consent to data usage
The GDPR requires that organizations have a lawful basis for processing personal data, and for marketing contacts that basis is almost always consent. Where consent is the basis, it must be as simple for data subjects to withdraw it as it was to give it, and you must be able to show when and how it was given. Azure AD supports requesting and granting consent for the directory permissions an application uses, while Azure SQL Database can keep a record of which data subjects have consented to what. Note that Azure AD's consent prompts only cover the access an application is granted to a user's account; consent for other processing, such as marketing email, has to be collected and recorded by your own application.
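As an added example (not code from the original article or from Microsoft), the following Python script shows the consent-record pattern described above: an append-only ledger in which a grant and a withdrawal are recorded the same way, so withdrawing is exactly as easy as giving consent and the full history survives as evidence. It uses the standard-library sqlite3 module in place of Azure SQL Database; the table and column names, the purposes, the subject identifiers and the timestamps are all assumptions made for this example.

```python
"""Append-only consent ledger (added example; not from the article or Microsoft).

sqlite3 stands in for Azure SQL Database. Table, column, purpose and subject
names are assumptions made for this example.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE consent_event (
    id             INTEGER PRIMARY KEY AUTOINCREMENT,
    subject_id     TEXT    NOT NULL,   -- pseudonymous subject key, not the email itself
    purpose        TEXT    NOT NULL,   -- e.g. 'newsletter'
    granted        INTEGER NOT NULL CHECK (granted IN (0, 1)),
    recorded_at    TEXT    NOT NULL,   -- UTC ISO-8601 timestamp
    source         TEXT    NOT NULL,   -- how consent was captured or withdrawn
    notice_version TEXT    NOT NULL    -- privacy notice the subject was shown
);
-- Evidence must not be altered after the fact: rows are insert-only.
CREATE TRIGGER consent_no_update BEFORE UPDATE ON consent_event
BEGIN SELECT RAISE(ABORT, 'consent ledger is append-only'); END;
CREATE TRIGGER consent_no_delete BEFORE DELETE ON consent_event
BEGIN SELECT RAISE(ABORT, 'consent ledger is append-only'); END;
"""


def open_ledger(path=":memory:"):
    """Create a ledger; ':memory:' keeps the example self-contained."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _record(conn, subject_id, purpose, granted, source, notice_version, when=None):
    when = when or datetime.now(timezone.utc).isoformat()
    conn.execute(
        "INSERT INTO consent_event "
        "(subject_id, purpose, granted, recorded_at, source, notice_version) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (subject_id, purpose, int(granted), when, source, notice_version),
    )
    conn.commit()


def grant(conn, subject_id, purpose, source, notice_version, when=None):
    """Record an affirmative opt-in (e.g. the confirmation click of a double opt-in)."""
    _record(conn, subject_id, purpose, True, source, notice_version, when)


def withdraw(conn, subject_id, purpose, source, notice_version, when=None):
    """Withdrawal is the same single call as granting: no extra hoops for the subject."""
    _record(conn, subject_id, purpose, False, source, notice_version, when)


def has_consent(conn, subject_id, purpose):
    """Current state is the latest event; a subject with no event has NOT consented."""
    row = conn.execute(
        "SELECT granted FROM consent_event WHERE subject_id = ? AND purpose = ? "
        "ORDER BY id DESC LIMIT 1",
        (subject_id, purpose),
    ).fetchone()
    return bool(row and row[0])


def consenting_subjects(conn, purpose):
    """Everyone whose most recent event for `purpose` is a grant: the lawful mailing list."""
    rows = conn.execute(
        "SELECT subject_id FROM consent_event e "
        "WHERE purpose = ? AND granted = 1 "
        "  AND id = (SELECT MAX(id) FROM consent_event "
        "            WHERE subject_id = e.subject_id AND purpose = e.purpose) "
        "ORDER BY subject_id",
        (purpose,),
    ).fetchall()
    return [r[0] for r in rows]


def consent_history(conn, subject_id):
    """The evidence trail for an auditor or for the subject's own access request."""
    cols = ("purpose", "granted", "recorded_at", "source", "notice_version")
    rows = conn.execute(
        "SELECT purpose, granted, recorded_at, source, notice_version "
        "FROM consent_event WHERE subject_id = ? ORDER BY id",
        (subject_id,),
    ).fetchall()
    return [dict(zip(cols, r)) for r in rows]


def ledger_rejects_tampering(conn):
    """True if an attempt to rewrite history is blocked by the append-only triggers."""
    try:
        conn.execute("UPDATE consent_event SET granted = 1")
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True


if __name__ == "__main__":
    db = open_ledger()
    grant(db, "subj-001", "newsletter", "double opt-in confirmation", "notice-v3", "2018-05-25T09:00:00+00:00")
    grant(db, "subj-002", "newsletter", "double opt-in confirmation", "notice-v3", "2018-05-25T09:05:00+00:00")
    withdraw(db, "subj-001", "newsletter", "unsubscribe link", "notice-v3", "2018-06-01T12:00:00+00:00")
    print(consenting_subjects(db, "newsletter"))      # ['subj-002']
    print(has_consent(db, "subj-001", "newsletter"))  # False
    print(consent_history(db, "subj-001"))
    print(ledger_rejects_tampering(db))               # True
```

Current consent is derived from the latest event per subject and purpose rather than from a mutable flag, which is what lets you answer "who was on this list, on what basis, on a given date" later. The schema ports to Azure SQL Database with small syntax changes (identity columns and trigger syntax differ).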
Restricting personal-data processing
Restriction of processing is a data subject right under the GDPR; on the access-control side, it is supported by limiting who can reach personal data at all. Azure AD Privileged Identity Management helps here by replacing standing privileged access with just-in-time, time-bound role activations that can require approval and are logged.
Migrating personal data
Four Azure services have features that allow you to export data in a format that makes migrating it to another location practical and straightforward for data subjects:
Removing personal data
You can erase personal data with a number of Azure services including Azure AD and Azure SQL Database. If the personal data is stored in Azure Table Storage or Azure Files, you can delete it through the Storage REST APIs (the Table service and File service APIs respectively). Remember that an erasure request is only satisfied when every copy goes: backups, replicas, exports and log entries that contain the data also have to be found and handled.
Personal data accuracy and integrity
Azure has a number of services that can help address personal data that is incomplete or inaccurate. These include Azure AD, Azure Search and several Azure query tools.
GDPR-compliant privacy notices
The Azure infrastructure can host customized privacy notices to help your organization meet GDPR notification requirements. Note that GDPR-compliant privacy notices must be straightforward, easy to read, and free of unnecessarily complicated legal jargon.
Securing and Protecting Personal Data
The Secure Development Lifecycle
To provide foundational, built-in security to all Azure services from the outset, Microsoft follows its Security Development Lifecycle (SDL) when building them. The SDL covers two principles that are written into the GDPR itself (Article 25): privacy by design and privacy by default.
Azure Security Center (ASC)
ASC is a robust suite of security tools that includes advanced, analytics-rich security health monitoring; security vulnerability discovery and prevention; security threat alerts; and in-depth security recommendations.
Microsoft cloud services offer and support a wide range of encryption services, standards, methodologies and best practices to help administrators protect personal data:
- Transparent Data Encryption (TDE): encrypts Azure SQL Database files and backups at rest; it is transparent to applications, so it does not protect against a compromised database login
- Storage REST API over HTTPS: encrypts data in transit to and from Azure Storage
- Always Encrypted (Database Engine): columns are encrypted by the client driver, so the database engine and its administrators never see the plaintext
- Azure Disk Encryption for Windows and Linux IaaS VMs: BitLocker (Windows) or dm-crypt (Linux) for OS and data disks, with keys held in Azure Key Vault
- Azure Storage Service Encryption for Data at Rest: encrypts Azure Storage data before it is written to disk
Personal-data accuracy, confidentiality and availability
Azure has a range of services that can help your organization comply with GDPR's requirements concerning the confidentiality, accuracy and availability of personal data. These include Azure AD, as well as a number of other Microsoft and Azure services:
- Microsoft Advanced Threat Analytics
- Azure Application Gateway
- Azure VPN Gateway
- Azure Traffic Manager
- Azure Multi-Factor Authentication
- Network security groups in Azure
- Azure Backup
- Azure Key Vault
- Azure Site Recovery
- Azure Log Analytics
- Azure ExpressRoute
Azure’s security standards and certifications
Azure has earned the following important security certifications:
Records and reporting
The GDPR requires that organizations maintain detailed records that document their handling of personal data. The following Azure services have auditing features to help organizations achieve compliance in this critical area:
- Azure Security Center: gather and view security logs across Azure’s suite of services.
- Azure Active Directory logs: track app-usage and logins.
- Azure Storage Analytics: track requests for data housed in Azure Storage.
- Azure Log Analytics: gain insight into Syslogs, IIS logs, and Windows Event logs.
- Azure Diagnostics: view Azure virtual machine event logs.
- Azure Monitor activity log: records the management (API) calls made against your Azure resources, including who made them.
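Logs only help the breach procedure if something actually reads them. As an added example, not from the article or from Microsoft, here is a small Python script that runs two simple detections over constructed sign-in records: a password spray (one source address failing against many accounts) and a success that follows a run of failures for the same account, which is the kind of event an incident-response procedure needs to surface quickly. The records imitate the field names of Azure AD sign-in log exports (userPrincipalName, ipAddress, status.errorCode, createdDateTime); the exact schema of a real export, the addresses and the accounts are assumptions, so adapt the parser to your own export.

```python
"""Detecting credential attacks in sign-in logs (added example; not from the article).

SAMPLE_SIGNINS is constructed to resemble Azure AD sign-in log exports; the real
schema is an assumption here. errorCode 0 is treated as success, anything else as
a failure.
"""
import json
from collections import defaultdict

# Constructed sample: one address sprays four accounts, then bob's account is
# hit with three more failures from a second address and finally a success.
SAMPLE_SIGNINS = """
{"createdDateTime":"2018-05-25T08:00:01Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:00:02Z","userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:00:03Z","userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:00:04Z","userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:05:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.10","status":{"errorCode":0}}
{"createdDateTime":"2018-05-25T08:10:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:10:05Z","userPrincipalName":"Bob@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:10:10Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2018-05-25T08:10:20Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":0}}
{"createdDateTime":"2018-05-25T08:30:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.44","status":{"errorCode":0}}
"""


def parse_signins(text):
    """One JSON object per line -> normalised events. UPNs are lower-cased so
    'Bob@' and 'bob@' count as the same account."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        events.append({
            "time": e["createdDateTime"],
            "user": e["userPrincipalName"].lower(),
            "ip": e["ipAddress"],
            "ok": e["status"]["errorCode"] == 0,
        })
    return events


def detect_password_spray(events, min_users=3):
    """Source addresses that failed against at least `min_users` distinct accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed_users[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}


def detect_success_after_failures(events, min_failures=3):
    """Successful sign-ins preceded by a run of failures for the same account,
    regardless of source address (possible guessed or stuffed password)."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["ok"]:
            if streak[e["user"]] >= min_failures:
                hits.append({"user": e["user"], "ip": e["ip"], "time": e["time"],
                             "failures_before": streak[e["user"]]})
            streak[e["user"]] = 0       # a success ends the run
        else:
            streak[e["user"]] += 1
    return hits


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    print("password spray sources:", detect_password_spray(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

Both detections are deliberately threshold-based and stateless so they can run over an export in a batch job; in production you would read the same fields from Log Analytics and tune the thresholds to your sign-in volume.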
International flows of personal data
Under the GDPR, the transmission of personal data into and out of the EU, as well as to and from third-parties, must meet certain requirements. Accordingly, Azure has adopted a regional datacenter approach.
Whenever a Microsoft service, or a partnering third party, cannot specify a region for personal data storage, Microsoft requires that they contractually agree to comply with the applicable EU-U.S. Privacy Shield Framework and the EU Model Clauses (Standard Contractual Clauses) governing transfers of personal data from the EU to countries outside the European Economic Area (EEA). The Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so check which transfer mechanism currently applies before relying on this.
Microsoft also limits third-party access to customer data. For organizations, such as hospitals, that need to complete Data Protection Impact Assessments (DPIA) with respect to their Azure usage, the Microsoft Trust Center provides a wealth of information regarding how their services process and protect personal data.
A GDPR-compliance dashboard
In addition to the wealth of Azure services already in place to help organizations make a smooth transition to GDPR-compliance, Microsoft is currently putting the finishing touches on a unified solution to pull it all together.
On September 25th, Microsoft announced Compliance Manager, which is currently in preview. With the help of the new dashboard and the rich set of Azure services outlined above, your organization should soon have everything it needs to meet the demands of a new era of personal data protection.
Long Story Short? GDPR Reminds Us to Focus on the Customer, Not Ourselves
Becoming compliant with GDPR is surely a challenge. According to an analysis from Veritas, "86 percent of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business."
Even more importantly, nearly 20 percent of companies said they fear that non-compliance could put them out of business.
We believe, though, that with proper preparation it is more than possible to become compliant.
In case you need any assistance and/or have cloud-related questions, don’t hesitate to ask them.