
December 14, 2017 - Cloud

Achieving GDPR Compliance with Microsoft Azure (Plus 11 Things You Must Know About GDPR)

by Antoni Żółciak

Yes, we work with Microsoft cloud technology. This article will be about GDPR compliance with Azure as a cloud solution, and while hosting is crucial to any modern company, it’s not the only thing that matters in the context of new EU regulations.

Before we proceed with Azure itself, let me remind you what you should take care of first when it comes to the General Data Protection Regulation (GDPR).

First of all, it’s a set of privacy laws focused on the proper handling of the personal data belonging to citizens of the European Union.

But you probably already knew that.

Among the many privacy rights provided by the GDPR, EU citizens will have the right to access, view, delete or move their personal data whenever it is gathered, stored, used or otherwise processed by an organization.

With enforcement of GDPR beginning on May 25, 2018, many organizations are wisely making plans and decisions now concerning how to prepare themselves for compliance. The most crucial things that will affect your entire company are:

GDPR: The 11 Things You Need to Know

  • GDPR is a set of privacy laws focused on the proper handling of the personal data of EU citizens
  • Its enforcement begins on May 25, 2018
  • Your email contacts must double opt-in to your lists
  • Your subscribers must know what they are signing up for and what they will receive
  • You have to keep records of consent from your email contacts
  • GDPR applies to existing data as well
  • Your Privacy notice must be GDPR-compliant
  • Pre-ticked boxes for email signups won’t be exactly “legal” anymore
  • You should have a procedure in place to detect, report, and investigate breaches in personal data
  • No more hiding data collection and privacy policy in main terms and conditions
  • Fines can be up to 20 million EUR

WIRED prepared a good introductory article regarding the entire issue. If you have 10 minutes to spare, read it.

On the other hand, if you are exploring cloud hosting solutions that are GDPR-ready, you’ll find that Microsoft Azure provides an exceptionally strong pathway to GDPR compliance in the cloud.

Azure has a rich set of services and tools to help organizations properly identify, secure, store, transmit, manage, export, track and remove GDPR-related personal data.

Here’s how.

Finding the Right Data with Microsoft Azure

Azure provides a wealth of documentation, services and tools to help you find out where your organization stands with respect to GDPR compliance, and the precise set of data that you need to address.

Data classification

The discovery process begins with data classification through Azure Data Catalog, which provides both data-source annotation and Azure Information Protection embedded labeling.

Locating personal data

Two Azure services stand out for tracking down personal data for GDPR compliance purposes: Azure Data Factory and Azure HDInsight.

Managing Personal Data

After discovering the personal data that you need to protect under GDPR, it’s time to ensure that the corresponding data subjects (the official term used in GDPR documentation) have control over how your organization is gathering and using their personal data.

At the center of Azure’s data governance strategy is Azure Active Directory (Azure AD), which works with Azure Role-Based Access Control to manage access to personal data.

Requesting, obtaining and documenting consent to data usage

The GDPR requires that organizations obtain consent from data subjects before gathering and using their personal data. The process must make it as simple for data subjects to withdraw consent as it is to provide it. Azure AD supports the capacity for organizations to request and users to grant consent to data usage, while Azure SQL Database can keep track of consenting data subjects.
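To make the consent requirements concrete (double opt-in, easy withdrawal, and a record of consent you can show for every contact), here is an added example of an append-only consent ledger. It is not code from the original article or from Microsoft; sqlite3 stands in for Azure SQL Database, and the table name, columns and purpose values are assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Append-only ledger: every request, confirmation or withdrawal is a new row,
# so the table itself is the record of consent. Assumed schema (constructed).
SCHEMA = """
CREATE TABLE consent_event (
    id          INTEGER PRIMARY KEY,
    subject_id  TEXT NOT NULL,
    purpose     TEXT NOT NULL,   -- e.g. 'newsletter'
    action      TEXT NOT NULL CHECK (action IN ('requested','confirmed','withdrawn')),
    occurred_at TEXT NOT NULL,   -- ISO-8601 timestamp, UTC
    evidence    TEXT             -- how consent was given: form id, notice version, ...
);
"""

def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record(conn, subject_id, purpose, action, evidence=None, when=None):
    when = when or datetime.now(timezone.utc).isoformat()
    conn.execute(
        "INSERT INTO consent_event (subject_id, purpose, action, occurred_at, evidence) "
        "VALUES (?, ?, ?, ?, ?)", (subject_id, purpose, action, when, evidence))
    conn.commit()

def has_valid_consent(conn, subject_id, purpose):
    """Consent holds only if the latest event is 'confirmed' (double opt-in done).
    A bare 'requested' row (single opt-in) or a later 'withdrawn' row is not consent."""
    row = conn.execute(
        "SELECT action FROM consent_event WHERE subject_id = ? AND purpose = ? "
        "ORDER BY occurred_at DESC, id DESC LIMIT 1", (subject_id, purpose)).fetchone()
    return row is not None and row[0] == "confirmed"

def consent_history(conn, subject_id):
    """Full, ordered record for one data subject (what an access request returns)."""
    return conn.execute(
        "SELECT purpose, action, occurred_at, evidence FROM consent_event "
        "WHERE subject_id = ? ORDER BY occurred_at, id", (subject_id,)).fetchall()

def demo():
    conn = open_ledger()  # constructed sample events follow
    record(conn, "u1", "newsletter", "requested", "signup form v3", "2018-05-26T10:00:00+00:00")
    single = has_valid_consent(conn, "u1", "newsletter")   # False: not confirmed yet
    record(conn, "u1", "newsletter", "confirmed", "confirmation link", "2018-05-26T10:05:00+00:00")
    double = has_valid_consent(conn, "u1", "newsletter")   # True: double opt-in complete
    record(conn, "u1", "newsletter", "withdrawn", "unsubscribe link", "2018-06-01T08:00:00+00:00")
    after = has_valid_consent(conn, "u1", "newsletter")    # False: withdrawn
    return single, double, after, len(consent_history(conn, "u1"))
```

Because rows are never updated or deleted, the ledger also covers the "existing data" point: contacts with no confirmed row are the ones you cannot lawfully keep mailing.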

Restricting personal-data processing

This can be accomplished through Azure AD Privileged Identity Management by limiting access to personal data.

Migrating personal data

Four Azure services have features that allow you to export data in a format that makes migrating it to another location practical and straightforward for data subjects:

Removing personal data

You can erase personal data with a number of Azure services including Azure AD and Azure SQL Database. If the personal data is stored in Azure Table Storage or Azure Files, you can delete it with the File Service REST API.

Personal data accuracy and integrity

Azure has a number of services that can help address personal data that is incomplete or inaccurate. These include Azure AD, Azure Search and several Azure query tools.

GDPR-compliant privacy notices

The Azure infrastructure can host customized privacy notices to help your organization meet GDPR notification requirements. Note that GDPR-compliant privacy notices must be straightforward, easy to read, and free of unnecessarily complicated legal jargon.

Securing and Protecting Personal Data

The Secure Development Lifecycle

To provide foundational, built-in security to all Azure services from the outset, Microsoft adheres to the Secure Development Lifecycle when building their applications. This process includes two methodologies that are highly relevant to GDPR compliance: privacy-by-design and privacy-by-default.

Azure Security Center (ASC)

ASC is a robust suite of security tools that includes advanced, analytics-rich security health monitoring; security vulnerability discovery and prevention; security threat alerts; and in-depth security recommendations.

Encryption

Microsoft cloud services offer and support a wide range of encryption services, standards, methodologies and best practices to help administrators protect personal data:

Personal-data accuracy, confidentiality and availability

Azure has an impressive line of services that can help your organization comply with GDPR’s requirements concerning the confidentiality, accuracy and availability of personal data. These include Azure AD, as well as a long list of other powerful Microsoft and Azure-specific services:

Azure’s security standards and certifications

Azure has earned the following important security certifications:

Records and reporting

The GDPR requires that organizations maintain detailed records that document their handling of personal data. The following Azure services have auditing features to help organizations achieve compliance in this critical area:

  • Azure Security Center: gather and view security logs across Azure’s suite of services.
  • Azure Active Directory logs: track app-usage and logins.
  • Azure Storage Analytics: track requests for data housed in Azure Storage.
  • Azure Log Analytics: gain insight into Syslogs, IIS logs, and Windows Event logs.
  • Azure Diagnostics: view Azure virtual machine event logs.
  • Azure monitoring services: track customers’ API calls within their Azure resources.

International flows of personal data

Under the GDPR, the transmission of personal data into and out of the EU, as well as to and from third parties, must meet certain requirements. Accordingly, Azure has adopted a regional datacenter approach.

Whenever a Microsoft service, or a partnering third party, does not have the capacity to specify a region for personal data storage, Microsoft requires that they contractually agree to comply with the applicable EU-U.S. Privacy Shield Framework and EU Model Clauses governing the transmission of personal data from the EU to countries outside the European Economic Area (EEA).

Microsoft also limits third-party access to customer data. For organizations, such as hospitals, that need to complete Data Protection Impact Assessments (DPIA) with respect to their Azure usage, the Microsoft Trust Center provides a wealth of information regarding how their services process and protect personal data.

A GDPR-compliance dashboard

In addition to the wealth of Azure services already in place to help organizations make a smooth transition to GDPR-compliance, Microsoft is currently putting the finishing touches on a unified solution to pull it all together.

On September 25th, Microsoft announced Compliance Manager, which is currently in preview. With the help of the new dashboard and the rich set of Azure services outlined above, your organization should soon have everything it needs to meet the demands of a new era of personal data protection.

Long Story Short? GDPR Reminds Us to Focus on the Customer, Not Ourselves

“What concerns you the most about the potential fallout from your organization not being in compliance with the GDPR?” That was the question Veritas asked all 900 of its respondents.

Becoming compliant with GDPR is surely a challenge. According to an analysis from Veritas, “86 percent of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business.”

Even more importantly, nearly 20 percent of companies said they fear that non-compliance could put them out of business.

That’s bad.

We believe, though, that with proper preparation it is more than possible to become compliant.

In case you need any assistance and/or have cloud-related questions, don’t hesitate to ask them.

What is your challenge?

Tell us by any of the means provided. We'd love to hear from you!