Achieve GDPR compliance in the cloud with Microsoft Azure

  • On June 14, 2018

Brief description

The GDPR (General Data Protection Regulation) is an EU regulation that requires organisations to protect the personal data and privacy of individuals within the European Union, and it sets guidelines for collecting and processing that personal information. It also provides for fines on non-compliant organisations and governs the export of personal data outside the EU.

Microsoft Azure is a cloud service created by Microsoft for testing, deploying and managing services and applications through Microsoft-managed data centres. Microsoft built Azure with industry-leading privacy policies and security measures to safeguard in the cloud the personal data identified by the GDPR.

Tags: GDPR, Microsoft Azure

Overview

There is a prediction that the GDPR may eventually replace the Data Protection Directive as the new global standard on data privacy for all government organisations and agencies that conduct business with European Union citizens. All organisations that control, process or maintain information about EU citizens should comply with the strict new rules on the protection of customer data. Companies that manage and store data should not ignore the new regulatory requirements but rather implement a comprehensive cloud security strategy, as they may otherwise incur significant penalties.

Based on a Veritas survey on GDPR, 86% of organisations worldwide are worried that non-compliance with the GDPR could have a significant adverse impact on their businesses, and they see compliance as a challenge. Almost 20% predict that non-compliance may put them out of business.

Compliance is not a one-day event but an ongoing process, and it is a shared responsibility between Microsoft and its customers. Microsoft Azure provides powerful tools that aid in the transition to GDPR compliance, and Microsoft continues to invest in features that help organisations achieve their GDPR goals.

How to achieve GDPR compliance in Azure

Microsoft has adopted a four-stage strategy to help its customers achieve GDPR compliance. The stages are:

  • Discover
  • Manage
  • Protect
  • Report

Discover

Identifying the type of data you hold and controlling who is granted access to it is a significant requirement of the GDPR. Azure enables you to control access to your data and manage user identities in several ways:

Identify personal data by searching for and querying personal information with Azure Search, Azure AD or specialised tools such as Query Explorer.

Classify data with Azure Information Protection, which has rich logging and reporting capabilities and lets you monitor how data is distributed. It helps ensure that your data is secure and identifiable, which is a crucial requirement of the GDPR. You can protect new or existing data; classify, label and share it securely with people inside or outside the organisation; revoke access remotely; and track usage.

Locating personal data

Microsoft Azure offers services for tracking down personal data for GDPR-compliance purposes, such as the Azure Data Factory service, which composes data storage, movement and processing services into scalable, streamlined and reliable data-production pipelines. Additionally, Azure HDInsight is an open-source analytics service for enterprises that makes it easy, cost-effective and fast to process massive amounts of data.

Managing Personal Data

Once you have located the data that you need to protect under the GDPR, you have to ensure that the corresponding data subjects have control over how your organisation collects and uses their data.

Requesting, obtaining and documenting consent to data usage.

The GDPR states that organisations should obtain consent before gathering and using personal data from data subjects. It should be as simple for data subjects to withdraw consent as it is to give it. Azure SQL Database keeps track of consenting data subjects.

Restricting personal-data processing

You can accomplish this through Azure AD Privileged Identity Management, which helps in managing, controlling and monitoring access to resources within your organisation. Azure AD also provides reports on administrator access history and changes.

Migrating and erasing personal data

Azure has four services (Azure AD, Azure SQL Database, Azure Cosmos, and the Azure Storage REST API) that aid GDPR compliance by exporting data in a format that makes migrating it to another location straightforward and practical for data subjects. You can also erase personal data with Azure services such as Azure Files and Azure Table storage, and if you store it in Azure Table storage, you can delete it with the File service REST API.

GDPR-compliant privacy notices

The Azure infrastructure helps your organisation meet the GDPR notification requirements by hosting customised privacy notices, which must be easy to read, straightforward and free of unnecessarily complicated legal jargon.

Securing and Protecting Personal Data

Protecting personal data in your systems, and reviewing and reporting on compliance, are essential requirements of the GDPR. Some of the relevant services and tools are discussed below:

The Secure Development Lifecycle

The process includes two principles relevant to GDPR compliance: privacy by default and privacy by design. Microsoft follows the Security Development Lifecycle to build security into all Azure services from the start, when their applications are built.

Azure Security Center – It helps monitor resources, provides in-depth security recommendations, and gives you control and visibility over your Azure resources. It is also a security tool that includes analytics-rich security monitoring and security vulnerability discovery and prevention.

Data Encryption in Azure Storage – The GDPR suggests that an organisation should consider encrypting its data sets as an appropriate safeguard to mitigate the risk of unauthorised access to personal data. Azure offers and supports a wide range of standard encryption services, best practices and methodologies to assist administrators in protecting their data. Services such as Transparent Data Encryption and Azure Disk Encryption for Windows and Linux secure

Azure Key Vault – It is designed to keep you in control of your keys and data and, by using hardware security modules (HSMs), to ensure that Microsoft cannot extract or see your keys. Key Vault enables you to safeguard the certificates, passwords and cryptographic keys that help protect your data.

Log Analytics – It assists in collecting and analysing data generated by resources in either your cloud or on-premises environments, through configurable logging options and auditing.

Records and reporting

The GDPR requires organisations to maintain detailed records documenting how they handle data. A few Azure services enable organisations to achieve compliance through their auditing features, such as Azure Log Analytics, Azure Diagnostics, Azure Monitoring Services and Azure Directory Logs.

Any organisation processing personal data may be required to conduct a Data Protection Impact Assessment (DPIA); Microsoft offers help to customers seeking a DPIA on their use of Azure.

International flows of personal data

Transmission of personal data from third parties, as well as into and out of the organisation, must meet specific requirements under the GDPR. When a third party or a Microsoft service cannot specify a region in which to store the personal data, a contractual agreement is required to comply with the EU Model Clauses and the EU-US Privacy Shield Framework pertaining to the transmission of personal data from the EU to countries outside the European Economic Area.


Conclusion

Based on a recent survey by Deloitte, only 45% have completed the Microsoft GDPR assessment needed, while 89% of the organisations still have to plan for the assessment or have only a formal GDPR-readiness program in place. Microsoft Azure services are already in place to help organisations transition easily to GDPR compliance.

Take the Microsoft Azure GDPR assessment and start your journey to GDPR compliance.