Microsoft 365 Certification control spotlight: General Data Protection Regulation (GDPR)

  • Overview: GDPR imposes obligations on data controllers and processors, including implementing security measures, conducting impact assessments, and reporting breaches. It is relevant for organizations both within and outside the EU that target or monitor EU residents, necessitating compliance to avoid penalties and meet enterprise customer requirements.

  • Data subjects can submit subject access requests (SARs):

    • ISVs should identify all locations of information related to a data subject when responding to SARs.
    • Ensure backup retention periods are short enough that data removed in response to a SAR is also purged from backups as older copies are deleted or overwritten.
  • Data processors assisting data controllers with SAR obligations:

    • ISVs must have a process in place to accurately identify all locations where data subjects' information is stored.
    • ISVs must have a formal retention period for backups accommodating data removal due to SARs.
  • Article 13 of the GDPR:

    • Data controllers must provide information to data subjects when collecting their personal data.
    • Information includes the identity and contact details of the data controller, purposes of processing, legal basis, recipients of data, and storage period.
    • Data subjects must be informed of their rights, including access, rectification, erasure, data portability, and the right to lodge complaints.
  • Automation with ACAT:

    • ACAT (the App Compliance Automation Tool), available in the Azure portal, eases compliance for applications that use Microsoft 365 customer data.
    • Offers continuous compliance monitoring with customized daily reports.

To start certification, visit the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and choose App Compliance.