The General Data Protection Regulation (GDPR), which began as a regulatory requirement, is increasingly seen as a long-term opportunity to establish greater trust with customers and further unlock employee collaboration and productivity in many businesses. The intelligent compliance solutions in Microsoft 365 help you assess and manage your compliance risks and leverage the cloud to identify, classify, protect, and monitor sensitive data residing in hybrid and heterogeneous environments to support GDPR compliance.

Updates in Microsoft 365—currently rolling out—help protect sensitive data and include:

Compliance Manager general availability for Azure, Dynamics 365, and Office 365 Business and Enterprise customers in public clouds.

Compliance Score availability for Office 365.

Azure Information Protection scanner general availability.

In addition to the updates announced today, capabilities in Microsoft 365 help to:

Protect sensitive data in apps and across cloud services.

Support data protection across platforms.

Provide a consistent labeling schema experience (in preview).

We’re also going to expand sensitive data types to include a GDPR template to consolidate sensitive data types into a single template.

These Microsoft 365 updates and capabilities are designed to provide you with an information protection strategy to help with GDPR compliance.

“GDPR is coming. But with Microsoft’s information protection solutions, we will have a more efficient way to handle compliance.”

—Erlend Skuterud, chief information security officer for Yara

Assess and manage compliance risk with Compliance Manager

Because achieving organizational compliance can be very challenging, we suggest organizations periodically perform risk assessments to understand their compliance posture. Compliance Manager is a cross–Microsoft Cloud services solution designed to help organizations meet complex compliance obligations like the GDPR. The Compliance Manager is now generally available for Azure, Dynamics 365, and Office 365 Business and Enterprise customers in public clouds.

“Compliance Manager really adds great additional value for Microsoft Cloud services by providing insights on the relationships between regulation, processes, and technology,” stated IT manager Nick Postma from Abrona, a Dutch healthcare organization that helps clients on their journey to becoming strong and confident members of society through social partnerships.

Perform risk assessments with Compliance Score

Compliance Score—a Compliance Manager feature—enables you to perform ongoing risk assessments on Microsoft Cloud services with a risk-based score reference, giving you visibility into your compliance performance. Each control is assigned a risk weight based on the level of risk involved due to control failure, and as you implement and assess controls, you’ll see your score change. Compliance Score is currently available for Office 365 and will be rolling out to other Microsoft Cloud services soon.

Learn more about the key capabilities and updates for Compliance Manager and Compliance Score at our Tech Community blog.

Protect sensitive data on-premises

Azure Information Protection scanner addresses hybrid and on-premises scenarios by allowing you to configure policies to automatically discover, classify, label, and protect documents in your on-premises repositories such as File servers and on-premises SharePoint servers. The scanner can be configured to periodically scan on-premises repositories based on company policies. Azure Information Protection scanner is now generally available.

Read “Azure Information Protection scanner” to learn more. To deploy the scanner in your own environment, follow instructions in this technical guide.

Protect sensitive data in apps and across cloud services

Since data travels through many locations—across devices, apps, cloud services, and on-premises—it is important to build the protection into the file so this protection persistently stays with the data itself. Azure Information Protection provides persistent data protection by classifying, labeling, and protecting sensitive files and emails.

Microsoft Cloud App Security (MCAS) can read files labeled by Azure Information Protection and set policies based on the file labels. For example, a file labeled as Confidential, with an associated policy of “do not forward or copy,” cannot leave your network via file sharing apps like Box.net or Dropbox. In addition, the service scans and classifies sensitive files in cloud apps and automatically applies AIP labels for protection—including encryption. To learn more about this feature, read “Automatically apply labels to sensitive files in cloud apps” and the related technical documentation.

Support for data protection across platforms

As part of our information protection vision, our goal is to cover all major device platforms. Building on our efforts to support non-Windows platforms, we are now previewing the ability to label and protect sensitive data natively, with no plugins required, in Office applications running on Mac devices. This enables Mac users to easily classify, label, and protect Word, PowerPoint, and Excel documents in a similar manner that you are used to with the Azure Information Protection client on Windows. Considering that a significant amount of sensitive information is in PDF format, as part of our ongoing partnership, we are in the process of working with Adobe to have the same consistent labeling and protection of PDFs available in Adobe Reader.

To learn more about these new information protection capabilities, visit the Enterprise Mobility + Security blog.

Consistent labeling schema experience now in preview

We are previewing a consistent labeling schema that will be used across information protection solutions in Microsoft 365. To start, this means that the same default labels will be used across both Office 365 and Azure Information Protection—eliminating the need to create labels in two different places.

The consistent labeling model also helps ensure that sensitive labels—regardless of where they were created—are recognized and understood across Microsoft 365, including Azure Information Protection, Office 365 Advanced Data Governance, Office 365 Data Loss Prevention, and Microsoft Cloud App Security. Learn more about the preview of the consistent labeling experience.

“Microsoft’s information protection capabilities help you protect and manage your sensitive data throughout its lifecycle—inside and outside the organization,” stated an analyst from KuppingerCole, an international and independent analyst organization headquartered in Europe.

Detect and classify personal data relevant to GDPR

The ability to automatically classify personal data is a critical part of helping you achieve your GDPR goals. Today, we have over 80 out-of-the-box sensitive information types that can be used to detect and classify your data. Soon we will provide a GDPR sensitive information type template to help detect and classify personal data relevant to GDPR. The upcoming GDPR sensitive information type template will help consolidate our sensitive data types into a single template—as well as add several new personal data types to detect (such as addresses, telephone numbers, and medical information).

To learn more about the current sensitive information types, read “What the sensitive information types look for.” To learn more about how to create and customize your own sensitive information types, read “Create a custom sensitive information type.”

For sensitive emails, Microsoft 365 enables users to collaborate on protected messages with anyone inside or outside the organization via Office 365 Message Encryption. To provide more flexibility over controlling and protecting personal information shared in sensitive emails, we are rolling out the new encrypt-only policy in Office 365 Message Encryption starting today. Read further about this and other updates in our Tech Community blog.

Get started on your GDPR journey with Microsoft 365

The Microsoft Cloud is uniquely positioned to help you meet your GDPR compliance obligations. Our cloud solution is built for power, scale, and flexibility. Microsoft 365 brings together Office 365, Windows 10, and Enterprise Mobility + Security—offering a rich set of integrated solutions that help you assess and manage your compliance risk by leveraging Artificial Intelligence (AI) to protect your most important data and streamline your processes with a sophisticated and holistic solution set.

No matter where you are in your GDPR efforts, the Microsoft Cloud and our intelligent compliance solutions in Microsoft 365 can help you on your journey to GDPR compliance. Learn more about how Microsoft can help you prepare for the GDPR and take our free online GDPR assessment. Get started with your organization’s information protection planning by downloading our free white paper and eBook.

—Alym Rayani, director of the Microsoft 365 team