This framework is designed to help companies get and stay GDPR compliant, or to carry out other audits such as ISO 27001:2013.

This article focuses on GDPR topics.
Services included in this cloud service assessment

SharePoint Online, Exchange Online, Microsoft Booking, Microsoft Graph API, Microsoft Analytics, Microsoft Planner, Microsoft Stream, Office Delve, Office 365 Groups, Office 365 Video, Sway, Microsoft StaffHub, Microsoft PowerApps, Microsoft Teams, Skype for Business
Microsoft Managed Controls

Article 4 Number 8 of the GDPR defines that an entity that processes data on behalf of another is considered to be a contract data processor. Therefore Microsoft, with its services Office 365 & Azure, is clearly a contract data processor within the meaning of Article 4 Number 8 of the GDPR.

Because of this, there are also topics that Microsoft has to fulfill and that the contracting entity has to check. These topics are aggregated in the "Microsoft Managed Controls" section of Compliance Manager.

The topics in this section are tested and passed by an independent third-party auditor. We can get the details about every topic in the Compliance Manager, as you can see in this example:
Customer Managed Controls

Not every GDPR article is about IT systems. Because of this, not every article is covered by the Compliance Manager framework. In the section "Customer Managed Controls", Microsoft offers an audit tool that can be used to organize your GDPR compliance journey for Office 365 & Azure.

Features to organize the GDPR compliance journey
- Assignment of a topic to a responsible person
- Upload and manage documents
- Track status
- Test date
- Track test result
- Detailed description for each topic
- Documentation about your implementation details
- Documentation about your test plan & management response

Example:

You can use the Compliance Manager framework web UI to work with an auditor, or you can also export the results as an Excel file.
Mapping

The GDPR is structured by the following topics:
- General provisions (Article 1 - 4)
- Principles (Article 5 - 11)
- Rights of the data subject (Article 12 - 23)
- Controller and processor (Article 24 - 43)
- Transfers of personal data to third countries or international organisations (Article 44 - 50)
- Independent supervisory authorities (Article 51 - 59)
- Cooperation and consistency (Article 60 - 76)
- Remedies, liability and penalties (Article 77 - 84)
- Provisions relating to specific processing situations (Article 85 - 91)
- Delegated acts and implementing acts (Article 92 - 93)
- Final provisions (Article 94 - 99)

(only the highlighted topics are covered by the Compliance Manager framework)
Microsoft, as a software company, uses a different set of topics:
- Discover
- Manage
- Protect
- Report

Even the Compliance Manager framework itself uses a different structure. The framework is separated into:
- Office 365 in-Scope Cloud Services (list of covered services)
- Microsoft Managed Controls (topics Microsoft has to fulfill)
- Customer Managed Controls (topics the customer has to fulfill)

So we need to do a mapping.

The following matrix shows the chapters, the articles and the sub-items covered by the Compliance Manager framework. You can use this in your company-wide GDPR audit to get a clear overview of what is relevant in the context of Office 365 & Azure and what is covered by the Microsoft Compliance Manager framework.

File can be downloaded here -> LINK
Remarks:

Not every article needs to be fulfilled by every company. In detail, it depends on your company structure and on what exactly you do with personal data. Which of these articles apply in a specific individual case must be evaluated in a legally robust manner.

This article and the Excel matrix were created to the best of the author's knowledge and according to careful research. However, they cannot and do not intend to replace an in-depth legal, process, and technical assessment.