Thursday, 30 November 2017

Microsoft Compliance Manager framework

This framework is designed to help companies become and stay GDPR compliant, or to perform other audits such as ISO 27001:2013.
This article focuses on the GDPR topics.

Services included in this cloud service assessment

SharePoint Online, Exchange Online, Microsoft Booking, Microsoft Graph API, Microsoft Analytics, Microsoft Planner, Microsoft Stream, Office Delve, Office 365 Groups, Office 365 Video, Sway, Microsoft StaffHub, Microsoft PowerApps, Microsoft Teams, Skype for Business

Microsoft Managed Controls

Article 4 Number 8 of the GDPR defines that an entity that processes data on behalf of another is considered a contract data processor. Therefore Microsoft, with its services Office 365 & Azure, is clearly a contract data processor within the meaning of Article 4 Number 8 of the GDPR.

Because of this there are also topics that Microsoft has to fulfill and that the contracting entity has to check. These topics are aggregated in the “Microsoft Managed Controls” section of Compliance Manager.
The topics in this section are tested and passed by an independent third-party auditor. The details of every topic are available in Compliance Manager, as you can see in this example:

Customer Managed Controls

Not every GDPR article is about IT systems. Because of this, not every article is covered by the Compliance Manager framework. In the section “Customer Managed Controls”, Microsoft offers an audit tool that can be used to organize your GDPR compliance journey for Office 365 & Azure.

Features to organize the GDPR compliance journey

  1. Assign a topic to a responsible person
  2. Upload and manage documents
  3. Track status
  4. Test date
  5. Track test result
  6. Detailed description for each topic
  7. Documentation about your implementation details
  8. Documentation about your test plan & management response

You can use the Compliance Manager framework web UI to work with an auditor, or you can export the results as an Excel file.


The GDPR is structured by the following topics:
  • General provisions (Article 1 - 4)
  • Principles (Article 5 - 11)
  • Rights of the data subject (Article 12 - 23)
  • Controller and processor (Article 24 - 43)
  • Transfers of personal data to third countries or international organisations (Article 44 - 50)
  • Independent supervisory authorities (Article 51 - 59)
  • Cooperation and consistency (Article 60 - 76)
  • Remedies, liability and penalties (Article 77 - 84)
  • Provisions relating to specific processing situations (Article 85 - 91)
  • Delegated acts and implementing acts (Article 92 - 93)
  • Final provisions (Article 94 - 99)
(only the highlighted topics are covered by the Compliance Manager framework)

Microsoft, as a software company, uses a different set of topics:
  • Discover
  • Manage
  • Protect
  • Report
The Compliance Manager framework itself uses yet another structure. The framework is separated into:
  • Office 365 in-Scope Cloud Services (list of covered services)
  • Microsoft Managed Controls (Topics Microsoft has to fulfill)
  • Customer Managed Controls (Topics the customer has to fulfill)

So we need to do a mapping.

The following matrix shows the chapters, the articles and the sub-items covered by the Compliance Manager framework. You can use it in your company-wide GDPR audit to get a clear overview of what is relevant in the context of Office 365 & Azure and what is covered by the Microsoft Compliance Manager framework.
File can be downloaded here -> LINK

Not every article needs to be fulfilled by every company. In detail, it depends on your company structure and on what exactly you do with personal data. Which of these articles apply in a specific individual case must be analyzed in a legally robust manner.
This article and the Excel matrix were created to the best of the author’s knowledge and according to careful research. However, they cannot and do not intend to replace an in-depth legal, process, and technical assessment.

Thursday, 2 November 2017

GDPR/DSGVO Field Guide for Office 365 & Azure

Starting May 25, 2018, the EU General Data Protection Regulation (abbreviated GDPR or DSGVO in German) will take effect, thereby becoming applicable law for all companies, regardless of size.

For the IT manager, this subject quickly becomes too theoretical and, more than anything, contains too much legalese. The data protection officer and the compliance officer are usually a bit overwhelmed when it comes to the GDPR. The company management and the works council put pressure on them and want to know whether the relevant players are well-prepared or not.

This is the usual state of affairs when it comes to the GDPR within the company.

In this white paper, you will learn how to handle the subject with confidence and be well-prepared by the deadline of May 25, 2018.

Download the English version of the white paper for free: LINK

This document was created to the best of the author’s knowledge and according to careful research. However, it cannot and does not intend to replace an in-depth legal, process, and technical assessment. Many thanks to Dr. Michael Rath and the team of Luther lawyers for the preparation and support.

From 25 May 2018, the EU General Data Protection Regulation (abbreviated DSGVO, or GDPR in English) applies and thereby becomes applicable law for all companies, regardless of their size.

For the person responsible for IT, the subject quickly becomes too theoretical and, above all, far too legal. The data protection officer and the compliance officer are usually somewhat overwhelmed when it comes to the GDPR. Management and the works council apply pressure and want to know whether the company is well positioned on the topic.

As a rule, this is the situation found in companies when it comes to the GDPR.
Learn in this white paper how to handle the topic confidently here and now, and how to be optimally prepared for the deadline of 25 May 2018.

Free download of the German version of the white paper: LINK

This document was created to the best of the author’s knowledge and after careful research. However, it cannot and does not intend to replace a well-founded legal, procedural and technical assessment.
Many thanks to Dr. Michael Rath and the team of Luther Rechtsanwälte for their contribution and support.

Interview on the topic at the Microsoft Partner Conference 2017 in Leipzig: