What are the GDPR requirements and what are my responsibilities as a controller?
As a controller, you are required under the GDPR to:
- Provide data subjects with a copy of their personal data, together with an explanation of the categories of their data that are being processed, the purposes of that processing, and the categories of third parties to whom their data may be disclosed.
- Help each individual exercise their right to correct inaccurate personal data, erase data or restrict its processing, receive their own data in a readable form and, where applicable, have the data transmitted to another controller.
What are the GDPR requirements and what are Microsoft’s responsibilities as a processor?
Microsoft must provide you with the necessary technical and organizational means to enable you to adequately respond to requests from data subjects exercising their rights described above.
Where can I find information related to GDPR for on-premises servers?
A number of articles on the GDPR can be found here. Created by Microsoft, they provide recommended on-premises workload approaches for SharePoint Server, Exchange Server, Project Server, Office Web Apps Server, Office Online Server, and on-premises file shares.
What means does Microsoft give you to respond to requests from data subjects?
Online Services offer a wide range of features that you, as a controller, can use to respond to requests from data subjects. Microsoft enterprise online services and admin controls help you act on data subject requests to locate, access, correct, restrict, delete and export personal data held in controller-managed data stored in Microsoft’s cloud. Online Services also provide the data in a machine-readable form where required.
Under the GDPR, data controllers are required to prepare a Data Protection Impact Assessment (DPIA) for processing that is “likely to result in a high risk to the rights and freedoms of individuals”. Microsoft products and services do not in themselves require a privacy impact assessment; whether one is needed depends on the details of your Microsoft configuration. See Contents of a privacy impact assessment for a list of the details that need to be considered in Office.
When should you conduct a data protection impact assessment?
Controllers are required to carry out a data protection impact assessment addressing risks to the security of personal data or in response to a data breach. Specific examples of risk factors in Office are discussed in Is a privacy impact assessment necessary?
What is required to conduct a data protection impact assessment?
The GDPR stipulates that a data protection impact assessment includes:
- An assessment of the necessity and proportionality of the data processing in relation to the purpose of the data protection impact assessment.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and compliance with the GDPR.
What are my responsibilities as a controller?
The GDPR requires that you, as a data controller, carry out a data protection impact assessment before processing data that is likely to pose a high risk to the rights and freedoms of individuals. This applies in particular when new technologies are used in data processing. Below you will find a non-exhaustive list of cases in which a data protection impact assessment must be carried out, based on the GDPR:
- Automated processing for profiling and similar activities that produce legal effects or similarly significantly affect data subjects;
- Large-scale processing of special categories of personal data, i.e. data revealing ethnic origin, political opinions or similar, or data on criminal convictions and offences;
- Systematic surveillance of a publicly accessible area.
The GDPR also states that the supervisory authority must be consulted where data processing operations would result in a high risk for data subjects that you cannot mitigate through appropriate measures.