Microsoft commits to GDPR compliance in the cloud by 2018 deadline
Microsoft vows GDPR compliance in all cloud services when enforcement of the new EU data privacy regulation begins in May 2018, but companies still must take action to avoid fines.
With less than 15 months left before companies around the world must comply with the EU's strict new General Data Protection Regulation, Microsoft has promised it will be compliant with GDPR across all cloud services by the deadline in 2018.
Once GDPR enforcement begins in the EU, companies that collect, store or process data related to any EU resident will be required to comply with the new regulation, or they'll face significant penalties. GDPR compliance will be mandatory for companies located anywhere in the world, and the global nature of the cloud means many companies may be unaware of their need to comply.
Brendon Lynch, Microsoft's chief privacy officer, called GDPR "the most significant change to European Union (EU) privacy law in two decades," in a blog post. "Complying with the GDPR will not be easy. To simplify your path to compliance, Microsoft is committing to be GDPR-compliant across our cloud services when enforcement begins on May 25, 2018."
Lynch wrote that Microsoft is committed to principles of cloud trust, including "security, privacy, transparency and compliance."
However, moving operations to Microsoft cloud services will be only part of the solution for companies wishing to attain EU GDPR compliance. "While Microsoft is committed to helping you successfully comply with the GDPR, it is important to recognize that compliance is a shared responsibility," Lynch wrote. GDPR compliance will require companies to take steps to meet the regulation's new requirements, including "greater data access and deletion rules, risk assessment procedures, a data protection officer role for many organizations and data breach notification processes."
"Microsoft is to be commended, not only for its recent announcement on GDPR compliance, but also for providing a pretty good slate of GDPR education and compliance resources for its customers and the U.S. business community at large," Stephen Cobb, senior security researcher at ESET, based in San Diego, told SearchSecurity by email. "Several recent surveys suggest that current awareness of GDPR among U.S.-based organizations is lower than it needs to be at this stage, particularly given the very large increase in fines that GDPR introduces."
"Failure to comply once the deadline is here could result in fines of 20 million euros, or 4% of annual global turnover -- potentially billions of pounds," said Deema Freij, global data privacy officer at enterprise collaboration software maker Intralinks, based in New York. "Microsoft is smart to be proactive on this, and hopefully, they are setting an example for smaller businesses."
Julia White, corporate vice president at Microsoft, spoke at the Cloud Security Alliance Summit last week at RSA Conference 2017 about a number of cloud security issues, including GDPR compliance, which she said was No. 1 on her list of most important issues for this year.
"It is clearly the top conversation I'm having," she said.
White said no matter where she travels -- Europe, Asia, Australia and the U.S. -- GDPR and its effect on security and privacy are top of mind with businesses. But while many see cloud services as a complicating factor for GDPR compliance, White argued the opposite, saying, "The cloud plays such a pivotal role in helping all of us and our customers get to GDPR compliance."
White said cloud services bring privacy handling, data protection and security capabilities together in one place for customers to manage.
"I quickly turn GDPR conversations into cloud conversations," she said, "and it starts to make more and more sense to people on that front."
Microsoft's announcement came the same day it received a second warning letter from the Article 29 Working Party, the EU's top data privacy regulators, over concerns related to Windows 10. The letter noted that Microsoft should simplify the way users choose data-sharing options and clarify what is done with collected data.