Microsoft GDPR Cloud Privacy

The Microsoft company recently announced that it was altering the terms of its commercial cloud contracts after European Union data protection authorities aired privacy concerns. The changes will be put in place globally and will apply to all Microsoft customers regardless of the size of the firm or whether it operates in the public or private sector. The new provisions will be implemented at the start of 2020.

Change for the Good of the Consumer

The EU began reviewing Microsoft’s cloud contracts in the fall. They found many items of concern that led them to believe the software giant might be breaking EU policies. After this discovery, it was decided that Microsoft might be unsuitable as the data processor for EU institutions.

Microsoft announced the changes to its online service terms on its Nov. 18 EU policy blog post. Julie Brill, Microsoft’s VP for Global Privacy and Regulatory Affairs and Chief Privacy Officer, said, “At Microsoft, we listen to our customers and strive to address their questions and feedback, because one of our foundational principles is to help our customers succeed. Today Microsoft is announcing an update to the privacy provisions in the Microsoft Online Services Terms (OST) in our commercial cloud contracts that stems from additional feedback we’ve heard from our customers.”

Brill added that the changes would afford customers greater transparency over data processing in the cloud. She mentioned that the new policies would also reflect changes Microsoft agreed to in consultation with the Dutch government, which involved both contractual and technical changes, after the Dutch authorities voiced concerns earlier this year.

Accepting More Responsibility

The most specific area of change that Microsoft agreed to was to accept more responsibility in handling data for specific administrative purposes. As Brill put it, “In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework…” The specific activities that will be covered include account management, financial reporting, and security against cyberattacks.

In the past, Microsoft has always billed itself as a data processor rather than a data controller, thereby skirting the heaviest regulatory obligations under the EU law. By accepting its new designation as a data controller, Microsoft will now assume full responsibility for the lawfulness, fairness, and security of the data being processed.

In addition to data processing, Microsoft will also be responsible for service security, software updates, and bug fixes. Other changes will include the deployment of new privacy tools, changes to Microsoft’s Office 365 ProPlus program, and increased transparency regarding use of diagnostic data. The new changes follow a general conference of cloud customers convened by the EU and the Dutch authorities earlier in the year on the topic of regulatory risks related to cloud software. The EU’s new General Data Protection Regulation establishes firm rules for data governance along with provisions for audit to maintain compliance.

Adhering to GDPR with Secure Storage

Secure Data offers a way for any business to be GDPR compliant in how they store sensitive data. Our line of hardware encrypted SecureDrives eliminate data leaks and are GDPR compliant. With authorization methods through complex PIN or fingerprints and facial recognition via mobile app, the drives protect against unauthorized access. Call us at 1-800-875-3230 to learn more about how these storage devices can keep your business secure and compliant.