Preparing for GDPR with Compliance Manager

Microsoft's powerful new tool shows your GDPR status at a glance and helps demonstrate compliance.

With GDPR due to come into force on 25 May 2018, there's a pressing need for many companies to hit the compliance deadline and get their data into shape. But with data spread over many systems, and often in many different areas, achieving this goal isn't always straightforward.

Microsoft is aiming to help with its new Compliance Manager software, a free tool available to anyone with a Microsoft cloud services subscription. This includes Office 365, Azure or Dynamics 365, although the preview currently supports only Office 365. It’s also worth noting that charges may be forthcoming in the future, with Microsoft stating: "as of now Compliance Manager preview version itself will be free for Microsoft 365, Azure, and Dynamics 365 users. We are still assessing the nature of the final licensing and will provide more information when closer to general availability in 2018."

Not a click and forget tool

Before we look at what Compliance Manager can do, it's important to note that GDPR isn't something you can just implement with a tool. Nor is it something that you do once and then forget about. GDPR expects companies to fundamentally change the way they deal with personal information, from the way it's collected and stored, to how it's processed and even deleted.

Becoming GDPR compliant, then, means having a full compliance plan, such as we've covered in our previous blog posts. Once you know what you want to achieve, that's when tools such as Compliance Manager can come into play, helping you enforce and configure the rules that you've set for your business. In short, GDPR compliance is about how you use the tools. The tools themselves can't make you compliant.

Managing compliance

Compliance Manager is waiting for a full release, but you can sign up for the preview program today to start using it. The tool is designed to be used with various compliance programmes, but in its current form, it supports ISO 27001 (an information risk standard) and, most importantly, GDPR.

As a central tool, the main Compliance Manager dashboard is designed to show you your company's current compliance position, including an overall score. It's a clear and simple way to check the position of your Microsoft services. Importantly, when your targets have been hit, the console gives you an evidence-based way of demonstrating your GDPR compliance, which is a key part of the new regulation.

Compliance is split into a set of controls, divided into those that Microsoft is responsible for and those that your business is responsible for. For each control, you have access to in-depth insight and analysis of what's needed for compliance. We'll look at how the split works below.

Microsoft Managed Controls

Microsoft Managed Controls are an aspect of the cloud services where it's Microsoft's responsibility to demonstrate GDPR compliance. In turn, this area lets you prove that you're working with GDPR-compliant third parties.

For each control that Microsoft is responsible for, you can see the details of how it was implemented, how the testing was performed and validated by a third-party tester, and when the testing was performed.

This dashboard not only demonstrates compliance, but also gives your company the tools it needs to show compliance at all levels. However, this part of Compliance Manager is really a small part of a much bigger picture, as it's your own level of compliance and data control that ultimately demonstrates whether you've taken GDPR seriously.

Customer Managed Controls

The second part of Compliance Manager revolves around Customer Managed Controls, which are the ones that you and your organisation are responsible for.

Microsoft has recommended actions for each standard or regulation, with built-in workflow letting you track and manage your company's compliance level. Each control can be delegated to a different person, making assigning and managing the process simpler.

As part of the process, once the necessary actions have been taken to implement a control, proof can be uploaded to the system. This could include a text overview of the changes made, for example, and a screenshot demonstrating the settings used. These items of proof can be verified before the control is signed off.

By following the process through, you can not only ensure that your company is compliant but also generate the documentation you'll require to prove it.

Having a central dashboard to manage and control the steps you take towards GDPR compliance is a smart way to get your Microsoft cloud services in shape for the new regulation.
