Share via


Accountability Readiness Checklist for Microsoft 365

1. Introduction

This accountability readiness checklist provides a convenient way to access information you may need to support the GDPR when using Microsoft Office 365.

You can manage the items in this checklist with Compliance Manager by referencing the Control ID and Control Title under Customer Managed Controls in the GDPR tile.

In addition, items in this checklist under 5. Data Protection & Security provide references to controls listed under Microsoft Managed Controls in the GDPR tile in Compliance Manager. Reviewing the Microsoft Implementation Details for these controls provide additional explanation of Microsoft's approach to fulfilling the customer considerations in the checklist item.

The checklist and Compliance Manager are organized using the titles and reference number (in parentheses for each checklist topic) of a set of privacy and security controls for personal data processors drawn from:

This control structure is also used to organize the presentation of the internal controls that Microsoft Office 365 implements to support GDPR, which you can download from the Service Trust Center.

2. Conditions for collection and processing

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Determine when consent is to be obtained (7.2.3) The customer should understand legal or regulatory requirements for obtaining consent from individuals prior to processing personal data (when it is required, if the type of processing is excluded from the requirement, etc.), including how consent is collected. Office 365 does not provide direct support for gaining user consent. (6)(1)(a), (8)(1), (8)(2)
Identify and document purpose (7.2.1) The customer should document the purpose for which personal data is processed. A description of the processing Microsoft performs for you, and the purposes of that processing, that can be included in your accountability documentation.
- Microsoft Online Services Terms, Data Protection Terms, see Processing of Personal Data; GDPR [1]
(5)(1)(b), (32)(4)
Identify lawful basis (7.2.2) The customer should understand any requirements related to the lawful basis of processing, such as whether consent must first be given. A description of processing personal data by Microsoft services for inclusion in your accountability documentation.
- Key Information from Office 365 for Customer Data Protection Impact Assessments[10]
(5)(1)(a), (6)(1)(a), (6)(1)(b), (6)(1)(c), (6)(1)(d), (6)(1)(e), (6)(1)(f), (6)(3), (6)(4)(a), (6)(4)(b), (6)(4)(c), (6)(4)(d), (6)(4)(e), (8)(3), (9)(1), (9)(2)(b), (9)(2)(c), (9)(2)(d), (9)(2)(e), (9)(2)(f), (9)(2)(g), (9)(2)(h), (9)(2)(i), (9)(2)(j), (9)(3), (9)(4), (10), (17)(3)(a), (17)(3)(b), (17)(3)(c), (17)(3)(d), (17)(3)(e), (18)(2), (22)(2)(a), (22)(2)(b), (22)(2)(c), (22)(4)
Determine when consent is to be obtained (7.2.3) The customer should understand legal or regulatory requirements for obtaining consent from individuals prior to processing personal data (when it is required, if the type of processing is excluded from the requirement, etc.), including how consent is collected. Office 365 does not provide direct support for gaining user consent. (6)(1)(a), (8)(1), (8)(2)
Obtain and record consent (7.2.4) When it is determined to be required, the customer should appropriately obtain consent. The customer should also be aware of any requirements for how a request for consent is presented and collected. Office 365 does not provide direct support for gaining user consent. (7)(1), (7)(2), (9)(2)(a)
Privacy impact assessment (7.2.5) The customer should be aware of requirements for completing privacy impact assessments (when they should be performed, categories of data that might necessitate one, timing of completing the assessment). How Microsoft services determine when to perform a DPIA, and an overview of the DPIA program at Microsoft including the involvement of the DPO, is provided on the Service Trust Portal Data Protection Impact Assessments (DPIAs) page. For support for your DPIAs see:
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(35)
Contracts with PII Processors (7.2.6) The customer should ensure that their contracts with processors include requirements for aiding with any relevant legal or regulatory obligations related to processing and protecting personal data. The Microsoft contracts that require us to aid with your obligations under the GDPR, including support for the data subject's rights.
- Microsoft Online Services Terms, Data Protection Terms, see Processing of Personal Data; GDPR [1]
(5)(2), (28)(3)(e), (28)(9)
Records related to processing PII (7.2.7) The customer should maintain all necessary and required records related to processing personal data (that is, purpose, security measures, etc.). Where some of these records must be provided by a sub-processor, the customer should ensure that they can obtain such records. The tools provided by Microsoft services to help you maintain the records necessary demonstrate compliance and support for accountability under the GDPR.
- Search the audit log in Office 365 Security and Compliance Center [16]
(5)(2), (24)(1), (30)(1)(a), (30)(1)(b), (30)(1)(c), (30)(1)(d), (30)(1)(g), (30)(1)(f), (30)(3), (30)(4), (30)(5)

3. Rights of data subjects

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Determining PII principals' rights and enabling exercise (7.3.1) The customer should understand requirements around the rights of individuals related to the processing of their personal data. These rights may include things such as access, correction, and erasure. Where the customer uses a third-party system, they should determine which (if any) parts of the system provide tools related to enabling individuals to exercise their rights (for example, to access their data). Where the system provides such capabilities, the customer should utilize them as necessary. The capabilities Microsoft provides to help you support data subject rights.
- Office 365 Data Subject Requests for the GDPR [8]
- Microsoft Office 365 ISO/IEC 27001:2013 ISMS Statement of Applicability
[12] see ISO, IEC 27018, 2014 control A.1.1
(12)(2)
Determining information for PII principals (data subjects) (7.3.2) The customer should understand requirements for the types of information about processing of personal data that is to be available to be provided to the individual. This may include things such as:
- Contact details about the controller or its representative;
- information about the processing (purposes, international transfer, and related safeguards, retention period, etc.);
- information on how the principal may access and/or amend their personal data; requesting erasure or restriction of processing; receiving a copy of their personal data, and portability of their personal data
- How and from where the personal data were obtained (if not obtained from the principal directly)
- information about the right to lodge a complaint and to whom;
- information regarding corrections to personal data;
- Notification that the organization is no longer in position to identify the data subject (PII principal), in cases where the processing no longer requires the identification of the data subject;
- Transfers and/or disclosures of personal data;
- existence of automated decision making based solely on automated processing of personal data;
- information regarding the frequency with which information to the data subject is updated and provided (that is, "just in time" notification, organization defined frequency, etc.)

Where the customer uses third-party systems or processors, they should determine which (if any) of this information may need to be provided by them and ensure that they can obtain the required information from the third party.

Information about Microsoft services that you can include in the data you provide to data subjects.
- Office 365 Data Subject Requests for the GDPR [8]
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(11)(2), (13)(1)(a), (13)(1)(b), (13)(1)(c), (13)(1)(d), (13)(1)(e), (13)(1)(f), (13)(2)(c), (13)(2)(d), (13)(2)(e), (13)(3), (13)(4), (14)(1)(a), (14)(1)(b), (14)(1)(c), (14)(1)(d), (14)(1)(e), (14)(1)(f), (14)(2)(b), (14)(2)(e), (14)(2)(f), (14)(3)(a), (14)(3)(b), (14)(3)(c), (14)(4), (14)(5)(a), (14)(5)(b), (14)(5)(c), (14)(5)(d), (15)(1)(a), (15)(1)(b), (15)(1)(c), (15)(1)(d), (15)(1)(e), (15)(1)(f), (15)(1)(g), (15)(1)(h), (15)(2), (18)(3), (21)(4)
Providing information to PII principals (7.3.3) The customer should comply with any requirements around how/when/in what form the required information is to be given to an individual related to the processing of their personal data. In cases where a third party may provide required information, the customer should ensure that it is within the parameters required by the GDPR. Templated information about Microsoft services that you can include in the data you provide to data subjects.
- Office 365 Data Subject Requests for the GDPR [8]
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(11)(2), (12)(1), (12)(7), (13)(3), (21)(4)
Provide mechanism to modify or withdraw consent (7.3.4) The customer should understand requirements for informing users about their right to access, correct, and/or erase their personal data and for providing a mechanism for which them to do so. If a third-party system is used and provides this mechanism as part of its functionality, the customer should utilize that functionality as necessary. Information about capabilities in Microsoft services that you can use when defining the information you provide to data subjects when requesting consent.
- Office 365 Data Subject Requests for the GDPR [8]
(7)(3), (13)(2)(c), (14)(2)(d), (18)(1)(a), (18)(1)(b), (18)(1)(c), (18)(1)(d)
Provide mechanism to object to processing (7.3.5) The customer should understand requirements around rights of data subjects. Where an individual has a right to object to processing, the customer should inform them, and have a way for the individual to register their objection. Information about Microsoft services relating to object to processing that you can include in the data you provide to data subjects.
- Office 365 Data Subject Requests for the GDPR [8] see Step 4: Restrict
(13)(2)(b), (14)(2)(c), (21)(1), (21)(2), (21)(3), (21)(5), (21)(6)
Sharing the exercising of PII principals' rights (7.3.6) The customer should understand requirements for notifying third-parties with whom personal data has been shared of instances of data modification based on the exercise of individual rights (for example, an individual requesting erasure or modification, etc.) Information about capabilities in Microsoft services that allow you to discover personal data that you have shared with third parties.
- Office 365 Data Subject Requests for the GDPR [8]
(19)
Correction or erasure (7.3.7) The customer should understand requirements for informing users about their right to access, correct, and/or erase their personal data and for providing a mechanism for which them to do so. If a third-party system is used and provides this mechanism as part of its functionality, the customer should utilize that functionality as necessary. Templated information about Microsoft services relating to their ability to access, correct, or erase personal data that you can include in the data you provide to data subjects.
- Office 365 Data Subject Requests for the GDPR [8] see Step 5: Delete
(5)(1)(d), (13)(2)(b), (14)(2)(c), (16), (17)(1)(a), (17)(1)(b), (17)(1)(c), (17)(1)(d), (17)(1)(e), (17)(1)(f), (17)(2)
Providing copy of PII processed (7.3.8) The customer should understand requirements around providing a copy of the personal data being processed to the individual. These may include requirements around the format of the copy (that is, that it is machine readable), transferring the copy, etc. Where the customer uses a third-party system that provides the functionality to provide copies, they should utilize this functionality as necessary. Information about capabilities in Microsoft services to allow you to obtain a copy of their personal data that you can include in the data you provide to data subjects.
- Office 365 Data Subject Requests for the GDPR [8] see Step 6: Export
(15)(3), (15)(4), (20)(1), (20)(2), (20)(3), (20)(4)
Request management (7.3.9) The customer should understand requirements for accepting and responding to legitimate requests from individuals related to the processing of their personal data. Where the customer uses a third-party system, they should understand whether that system provides the capabilities for such handling of requests. If so, the customer should utilize such mechanisms to handle requests as necessary. Information about capabilities in Microsoft services that you can use when defining the information you provide to data subjects as you manage data subject requests.
- Office 365 Data Subject Requests for the GDPR [8] customer should understand requirements around automated personal data processing and where decisions are made by such automation. These may include providing information about the processing to an individual, objecting to such processing, or to obtain human intervention. Where such features are provided by a third-party system, the customer should ensure that the third party provides any required information or support.

Information about any capabilities in Microsoft services that might support automated decision making that you can use in your accountability documentation, and templated information for data subjects about those capabilities.
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]

(13)(2)(f), (14)(2)(g), (22)(1), (22)(3)

4. Privacy by design and default

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Limit collection (7.4.1) The customer should understand requirements around limits on collection of personal data (for example, that the collection should be limited to what is needed for the specified purpose). A description of the data collected by Microsoft services.
- Microsoft Online Services Terms, Data Protection Terms, see Processing of Personal Data; GDPR [1]
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(5)(1)(b), (5)(1)(c)
Limit processing (7.4.2) The customer is responsible for limiting the processing of personal data so that it is limited to what is adequate for the identified purpose. A description of the data collected by Microsoft services.
- Microsoft Online Services Terms, Data Protection Terms, see Processing of Personal Data; GDPR [1]
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(25)(2)
Define and document PII minimization and de-identification objectives (7.4.3) The customer should understand requirements around de-identification of personal data that may include, when it should be used, the extent to which it should de-identify, and instances when it cannot be used. Microsoft applies de-identification and pseudonymization internally, where appropriate, to provide additional privacy safeguards for personal data. (5)(1)(c)
Comply with identification levels (7.4.4) The customer should use and comply with de-identification objectives and methods set by their organization. Microsoft applies de-identification and pseudonymization internally, where appropriate, to provide additional privacy safeguards for personal data. (5)(1)(c)
PII de-identification and deletion (7.4.5) The customer should understand requirements around the retention of personal data past its use for the identified purposes. Where provided tooling by the system, the customer should utilize those tools to erase or delete as necessary. Capabilities provided by Microsoft cloud services to support your data retention policies.
- Office 365 Data Subject Requests for the GDPR [8] see Step 5: Delete
(5)(1)(c), (5)(1)(e), (6)(4)(e), (11)(1), (32)(1)(a)
Temporary files (7.4.6) The customer should be aware of temporary files that may be created by the system that could lead to non-compliance with policies around processing of personal data (for example, personal data might be retained in a temporary file longer than required or allowed). Where the system provides such tools for temporary file deletion or checking, the customer should utilize such tools to comply with requirements. A description of capabilities provided by the service to identify personal data to support your temporary file policies.
- Office 365 Data Subject Requests for the GDPR [8] see Step1: Discover
(5)(1)(c)
Retention (7.4.7) The customer should determine how long personal data should be retained, taking into consideration the identified purposes. Information about the retention of personal data by Microsoft services that you can include in documentation provided to data subjects.
- Microsoft Online Services Terms, Data Protection Terms, see Data Security, Retention [1]
(13)(2)(a), (14)(2)(a)
Disposal (7.4.8) The customer should utilize any deletion or disposal mechanisms provided by the system to delete personal data. Capabilities provided by Microsoft cloud services to support your data deletion policies.
-* Office 365 Data Subject Requests for the GDPR* [8] see Step 5: Delete
(5)(1)(f)
Collection procedures (7.4.9) The customer should be aware of requirements around the accuracy of personal data (for example, accuracy upon collection, keeping data up-to-date, etc.) and utilize any mechanisms provided by the system for such. How Microsoft services support the accuracy of personal data, and any capabilities they provide to support your data accuracy policy.
- Office 365 Data Subject Requests for the GDPR [8] see Step 3: Rectify
(5)(1)(d)
Transmission controls (7.4.10) The customer should understand requirements around safeguarding the transmission of personal data, including who has access to transmission mechanisms, records of transmission, etc. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(15)(2), (30)(1)(e), (5)(1)(f)
Identify basis for PII transfer (7.5.1) The customer should be aware of requirements for transferring personal data (PII) to a different geographic location and document what measures are in place to meet such requirements. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
Articles (44), (45), (46), (47), (48), and (49)
Countries and organizations to which PII might be transferred (7.5.2) The customer should understand, and be able to provide to the individual, the countries to which personal data is or may be transferred. Where a third-party/processor may perform this transfer, the customer should obtain this information from the processor. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(30)(1)(e)
Records of transfers of PII (personal data) (7.5.3) The customer should maintain all necessary and required records related to transfers of personal data. Where a third-party/processor performs the transfer, the customer should ensure that they maintain the appropriate records and obtain them as necessary. A description of the types of personal data that are transferred by Microsoft services and the locations they are transferred between, and the legal safeguards for the transfer.
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
(30)(1)(e)
Records of PII disclosure to third parties (7.5.4) The customer should understand requirements around recording to whom personal data has been disclosed. This may include disclosures to law enforcement, etc. Where a third-party/processor discloses the data, the customer should ensure that they maintain the appropriate records and obtain them as necessary. Documentation provided about the categories of recipients of disclosures of personal data including available records of disclosure.
- Who can access your data and on what terms [6]
(30)(1)(d)
Joint controller (7.5.5) The customer should determine whether they are a joint controller with any other organization, and appropriately document and allocate responsibilities. Documentation of Microsoft services that are a controller of personal information, including templated information that can be included in documentation to data subjects.
- Microsoft Online Services Terms, Data Protection Terms, see Processing of Personal Data; GDPR [1]

5. Data protection & security

Category Customer Consideration Supporting Microsoft documentation Addresses GDPR Article(s)
Understanding the organization and its context (5.2.1) Customers should determine their role in processing personal data (for example, controller, processor, co-controller) to identify the appropriate requirements (regulatory, etc.) for processing personal data. How Microsoft considers each service as either a processor or controller when processing personal data.
- Microsoft Online Services Terms, Data Protection Terms, see Processing of Personal Data; GDPR, Processor, and Controller Roles and Responsibilities [1]
(24)(3), (28)(10), (28)(5), (28)(6), (32)(3), (40)(1), (40)(2)(a), (40)(2)(b), (40)(2)(c), (40)(2)(d), (40)(2)(e), (40)(2)(f), (40)(2)(g), (40)(2)(h), (40)(2)(i), (40)(2)(j), (40)(2)(k), (40)(3), (40)(4), (40)(5), (40)(6), (40)(7), (40)(8), (40)(9), (40)(10), (40)(11), (41)(1), (41)(2)(a), (41)(2)(b), (41)(2)(c), (41)(2)(d), (41)(3), (41)(4), (41)(5), (41)(6), (42)(1), (42)(2), (42)(3), (42)(4), (42)(5), (42)(6), (42)(7), (42)(8)
Understanding the needs and expectations of interested parties (5.2.2) Customers should identify parties that may have a role or interest in their processing of personal data (for example, regulators, auditors, data subjects, contracted personal data processors), and be aware of requirements to engage such parties where required. How Microsoft incorporates the views of all stakeholders in consideration of the risks involved in the processing of personal data.
- Key Information from Office 365 for Customer Data Protection Impact Assessments [10]
- Office 365 ISMS Manual [14] see 4.2 UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES
- Understanding the needs and expectations of interested parties 5.2.2 in Compliance Manager
(35)(9), (36)(1), (36)(3)(a), (36)(3)(b), (36)(3)(c), (36)(3)(d), (36)(3)(e), (36)(3)(f), (36)(5)
Determining the scope of the information security management system (5.2.3, 5.2.4) As part of any overall security or privacy program that a customer may have, they should include the processing of personal data and requirements relating to it. How Microsoft services include the processing of personal data in information security management and privacy programs.
- Microsoft Office 365 ISO/IEC 27001:2013 ISMS Statement of Applicability [12] see A.19
- SOC 2 Type 2 Audit Report [11]
- Office 365 ISMS Manual [14] see 4. Context of the Organization
- 5.2.3 Determining the scope of the information security management system in Compliance Manager
- 5.2.4 Information security management system in Compliance Manager
(32)(2)
Planning (5.3) Customers should consider the handling of personal data as part of any risk assessment they complete and apply controls as they deem necessary to mitigate risk related to personal data they control. How Microsoft services consider the risks specific to the processing of personal data as part of their overall security and privacy program.
- Office 365 ISMS Manual [14] see 5.2 Policy
- 5.3 Planning in Compliance Manager
(32)(1)(b), (32)(2)
Information Security Policies (6.2) The customer should augment any existing information security policies to include protection of personal data, including policies necessary for compliance with any applicable legislation. Microsoft policies for information security and any specific measures for the protection of personal information.
- Microsoft Office 365 (All-Up) ISO/IEC 27001:2013 ISMS Statement of Applicability [12] see A.19
- SOC 2 Type 2 Audit Report [11]
- 6.2 Information security policies in Compliance Manager
24(2)
Organization of Information Security Customer consideration (6.3) The customer should, within their organization, define responsibilities for security and protection of personal data. This may include establishing specific roles to oversee privacy-related matters, including a DPO. Appropriate training and management support should be provided to support these roles. An overview of the role of Microsoft's Data Protection Officer, the nature of his duties, reporting structure and contact information.
- Microsoft's Data Protection Officer [18]
- Office 365 ISMS Manual [14] see 5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES, AND AUTHORITIES
- 6.3 Organization of information security in Compliance Manager
(37)(1)(a), (37)(1)(b), (37)(1)(c), (37)(2), (37)(3), (37)(4), (37)(5), (37)(6), (37)(7), (38)(1), (38)(2), (38)(3), (38)(4), (38)(5), (38)(6), (39)(1)(a), (39)(1)(b), (39)(1)(c), (39)(1)(d), (39)(1)(e), (39)(2)
Human Resource Security (6.4) The customer should determine and assign responsibility for providing relevant training related to protecting personal data. An overview of the role of Microsoft's Data Protection Officer, the nature of his duties, reporting structure and contact information.
- Microsoft's Data Protection Officer [18]
- Office 365 ISMS Manual [14] see 5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES, AND AUTHORITIES
- 6.4 Human resources security in Compliance Manager
(39)(1)(b)
Classification of Information (6.5.1) The customer should explicitly consider personal data as part of a data classification scheme. Capabilities in Office 365 to support personal data classification.
- Office 365 Information Protection for GDPR [5] see Architect a classification schema for personal data
- 6.5.1 Classification of Information in Compliance Manager
(39)(1)(b)
Management of removable media (6.5.2) The customer should determine internal policies for the use of removable media as it relates to the protection of personal data (for example, encrypting devices). How Microsoft services protect the security of personal information on any removable media.
- FedRAMP Moderate FedRAMP System Security Plan [3] see 13.10 Media Protection (MP)
- Management of removable media in Compliance Manager
(32)(1)(a), (5)(1)(f)
Physical media transfer (6.5.3) The customer should determine internal policies for protecting personal data when transferring physical media (for example, encryption). How Microsoft services protect personal data during any transfer of physical media.
- FedRAMP Moderate FedRAMP System Security Plan [3] see 13.10 Media Protection (MP)
- 6.5.3 Physical media transfer in Compliance Manager
(32)(1)(a), (5)(1)(f)
User access management (6.6.1) The customer should be aware of which responsibilities they have for access control within the service they are using, and manage those responsibilities appropriately, using the tools available. The tools provided by Microsoft services to help you enforce access control.
- Office 365 Security Documentation [2] see Protect access to data and services in Office 365
- 6.6.1 in Compliance Manager
(5)(1)(f)
User registration and de-registration (6.6.2) The customer should manage user registration and de-registration within the service they utilize, using the tools available to them. The tools provided by Microsoft services to help you enforce access control.
- Office 365 Security Documentation [2] see Protect access to data and services in Office 365
- 6.6.2 User registration and de-registration in Compliance Manager
(5)(1)(f)
User access provisioning (6.6.3) The customer should manage user profiles, especially for authorized access to personal data, within the service they utilize, using the tools available to them. How Microsoft services support formal access control to personal data, including user IDs, roles, access to applications and the registration and de-registration of users.
- Office 365 Security Documentation [2] see Protect access to data and services in Office 365
- Use Tenant Restrictions to manage access to SaaS cloud applications [15]
- User access provisioning in Compliance Manager
(5)(1)(f)
Management of privileged access (6.6.4) The customer should manage user IDs to facilitate tracking of access (especially to personal data), within the service they utilize, using the tools available to them. How Microsoft services support formal access control to personal data, including user IDs, roles, and the registration and de-registration of users.
- Office 365 Security Documentations 2 see Protect access to data and services in Office 365
- Use Tenant Restrictions to manage access to SaaS cloud applications [15]
- 6.6.4 Management of privileged access in Compliance Manager
(5)(1)(f)
Secure log on procedures (6.6.5) The customer should utilize provided mechanisms in the service to ensure secure log on capabilities for their users where necessary. How Microsoft services support internal access control policies related to personal data.
- Who can access your data and on what terms [6]
- 6.6.5 Secure log-on procedures in Compliance Manager
(5)(1)(f)
Cryptography (6.7) The customer should determine which data may need to be encrypted, and whether the service they are utilizing offers this capability. The customer should utilize encryption as needed, using the tools available to them. How Microsoft services support encryption and pseudonymization to reduce the risk of processing personal data.
- FedRAMP Moderate FedRAMP System Security Plans (SSP) see Cosmos pp29
- 6.7 Cryptography in Compliance Manager
(32)(1)(a)
Secure disposal or reuse of equipment (6.8.1) Where the customer uses cloud computing services (PaaS, SaaS, IaaS) they should understand how the cloud provider ensures that personal data is erased from storage space prior to that space being assigned to another customer. How Microsoft services ensure that personal data is erased from storage equipment before that equipment is transferred or reused.
- FedRAMP Moderate FedRAMP System Security Plan [3] see 13.10 Media Protection (MP)
- 6.8.1 Secure disposal or reuse of equipment in Compliance Manager
(5)(1)(f)
Clear desk and clear screen policy (6.8.2) The customer should consider risks around hardcopy material that displays personal data, and potentially restrict the creation of such material. Where the system in use provides the capability to restrict this (for example, settings to prevent printing or copying/pasting of sensitive data), the customer should consider the need to utilize those capabilities. What Microsoft implements to manage hardcopy.
- Microsoft maintains these controls internally, see Microsoft Office 365 ISO/IEC 27001:2013 ISMS Statement of Applicability [12] A.10.2, A.10.7, and A.4.1
- 6.8.2 Clear desk and clear screen policy in Compliance Manager
(5)(1)(f)
Separation of development, testing, and operational environments (6.9.1) The customer should consider the implications of using personal data in development and testing environments within their organization. How Microsoft ensures that personal data is protected in development and test environments.
- Microsoft Office 365 ISO/IEC 27001:2013 ISMS Statement of Applicability [12] see A.12.1.4
- 6.9.1 Separation of development, testing, and operational environments in Compliance Manager
5(1)(f)
Information backup (6.9.2) The customer should ensure that they use system provided capabilities to create redundancies in their data and test as necessary. How Microsoft ensures the availability of data that may include personal data, how accuracy of restored data is ensured, and the tools and procedures Microsoft services provide to allow you to back up and restore data.
- FedRAMP Moderate FedRAMP System Security Plan [3] see 10.9 Availability
- 6.9.2 Information Backup in Compliance Manager
(32)(1)(c), (5)(1)(f)
Event logging (6.9.3) The customer should understand the capabilities for logging provided by the system and utilize such capabilities to ensure that they can log actions related to personal data that they deem necessary. The data Microsoft service records for you, including user activities, exceptions, faults and information security events, and how you can access those logs for use as part of your record keeping.
- Search the audit log in Office 365 Security and Compliance Center [16]
- 6.9.3 Event logging in Compliance Manager
(5)(1)(f)
Protection of log information (6.9.4) The customer should consider requirements for protecting log information that may contain personal data or that may contain records related to personal data processing. Where the system in use provides capabilities to protect logs, the customer should utilize these capabilities where necessary. How Microsoft protects logs that may contain personal data.
- Search the audit log in Office 365 Security and Compliance Center [16]
- 6.9.4 Protection of log information in Compliance Manager
(5)(1)(f)
Information transfer policies and procedures (6.10.1) The customer should have procedures for cases where personal data may be transferred on physical media (such as a hard drive being moved between servers or facilities). These may include logs, authorizations, and tracking. Where a third-party or other processor may be transferring physical media, the customer should ensure that that organization has procedures in place to ensure security of the personal data. How Microsoft services transfer physical media that may contain personal data, including the circumstances when transfer might occur, and the protective measures taken to protect the data.
- FedRAMP Moderate FedRAMP System Security Plan [3] see 13.10 Media Protection (MP)
- 6.10.1 Information transfer policies and procedures in Compliance Manager
(5)(1)(f)
Confidentiality or non-disclosure agreements (6.10.2) The customer should determine the need for confidentiality agreements or the equivalent for individuals with access to or responsibilities related to personal data. How Microsoft services ensure that individuals with authorized access to personal data have committed themselves to confidentiality.
- SOC 2 Type 2 Audit Report [11] see CC1.4 pp33
- Confidentiality or non-disclosure agreements 6.10.2 in Compliance Manager
(5)(1)(f), (28)(3)(b), (38)(5)
Securing application services on public networks (6.11.1) The customer should understand requirements for encryption of personal data, especially when sent over public networks. Where the system provides mechanisms to encrypt data, the customer should utilize those mechanisms where necessary. Descriptions of the measures Microsoft services take to protect data in transit, including encryption of the data, and how Microsoft services protect data that may contain personal data as it passes through public data networks, including any encryption measures.
- Encryption in the Microsoft Cloud [17] see Encryption of customer data in transit
- 6.11.1 Securing application services on public networks in Compliance Manager
(5)(1)(f), (32)(1)(a)
Secure system engineering principles (6.11.2) The customer should understand how systems are designed and engineered to consider protection of personal data. Where a customer uses a system engineered by a third party, it is their responsibility to ensure that such protections have been considered. How Microsoft services include personal data protection principles as a mandatory part of our secure design/engineering principles.
- SOC 2 Type 2 Audit Report [11] see Security Development Lifecycle pp23, CC7.1 pp45
- Secure system engineering principles in Compliance Manager
(25)(1)
Supplier Relationships (6.12) The customer should ensure that any information security and personal data protection requirements and that are the responsibility of a third party are addressed in contractual information or other agreements. The agreements should also address the instructions for processing. How Microsoft services address security and data protection in our agreements with our suppliers and how we ensure those agreements are effectively implemented.
- Who can access your data and on what terms [6]
- Contracts for sub-processors: Contracting with Microsoft [7]
- 6.12 Supplier Relationships in Compliance Manager
(5)(1)(f), (28)(1), (28)(3)(a), (28)(3)(b), (28)(3)(c), (28)(3)(d), (28)(3)(e), (28)(3)(f), (28)(3)(g), (28)(3)(h),(30)(2)(d), (32)(1)(b)
Management of information security incidents and improvements (6.13.1) The customer should have processes for determining when a personal data breach has occurred. How Microsoft services determine if a security incident is a breach of personal data, and how we communicate the breach to you.
- Office 365 and Breach Notification Under the GDPR [9]
- Management of information security incidents and improvements 6.13.1 in Compliance Manager
(33)(2)
Responsibilities and procedures (during information security incidents) (6.13.2) The customer should understand and document their responsibilities during a data breach or security incident involving personal data. Responsibilities may include notifying required parties, communications with processors or other third-parties, and responsibilities within the customer's organization. How to notify Microsoft services if you detect a security incident or breach of personal data
- Office 365 and Breach Notification Under the GDPR [9]
- 6.13.2 Responsibilities and procedures in Compliance Manager
(5)(1)(f), (33)(1), (33)(3)(a), (33)(3)(b), (33)(3)(c), (33)(3)(d), (33)(4), (33)(5), (34)(1), (34)(2), (34)(3)(a), (34)(3)(b), (34)(3)(c), (34)(4)
Response to information security incidents (6.13.3) The customer should have processes for determining when a personal data breach has occurred. Descriptions of the information Microsoft services provide to help you decide if a breach of personal data has occurred.
- Office 365 and Breach Notification Under the GDPR [9]
- 6.13.3 Response to information security incidents in Compliance Manager
(33)(1), (33)(2), (33)(3)(a), (33)(3)(b), (33)(3)(c), (33)(3)(d), (33)(4), (33)(5), (34)(1), (34)(2)
Protection of records (6.15.1) The customer should understand the requirements for records related to personal data processing that need to be maintained. How Microsoft services store records relating to the processing of personal data
- Search the audit log in Office 365 Security and Compliance Center [16]
- Microsoft Office 365 ISO/IEC 27001:2013 ISMS Statement of Applicability [12] see A.18.1.3
- Office 365 ISMS Manual [14], see 9 Performance evaluation
(5)(2), (24)(2)
Independent review of information security (6.15.2) The customer should be aware of requirements for assessments of the security of personal data processing. This may include internal or external audits, or other measures for assessing the security of processing. Where the customer is dependent on another organization of third party for all or part of the processing, they should collect information about such assessments performed by them. How Microsoft services test and assesses the effectiveness of technical and organizational measures to ensure the security of processing, including any audits by third parties.
- Microsoft Online Services Terms, Data Protection Terms, see Data Security, Auditing Compliance [1]
- Office 365 ISMS Manual [14]see 9 Performance evaluation
- 6.15.2 Independent review of information security in Compliance Manager
(32)(1)(d), (32)(2)
Technical compliance review (6.15.3) The customer should understand requirements for testing and evaluating the security of processing personal data. This may include technical tests such as penetration testing. Where the customer uses a third-party system or processor, they should understand what responsibilities they have for securing and testing the security (for example, managing configurations to secure data and then testing those configuration settings). Where the third party is responsible for all or part of the security of processing, the customer should understand what testing or evaluation the third party performs to ensure the security of the processing. How Microsoft services are tested security based on identified risks, including tests by third parties, and the types of technical tests and any available reports from the tests.
- Microsoft Online Services Terms, Data Protection Terms, see Data Security, Auditing Compliance [1]
- For a listing of external certifications, see Microsoft Trust Center Compliance offerings [13]
- For more information about penetration testing your applications, see FedRAMP Moderate FedRAMP System Security Plan (SSP) [3], CA-8 Penetration Testing (M) (H) pp204
- 6.15.3 Technical compliance review in Manager
(32)(1)(d), (32)(2)
ID Description/Link
1 Online Service Terms
2 Office 365 Security Documentation
3 FedRAMP Moderate FedRAMP System Security Plan (SSP)
4 Microsoft Cloud Security Policy
5 Office 365 Information Protection for GDPR
6 Who can access your data and on what terms?
7 Contracts for sub-processors: Contracting with Microsoft
8 365 Data Subject Requests for GDPR
9 Office 365 and Breach Notification Under the GDPR
10 Key Information from Office 365 for Customer Data Protection Impact Assessments
11 SOC 2 Type 2 Audit Report
12 Microsoft Office 365 ISO/IEC 27001:2013 ISMS Statement of Applicability
13 Microsoft Trust Center Compliance offerings
14 Office 365 ISMS Manual
15 Use Tenant Restrictions to manage access to SaaS cloud applications
16 Search the audit log in Office 365 Security and Compliance Center
17 Encryption in the Microsoft Cloud
18 Microsoft's Data Protection Officer

Learn more