Data Protection Impact Assessment for the GDPR

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. Additional details can be found in the GDPR Summary article. This document guides you to information regarding Data Protection Impact Assessments (DPIAs) under the GDPR when using Microsoft products and services.

For GDPR terminology definitions, see General Data Protection Regulation.

Note

Microsoft isn't providing any legal advice in this document. This document is for informational purposes only. Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIAs related to their use of Microsoft products and services.

What is a DPIA?

The GDPR requires controllers to prepare a Data Protection Impact Assessment (DPIA) for operations that are 'likely to result in a high risk to the rights and freedoms of natural persons.' There's nothing inherent in Microsoft products and services that requires the creation of a DPIA. However, because Microsoft products and services are highly customizable, a DPIA may be needed depending on the details of your Microsoft configuration. Microsoft has no control over, and little or no insight into, such information. You, as a data controller, must determine the appropriate uses of your data.

DPIA in Action

The DPIA guidance applies to Office 365, Microsoft Azure, Microsoft Dynamics 365, and Microsoft Support and Professional Services. That guidance includes consideration of the following questions:

When is a DPIA needed?

Article 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment "[w]here a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons." The article further sets out particular factors that indicate such a high risk. The risk factors listed below should be addressed when considering whether to complete a DPIA. Other potential factors and further details are found in Part 1 of each of the product-specific guidelines.

  • A systematic and extensive evaluation of data based on automated processing.
  • Processing on a large scale of special categories of data (data revealing information uniquely identifying a natural person), or of personal data relating to criminal convictions and offenses.
  • Systematic monitoring of a publicly accessible area on a large scale.

The GDPR clarifies 'The processing of personal data shouldn't be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional, or lawyer. In such cases, a data protection impact assessment shouldn't be mandatory.'

What is required to complete a DPIA?

Article 35(7) of the GDPR mandates that a Data Protection Impact Assessment specifies the purposes of processing and a systematic description of the envisioned processing. A systematic description of a comprehensive DPIA might include factors such as the types of data processed, how long data is retained, where the data is located and transferred, and what third parties may have access to the data. In addition, the DPIA must include:

  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
  • An assessment of the risks to the rights and freedoms of natural persons.
  • The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

The product-specific guidance in Part 2 also addresses the following elements of processing:

  • Purposes of processing
  • Categories of personal data processed
  • Data retention
  • Location and transfers of personal data
  • Data sharing with third-party subprocessors
  • Data sharing with independent third parties
  • Data subject rights

Additional Considerations

Specific details that may be relevant to your Microsoft implementation are below.

  • Office 365: This document applies to Office 365 applications and services, including but not limited to Exchange Online, SharePoint, Viva Engage, Skype for Business, and Power BI. Refer to Tables 1 and 2 for more details.
  • Azure: Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIAs related to their use of Microsoft Azure.
  • Dynamics 365: The contents of a DPIA may vary according to which Dynamics 365 tools you're employing. For specific details refer to Part 2 Contents of a DPIA.
  • Windows: This document applies to the Windows diagnostic data processor configuration. Customers are encouraged to work with their privacy officers and legal counsel to determine the necessity and content of any DPIA related to their use of the Windows diagnostic data processor configuration.
  • Microsoft Support and Professional Services: Professional Services doesn't conduct certain routine or automated data processing, nor is it intended to process special categories or perform tasks that facilitate or require monitoring of publicly accessible data. For details see Part 1 — Determining Whether a DPIA is needed. Controllers must consider the DPIA elements outlined above, along with any other relevant factors, in the context of the controller's specific implementations and uses of Professional Services. For Professional Services information, see Part 2 — Contents of a DPIA.

Learn more