DPIA for Microsoft Services

There is a part of Microsoft you must be familiar with if you are working in the privacy field.
The General Data Protection Regulation (GDPR) introduced new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. This area of the Microsoft site helps you understand the different obligations you need to be aware of.

One of the things I find most lacking in organisations I consult for is a total lack of Data Protection Impact Assessments. There is nothing inherent in Microsoft Office 365 that would necessarily require the creation of a DPIA by a data controller using it. Rather, whether a DPIA is required depends on the details and context of how you, as the data controller, deploy, configure, and use Office 365. This seems to be a very misunderstood area of privacy.

Article 35 of the GDPR requires a data controller to create a Data Protection Impact Assessment ‘where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.’

So, whether a DPIA is required is mostly a question of risk. A DPIA is required where the processing involves a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), and where decisions are based on that evaluation that produce legal effects concerning the natural person or similarly significantly affect the natural person.

There's lots of information around on what a DPIA needs to contain, but Microsoft is a technology and services behemoth, and it's difficult to know where to begin in understanding the scope of Microsoft technology when assessing Microsoft services. Start here: