Discover: Identify all of your personal data and where it resides
The first step towards GDPR compliance is to assess whether the GDPR applies to your organisation, and, if so, to what extent. This analysis starts with understanding what data you have and where it resides.
Does the GDPR apply to my data?
The GDPR regulates the collection, storage, use and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
If your organisation has such data—in customer databases, in feedback forms filled out by your customers, in email content, in photos, in CCTV footage, in loyalty program records, in HR databases, or anywhere else—or wishes to collect it, and if the data belongs or relates to EU residents, then you need to comply with the GDPR. Note that personal data doesn’t need to be stored in the EU to be subject to the GDPR—the GDPR applies to data collected, processed or stored outside the EU if the data is tied to EU residents.
Building your inventory
To understand whether the GDPR does apply to your organisation and, if it does, what obligations it imposes, it is important to inventory your organisation’s data. This will help you to understand what data is personal and help to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.
Here are examples of specific ways that our cloud and on-premises offerings can help you with the GDPR’s first step.
Azure
As Azure is an open and flexible cloud platform, it includes a service to help make data sources easily discoverable and identifiable. The Microsoft Azure Data Catalog is a fully managed cloud service that serves as a system of registration and a system of discovery for your organisation’s data sources. In other words, Azure Data Catalog is all about helping you discover, understand and use data sources to get more value from your existing data. Once a data source has been registered with Azure Data Catalog, its metadata is indexed by the service so that you can easily search to discover the data you need.
Dynamics 365
Dynamics 365 provides several visibility and auditing capabilities that can be used through the Reporting & Analytics dashboards of Dynamics 365 to identify personal data:
- Dynamics 365 includes a Report Wizard that you can use to easily create reports without using XML or SQL-based queries.
- Dashboards in Dynamics 365 provide an overview of business data—actionable information that’s viewable across your organisation.
- Microsoft Power BI is a self-service business intelligence (BI) platform you can use to discover, analyse and visualise data, and share or collaborate on these insights with colleagues.
Enterprise Mobility + Security (EMS) Suite
- Enterprise Mobility + Security features identity-driven security technologies that help you discover, control and safeguard personal data held by your organisation, as well as reveal potential blind spots and detect when data breaches occur.
- Microsoft Cloud App Security is a comprehensive service that provides deeper visibility, comprehensive controls and improved protection for your data in your cloud applications. You can gain visibility into which cloud apps are in use in your network—identifying over 13,000 apps from all devices—and get risk assessments and ongoing analytics.
- Microsoft Azure Information Protection helps you identify what your sensitive data is and where it resides. You can either query for data marked with a particular sensitivity or intelligently identify sensitive data when a file or email is created. Once identified, you can automatically classify and label the data—all based on the company’s desired policy.
Office 365
There are several specific Office 365 solutions that can help you identify or manage access to personal data:
- Data Loss Prevention (DLP) in Office and Office 365 can identify over 80 common sensitive data types including financial, medical, and personally identifiable information.
- Content search in the Office 365 Security & Compliance Center can search across mailboxes, public folders, Office 365 Groups, Microsoft Teams, SharePoint Online sites, OneDrive for Business locations and Skype for Business conversations.
- Office 365 eDiscovery search can be used to find text and metadata in content across your Office 365 assets—SharePoint Online, OneDrive for Business, Skype for Business Online and Exchange Online.
- Office 365 Advanced eDiscovery, powered by machine learning technologies, can help you identify documents that are relevant to a particular subject (for example, a compliance investigation) quickly and with better precision than traditional keyword searches or manual reviews of vast quantities of documents. Advanced eDiscovery can significantly reduce cost and effort to identify relevant documents and data relationships by using machine learning to train the system to intelligently explore large datasets and quickly zero in on what’s relevant—reducing the data prior to review.
- Advanced Data Governance uses intelligence and machine-assisted insights to help you find, classify, set policies on, and take action to manage the lifecycle of the data that is most important to your organisation.
SharePoint
You can utilise the SharePoint Search Service, and search functionality within the application, to trace personal data. To identify and search for sensitive content, SharePoint Server 2016 provides the same data loss prevention capabilities as Office 365.
SQL Server and Azure SQL Database
The SQL language can be used to query databases and to customise tools or services that may help enable this requirement. Search is fully supported through queries, although full trace logging should be done at the application level. The Script task provides code to perform custom functions, such as complex data queries that are not available in the built-in tasks and transformations that SQL Server Integration Services provides. The Script task can also combine functions in one script instead of using multiple tasks and transformations. This product suite also includes powerful business intelligence functionality providing end-user access to data insights.
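As an added illustration of using SQL queries for the inventory step (this is not code from the original page or from Microsoft), the following T-SQL lists columns in the current database whose names suggest personal data, with an approximate row count per table. The category labels and name patterns are assumptions constructed for this example.

```sql
-- Added example (T-SQL): list columns whose names suggest personal data.
-- The categories and name patterns are constructed assumptions; adapt them
-- to your own naming conventions before relying on the result.
DECLARE @patterns TABLE (category nvarchar(40), name_pattern nvarchar(100));

INSERT INTO @patterns (category, name_pattern) VALUES
    (N'Contact',   N'%email%'),
    (N'Contact',   N'%phone%'),
    (N'Contact',   N'%address%'),
    (N'Identity',  N'%first%name%'),
    (N'Identity',  N'%last%name%'),
    (N'Identity',  N'%surname%'),
    (N'Identity',  N'%birth%'),
    (N'Identity',  N'%passport%'),
    (N'Financial', N'%iban%'),
    (N'Financial', N'%card%');

SELECT DISTINCT
    c.TABLE_SCHEMA,
    c.TABLE_NAME,
    c.COLUMN_NAME,
    c.DATA_TYPE,
    p.category,
    -- Approximate row count from the heap (0) or clustered index (1),
    -- used only to prioritise which tables to review first.
    (SELECT SUM(ps.rows)
       FROM sys.partitions AS ps
      WHERE ps.object_id = OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME))
        AND ps.index_id IN (0, 1)) AS approx_rows
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA
 AND t.TABLE_NAME   = c.TABLE_NAME
 AND t.TABLE_TYPE   = 'BASE TABLE'             -- skip views
JOIN @patterns AS p
  ON LOWER(c.COLUMN_NAME) LIKE p.name_pattern  -- LOWER() for case-sensitive collations
ORDER BY p.category, c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME;
```

Name matching only surfaces candidates: free-text columns and columns with uninformative names still need their contents reviewed before they can be ruled in or out of the inventory.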
Windows and Windows Server
To find data within Windows, you can utilise Windows Search to trace and locate personal data on your local machine and any connected devices that you have adequate permissions to access. To enhance the capabilities of Windows Search to locate the target data, you can configure Indexing Options in the Control Panel to customise the capabilities of Windows Search (for example, indexing file contents).