Is Microsoft Office 365 GDPR compliant? It’s a question that has been debated for nearly two years by German data protection regulators and Microsoft. As it turns out, the answer may be surprising.
In a report published last week, the Datenschutzkonferenz (DSK), Germany’s data protection supervisory agency, essentially stated that public organisations in Germany cannot currently use Microsoft Office 365 in a lawfully compliant way under the GDPR. Shortly following this announcement, Germany banned the use of Microsoft 365 in schools.
DSK’s Finding: Microsoft Office 365 Isn’t Compliant with GDPR
There are three main reasons why the DSK has reported that Microsoft Office 365 “remains in breach” of GDPR:
- Uncertainties exist where Microsoft acts as a data processor and data controller.
- The report found that “many of the services included in Microsoft 365 require Microsoft to access the unencrypted, non-pseudonymized data.”
- The report brings into question the sovereignty of EU data flowing through Microsoft 365, and whether unencrypted personal information truly remains in the EU at all times. The DSK claims it is “not possible to use Microsoft 365 without transferring personal data to the USA.”
The ambiguity of Microsoft’s practices underscores the DSK’s assessment that Microsoft Office 365 cannot meet GDPR controller obligations.
So, what should EU-based Microsoft users do now?
GDPR Compliance Options for Microsoft Users in the EU
While not stated in law, this ruling will create ripples through the supply chain—from consumers to business partners and suppliers seeking assurance that their data is not being passed to Microsoft, or being stored or transmitted through the United States in such a way that breaches GDPR compliance.
Thus, there are two things organisations must now do as result of the ruling:
- Consider moving off of Microsoft Office 365 to Google Workspace or other cloud collaboration services compliant with GDPR
- Stay on Microsoft Office 365 and investigate end-to-end encryption solutions where sensitive or personally identifiable data is protected from the moment it is created —adding a layer of security to make GDPR compliance possible in Office 365
Affordable, Easy Encryption to Support GDPR Compliance in Microsoft 365
Virtru is a remarkably simple way for Microsoft users to protect access to sensitive data for compliance with GDPR.
Our end-to-end Microsoft encryption and access controls are embedded where users already work (in this case, directly within the Outlook interface), allowing sensitive data to be protected quickly and easily at the point of collection and throughout its lifecycle.
With a seamless web-based recipient experience and many deployments up and running in less than a day, organisations can act fast to protect their data, without disrupting their normal business workflows.
For the strongest data sovereignty and security, you also have the option to host your own encryption keys, which helps ensure that no third party can access your private data.
At a time when there is increasing confusion on what access Microsoft might have to your data, Virtru cuts through the noise to provide clarity and ensures that you, and only you, can always control who can access your organisation’s sensitive information.
Ready to take the next step to strengthen data sovereignty and security? Contact our team to start the conversation.
