Integrating the Outsourced-DPO and Office 365 for GDPR Compliance: Why GDPR does NOT have to be the New 4-Letter Word

Back to Blog

With just over 6 months remaining before the EU’s General Data Protection Regulation (GDPR) goes into effect, it seems that many organizations are still disastrously behind the curve in their compliance efforts. A study by the technology advisory firm Gartner in mid-2017 predicted that more than 50% of companies affected by the GDPR will not be in full compliance with its requirements by the implementation date. More recently, a survey of almost 900 members of the Britain-based Institute of Directors found that 30%  had not even heard of the regulation.

In early 2017, however, it seemed that GDPR compliance would be a top corporate priority, with a number of companies earmarking $1 million or more for GDPR readiness plans.  Failure to comply with the GDPR will bring significant fines, potential suspension of business operations, and liability for damages to individual data subjects, and executive boards at many companies seemed to have a fairly good grasp of what was at stake.

As the year has progressed, though, market research suggests that compliance efforts have struggled due to the complexity and breadth of the Regulation. An extensive recent poll by Varonis Systems, a cyber-solutions software provider, showed that 52% of organizations face significant challenges in identifying the extent and locations of personal data and Personally Identifiable Information (PII) in their systems. Further, the accountability and reporting requirements of the GDPR have been met with trepidation by many organizations, with much uncertainty as to how to approach data subject access requests, the right to be forgotten, and records of processing activities, among other GDPR requirements. As one might expect, small and medium size businesses face the most significant hurdles toward compliance.

But GDPR does not have to be the new 4-letter word. What many organizations migrating to O365 may not realize is that Microsoft, who invest over a $1B/yr in GDPR, security and compliance, have included functionality in O365 that can go a long way toward assisting organizations in organizing themselves for GDPR compliance.

As data is created, stored and shared, Microsoft’s 365 Security and Compliance Center can help to identify, classify, protect and monitor personal and sensitive data, in line with the GDPR. The functionality for managing both data retention and deletion is also built into this single platform and foundation. Multi-Geo, a particularly well-developed piece of O365 ingenuity, can assist in managing organizational, regional, and local data residency requirements, a must for organizations with a foothold in Europe and (justifiable) concerns regarding cross-border transfer of data and GDPR compliance. Finally, Azure Data Protection can provide a further means for data classification and organization of files in the cloud.  All of these tools are an immense step in the right direction for those wrestling with GDPR requirements.

However, it should be noted that a critical piece of GDPR compliance, even with O365, will be the input, expertise, and support of the Data Protection Officer (DPO), whether brought in-house or out-sourced to service provider.

The DPO can propose, implement and oversee the implementation of applications like O365 for compliance, as well as provide solutions for other GDPR requirements like the Data Protection Impact Assessments of Article 35 through templates, processes, and targeted support.

Moreover, an outsourced DPO, in particular one with expertise in national and European data protection laws and practices, provides an important element for GDPR oversight and a potential cost-saving solution, particularly for US-based organizations that may not have the resources to hire a DPO in-house.

In short, with the right expertise and a smooth transition to O365, most organizations don’t need to consider GDPR the new 4-letter word.

But the new 3-letter word? That should definitely be DPO.

Written by Ryan Costello, Esq., CIPP/EOperations Manager, eTERA Consulting in Europe.  Ryan can be reached at

Share This:

Back to Blog

Leave a Reply

Your email address will not be published. Required fields are marked *