This chapter covers GDPR and data privacy on Azure, a critical topic for the DP-900 exam. Understanding how Azure services help organizations comply with the General Data Protection Regulation (GDPR) is essential because data privacy is a core responsibility of data professionals. Approximately 10-15% of exam questions touch on data privacy, compliance, and governance concepts, including GDPR, data residency, and data subject rights. This chapter will provide the foundational knowledge needed to answer those questions correctly.
Imagine a multinational company with offices in the EU and globally that must comply with GDPR. Every employee's personal data (name, salary, health info) is stored in a central filing room, but not all filing cabinets are equal. The EU office has strict rules: any data about EU employees must stay in EU-labeled cabinets, and any access must be logged with the reason (e.g., 'payroll processing'). If the US office needs to process salaries of EU employees, they cannot simply walk over and open the EU cabinet. Instead, they must submit a formal request that specifies the purpose, the specific data fields needed, and the retention period. The EU data protection officer reviews the request, ensures it meets the 'legitimate interest' or 'consent' basis, and then creates a temporary copy of only the necessary data in a locked US cabinet that automatically shreds after 30 days. Every access to that temporary copy is logged, and the logs are sent back to the EU officer monthly. If a data subject requests deletion, the EU officer must ensure all copies, including the temporary US one, are erased. This system mirrors Azure's data residency, access controls, logging, and data subject request handling under GDPR.
What is GDPR and Why Does It Matter on Azure?
The General Data Protection Regulation (GDPR) is a comprehensive data privacy regulation enacted by the European Union (EU) that came into effect on May 25, 2018. It governs the processing of personal data of individuals within the EU, regardless of where the data is processed. Personal data is any information relating to an identified or identifiable natural person, such as name, ID number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity. GDPR imposes obligations on data controllers (organizations that determine the purposes and means of processing) and data processors (organizations that process data on behalf of controllers). Microsoft Azure is often a data processor, and Microsoft provides contractual commitments and technical capabilities to help customers comply.
Key GDPR Principles
Lawfulness, fairness, and transparency: Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes.
Data minimization: Only data necessary for the purpose should be collected.
Accuracy: Data must be accurate and kept up to date.
Storage limitation: Data must be kept no longer than necessary.
Integrity and confidentiality: Data must be processed securely.
Accountability: The controller is responsible for demonstrating compliance.
Data Subject Rights
GDPR grants individuals several rights, including:
Right to be informed
Right of access
Right to rectification
Right to erasure ('right to be forgotten')
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision-making and profiling
Azure provides tools to help fulfill these rights, such as Azure Active Directory for identity management, Azure Purview for data discovery, and Azure Policy for governance.
Data Residency and Azure Regions
GDPR does not mandate data stay within EU borders, but it restricts transfers of personal data outside the EU unless adequate safeguards are in place. Azure offers data residency in specific regions (e.g., North Europe, West Europe, France Central) so that customers can choose to store data at rest within the EU. However, data may still be transferred for processing (e.g., support) under Microsoft's contractual commitments (Standard Contractual Clauses or SCCs). Azure provides tools like Azure Policy to enforce data residency by restricting resource creation to specific regions.
Azure Compliance Offerings
Microsoft provides a comprehensive set of compliance offerings for GDPR:
Microsoft Privacy Statement: Explains how Microsoft processes personal data.
Online Services Terms (OST): Contractual commitments for data processing.
Data Protection Addendum (DPA): Additional terms for GDPR compliance.
Trust Center: Central repository of compliance documentation.
Service Trust Portal (STP): Audit reports, compliance guides, and data protection resources.
Compliance Manager: Dashboard to assess compliance posture and track actions.
Azure Services for GDPR Compliance
#### Azure Policy
Azure Policy can enforce rules on resource creation and configuration. For example, you can create a policy that restricts virtual machine creation to only EU regions, ensuring data residency. You can also audit settings like encryption at rest or logging.
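As an added example (not code from the page or from Microsoft), the script below builds the region-restriction rule described here and in the data residency section, evaluates a requested location against it locally, and shows the Azure CLI calls that would create and assign it. The region list, the policy name and the assignment scope are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): build the Azure Policy
# rule that denies resource creation outside a chosen list of EU regions,
# evaluate a requested location against it locally, and deploy it with the CLI.
# Region names, the policy name and the scope are placeholders.

# Emit the policy rule JSON. Arguments: one or more allowed Azure location names.
# "global" is exempted, as the built-in Allowed locations policy does, because
# tenant-wide resources such as DNS zones carry no regional location.
allowed_locations_rule() {
  rule_list=""
  for loc in "$@"; do
    if [ -z "$rule_list" ]; then rule_list="\"$loc\""; else rule_list="$rule_list, \"$loc\""; fi
  done
  cat <<EOF
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": [ $rule_list ] },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

# The same decision the rule makes, taken locally: returns 0 when a deployment
# to location $1 would be allowed, 1 when the policy would deny it.
# Azure Policy string conditions are case-insensitive, so normalise first.
location_allowed() {
  requested=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
  [ "$requested" = "global" ] && return 0
  for loc in "$@"; do
    [ "$requested" = "$(printf '%s' "$loc" | tr '[:upper:]' '[:lower:]')" ] && return 0
  done
  return 1
}

# Create the definition and assign it at the given scope, e.g.
# /subscriptions/<subscription-id>. Not executed here; requires `az login`.
deploy_allowed_locations_policy() {
  scope=$1; shift
  allowed_locations_rule "$@" > allowed-locations.rules.json
  az policy definition create \
    --name "gdpr-allowed-locations" \
    --display-name "GDPR: restrict resources to EU regions" \
    --mode Indexed \
    --rules allowed-locations.rules.json
  az policy assignment create \
    --name "gdpr-allowed-locations" \
    --policy "gdpr-allowed-locations" \
    --scope "$scope"
}

allowed_locations_rule westeurope northeurope francecentral
```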
#### Azure Blueprints
Blueprints allow you to deploy a set of Azure resources that adhere to organizational standards. A GDPR blueprint could include policies, role assignments, and resource groups that enforce data residency, access controls, and auditing.
#### Azure Active Directory (Azure AD)
Azure AD provides identity and access management for users and applications. It supports multi-factor authentication, conditional access policies, and identity protection to secure access to personal data.
#### Azure Information Protection (AIP)
AIP helps classify and label documents and emails based on sensitivity. Labels can enforce encryption, visual markings, and access restrictions, helping to protect personal data.
#### Azure Purview
Azure Purview is a unified data governance service that helps discover, classify, and manage data across on-premises, multi-cloud, and SaaS environments. It can scan data sources and automatically classify personal data, enabling data subject requests (e.g., find all data about a specific individual).
#### Azure Monitor and Azure Log Analytics
These services collect and analyze logs from Azure resources. They can be used to audit access to personal data, detect anomalies, and generate reports for compliance.
#### Azure Key Vault
Key Vault stores encryption keys and secrets. It can be used to encrypt personal data at rest, ensuring that even if data is accessed, it remains unreadable.
How Azure Handles Data Subject Requests
Azure provides tools to help controllers respond to data subject requests (DSRs). The process typically involves:
Discovery: Use Azure Purview or Azure Resource Graph to find personal data across subscriptions.
Access: Use Azure AD to verify the identity of the data subject.
Extraction: Export data from services like Azure SQL Database, Cosmos DB, or Blob Storage.
Redaction: Remove or anonymize personal data if necessary.
Deletion: Delete personal data from all systems, including backups and logs, using Azure Policy and manual processes.
Reporting: Document the actions taken for compliance.
Encryption and GDPR
Encryption is a key technical control for GDPR compliance. Azure offers:
Encryption at rest: Azure Storage Service Encryption (SSE) encrypts data at rest using AES-256. You can use Microsoft-managed keys or customer-managed keys in Azure Key Vault.
Encryption in transit: Azure uses TLS for data in transit between Azure services and clients.
Azure Disk Encryption: Encrypts virtual machine disks using BitLocker for Windows and DM-Crypt for Linux.
Transparent Data Encryption (TDE): Encrypts SQL Server databases at rest.
Breach Notification
Under GDPR, controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Azure provides tools like Azure Security Center and Azure Sentinel to detect and respond to breaches. Microsoft also commits to notifying customers of any breach within 72 hours under the DPA.
Important Defaults and Values
72 hours: Breach notification deadline.
30 days: Default retention for Azure AD audit logs (can be extended with Azure Sentinel).
90 days: Default retention for Azure Activity Logs.
AES-256: Encryption algorithm used by Azure SSE.
TLS 1.2: Minimum version for Azure services (some services still support TLS 1.0/1.1, but Microsoft is deprecating them).
Common Misconfigurations
Storing data in a region outside the EU without proper safeguards (e.g., using a US region by default).
Not enabling encryption at rest or in transit.
Not implementing access controls, leading to unauthorized access.
Not configuring logging or monitoring, making it impossible to detect breaches.
Not having a process for data subject requests, leading to non-compliance.
Verification Commands
You can use Azure CLI or PowerShell to verify compliance settings:

```bash
# List all resources in a specific region
az resource list --location westeurope --query "[].id"
# Check encryption on a storage account
az storage account show --name mystorageaccount --query "encryption"
# List Azure Policy assignments
az policy assignment list
# Check diagnostic settings for a resource
az monitor diagnostic-settings list --resource /subscriptions/.../resourceGroups/.../providers/...
```

```powershell
# Get Azure AD audit logs
Get-AzureADAuditDirectoryLogs -Top 10
# Enable Azure Disk Encryption
Set-AzVMDiskEncryptionExtension -ResourceGroupName "myRG" -VMName "myVM" -DiskEncryptionKeyVaultUrl "..." -DiskEncryptionKeyVaultId "..."
```
Interaction with Other Technologies
GDPR compliance touches many Azure services. For example, Azure Policy can enforce data residency, Azure AD controls access, Azure Monitor logs access, and Azure Key Vault stores encryption keys. Azure Purview provides a unified view of data across these services. Understanding how these interact is crucial for exam questions.
Identify Personal Data with Purview
Use Azure Purview to scan data sources across your Azure environment. Purview connects to Azure SQL Database, Azure Blob Storage, Azure Data Lake, and more. It uses built-in classifiers to detect personal data types like email addresses, phone numbers, and national IDs. The scan produces a data catalog showing where personal data resides. This step is critical for fulfilling the right of access and right to erasure. Purview also supports custom classifiers for organization-specific data. The scan frequency can be set to daily or weekly to keep the catalog up to date. After scanning, you can search for a specific data subject's data using the Purview search feature.
Control Access with Azure AD
Azure AD manages user identities and access to resources. Implement least privilege by assigning roles like 'Reader' or 'Contributor' only to those who need them. Use Conditional Access policies to require multi-factor authentication for sensitive data access. For example, a policy can block access from untrusted IP addresses or require compliant devices. Azure AD also supports Privileged Identity Management (PIM) to grant time-bound access. Audit logs track who accessed what and when. These logs are essential for demonstrating compliance with GDPR's accountability principle. Azure AD audit logs are retained for 30 days by default, but you can stream them to Azure Monitor or Azure Sentinel for longer retention.
Encrypt Data at Rest and in Transit
Enable encryption at rest using Azure Storage Service Encryption (SSE) on all storage accounts. SSE encrypts data automatically with AES-256 before writing to disk. You can use Microsoft-managed keys or customer-managed keys stored in Azure Key Vault. For databases, enable Transparent Data Encryption (TDE). For data in transit, enforce HTTPS and TLS 1.2 on all endpoints. You can configure Azure CDN and Application Gateway to enforce TLS. For virtual machines, enable Azure Disk Encryption using BitLocker or DM-Crypt. Encryption ensures that even if data is breached, it remains unreadable, mitigating the impact of a breach.
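To make these checks concrete, here is an added example (not from the page or from Microsoft) that reads `az storage account show` output and flags the settings this page calls out: a region outside the allowed list, HTTPS not enforced, a TLS minimum below 1.2, and blob encryption at rest disabled. It goes one step further and also flags `allowBlobPublicAccess`, which the section does not mention. Both JSON documents are constructed samples trimmed to the fields the check reads.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): check `az storage account
# show` output for the settings discussed above: allowed (EU) location, HTTPS
# only, TLS 1.2 minimum, no anonymous blob access, blob encryption at rest.
# Both JSON documents are constructed samples trimmed to the fields read here.

SAMPLE_COMPLIANT='{
  "name": "eushopdata001",
  "location": "westeurope",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "allowBlobPublicAccess": false,
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "services": {
      "blob": {
        "enabled": true
      }
    }
  }
}'

SAMPLE_NONCOMPLIANT='{
  "name": "legacyexports",
  "location": "eastus",
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "encryption": {
    "keySource": "Microsoft.Storage",
    "services": {
      "blob": {
        "enabled": true
      }
    }
  }
}'

# First scalar value (string, bool or number) for key "$2" in JSON text "$1".
# az prints one key per line, which is all this sed pattern relies on.
json_value() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}[[:space:]]*\$/\1/p" |
    head -n 1
}

# Record one finding against the account currently being checked.
finding() { echo "$acct_name: $1"; findings=$((findings + 1)); }

# Print one line per finding and return the number of findings (0 = compliant).
# $1 = account JSON, remaining arguments = allowed locations.
check_storage_account() {
  acct_json=$1; shift
  acct_name=$(json_value "$acct_json" name)
  acct_loc=$(json_value "$acct_json" location)
  findings=0
  loc_ok=1
  for loc in "$@"; do
    [ "$acct_loc" = "$loc" ] && loc_ok=0
  done
  [ "$loc_ok" -eq 0 ] || finding "location '$acct_loc' is not an allowed region"
  [ "$(json_value "$acct_json" enableHttpsTrafficOnly)" = "true" ] ||
    finding "HTTPS-only traffic is not enforced"
  case "$(json_value "$acct_json" minimumTlsVersion)" in
    TLS1_0|TLS1_1|"") finding "minimum TLS version is below TLS1_2" ;;
  esac
  [ "$(json_value "$acct_json" allowBlobPublicAccess)" != "true" ] ||
    finding "anonymous public blob access is allowed"
  # Blob service settings are nested, so isolate that object before reading it.
  blob_block=$(printf '%s\n' "$acct_json" | sed -n '/"blob": {/,/}/p')
  [ "$(json_value "$blob_block" enabled)" = "true" ] ||
    finding "blob encryption at rest is not enabled"
  return "$findings"
}

# Live use: check_storage_account "$(az storage account show -n ACCT -g RG)" westeurope northeurope
check_storage_account "$SAMPLE_COMPLIANT" westeurope northeurope || echo "$? finding(s)"
check_storage_account "$SAMPLE_NONCOMPLIANT" westeurope northeurope || echo "$? finding(s)"
```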
Implement Data Retention Policies
Set retention policies for data to comply with the storage limitation principle. Use Azure Blob Storage lifecycle management to automatically delete blobs after a specified period (e.g., 90 days). For Azure SQL Database, use retention policies on backups. For logs, configure retention in Azure Monitor (configurable from 30 to 730 days). Azure Policy can enforce retention by auditing settings. For example, a policy can require that all storage accounts have a lifecycle management rule. Data subject requests for erasure must ensure data is deleted from all copies, including backups. Therefore, you may need to implement 'soft delete' or 'immutable storage' carefully so that deletion remains possible.
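The lifecycle rule described above, as an added example that is not code from the page or from Microsoft: it generates the Blob Storage lifecycle management policy document, rejects invalid day counts, and shows how blob soft delete extends the time personal data actually persists after the rule fires. The account name, resource group and blob prefix are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): generate a Blob Storage
# lifecycle management policy that deletes blobs a fixed number of days after
# their last modification, validate the input, and account for blob soft delete
# when estimating how long personal data actually persists.
# Account name, resource group and blob prefix are placeholders.

# Emit the lifecycle policy document. $1 = days after last modification,
# $2 = "container/prefix" the rule applies to. Non-numeric or zero days is rejected.
lifecycle_policy() {
  days=$1; prefix=$2
  case "$days" in
    ''|*[!0-9]*|0) echo "days must be a positive integer, got '$days'" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "rules": [
    {
      "enabled": true,
      "name": "deleteAfter${days}Days",
      "type": "Lifecycle",
      "definition": {
        "actions": {
          "baseBlob": { "delete": { "daysAfterModificationGreaterThan": $days } }
        },
        "filters": {
          "blobTypes": [ "blockBlob" ],
          "prefixMatch": [ "$prefix" ]
        }
      }
    }
  ]
}
EOF
}

# When blob soft delete is enabled on the account, a lifecycle delete only
# soft-deletes the blob, and the soft-delete retention window starts afterwards.
# $1 = lifecycle days, $2 = soft-delete retention days; prints the worst-case
# number of days the data still exists. Erasure requests must purge explicitly
# or be tracked against this figure, not against the lifecycle rule alone.
worst_case_retention_days() {
  echo $(( $1 + $2 ))
}

# Write the policy and apply it to a storage account (not executed here).
# $1 = account name, $2 = resource group, $3 = days, $4 = container/prefix.
apply_lifecycle_policy() {
  lifecycle_policy "$3" "$4" > lifecycle.json || return 1
  az storage account management-policy create \
    --account-name "$1" --resource-group "$2" --policy @lifecycle.json
}

lifecycle_policy 90 "customer-exports/"
echo "worst case with 14-day soft delete: $(worst_case_retention_days 90 14) days"
```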
Monitor and Audit with Azure Monitor
Enable diagnostic settings on all resources to send logs to Azure Monitor Log Analytics workspace. Monitor for suspicious activities like unauthorized access attempts or data exports. Use Azure Sentinel to create alerts for potential breaches. For example, an alert can trigger if a user downloads a large volume of data from a storage account. Azure Monitor also provides activity logs for control plane operations (e.g., creating a resource). These logs are retained for 90 days. For longer retention, export to Azure Storage or Event Hubs. Audit logs are crucial for breach detection and notification within 72 hours.
Respond to Data Subject Requests
When a data subject requests access, rectification, or erasure, use Azure tools to locate and act on their data. Use Azure Purview to find all data related to the individual. Then, use Azure Resource Graph to query resources. For erasure, delete the data from the source, then run scripts to delete from backups and logs. For portability, export data in a structured format like CSV or JSON using Azure Data Factory or manual queries. Document every step for compliance. Azure provides sample scripts for DSRs. After completing the request, confirm to the data subject within the one-month deadline (GDPR Article 12).
Enterprise Scenario 1: EU Retailer Migrating to Azure
A large retailer with stores across Europe decides to migrate its customer database to Azure. The database contains names, addresses, purchase history, and payment information. The company must comply with GDPR. The solution architect chooses Azure SQL Database with TDE enabled and uses customer-managed keys in Azure Key Vault. They set up Azure Policy to restrict all resource creation to West Europe and North Europe regions. They configure Azure AD for employee access with MFA and conditional access policies. For monitoring, they enable diagnostic settings on the SQL database and send logs to Azure Monitor. They also set up Azure Purview to scan the database and classify personal data. The company creates a process for handling data subject requests: when a customer requests deletion, the support team uses Purview to locate the data, then runs a stored procedure to delete the record from the SQL database and its backups. They also delete any logs that contain the data (with a retention policy of 30 days). The company passes a GDPR audit by providing evidence of encryption, access controls, and data subject request handling.
Enterprise Scenario 2: Healthcare Provider Using Azure Health Data Services
A healthcare provider in Germany uses Azure Health Data Services to store patient records. The data includes sensitive health information (special category data under GDPR). They must ensure data residency in Germany. They deploy Azure services in Germany Central region. They use Azure Policy to enforce encryption at rest and in transit. They use Azure AD with role-based access control (RBAC) to restrict access to patient data to only authorized clinicians. They enable audit logging on all data operations. They also use Azure Information Protection to classify documents containing patient data. For breach detection, they use Azure Sentinel with a custom analytic rule that triggers when an abnormal number of records are accessed. The provider also uses Azure Key Vault to store encryption keys. They conduct regular penetration tests and review compliance reports from Microsoft's Service Trust Portal.
Common Pitfalls in Production
Data Residency Oversight: Many organizations inadvertently store data in non-EU regions because default region settings are not changed. Azure Policy can enforce region restrictions, but it must be configured early.
Incomplete Encryption: Some services like Azure Cache for Redis or Azure Cosmos DB may not have encryption enabled by default. Always verify encryption settings.
Log Retention Gaps: Default log retention is often too short for compliance needs. Extend retention or export logs to Azure Storage for long-term storage.
DSR Process Not Automated: Manual processes for data subject requests are error-prone and slow. Use Azure Purview and automation scripts to streamline.
What DP-900 Tests on GDPR and Data Privacy
The DP-900 exam objective 1.1 includes 'describe core data concepts' and specifically mentions 'data privacy and compliance' with GDPR. The exam expects you to know:
The purpose of GDPR and its key principles (especially data minimization, storage limitation, and accountability).
Data subject rights (right to be forgotten, right to access, right to portability).
The role of Azure services like Azure Policy, Azure Purview, and Azure AD in GDPR compliance.
The difference between data controller and data processor.
The concept of data residency and how Azure regions help comply.
Encryption at rest and in transit as technical controls.
Breach notification requirements (72 hours).
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: 'GDPR requires all data to be stored only in the EU.' - Why chosen: Candidates confuse data residency with data sovereignty. GDPR does not prohibit transfers; it restricts transfers without safeguards. Data can be stored outside EU if adequate protections (like SCCs) are in place.
2. Wrong: 'Azure Policy automatically encrypts all data.' - Why chosen: Candidates think Azure Policy is a security tool. Actually, Azure Policy is for governance (enforcing rules like 'must have encryption'), but it does not automatically encrypt data. Encryption must be configured separately.
3. Wrong: 'Microsoft is always the data controller for customer data.' - Why chosen: Candidates assume Microsoft controls data. In fact, Microsoft is the data processor; the customer is the data controller. Microsoft processes data according to customer instructions.
4. Wrong: 'Data subject requests must be fulfilled within 72 hours.' - Why chosen: The 72-hour deadline is for breach notification, not DSRs. DSRs must be fulfilled without undue delay and in any case within one month (Article 12).
Specific Numbers and Terms That Appear on the Exam
72 hours: Breach notification deadline.
One month: Deadline for responding to data subject requests (can be extended by two months for complex requests).
AES-256: Encryption algorithm used by Azure SSE.
TLS 1.2: Minimum recommended TLS version.
Data controller vs. data processor: Know the distinction.
Azure Purview: For data discovery and classification.
Azure Policy: For enforcing compliance rules.
Azure AD: For identity and access management.
Azure Information Protection: For classification and labeling.
Edge Cases and Exceptions
Backups: Data subject erasure requests must also cover backups. Azure offers soft delete for blobs, which may need to be purged.
Logs: Logs containing personal data may be subject to retention requirements. GDPR allows processing for archiving purposes in the public interest, but you must justify retention.
Third-party services: If you use third-party services that process personal data (e.g., sending emails), you need a DPA with them.
Cross-border transfers: Transfer of personal data outside EU requires adequacy decision or SCCs. Azure's Standard Contractual Clauses are often referenced.
How to Eliminate Wrong Answers
If an answer says 'must store all data in EU', it's likely wrong because GDPR allows transfers with safeguards.
If an answer says 'Microsoft automatically handles GDPR compliance for you', it's wrong because compliance is a shared responsibility.
If an answer mentions '72 hours for data subject requests', it's wrong; that's for breach notification.
Look for keywords like 'data controller' (customer) vs. 'data processor' (Microsoft).
GDPR applies to any organization processing personal data of EU residents, regardless of location.
Data controllers (customers) are responsible for compliance; Microsoft is a data processor.
Data subject rights include access, rectification, erasure, and portability, with a one-month response deadline.
Breach notification must be made within 72 hours to the supervisory authority.
Azure Policy can enforce data residency by restricting resource creation to specific regions.
Azure Purview helps discover and classify personal data for data subject requests.
Encryption at rest (AES-256) and in transit (TLS 1.2) are key technical controls for GDPR.
Data transfers outside the EU require adequate safeguards like Standard Contractual Clauses.
These come up on the exam all the time. Here's how to tell them apart.
Data Controller
Determines the purposes and means of processing personal data.
Responsible for compliance with GDPR principles.
Must have a legal basis for processing (e.g., consent, legitimate interest).
Must respond to data subject requests.
Example: A company using Azure to store customer data.
Data Processor
Processes personal data on behalf of the controller.
Must follow the controller's instructions.
Must implement appropriate technical and organizational measures.
Must notify the controller of any data breaches.
Example: Microsoft Azure providing the infrastructure.
Mistake
GDPR only applies to companies based in the EU.
Correct
GDPR applies to any organization that processes personal data of individuals in the EU, regardless of the organization's location. If you offer goods or services to EU residents or monitor their behavior, you must comply.
Mistake
Azure automatically encrypts all data at rest by default.
Correct
Azure Storage Service Encryption (SSE) encrypts data at rest for Azure Storage accounts by default. However, other services like Azure SQL Database require enabling TDE, and virtual machines require Azure Disk Encryption. Not all data is encrypted by default.
Mistake
Data subject erasure requests must be fulfilled within 72 hours.
Correct
The 72-hour deadline applies to breach notification to the supervisory authority. Data subject requests (e.g., erasure) must be responded to without undue delay and at most within one month (Article 12).
Mistake
Microsoft is the data controller for customer data stored in Azure.
Correct
Microsoft is the data processor. The customer (the organization using Azure) is the data controller. Microsoft processes data only according to the customer's instructions, as defined in the Data Protection Addendum.
Mistake
GDPR requires all personal data to be stored within the EU.
Correct
GDPR does not mandate data localization. It restricts transfers of personal data outside the EU unless adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision. Data can be stored globally with appropriate protections.
The data controller determines the purposes and means of processing personal data and is primarily responsible for GDPR compliance. The data processor processes data on behalf of the controller and must follow the controller's instructions. In Azure, the customer is the controller and Microsoft is the processor. The controller must have a legal basis for processing, while the processor must implement security measures and assist the controller in fulfilling data subject requests.
Use Azure Policy to restrict resource creation to specific regions, such as 'West Europe' or 'North Europe'. Create a policy definition that denies creation of resources if the location is not in the allowed list. Assign the policy at the subscription or management group level. Also, when deploying resources, explicitly choose the region. Azure Policy can also audit existing resources to ensure they are in compliant regions.
Azure Purview can scan and catalog personal data across data sources. Azure Resource Graph helps search for resources. For specific services, you can use queries or scripts to export or delete data. Azure AD helps verify the identity of the data subject. For erasure, you may need to delete data from the source, backups, and logs. Azure provides sample scripts for common DSR scenarios.
Encryption is not explicitly mandated by GDPR, but Article 32 requires 'appropriate technical and organizational measures' to ensure data security. Encryption is a widely accepted measure to protect personal data. Azure provides encryption at rest and in transit as default or optional features. Using encryption helps demonstrate compliance and reduces risk in case of a breach.
Under Article 33, the data controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. The notification must describe the nature of the breach, categories of data involved, approximate number of data subjects, and measures taken. Microsoft, as a processor, will notify the controller within 72 hours of a breach under the Data Protection Addendum.
Yes, but you must ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) or an adequacy decision. Microsoft offers SCCs in the Data Protection Addendum. You can also use Azure regions outside the EU, but you should assess the legal basis for transfer. Azure Policy can help enforce data residency if you choose to keep data within the EU.
Azure Purview is a unified data governance service that discovers, classifies, and manages data across on-premises, multi-cloud, and SaaS sources. It helps identify personal data using built-in classifiers (e.g., email, SSN). This is useful for data subject requests, data mapping, and compliance reporting. Purview also provides a data catalog and lineage tracking.