This chapter covers three major global privacy frameworks—GDPR, HIPAA, and other key laws—and their impact on Microsoft compliance solutions. For the SC-900 exam, approximately 10-15% of questions in Domain 1 (Describe the concepts of security, compliance, and identity) touch on privacy law fundamentals, especially their core principles and enforcement. Understanding these regulations is critical because Microsoft 365 compliance tools (Compliance Manager, Information Protection, Data Lifecycle Management) are designed to help organizations meet these legal obligations. This chapter focuses on what SC-900 specifically tests: the purpose, scope, and key requirements of each regulation, not their full legal text.
Think of global privacy laws like a system of international data passports. Each country (or region) issues its own passport rules: the EU requires a 'GDPR passport' for any personal data crossing its borders, while the US healthcare sector demands a 'HIPAA passport' for protected health information. When a company wants to move data from one jurisdiction to another, it must check the destination's passport requirements. For example, transferring EU citizen data to a US company necessitates a 'Privacy Shield' visa or Standard Contractual Clauses (SCCs) as an approved travel document. If the company fails to present the correct passport, the data is denied entry or faces penalties at customs (regulatory fines up to 4% of global annual turnover for GDPR). Just as a traveler must carry the right visa for each country, a data processor must implement appropriate safeguards—encryption, access controls, breach notification plans—before data leaves its home jurisdiction. The analogy extends to enforcement: border agents (data protection authorities) can audit shipments, demand proof of compliance, and levy fines for violations. This mechanistic view helps understand why a US healthcare provider handling EU patient data must comply with both HIPAA (for health data) and GDPR (for EU residents), requiring dual compliance frameworks.
Overview of Global Privacy Laws
Privacy laws regulate how organizations collect, store, process, and transfer personal data. The SC-900 exam expects you to understand the *purpose* and *key provisions* of three major frameworks: GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and other notable laws like CCPA (California Consumer Privacy Act) and LGPD (Lei Geral de Proteção de Dados). The exam does not test deep legal knowledge but rather the compliance landscape that Microsoft tools address.
GDPR: The EU Regulation
What it is: The GDPR is a comprehensive data protection law enacted by the European Union, effective May 25, 2018. It applies to any organization that processes personal data of EU residents, regardless of where the organization is located. Its primary goal is to give individuals control over their personal data and harmonize data protection laws across EU member states.
Key Principles (Article 5):
- Lawfulness, fairness, and transparency
- Purpose limitation (data collected for specified, explicit, legitimate purposes)
- Data minimization (adequate, relevant, and limited to what is necessary)
- Accuracy (data must be accurate and kept up to date)
- Storage limitation (kept no longer than necessary)
- Integrity and confidentiality (security appropriate to the risk)
- Accountability (controller must demonstrate compliance)
Rights of Data Subjects:
- Right to be informed (privacy notices)
- Right of access (subject access request, SAR)
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Key Roles:
- Data Controller: Entity that determines the purposes and means of processing personal data.
- Data Processor: Entity that processes data on behalf of the controller.
- Data Protection Officer (DPO): Required for public authorities or organizations that process large-scale sensitive data. The DPO must be independent and report to the highest management level.
Penalties: Up to €20 million or 4% of global annual turnover, whichever is higher. Fines are tiered: lower tier (up to €10M or 2% of turnover) for violations like not having a DPO or not conducting a DPIA; upper tier for violations of data subject rights or cross-border transfers.
Cross-border Data Transfers: Personal data can only be transferred to countries that the European Commission has deemed to have adequate data protection (adequacy decisions). For other countries, appropriate safeguards must be in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The EU-US Data Privacy Framework (DPF) replaced the invalidated Privacy Shield.
Data Breach Notification: Controllers must notify the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to rights and freedoms. Data subjects must be notified if the breach poses a high risk.
HIPAA: US Healthcare Privacy
What it is: The Health Insurance Portability and Accountability Act of 1996 is a US federal law that sets national standards for protecting sensitive patient health information (PHI). The SC-900 exam focuses on the Privacy Rule, Security Rule, and Breach Notification Rule.
Protected Health Information (PHI): Any individually identifiable health information held or transmitted by a covered entity or business associate, in any form (electronic, paper, oral). De-identified health information (removing 18 specific identifiers) is not PHI.
Covered Entities: Health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically.
Business Associates: Persons or entities that perform functions on behalf of a covered entity involving PHI (e.g., billing companies, cloud storage providers). Business associates must have a written contract (Business Associate Agreement, BAA) with the covered entity.
Privacy Rule: Governs use and disclosure of PHI. Generally, covered entities can use or disclose PHI for treatment, payment, or healthcare operations without authorization. Other uses require written authorization from the individual. Patients have rights to access, amend, and request an accounting of disclosures.
Security Rule: Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Key standards include:
Administrative: Risk analysis, workforce training, contingency planning
Physical: Facility access controls, workstation security, device and media controls
Technical: Access controls, audit controls, integrity controls, transmission security
Breach Notification Rule: Requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases, the media following a breach of unsecured PHI. Notification must occur without unreasonable delay and no later than 60 days after discovery. Business associates must notify covered entities.
Penalties: Civil monetary penalties range from $100 to $50,000 per violation, up to $1.5 million per calendar year for identical violations. There are four tiers based on culpability: did not know, reasonable cause, willful neglect (corrected), willful neglect (not corrected). Criminal penalties can apply for knowingly obtaining or disclosing PHI.
Other Notable Privacy Laws
CCPA (California Consumer Privacy Act): Effective January 1, 2020, it gives California residents rights to know what personal information is collected, to delete it, to opt out of its sale, and to non-discrimination for exercising rights. Applies to for-profit entities that collect personal information of California residents and meet thresholds (e.g., annual gross revenue >$25 million, or buys/sells personal info of 50,000+ consumers). Enforcement by California Privacy Protection Agency (CPPA).
LGPD (Brazil's Lei Geral de Proteção de Dados): Modeled after GDPR, effective August 2020. Applies to any organization processing personal data of individuals in Brazil, regardless of location. Creates the National Data Protection Authority (ANPD). Penalties up to 2% of revenue in Brazil, capped at R$50 million per violation.
PIPEDA (Canada's Personal Information Protection and Electronic Documents Act): Applies to private-sector organizations collecting personal information in the course of commercial activities. Based on 10 fair information principles (e.g., accountability, consent, limiting collection).
Microsoft Compliance Tools for Privacy Laws
Microsoft 365 provides several tools to help organizations meet privacy law requirements:
- Compliance Manager: Pre-built assessments for GDPR, HIPAA, CCPA, etc. It maps controls to specific regulatory requirements and provides implementation guidance.
- Information Protection: Sensitivity labels, data classification, and encryption to protect data at rest and in transit.
- Data Lifecycle Management: Retention policies and labels to meet storage limitation requirements (GDPR) and record retention (HIPAA).
- Audit (Premium): Logging and monitoring for access to personal data, supporting accountability.
- Subject Rights Requests: Built-in workflows for managing SARs under GDPR and CCPA.
- Data Loss Prevention (DLP): Policies to detect and prevent unauthorized sharing of PHI or personal data.
Exam Focus: What SC-900 Tests
The SC-900 exam does not ask you to recite legal statutes. Instead, it tests:
The *purpose* of each law (e.g., GDPR gives individuals control over personal data; HIPAA protects PHI).
*Key terms*: Data controller vs. processor (GDPR), covered entity vs. business associate (HIPAA), PHI vs. ePHI.
*Rights and obligations*: Right to be forgotten, breach notification timelines (72 hours for GDPR, 60 days for HIPAA).
*Penalties*: Maximum fines (4% of turnover for GDPR, $1.5M per year for HIPAA).
*Which Microsoft tool addresses which requirement*: e.g., Compliance Manager for assessments, Subject Rights Requests for SARs.
Common exam traps:
- Confusing GDPR's 72-hour breach notification with HIPAA's 60-day notification.
- Thinking HIPAA applies to all health data (it only applies to covered entities and business associates; an app developer that is not a business associate is not covered).
- Assuming CCPA is a federal law (it's California state law).
- Believing that GDPR requires consent for all processing (it also allows legitimate interest, contract necessity, etc.).
Identify Applicable Laws
Determine which privacy laws apply to your organization based on geographic location of data subjects, type of data processed, and industry. For SC-900, know that GDPR applies if you process personal data of EU residents; HIPAA applies if you are a covered entity or business associate handling PHI; CCPA applies if you meet California's thresholds. Use Compliance Manager to run assessments that map your controls to specific regulations.
Classify Data and Map Flows
Identify what personal data you collect, where it is stored, and how it flows in and out of your organization. For GDPR, document processing activities (Article 30). For HIPAA, identify ePHI repositories. Use Microsoft Purview Information Protection to classify and label sensitive data automatically. Data mapping helps determine if cross-border transfers require additional safeguards.
Implement Technical Safeguards
Deploy controls to protect data at rest and in transit. For GDPR, implement pseudonymization and encryption (Article 32). For HIPAA Security Rule, enforce access controls (unique user IDs, automatic logoff), audit controls, and transmission security. Use Microsoft Defender for Cloud Apps to monitor data movement. Configure DLP policies to prevent unauthorized sharing of PHI or personal data.
Establish Breach Response Procedures
Create an incident response plan that meets notification timelines. For GDPR, ensure you can notify supervisory authority within 72 hours. For HIPAA, notify affected individuals within 60 days. Use Microsoft 365 Audit to detect suspicious access. Test your plan with tabletop exercises. Document the breach and your response for regulatory review.
Enable Subject Rights Requests
Set up a process to handle data subject requests (access, deletion, portability). In Microsoft 365, use the Subject Rights Requests solution to automate workflows for GDPR and CCPA requests. Train staff to recognize and route requests promptly. Ensure you can export or delete data from all repositories, including backups and archives.
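The "Implement Technical Safeguards" step names pseudonymization as a GDPR Article 32 measure, and the "Enable Subject Rights Requests" step requires that a subject's data can be deleted from every repository. The following Python example, added here and not taken from the page or from any Microsoft product, shows one way these two steps fit together: direct identifiers are replaced by a keyed HMAC token, the identifiers themselves are parked in a separately held identity store, and erasure removes both the mapping and the subject's records. The field names, the fictional patient records, and the in-memory dict standing in for a separately secured store are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Field names treated as direct identifiers. This list is an assumption made for
# the example; in practice it comes from the data map built when classifying data.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "mrn")


def subject_token(key: bytes, stable_id: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of a stable identifier under a secret key.

    The same subject always yields the same token, so records stay linkable for
    analytics and audit, but nobody without `key` can recover the identifier.
    """
    normalised = stable_id.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes, identity_store: dict) -> dict:
    """Return a copy of `record` with direct identifiers replaced by one token.

    The stripped identifiers are parked in `identity_store`, which stands in for
    the separately secured system holding the re-identification data. The working
    copy therefore carries no name, e-mail, phone or MRN.
    """
    token = subject_token(key, record["mrn"])
    identity_store.setdefault(
        token, {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    )
    pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudo["subject"] = token
    return pseudo


def reidentify(token: str, identity_store: dict) -> Optional[dict]:
    """Look a token back up. Only the holder of the identity store can do this,
    which is why pseudonymised data is still personal data under GDPR."""
    return identity_store.get(token)


def erase_subject(token: str, identity_store: dict, dataset: list) -> int:
    """Right-to-erasure helper: drop the identity mapping and every pseudonymised
    record for that subject. Returns the number of records removed."""
    identity_store.pop(token, None)
    kept = [r for r in dataset if r["subject"] != token]
    removed = len(dataset) - len(kept)
    dataset[:] = kept  # mutate in place so callers holding the list see the change
    return removed


# Constructed sample records (fictional patients) for the demonstration.
SAMPLE_RECORDS = [
    {"mrn": "MRN-0001", "name": "Ada Example", "email": "ada@example.org",
     "phone": "+44 20 7946 0000", "visit": "2024-03-01", "diagnosis_code": "J06.9"},
    {"mrn": "MRN-0001", "name": "Ada Example", "email": "ada@example.org",
     "phone": "+44 20 7946 0000", "visit": "2024-04-12", "diagnosis_code": "J06.9"},
    {"mrn": "MRN-0002", "name": "Bob Example", "email": "bob@example.org",
     "phone": "+44 20 7946 0001", "visit": "2024-03-05", "diagnosis_code": "I10"},
]


def run_demo(key: Optional[bytes] = None) -> dict:
    """Pseudonymise the sample set, show that re-identification needs the store,
    then erase one subject. Returns the intermediate results for inspection."""
    key = key or secrets.token_bytes(32)
    identity_store: dict = {}
    dataset = [pseudonymize(r, key, identity_store) for r in SAMPLE_RECORDS]
    ada = subject_token(key, "MRN-0001")
    # Any direct identifier still present in the working copy is a leak.
    leaked_fields = [f for f in DIRECT_IDENTIFIERS if any(f in r for r in dataset)]
    subjects_before = len(identity_store)
    resolved_before = reidentify(ada, identity_store)
    removed = erase_subject(ada, identity_store, dataset)
    resolved_after = reidentify(ada, identity_store)
    return {
        "records": dataset,
        "identifiers_left_in_working_copy": leaked_fields,
        "subjects_before": subjects_before,
        "resolved_before": resolved_before,
        "removed": removed,
        "resolved_after": resolved_after,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two design points matter for the compliance mapping. First, a deterministic HMAC keeps records linkable, which is what makes this pseudonymization rather than anonymization: anyone holding the key plus a candidate MRN can recompute the token, so the key must live with the identity store, not with the analytics copy. Second, erasure is only complete when the mapping and every record carrying the token are gone from all repositories; the in-memory list here would in practice be each store, backup and archive that the data map identified.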
Scenario 1: Global Healthcare Provider Handling EU Patient Data
A US-based hospital network (covered entity under HIPAA) begins offering telemedicine services to EU citizens. This triggers GDPR compliance because the hospital processes personal data (including health data, a special category) of EU residents. The hospital must now comply with both HIPAA and GDPR simultaneously. In production, the compliance team uses Compliance Manager to run a GDPR assessment that overlaps with HIPAA controls. They discover that HIPAA's breach notification timeline (60 days) conflicts with GDPR's 72-hour requirement; they adopt the stricter GDPR timeline globally. They implement Microsoft Purview Data Lifecycle Management to enforce retention limits: health records kept for 6 years (HIPAA requirement) but patient consent records kept only as long as necessary (GDPR storage limitation). The hospital also signs Standard Contractual Clauses with their cloud provider (Azure) to legitimize cross-border data transfers. A common misconfiguration: the hospital initially applied the same access controls to all patient data, but GDPR requires that EU patients have the right to restrict processing—so they had to create a separate process to flag and restrict certain records. Performance-wise, compliance scanning can increase latency on data access, but using Azure Policy and sensitivity labels minimizes overhead.
Scenario 2: SaaS Company Responding to CCPA
A marketing analytics company based in Texas collects personal information from California residents for targeted advertising. They meet CCPA's threshold (buying/selling data of 50,000+ consumers). They deploy Microsoft 365 Compliance Manager to assess CCPA readiness. The main challenge is the 'right to opt out of sale of personal information'—the company must provide a clear 'Do Not Sell My Personal Information' link on their website and honor opt-outs within 15 business days. They use Microsoft Purview Data Loss Prevention (DLP) to detect when personal data is shared with third-party ad networks and block it for opted-out consumers. A common mistake: the company initially thought CCPA only applied if they had over $25 million revenue, but they actually triggered it via the 50,000 consumer threshold. They also learned that 'sale' includes sharing data for monetary or other valuable consideration—even if no money changes hands. Their DLP policies had to be tuned to catch data shared via APIs, not just email.
Scenario 3: Financial Services Firm Under GDPR and LGPD
A fintech startup in London processes data of both EU and Brazilian customers. They must comply with both GDPR and LGPD. While both laws are similar, LGPD has its own nuances: the data subject can request review of automated decisions, and the penalty is up to 2% of revenue in Brazil. The firm uses Azure Policy to enforce data residency: EU data stays in West Europe, Brazilian data stays in Brazil South. They configure Compliance Manager with both GDPR and LGPD assessments. The biggest operational issue is managing consent withdrawal: under both laws, withdrawing consent does not affect prior lawful processing, but the firm must stop further processing. They created a custom Power Automate flow to sync consent status across systems. They also discovered that LGPD requires a DPO for large-scale processing, which they already had for GDPR. A common pitfall: they initially used the same data retention schedule for all customers, but LGPD requires data to be deleted after the purpose ends, so they had to implement a purge workflow for Brazilian customers after account closure.
SC-900 Exam Focus on GDPR, HIPAA, and Global Privacy Laws
Objective Code: 1.3 Describe the concepts of security, compliance, and identity. Specifically, the exam tests your ability to 'describe the purpose of major compliance requirements and the Microsoft solutions that help address them.'
What is tested verbatim:
- GDPR: 'Gives individuals control over their personal data' (not 'protects health data'). Know the 72-hour breach notification, max fine 4% of global annual turnover, right to be forgotten, data portability.
- HIPAA: 'Protects protected health information (PHI)'. Know the difference between covered entity and business associate. Breach notification: 60 days. Penalties: up to $1.5M per year.
- CCPA: 'Gives California residents rights over their personal information'. Know the right to opt out of sale, right to delete, non-discrimination.
- Microsoft tools: Compliance Manager (assessments), Subject Rights Requests (manage data subject requests), Information Protection (classify and protect data), DLP (prevent data leaks).
Common wrong answers and why candidates choose them:
1. 'HIPAA applies to all companies that handle health data.' Wrong. It only applies to covered entities and business associates. A fitness app that collects heart rate data is not a covered entity unless it is a healthcare provider or health plan.
2. 'GDPR requires explicit consent for all data processing.' Wrong. Consent is one of six lawful bases; legitimate interest, contract performance, legal obligation, etc., are also valid. Candidates often over-emphasize consent.
3. 'CCPA is a federal US law.' Wrong. It is California state law. Other states (Virginia, Colorado) have their own laws.
4. 'HIPAA breach notification is 72 hours.' Wrong. That's GDPR. HIPAA is 60 days. Candidates mix these up.
5. 'Compliance Manager automatically makes you compliant.' Wrong. It is an assessment tool that maps controls, but you must implement the controls.
Numbers and values to memorize:
- GDPR fine: 4% of global annual turnover or €20M, whichever is higher.
- HIPAA fine: up to $1.5M per year per violation category.
- GDPR breach notification: 72 hours to supervisory authority.
- HIPAA breach notification: 60 days to individuals.
- GDPR DPO required for public authorities or large-scale sensitive data processing.
- HIPAA Security Rule: administrative, physical, technical safeguards.
Edge cases the exam loves:
- A US company with no EU presence that processes EU citizens' data: still subject to GDPR (Article 3).
- Health data used for research: HIPAA allows use for research with authorization or IRB waiver.
- De-identified data: not PHI under HIPAA; not personal data under GDPR if truly anonymous.
- Subject rights requests: must be fulfilled within one month (GDPR), extendable by two months for complex requests.
How to eliminate wrong answers: Focus on the *purpose* of each law. If a question asks which law protects health information, the answer is HIPAA. If it asks about EU data subject rights, it's GDPR. For Microsoft tools, match the tool to the task: Compliance Manager for assessments, Subject Rights Requests for SARs, Information Protection for data classification, DLP for preventing data loss.
GDPR gives EU residents control over their personal data; breach notification to authority within 72 hours; fines up to 4% of global annual turnover.
HIPAA protects PHI for covered entities and business associates; breach notification to individuals within 60 days; penalties up to $1.5M per year.
CCPA gives California residents rights to know, delete, and opt out of sale of personal information; applies to businesses meeting revenue or data volume thresholds.
Microsoft Compliance Manager provides pre-built assessments for GDPR, HIPAA, CCPA, etc.; it maps controls but does not implement them.
Subject Rights Requests in Microsoft 365 helps automate workflows for data subject access, deletion, and export requests under GDPR and CCPA.
Data Loss Prevention (DLP) policies can detect and block sharing of PHI or personal data, supporting both HIPAA and GDPR compliance.
Cross-border data transfers from EU require adequacy decision, SCCs, or BCRs; the EU-US Data Privacy Framework is the latest mechanism.
The SC-900 exam tests the purpose, key rights, breach notification timelines, and penalty amounts of each law, not full legal text.
These come up on the exam all the time. Here's how to tell them apart.
GDPR
Applies to any organization processing personal data of EU residents, regardless of location.
Gives individuals rights: access, erasure, portability, object, etc.
Breach notification to supervisory authority within 72 hours.
Maximum fine: 4% of global annual turnover or €20M.
Requires Data Protection Officer (DPO) for large-scale processing of sensitive data.
HIPAA
Applies only to covered entities and business associates in the US.
Gives patients rights: access, amendment, accounting of disclosures.
Breach notification to individuals within 60 days.
Maximum penalty: $1.5 million per calendar year for identical violations.
Requires a Privacy Officer (not specifically named DPO) and workforce training.
Mistake
HIPAA applies to any company that handles health data.
Correct
HIPAA only applies to covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates. A company that simply collects health data (e.g., a fitness app) is not covered unless it is a business associate of a covered entity.
Mistake
GDPR requires explicit consent for all data processing.
Correct
Consent is only one of six lawful bases for processing. Others include contract necessity, legal obligation, vital interests, public task, and legitimate interests. Explicit consent is specifically needed only for processing special categories of data (e.g., health, biometrics).
Mistake
CCPA is a federal law that applies across the United States.
Correct
CCPA is a California state law. It applies only to businesses that collect personal information of California residents and meet certain thresholds. Other states have their own privacy laws (e.g., Virginia CDPA, Colorado CPA).
Mistake
HIPAA breach notification must occur within 72 hours.
Correct
HIPAA requires notification to affected individuals 'without unreasonable delay and in no case later than 60 days' after discovery of a breach. The 72-hour timeline is from GDPR, which applies to notifications to supervisory authorities.
Mistake
Microsoft Compliance Manager automatically makes you compliant.
Correct
Compliance Manager is an assessment tool that maps your controls to regulatory requirements and provides implementation guidance. It does not implement controls for you; you must configure the actual policies (e.g., DLP, retention labels) to meet the requirements.
The data controller determines the purposes and means of processing personal data. The data processor processes data on behalf of the controller. For example, a hospital (controller) uses a cloud storage provider (processor) to store patient records. The controller is primarily responsible for compliance and must have a written contract with the processor. On the SC-900 exam, remember that the controller decides 'why' and 'how', while the processor acts on instructions.
No. HIPAA applies only to protected health information (PHI) held by covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates. Data that is de-identified (by removing 18 specific identifiers) is not PHI and not subject to HIPAA. Also, data held by entities that are not covered (e.g., a fitness app that is not a business associate) is not regulated by HIPAA, though other laws may apply.
Under GDPR, a data controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Under HIPAA, a covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach. The 72-hour and 60-day timelines are frequently tested on the exam, so memorize them.
Compliance Manager provides a pre-built GDPR assessment that maps Microsoft 365 controls to specific GDPR articles. It scores your compliance posture, gives implementation guidance, and allows you to track evidence. However, it does not automatically enforce controls; you must configure policies (e.g., data retention, encryption) based on its recommendations.
The right to erasure (right to be forgotten) allows data subjects to request deletion of their personal data when there is no compelling reason for its continued processing. Controllers must comply without undue delay. Exceptions include when processing is necessary for exercising freedom of expression, legal obligations, public health, or archiving in the public interest. On the exam, know that this right is part of GDPR, not HIPAA.
A Business Associate Agreement (BAA) is a written contract between a covered entity and a business associate that ensures the business associate will appropriately safeguard PHI. It must specify permitted uses, require safeguards, and include breach notification obligations. Microsoft offers a BAA for Azure and Microsoft 365 services to customers who are covered entities. The exam may test that a BAA is required for business associates.
Yes, CCPA applies to for-profit entities that collect personal information of California residents and meet at least one of three thresholds: annual gross revenue over $25 million; buys, sells, or shares personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of annual revenue from selling consumers' personal information. Nonprofits and government entities are generally exempt.