This chapter covers the General Data Protection Regulation (GDPR) and other major global privacy regulations, including the California Consumer Privacy Act (CCPA) and Brazil's Lei Geral de Proteção de Dados (LGPD). For the SC-900 exam, this topic falls under Domain 4: Compliance Solutions, specifically objective 4.4. Expect approximately 5-10% of exam questions to address privacy regulations, focusing on key definitions, rights, enforcement mechanisms, and how Microsoft compliance tools help organizations meet these obligations.
Imagine you are traveling the world with a backpack that contains all your personal items—passport, credit cards, medical records, and photos. Each country you visit has its own set of rules about what you can carry and how your belongings must be protected. The GDPR is like the European Union's strictest set of rules. It says you must have a lock on your backpack, you must keep a log of everyone who opens it, and you can only share items with explicit permission. If you lose your backpack, you must report it within 72 hours and possibly pay a fine up to 4% of your annual income. Now, other countries like Brazil (LGPD) and California (CCPA) have created their own versions of these rules. They may have different lock requirements, different response times, or different penalties. As a global traveler, you must comply with the strictest rule at every stop. If you're in the EU, you follow GDPR; if you're handling data of a Brazilian citizen, you follow LGPD. The challenge is that your backpack (data) moves with you, so you need a system that can adapt to each jurisdiction's rules automatically. Microsoft's Compliance Manager is like a travel assistant that checks your backpack against the rules of every country you enter, telling you exactly what needs to change before you cross the border.
Overview of GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data privacy regulation enacted by the European Union (EU) that came into effect on May 25, 2018. It replaces the 1995 Data Protection Directive and harmonizes data protection laws across all EU member states. The GDPR applies to any organization, regardless of location, that processes personal data of individuals residing in the EU. This extraterritorial scope is a critical exam point: even a US-based company that sells products to EU citizens must comply.
Key Definitions
Personal Data: Any information relating to an identified or identifiable natural person (data subject). This includes names, identification numbers, location data, online identifiers (e.g., IP addresses), and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity. The definition is intentionally broad.
Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Data Controller: The entity that determines the purposes and means of processing personal data. Example: A bank deciding to collect customer data for account management.
Data Processor: The entity that processes personal data on behalf of the controller. Example: A cloud service provider hosting the bank's customer database.
Data Protection Officer (DPO): A designated individual responsible for overseeing data protection strategy and compliance. DPO appointment is mandatory for public authorities, organizations that engage in large-scale systematic monitoring, or those that process special categories of data on a large scale.
Supervisory Authority (SA): An independent public authority established by each EU member state to monitor GDPR enforcement, for example the ICO in the UK or CNIL in France.
Data Subject: The identified or identifiable natural person whose personal data is processed.
Data Subject Rights
The GDPR grants individuals eight specific rights. The exam tests your ability to identify these rights and their descriptions.
Right to be Informed: Data subjects must be provided with transparent information about how their data is processed, including the purposes, legal basis, retention periods, and who it is shared with. This is typically done via a privacy notice.
Right of Access: Individuals can request confirmation that their data is being processed and access to that data, along with additional details about processing.
Right to Rectification: Inaccurate or incomplete personal data can be corrected without undue delay.
Right to Erasure (Right to be Forgotten): Individuals can request deletion of their personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful. Controllers must inform other controllers processing the data to erase links or copies.
Right to Restrict Processing: Individuals can block processing of their data in certain circumstances, such as when accuracy is contested or processing is unlawful but the subject opposes erasure.
Right to Data Portability: Individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. This right applies only to data processed by automated means based on consent or contract.
Right to Object: Individuals can object to processing based on legitimate interests, direct marketing, or processing for scientific/historical research or statistics. The controller must cease processing unless they demonstrate compelling legitimate grounds.
Rights Related to Automated Decision Making and Profiling: Individuals have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects, unless necessary for a contract, authorized by law, or based on explicit consent.
Lawful Basis for Processing
Processing personal data is prohibited unless at least one of six lawful bases applies. The exam expects you to distinguish these bases.
Consent: The data subject has given clear, affirmative consent for a specific purpose. Consent must be freely given, specific, informed, and unambiguous. It can be withdrawn at any time.
Contract: Processing is necessary for the performance of a contract with the data subject or to take steps at their request before entering a contract.
Legal Obligation: Processing is necessary to comply with a legal obligation (e.g., tax reporting).
Vital Interests: Processing is necessary to protect someone's life.
Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, except where such interests are overridden by the data subject's interests or fundamental rights. This basis cannot be used by public authorities in the performance of their tasks.
Penalties and Enforcement
Non-compliance can result in administrative fines up to €20 million or 4% of the organization's annual global turnover, whichever is higher. Fines are tiered:
Lower tier: up to €10 million or 2% of annual global turnover for violations like failing to maintain records of processing activities or not notifying a data breach.
Upper tier: up to €20 million or 4% of annual global turnover for violations of data subject rights, unlawful transfers, or non-compliance with a supervisory authority order.
Supervisory authorities can also impose corrective measures, such as issuing warnings, reprimands, ordering data to be erased, or imposing a temporary or permanent ban on processing.
Data Breach Notification
Organizations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If notification is delayed, a justification must be provided. Additionally, if the breach poses a high risk to individuals, the organization must also communicate the breach to the affected data subjects without undue delay.
International Data Transfers
The GDPR restricts transfers of personal data to countries outside the European Economic Area (EEA) unless specific safeguards are in place. Adequacy decisions by the European Commission recognize countries with equivalent data protection (e.g., Japan, South Korea). Other transfer mechanisms include Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and approved codes of conduct or certification mechanisms.
Other Global Privacy Regulations
You must be familiar with three other major regulations for the exam: CCPA, LGPD, and the UK GDPR (post-Brexit).
#### California Consumer Privacy Act (CCPA)
Effective January 1, 2020, the CCPA grants California residents rights similar to GDPR but with key differences:
- Right to Know: What personal information is collected, used, shared, or sold.
- Right to Delete: Request deletion of personal information held by a business.
- Right to Opt-Out: Opt out of the sale of personal information to third parties.
- Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights.
- Definition of Personal Information: Broader than GDPR; includes inferences drawn from data to create a profile.
- Penalties: Up to $7,500 per intentional violation and $2,500 per unintentional violation.
- Applicability: For-profit businesses that collect personal information of California residents and meet one or more thresholds: annual gross revenue over $25 million; buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of annual revenue from selling personal information.
#### Lei Geral de Proteção de Dados (LGPD) - Brazil
Effective August 2020, LGPD is heavily modeled on GDPR. Key points:
- Rights: Similar to GDPR, including confirmation of processing, access, correction, anonymization, erasure, portability, and information about sharing.
- Legal Bases: 10 legal bases (GDPR has 6), including consent, contract, legal obligation, public administration, and credit protection.
- Penalties: Up to 2% of revenue in Brazil, capped at 50 million reais per violation.
- National Data Protection Authority (ANPD): The enforcement body.
- DPO: Appointment is mandatory for certain organizations.
#### UK GDPR
Post-Brexit, the UK has its own version of GDPR (UK GDPR) alongside the Data Protection Act 2018. It is essentially identical to EU GDPR but with UK-specific references. The UK has an adequacy decision from the EU, allowing data flows to continue.
Microsoft Compliance Tools for Privacy Regulations
Microsoft provides several tools to help organizations comply with global privacy regulations:
Microsoft Priva: A set of solutions for privacy risk management, subject rights requests, and consent management. Priva helps automate responses to data subject requests (DSRs) across Microsoft 365 and Azure.
Compliance Manager: A dashboard that provides a compliance score based on assessments for various regulations, including GDPR, CCPA, and LGPD. It suggests improvement actions and tracks implementation.
Data Lifecycle Management: Tools to classify, label, and retain data according to regulatory requirements.
Information Protection: Sensitivity labels and data loss prevention (DLP) policies to protect personal data.
Audit and eDiscovery: Logging and search capabilities to demonstrate compliance and respond to requests.
Exam-Relevant Details
GDPR fines: up to €20 million or 4% of global annual turnover.
Breach notification: within 72 hours to supervisory authority; to data subjects without undue delay if high risk.
DPO mandatory for: public authorities, large-scale monitoring, or processing special categories of data on a large scale.
Data portability: applies only to data processed by automated means based on consent or contract.
LGPD penalties: up to 2% of revenue in Brazil, capped at 50 million reais.
CCPA penalties: $7,500 intentional, $2,500 unintentional per violation.
CCPA applicability: $25M revenue, 50K+ consumers, or 50% revenue from selling data.
GDPR applies to any organization processing personal data of EU residents, regardless of location.
Lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests.
Rights: informed, access, rectification, erasure, restrict, portability, object, automated decisions.
Identify Data Processing Activities
Organizations must map all personal data flows, documenting what data is collected, why, how it is processed, where it is stored, and who has access. This step involves creating a Record of Processing Activities (ROPA), which is mandatory under GDPR for organizations with 250+ employees or those processing sensitive data. The ROPA must include the name and contact details of the controller, purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries, retention schedules, and security measures. This documentation is the foundation for all compliance efforts.
Determine Lawful Basis for Processing
For each processing activity, the organization must identify at least one lawful basis from the six GDPR bases (or equivalent under other regulations). The choice of basis affects data subject rights; for example, if processing is based on legitimate interests, the data subject has a stronger right to object. The basis must be documented and communicated to data subjects via a privacy notice. If the basis is consent, the organization must ensure consent is freely given, specific, informed, and unambiguous, and that withdrawal is as easy as giving consent.
Implement Data Subject Rights Processes
Organizations must establish procedures to handle data subject requests (DSRs) within the required timelines. GDPR requires responses within one month, extendable by two months for complex requests. The process must verify the identity of the requester, log the request, locate the relevant data, and fulfill the request (e.g., provide a copy, delete data, port data). Automated tools like Microsoft Priva can streamline this by integrating with Microsoft 365 and Azure to search and act on data across the environment.
Conduct Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is mandatory when processing is likely to result in high risk to individuals' rights and freedoms, such as systematic profiling, large-scale processing of special categories of data, or monitoring of publicly accessible areas. The DPIA must describe the processing, assess necessity and proportionality, identify and mitigate risks, and document the outcome. DPIAs are reviewed and updated as processing changes. Failure to conduct a DPIA when required can result in fines.
Establish Breach Response Plan
Organizations must have a plan to detect, report, and investigate personal data breaches. The plan should designate a breach response team, define escalation procedures, and include templates for notifying supervisory authorities and data subjects. Under GDPR, the authority must be notified within 72 hours of awareness. The notification must describe the nature of the breach, categories and approximate number of data subjects and records, contact details of the DPO, likely consequences, and measures taken to address the breach. A breach log must be maintained.
Monitor and Update Compliance
Compliance is not a one-time event. Organizations must continuously monitor changes in processing activities, legal requirements, and enforcement guidance. Regular audits, employee training, and updates to privacy notices are essential. Tools like Microsoft Compliance Manager provide a dynamic compliance score that reflects current posture against regulations. The score updates as improvement actions are implemented. Annual reviews of DPIAs, ROPAs, and contracts with processors ensure ongoing compliance.
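The five steps above describe a process, not a specific product, so the following is an added example (not code from the chapter, from Microsoft, or from any compliance tool) showing how the rules stated in the steps can be turned into checks: ROPA completeness, the one-month data subject request deadline (plus the two-month extension), the portability condition, and the 72-hour breach notification rule with its justification and data-subject notification consequences. The field names, the three-level risk scale ("unlikely", "risk", "high") and all sample data are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fields the chapter lists for a Record of Processing Activities (ROPA).
# Key names are assumptions chosen for this example.
ROPA_REQUIRED_FIELDS = (
    "controller_name", "controller_contact", "purposes",
    "data_subject_categories", "personal_data_categories",
    "recipient_categories", "third_country_transfers",
    "retention_schedule", "security_measures",
)

# Content the chapter lists for a breach notification to the supervisory authority.
BREACH_NOTICE_REQUIRED_FIELDS = (
    "nature", "data_subject_categories", "approx_data_subjects",
    "approx_records", "dpo_contact", "likely_consequences", "measures_taken",
)


def missing_fields(record: dict, required: tuple) -> list:
    """Return the required keys that are absent or empty in `record`."""
    return [key for key in required if not record.get(key)]


def add_months(moment: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length
    (31 Jan + 1 month -> 29 Feb in a leap year)."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass
class SubjectRequest:
    """A data subject request (DSR) as the chapter's process describes it."""
    request_type: str                   # "access", "erasure", "portability", ...
    received: datetime                  # timezone-aware; UTC recommended
    identity_verified: bool = False     # requester identity checked before acting
    extended: bool = False              # complex request: two further months
    lawful_basis: Optional[str] = None  # basis of the processing concerned
    automated_processing: bool = True


def dsr_deadline(req: SubjectRequest) -> datetime:
    """One month from receipt, or three months when the extension is invoked."""
    return add_months(req.received, 3 if req.extended else 1)


def portability_applies(req: SubjectRequest) -> bool:
    """Portability covers only automated processing based on consent or contract."""
    return req.automated_processing and req.lawful_basis in ("consent", "contract")


def dsr_can_fulfil(req: SubjectRequest) -> bool:
    """Identity must be verified first; portability has the extra condition above."""
    if not req.identity_verified:
        return False
    if req.request_type == "portability":
        return portability_applies(req)
    return True


def breach_notification_status(aware_at: datetime, notified_at: Optional[datetime],
                               risk: str) -> dict:
    """Evaluate the 72-hour rule. `risk` is "unlikely", "risk" or "high"
    (a constructed scale following the chapter's wording)."""
    deadline = aware_at + timedelta(hours=72)
    authority_required = risk != "unlikely"          # no notification if risk is unlikely
    on_time = None
    if authority_required and notified_at is not None:
        on_time = notified_at <= deadline
    return {
        "authority_required": authority_required,
        "authority_deadline": deadline,
        "authority_on_time": on_time,
        "justification_required": authority_required and on_time is False,
        "notify_data_subjects": risk == "high",      # high risk: tell affected subjects too
    }


# --- constructed sample data (not from any real organization) ---
UTC = timezone.utc
SAMPLE_ROPA = {
    "controller_name": "Example Retail Ltd", "controller_contact": "dpo@example.invalid",
    "purposes": "order fulfilment", "data_subject_categories": "customers",
    "personal_data_categories": "name, address, payment details",
    "recipient_categories": "payment processor", "third_country_transfers": "none",
    "retention_schedule": "",            # deliberately left empty to show the check
    "security_measures": "encryption at rest, role-based access",
}
SAMPLE_REQUEST = SubjectRequest("access", datetime(2024, 1, 15, tzinfo=UTC), identity_verified=True)
SAMPLE_BREACH_AWARE = datetime(2024, 3, 1, 10, 0, tzinfo=UTC)

if __name__ == "__main__":
    print("ROPA gaps:", missing_fields(SAMPLE_ROPA, ROPA_REQUIRED_FIELDS))
    print("DSR due:", dsr_deadline(SAMPLE_REQUEST).date())
    print(breach_notification_status(SAMPLE_BREACH_AWARE,
                                     SAMPLE_BREACH_AWARE + timedelta(hours=71), "high"))
```

The deadline arithmetic works in calendar months rather than 30-day blocks, so a request received on 31 January is due on the last day of February; the breach check returns `authority_on_time` as `None` when no notification has been sent yet, so a caller can distinguish "not yet notified" from "notified late".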
Enterprise Scenario 1: Multinational E-Commerce Company
A US-based e-commerce company sells products to customers worldwide, including EU residents. To comply with GDPR, the company must map all personal data flows from EU customers. They discover that customer names, addresses, and payment details are stored in a SQL Server database in a US data center, and analytics data is processed by a third-party marketing platform. The company must ensure that transfers to the US have a valid mechanism (e.g., SCCs with the marketing platform). They implement Microsoft Priva to automate DSR handling, allowing customers to request data access or deletion via a web portal. The DPO is appointed, and a DPIA is conducted for the analytics processing. The company achieves a 90% Compliance Manager score for GDPR but must address gaps in vendor management. A common issue is that the marketing platform's data retention policy exceeds GDPR's 'storage limitation' principle, requiring renegotiation of the contract. Performance-wise, the DSR automation reduces manual effort by 80%, but the initial data mapping took three months due to siloed systems.
Enterprise Scenario 2: Healthcare Provider in Brazil
A Brazilian hospital processes patient health data, which is a special category under LGPD. The hospital must appoint a DPO and conduct DPIAs for all processing activities. They use Microsoft 365 for email and document storage, and Azure for patient record databases. The hospital configures sensitivity labels to classify patient data as 'Highly Confidential' and applies DLP policies to prevent sharing outside the organization. They use Compliance Manager to assess against LGPD and achieve a score of 85%. A challenge is that LGPD requires explicit consent for processing health data, so the hospital updates its patient intake forms to include granular consent options. The ANPD (Brazilian authority) has not yet issued heavy fines, but the hospital prepares for potential audits by maintaining detailed ROPAs. A misconfiguration in Azure SQL firewall rules once exposed a test database to the internet, but it was detected by Microsoft Defender for Cloud and remediated within hours, avoiding a breach notification.
Enterprise Scenario 3: Financial Services Firm in the UK
A London-based bank must comply with UK GDPR and the Data Protection Act 2018. The bank processes customer financial data for account management, credit scoring, and fraud detection. For credit scoring, automated decision-making is used, so the bank must inform customers of the logic and provide a right to human intervention. They use Microsoft 365's eDiscovery and Audit to log all access to customer data. A senior manager's credentials are compromised, leading to unauthorized access to 10,000 customer records. The bank detects the breach via Azure Sentinel alerts and notifies the ICO within 72 hours. The breach is assessed as high risk because financial data was exposed, so affected customers are also notified. The ICO investigates but imposes no fine due to prompt reporting and robust security measures already in place. The bank's Compliance Manager score for UK GDPR drops from 92% to 70% after the incident, triggering a remediation plan that includes multi-factor authentication for all privileged accounts.
What SC-900 Tests
Objective 4.4: Describe compliance management capabilities in Microsoft 365. This includes understanding GDPR, CCPA, and LGPD at a conceptual level. The exam does not test deep legal nuances but expects you to:
Identify the purpose and key provisions of GDPR (rights, fines, breach notification).
Distinguish between GDPR, CCPA, and LGPD (especially applicability thresholds and penalty amounts).
Recognize how Microsoft Compliance Manager and Priva help meet regulatory requirements.
Understand data subject rights and lawful bases.
Common Wrong Answers
'GDPR applies only to EU-based organizations.' Many candidates assume territorial scope is limited to EU companies. In reality, GDPR applies to any organization processing personal data of EU residents, regardless of location. The exam tests this extraterritorial application.
'The maximum fine under GDPR is a fixed amount.' Candidates often forget the turnover-based alternative: 4% of annual global turnover or €20 million, whichever is higher. They may pick a fixed number like €10 million.
'CCPA and GDPR are identical.' While similar, CCPA has different thresholds ($25M revenue, 50K consumers) and penalties ($7,500 intentional). The exam may ask which regulation applies to a California-based company with $10M revenue (CCPA does not apply).
'Data portability applies to all personal data.' Portability only applies to data processed by automated means and based on consent or contract. Many candidates think it applies to any data.
Specific Numbers and Terms
GDPR breach notification: 72 hours to supervisory authority.
GDPR fines: up to €20M or 4% of global annual turnover.
CCPA penalties: $7,500 intentional, $2,500 unintentional per violation.
CCPA applicability: $25M revenue, 50,000+ consumers, or 50% revenue from selling data.
LGPD fines: up to 2% of revenue in Brazil, capped at 50 million reais.
Data subject rights: 8 rights under GDPR.
Lawful bases: 6 under GDPR, 10 under LGPD.
DPO mandatory: for public authorities, large-scale monitoring, large-scale special category data.
Edge Cases and Exam Traps
Exemptions: The right to erasure does not apply when processing is necessary for exercising the right of freedom of expression, compliance with a legal obligation, or public health reasons. The exam may present a scenario where erasure is requested but an exception applies.
Transfer Mechanisms: Standard Contractual Clauses (SCCs) are a common transfer mechanism, but the exam may ask which mechanism is used for intra-group transfers (Binding Corporate Rules).
CCPA vs. CPRA: The California Privacy Rights Act (CPRA) amended CCPA effective 2023, but SC-900 focuses on CCPA. Be aware that CPRA introduced sensitive data categories and a new enforcement agency.
UK GDPR: Post-Brexit, the UK has its own GDPR but it is essentially the same. The exam may refer to 'UK GDPR' as a separate regulation.
How to Eliminate Wrong Answers
Look for numbers: If a question mentions a fine amount, check if it matches the regulation's specific penalty structure. If the amount is €10 million, it might be a distractor for GDPR.
Look for scope: If the scenario involves a company with no EU presence but processing EU data, GDPR applies. If the company is in California with $10M revenue, CCPA likely does not apply.
Look for rights: If a question asks about the right to opt-out of sale, that is CCPA-specific, not GDPR.
For Microsoft tools: Compliance Manager gives a score; Priva manages subject rights requests. Mixing these up is a common error.
GDPR applies to any organization processing personal data of EU residents, regardless of location.
GDPR maximum fine: €20 million or 4% of annual global turnover, whichever is higher.
Data breach notification to supervisory authority must occur within 72 hours of awareness.
Data subjects have eight rights: informed, access, rectification, erasure, restrict, portability, object, and automated decisions.
Six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, legitimate interests.
CCPA applies to businesses with >$25M revenue, >50K consumers, or >50% revenue from selling data.
LGPD fines: up to 2% of revenue in Brazil, capped at 50 million reais.
Microsoft Compliance Manager provides a compliance score; Microsoft Priva manages subject rights requests.
Data portability under GDPR only applies to automated processing based on consent or contract.
DPO appointment is mandatory for public authorities, large-scale monitoring, or large-scale processing of special categories.
These come up on the exam all the time. Here's how to tell them apart.
| | GDPR | CCPA |
|---|---|---|
| Applicability | Any organization processing personal data of EU residents | For-profit businesses with $25M+ revenue, 50K+ consumers, or 50% revenue from selling data |
| Maximum fine / penalty | €20M or 4% of global annual turnover | $7,500 per intentional violation, $2,500 per unintentional violation |
| DPO | Required for certain organizations | No DPO requirement |
| Rights | Eight data subject rights, including portability and erasure | Four main rights: know, delete, opt-out, non-discrimination |
| Breach notification | To authority within 72 hours | No specific breach notification timeline in CCPA (amended by CPRA) |

| | GDPR | LGPD |
|---|---|---|
| Lawful bases | Six | Ten, including credit protection |
| Supervisory authority | National bodies (e.g., ICO, CNIL) | ANPD (National Data Protection Authority) |
| Fine | Up to €20M or 4% of global turnover | Up to 2% of revenue in Brazil, capped at 50 million reais |
| Data portability | Applies to automated data based on consent/contract | Similar to GDPR |
| DPO | Mandatory for public authorities and large-scale monitoring | Mandatory for certain organizations, similar to GDPR |
Mistake
GDPR only applies to companies located in the European Union.
Correct
GDPR has extraterritorial scope. It applies to any organization, regardless of location, that processes personal data of individuals residing in the EU. For example, a US-based e-commerce site selling to EU customers must comply.
Mistake
The maximum fine under GDPR is a fixed €20 million.
Correct
The maximum fine is the higher of €20 million or 4% of the organization's annual global turnover. For large companies, the turnover-based amount can be substantially higher.
Mistake
Data portability under GDPR applies to all personal data an organization holds.
Correct
Data portability only applies to personal data processed by automated means and based on consent or contract. Manual or paper-based processing is excluded.
Mistake
CCPA is the US equivalent of GDPR with identical rights and penalties.
Correct
While similar, CCPA has different thresholds (e.g., $25M revenue, 50,000 consumers), different penalties ($7,500 intentional), and a distinct right to opt-out of sale. CCPA does not require a DPO.
Mistake
Once a DPIA is conducted, it does not need to be revisited.
Correct
DPIAs must be reviewed and updated when processing activities change or new risks emerge. They are living documents, not one-time exercises.
The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the controller. For example, a bank (controller) uses a cloud provider (processor) to store customer data. The controller is primarily responsible for compliance, but processors have direct obligations under GDPR, such as maintaining records of processing activities and implementing security measures.
No. DPO appointment is mandatory only for: (1) public authorities and bodies, (2) organizations that engage in large-scale systematic monitoring of individuals (e.g., online behavior tracking), and (3) organizations that process special categories of data (e.g., health, biometrics) on a large scale. Small businesses that do not meet these criteria are not required to appoint a DPO, though it is recommended.
A DPIA is a process to identify and minimize data protection risks of a project. It is required under GDPR when processing is likely to result in high risk to individuals' rights and freedoms, such as systematic profiling, large-scale processing of special categories, or monitoring of publicly accessible areas. The DPIA must describe the processing, assess necessity and proportionality, and outline measures to address risks.
Microsoft Compliance Manager provides a dashboard that assesses an organization's compliance posture against GDPR and other regulations. It offers a compliance score based on implemented controls, suggests improvement actions with step-by-step guidance, and allows you to track progress. It integrates with Microsoft 365 and Azure to automate evidence collection and reporting.
The right to data portability allows individuals to obtain their personal data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance. This right applies only to data processed by automated means and based on consent or contract. It does not apply to manual processing or data processed under other lawful bases.
CCPA penalties are $7,500 per intentional violation and $2,500 per unintentional violation. Unlike GDPR, there is no percentage-of-revenue cap. The California Attorney General enforces the law, and private right of action exists for data breaches, with statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
Yes, LGPD requires the appointment of a Data Protection Officer (DPO) for organizations that process personal data. The DPO's role is similar to GDPR: to advise on compliance, monitor adherence, and act as a point of contact with the ANPD and data subjects. The DPO's contact information must be publicly disclosed.