A First Look at Compliance Manager for GDPR

Reading Time: 3 minutes

I had an opportunity to test-drive the new Compliance Manager currently in Preview for Office 365. In my day-to-day work with clients, I spend quite a bit of my time focusing on data protection and governance so when Microsoft announced the Compliance Manager at Ignite in September, I was looking forward to trying it out and seeing what kind of assessment and recommendations it would make.

Click here to sign up for the Preview program. Once you do, it will activate it for your tenant and then you can launch the Compliance Manager via this URL:


The preview program includes the following capabilities:

  • A dashboard to summarize Microsoft’s and your GDPR, ISO 27001, and ISO 27018 control implementation progress for Office 365
  • Actionable insights to help you improve your data protection capabilities
  • Control management and audit-ready reporting tools

Microsoft is looking for our feedback on the Preview product so try it out and make sure you give them some!

With GDPR being top-of-mind for many in the industry right now (and since it’s one of the three regulations included in the Preview), I focused on how the Compliance Manager would report on that regulation.

The GDPR Assessment covers these Office 365 Cloud Services:

Services in-scope for GDPR Assessment

Let’s take a look at how my small tenant (with no controls implemented) is assessed for GDPR compliance. Not surprisingly, it identifies 0 of 47 controls implemented since no work has been done on the controls in this tenant.


Two things struck me, however, about the GDPR assessment on my tenant’s dashboard:

First, the sheer volume of controls an organization has to implement to be compliant with the regulation is alarming. 47!

Second is the level of planning, documentation, implementation and testing that goes into each one of those controls once you dig into the details.

In the example assessment above, if you click the GDPR hyperlink on your dashboard, Microsoft has provided detailed steps for each of the 47 customer controls to help an organization implement them.

For example, one of the controls is Access Control.

Customer Actions for Access Control includes, among other things, data classification, data loss prevention, access control policies and retention schedules. For each control, the customer would update the following:

Properties to be set for each Customer Control
  1. Status values: Not Implemented, Implemented, Alternative Implementation, Planned, Not In Scope
  2. Test Result values: Not Assessed, Passed, Failed-Low Risk, Failed-Medium Risk, Failed-High Risk

The customer is responsible for not only documenting the policies and procedures around each of these controls but also testing and implementing the specific technical features within Office 365 for each. A big undertaking to say the least.

I have recently blogged about the Office 365 Information Manager role and the importance of it. Implementing the customer actions identified above is one of the many reasons why this role will be critical going forward.

Organizations with a GDPR requirement should start leveraging this tool to lay the groundwork for the very big job in front of them. If an organization was under-estimating the work required to become compliant with the GDPR, this tool should be an abrupt wake-up call for them.

Thanks for reading.


Photo by Денис Евстратов on Unsplash

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.