Is My Office 365 GDPR Compliant? : Security Issues in Authentication and Administration

The General Data Protection Regulation, commonly referred as GDPR, will be enforced in all European Union countries in May 2018. GDPR sets requirements for processing EU citizens’ personal data regardless of the physical location of the organisation processing the data. Over 40 percent of European organisations are using Office 365. Microsoft claims that Office 365 service is GDPR compliant, and has provided tools to help Office 365 customers to ensure their GDPR compliancy. In this paper, we present some security issues related to the very foundation of Office 365 service, namely Azure Active Directory and administrative tools, and assess their GDPR compliancy. Our findings reveal that personal data stored in Office 365 is subject to undetectable security breaches, preventing organisations to be GDPR compliant. We also propose actions to take to minimise the impact of the security issues. peerReviewed