The UK Business Guide to GDPR and Microsoft 365 Compliance
GDPR compliance in Microsoft 365 goes beyond turning on retention policies. This guide covers DLP, eDiscovery, audit logs, and the settings most businesses miss.
Most businesses know they need to comply with UK GDPR. Fewer realise how much of what they need is already built into Microsoft 365, and how many organisations are not using it. This guide walks through the key compliance capabilities in Microsoft 365 and the settings that most businesses overlook.
Data Loss Prevention (DLP). Microsoft Purview DLP allows you to detect and prevent sensitive information, such as National Insurance numbers, credit card numbers, health data, and financial records, from being shared inappropriately via email, Teams, SharePoint, or OneDrive. DLP policies can automatically block, warn, or notify users in real time. Most organisations with Microsoft 365 Business Premium or E3 and above have access to DLP but have never configured it.
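As an added example (not from the article or from Cloud Centrify), the following Security & Compliance PowerShell configures the kind of DLP policy described above: a warn rule for low-volume matches and a block rule for bulk matches of UK National Insurance numbers and payment card numbers shared outside the organisation. It assumes the ExchangeOnlineManagement module and a compliance administrator role; the policy name, rule names and DPO mailbox are placeholders.

```powershell
# Added example, not from the article: a Purview DLP policy with a warn rule and a
# block rule for UK National Insurance numbers and payment card numbers.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
# Policy/rule names and the DPO mailbox are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell, interactive sign-in

$policyName = 'UK-GDPR-Personal-Data'   # placeholder name
$dpoMailbox = 'dpo@example.com'         # placeholder incident-report recipient

# Scope the policy to the workloads the article lists. Start in test mode with
# notifications so matches can be reviewed before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects UK NINO and card numbers in email, Teams, SharePoint and OneDrive' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule 1: one to four matches shared outside the organisation show a policy tip
# and notify the owner, but do not block.
New-DlpComplianceRule -Name "$policyName-Warn" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1'; maxCount = '4' },
        @{ Name = 'Credit Card Number';                    minCount = '1'; maxCount = '4' }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item appears to contain personal data. Check the recipients before sharing.' `
    -Priority 0

# Rule 2: five or more matches shared externally are blocked; the user can
# override only with a written justification, and the DPO gets an incident report.
New-DlpComplianceRule -Name "$policyName-Block" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '5' },
        @{ Name = 'Credit Card Number';                    minCount = '5' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $dpoMailbox `
    -ReportSeverityLevel High `
    -Priority 1

# Confirm the rules and their order, then enforce once the test-mode reports look right.
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Priority, BlockAccess, NotifyAllowOverride
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in `TestWithNotifications` for a few weeks is the step most rollouts skip: it shows how many legitimate workflows the rule would have interrupted (and how noisy the card-number classifier is against order numbers) before anyone is blocked.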
Retention policies and labels. UK GDPR requires that personal data is not kept longer than necessary. Microsoft Purview retention policies allow you to automatically delete or preserve content based on age, type, or label. This is essential for managing email archives, Teams messages, and SharePoint documents in a GDPR-compliant way. Retention labels can be applied automatically using machine learning classifiers trained to identify personal data.
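The following added example (not the article's own configuration) shows the retention pieces just described in Security & Compliance PowerShell: an organisation-wide retain-then-delete policy for mailboxes, SharePoint and OneDrive, a separate policy for Teams (Teams locations cannot share a policy with the others), and a shorter retention label for records containing personal data. The 7-year and 2-year durations and the names are placeholders to be replaced by your own retention schedule.

```powershell
# Added example, not from the article: baseline retention policies plus a label
# for personal data. Durations and names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$days7y = 7 * 365   # retention duration in days (placeholder period)

# Organisation-wide baseline: keep for 7 years from last modification, then delete.
New-RetentionCompliancePolicy -Name 'UK-Baseline-7y' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'UK-Baseline-7y-Rule' -Policy 'UK-Baseline-7y' `
    -RetentionDuration $days7y -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Teams chats and channel messages are a separate location set and need their own policy.
New-RetentionCompliancePolicy -Name 'UK-Teams-7y' -TeamsChatLocation All -TeamsChannelLocation All
New-RetentionComplianceRule -Name 'UK-Teams-7y-Rule' -Policy 'UK-Teams-7y' `
    -RetentionDuration $days7y -RetentionComplianceAction KeepAndDelete

# A label for content holding personal data that should expire sooner:
# delete 2 years after creation. Users (or an auto-apply policy) attach it to items.
New-ComplianceTag -Name 'Personal data - 2 years' `
    -Comment 'Records containing personal data; storage-limitation period' `
    -RetentionAction KeepAndDelete -RetentionDuration 730 -RetentionType CreationAgeInDays

# Check what was created
Get-RetentionCompliancePolicy | Format-Table Name, Enabled, Workload
Get-RetentionComplianceRule | Format-Table Name, Policy, RetentionDuration, RetentionComplianceAction
```

Note that a retention label with a shorter period wins over a longer policy only for deletion after the longest retention has expired; an item under a 7-year retain policy is not deleted at 2 years just because it carries the label. Model the overlap before relying on labels to enforce the "no longer than necessary" requirement.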
Sensitivity labels. Microsoft Information Protection allows you to classify and label documents and emails based on their sensitivity. Labels can apply encryption, restrict forwarding, and add visual markings. For businesses handling commercially sensitive or personal data, sensitivity labels are one of the most effective controls available.
Audit logging. Microsoft 365 maintains a unified audit log covering user and admin activity across Exchange, SharePoint, Teams, OneDrive, and more. Under GDPR, being able to demonstrate who accessed what data and when is essential for breach investigation and regulatory reporting. Audit log retention defaults are 90 days for most plans, extendable to one year or longer with E5 or the Purview add-on.
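As an added example of the "who accessed what and when" question, not taken from the article, this Exchange Online PowerShell pulls 30 days of file and mailbox access events for one user from the unified audit log, pages through results (a single call returns at most 5000 records), expands the `AuditData` JSON, and exports a reviewable CSV. The user address is a placeholder; `MailItemsAccessed` events are only recorded on plans with Purview Audit (Premium).

```powershell
# Added example, not from the article: extract and triage unified audit log
# events for one account. The user address is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # Search-UnifiedAuditLog is in the Exchange Online cmdlet set

$user      = 'jane.doe@example.com'     # placeholder account under investigation
$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$sessionId = "audit-$(Get-Date -Format yyyyMMddHHmmss)"

# Page through results: with ReturnLargeSet, repeating the call with the same
# SessionId returns the next page until nothing is left.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user `
        -Operations FileAccessed,FileDownloaded,FileSyncDownloadedFull,MailItemsAccessed `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; expand the fields an investigator needs.
$rows = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        User      = $_.UserIds
        Workload  = $d.Workload
        Object    = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

$rows | Sort-Object Time |
    Export-Csv -Path ".\audit-$($user.Split('@')[0]).csv" -NoTypeInformation

# Quick triage: downloads grouped by source IP surface unfamiliar locations or
# bulk pulls that warrant a closer look.
$rows | Where-Object Operation -eq 'FileDownloaded' |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run this against a test account before you need it for a real incident: the first time most organisations try it is the day after a breach, which is also when they discover that the events they wanted have already aged out of the retention window.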
Subject Access Requests (SARs). Under UK GDPR, individuals have the right to request all personal data you hold about them. Microsoft Purview's Content Search and eDiscovery tools allow you to search across all Microsoft 365 services for content relating to a specific person, making SAR responses significantly faster and more complete.
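The following is an added example of a SAR search with Content Search, not the article's own procedure. It creates a search across all mailboxes (which also covers Teams chat, since Teams messages are stored in mailboxes) and all SharePoint sites including OneDrive, using a KQL query for items the data subject sent, received or is named in, then waits for completion and generates a preview for review. The subject's name and address are placeholders.

```powershell
# Added example, not from the article: a Content Search for a subject access
# request. Subject name and address are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$subjectName  = 'Jane Doe'              # placeholder data subject
$subjectEmail = 'jane.doe@example.com'  # placeholder address
$searchName   = "SAR-$(Get-Date -Format yyyyMMdd)-JaneDoe"

# KQL: mail/Teams items the subject participated in, or any item mentioning
# their name or address. Widen with known aliases or former names as needed.
$query = "participants:$subjectEmail OR `"$subjectName`" OR `"$subjectEmail`""

New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery $query `
    -Description 'UK GDPR Article 15 subject access request'

Start-ComplianceSearch -Identity $searchName

# Poll until the search finishes, then report item count and size.
do {
    Start-Sleep -Seconds 30
    $s = Get-ComplianceSearch -Identity $searchName
} while ($s.Status -notin 'Completed', 'PartiallySucceeded', 'Failed')

"{0}: {1} items, {2:N1} MB" -f $s.Status, $s.Items, ($s.Size / 1MB)

# Generate a preview so a reviewer can sift results before anything is exported
# (export is a separate action: New-ComplianceSearchAction -Export).
New-ComplianceSearchAction -SearchName $searchName -Preview
Get-ComplianceSearchAction -Identity "$($searchName)_Preview" | Select-Object Name, Status
```

A name-only query will also return third parties' data and documents about other people with the same name, so review before disclosure is not optional; the preview step exists so that redaction happens before the bundle leaves the tenant.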
The ICO expects organisations to be able to demonstrate their compliance controls, not just assert them. Microsoft 365 provides the tools. Cloud Centrify can help you configure them correctly, document your data processing activities, and prepare for regulatory scrutiny.
