An Introduction to GDPR Compliance in an Azure environment

GDPR is short for General Data Protection Regulation, it is a European Union law created to protect personal data to be collected and used without the user’s consent.

In this article, we will describe the required steps to be GDPR Compliant when we are talking about collecting, storing, and using user data. Also, as GDPR Compliance is a whole new world with its own semantics, huge attention will be given to the terminologies that we usually find when talking about consent management.

To finalize the article, we will give also a brief description of how to collect users’ consents to access Microsoft services, such as calendars and messages from Exchange in Microsoft 365, using Azure AD Consent Framework.

There are different types of GDPR Compliance, but the focus of this blog post will be on General Consent Compliance. Below is an overview of the three types of GDPR Compliance:

Cookie Consent Compliance

This compliance type is related to receiving users’ consent before using any cookies, except strictly necessary cookies. The data and the purpose that each cookie tracks must be detailed in an accurate and specific way before consent is given. Also, if consent is not given, then this should not block users from using your service.

User’s consent must also be documented and stored. Withdrawing the consent must be as easy as giving it.

App Consent Compliance

Mobile applications should also collect users’ consent before collecting and sharing their data. This consent may be given once when the mobile application is used for the first time, or it can be given before a functionality that collects user data is used.

For example, the user may be required to give consent to the mobile application to track his location when the application is used for the first time, or the user may be required to give consent to the application to access his location every time the tracking functionality is used. The consent must be given, no matter if once or if the consent is given every time is required.

Any consent requested must be clear on how and why this information is going to be collected. Users must be allowed to easily remove the given consent as well.

General Consent Compliance

The general consent compliance process involves obtaining consent from users before storing their data, with a clear description of the purposes of how the data subject will be used by the data processor. Obtaining the consent could be in a Single or Double Opt-in, depending on the requirements.

Also, the general consent compliance framework demands the possibility for users to easily withdraw or update their preferences, including the ability to completely withdraw the consent or remove it for one or multiple purposes.

Terminologies

To fully understand the GDPR requirements it is vital to understand the terminologies and their meaning. Below, GDPR’s main terminologies and processes are described.

  • Data subject
  • Data controller
  • Data processor
  • Personal data
  • Purposes

Data subject

A data subject is any person formally residing in the EU who has their data collected, held, or processed by a data controller or data processor. When we consent our information to be stored, held, or processed by any data controller or data processor then we are the data subjects.

Data controller

A data controller refers to the entity responsible for determining the purpose and lawful basis for processing personal data.

In short, data controllers are the ones who decide why and how data subjects are being used and collected.

Data processor

The data processor is the entity that collaborates with the data controller, which refers to the individual responsible for processing personal data on behalf of the data controller.

Processing involves any automated or manual operation performed on personal data or subsets of personal data, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, and so on.

Personal data

Refers to any information related to a data subject that can directly or indirectly identify a person’s identity, as it relates to their private, professional, or public life. This information includes name, email address, photos, or even bank statements.

Purposes

Purposes are the key building blocks of Consent Management and are needed to set up Collection Points and Preference Centers.

A person’s consent is always stored against a defined purpose for which their data is collected or processed.

Obtaining the Consent

Obtaining consent from the data subject refers to any “freely given, specific, informed and unambiguous indication” that the data subject agrees to the processing of personal data related to them. Data subjects can provide consent with either a statement or explicit affirmative action.

There are two different ways to obtain the consent of the data subject, the single opt-in and the double opt-in.

Single Opt-In

The Single Opt-In method is the simplest one. It occurs when the person agrees to have his information collected. This agreement can be in many ways, but the most common is through a check box in a web form or a dialogue box.

Double Opt-In

The Double Opt-In is a more complex, two-step method. The double opt-in starts with a regular single opt-in, the difference is that the person receives a confirmation mail in their mailbox whereas the person must click on the link to confirm the consent.

Withdrawing the Consent – Opt-Out

Withdrawing the consent, or Opting-Out must be as easy as giving it. The person may withdraw the consent related to one or all purposes.

Preference Management

Preference management is usually handled by a preference center dashboard, whereas customers can manage their subscription preferences. In the preference center, customers should be able to set their preferences in a more granular way, other than being able to opt-in and opt-out through their different content choices, For example, customers should be able to set the frequency when they would like to be contacted.

If you give your customers the unique possibility to opt out through your preference center, it’s a good practice to review this strategy with the marketing team since it is through the right preference management strategy that you will be able to bring more value to your customers, reaching them when they want and with the content that they are more interested into.

Preference Center

Preference Centers is the name given to the pages used to update communication preferences. In the preference center, users can choose their subscription preferences and choose to opt in or opt out of any of them.

How can you set up your Consent Management Platform?

You may set up your Consent Management Platform from scratch or use existing tools that help you manage this feature. Make sure that you respect all the compliance requirements in the process.

At first, if you do not have experience with GDPR rules, it is highly recommended to use existing tools to manage your customer’s consent. Existing tools will provide built-in mechanisms and will help you through the process of being GDPR compliant.

But if you want to have your own Consent Management Platform with custom Data Controllers, Data Processors, and Preference Centers, then you must contact an attorney specialized in GDPR compliance to audit your process to validate it end to end.

GDPR compliance checklist

If you are unsure if your system is 100% compliant you can use the GDPR’s compliance checklist from the link below. This checklist, though not official, provides information, up to date with many details, that can help you better understand what is needed in each of the steps.

GDPR compliance non-official checklist

As this checklist is not official, we again highly recommend that you contact an attorney specializing in GDPR compliance, who can apply the law to your specific context and requirements.

Azure AD Consent Framework

The Azure AD Consent Framework is built on OAuth 2.0, making it possible to access the users’ resources after consent in many different types of client applications (phone, tablet, server, or web application). To use the Azure AD Consent Framework and collect information from other APIs on behalf of the user, your application must be registered in Azure AD App Registrations.

The Azure AD Consent workflow is described in the picture below, with the Microsoft Graph API being responsible for making the bridge between your App and the desired service.

From your Application in Azure App Registrations, navigate to API permissions and select the scopes that you would like to have consent from your users. In the picture below you can see that the API has the permission to read the user profile from Microsoft Graph.


The first time that your users log into your application, they will be asked to give their consent according to the permissions set above. If the users grant their permission, then your application will access user data on their behalf.

After consent, now your App can collect the users’ data.

How can we help you?

At Stellium we can help you analyze your business environment and explore together how to be compliant when storing and processing user data to avoid unwanted fines.