Chapter 19 — Azure Compliance & Privacy

Why Compliance Matters in the Cloud

When organizations move data to the cloud, they must ensure that:

  • Regulatory requirements are met (laws such as GDPR and HIPAA, and industry standards such as PCI DSS)

  • Customer data is handled with privacy and care

  • Security controls meet industry standards

  • Microsoft's practices can be audited and trusted

Azure provides tools and documentation to help you understand, meet, and prove compliance.


Key Compliance Concepts

Term              Meaning
────────────────  ─────────────────────────────────────────────────────────────────
Compliance        Meeting regulatory, legal, or industry requirements
Data residency    Where your data is physically stored
Data sovereignty  Legal control over data based on the location where it is stored
Privacy           How personal data is collected, used, and protected
Audit             Independent verification that controls are in place
Certification     Third-party confirmation of compliance (e.g., ISO 27001 certified)


1. Microsoft Trust Center

What Is It?

The Microsoft Trust Center is the central resource for understanding how Microsoft approaches security, privacy, and compliance across all its products, including Azure.

Access it at: microsoft.com/en-us/trust-center

What You'll Find in the Trust Center

Section       Content
────────────  ──────────────────────────────────────────────────────
Privacy       How Microsoft collects and uses your data
Security      Microsoft's security practices and commitments
Compliance    Compliance offerings — certifications and regulations
Legal         Legal terms, contracts, regulatory compliance
Transparency  Government requests for data, data flows

The Trust Center is designed for:

  • Legal and compliance teams

  • IT security teams

  • Executives evaluating Azure for regulated industries


2. Azure Compliance Documentation

What Is It?

Microsoft provides detailed compliance documentation explaining how Azure meets specific regulatory requirements. This is available at:

learn.microsoft.com/en-us/azure/compliance/

Azure Compliance Offerings Overview

Azure has over 100 compliance certifications — more than any other cloud provider. Here are the major ones relevant to AZ-900:

Global Standards

Standard   What It Is
─────────  ─────────────────────────────────────────────────────────────────────
ISO 27001  International standard for information security management
ISO 27018  Privacy in cloud computing — protection of personal data
SOC 1      Internal controls over financial reporting
SOC 2      Security, availability, processing integrity, confidentiality, privacy
SOC 3      Publicly available summary of a SOC 2 audit

Regional / Government

Standard    Region/Country  What It Covers
──────────  ──────────────  ──────────────────────────────────────────
GDPR        European Union  Protection of EU residents' personal data
UK G-Cloud  United Kingdom  UK government cloud services
FedRAMP     United States   US federal government cloud usage
DoD CC SRG  United States   US Department of Defense cloud security requirements
IRAP        Australia       Australian government
MTCS        Singapore       Singapore government

Industry-Specific

Standard        Industry            What It Covers
──────────────  ──────────────────  ─────────────────────────────────
HIPAA / HITECH  Healthcare          US patient health information
PCI DSS         Financial / Retail  Payment card data security
FERPA           Education           US student education records
ITAR            Defense             US export-controlled defense data


3. GDPR — General Data Protection Regulation

What Is It?

GDPR is an EU regulation that governs how organizations collect, store, process, and share the personal data of EU residents — regardless of where the organization is based.

Effective since: May 25, 2018

Key GDPR Principles

Principle           Meaning
──────────────────  ────────────────────────────────────────────────────
Lawfulness          You must have a legal basis to process personal data
Purpose limitation  Collect data only for a specific, stated purpose
Data minimization   Collect only the data you actually need
Accuracy            Keep personal data accurate and up to date
Storage limitation  Don't keep data longer than necessary
Security            Protect data with appropriate security measures
Accountability      Be able to prove you comply

GDPR Rights for Individuals

Right                        Description
───────────────────────────  ─────────────────────────────────────────
Right to access              Individuals can request to see their data
Right to erasure             "Right to be forgotten" — delete their data
Right to portability         Receive their data in a portable format
Right to rectification       Correct inaccurate data
Right to restrict processing Limit how their data is used

GDPR Penalties

  • Up to €20 million or 4% of global annual revenue, whichever is higher.

How Azure Helps with GDPR

  • Data Processing Agreements (DPAs) with Microsoft as data processor

  • Data residency — keep data in EU regions

  • Encryption, access controls, audit logs

  • Microsoft Purview for data governance and compliance

  • Azure Policy for enforcing data handling rules
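As an added illustration (not from the original chapter), the following custom Azure Policy definition enforces the data-residency point above: it denies creation of any resource outside the EU regions listed in its parameter, using the same rule shape as Azure's built-in "Allowed locations" policy. The display name, description, and the default region list are assumptions chosen for the example.

```json
{
  "properties": {
    "displayName": "Restrict resource locations to EU regions (data residency)",
    "policyType": "Custom",
    "mode": "All",
    "description": "Denies creation of resources outside the approved EU regions so personal data stays in the EU.",
    "metadata": {
      "category": "General",
      "note": "Example definition added for illustration; region list is an assumption, adjust to your residency requirements."
    },
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Azure regions in which resources may be created",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "northeurope", "germanywestcentral", "francecentral"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assign the definition at management-group or subscription scope so it applies to every resource group beneath it. The deny effect only blocks new or updated resources; resources that already exist outside the list are flagged as non-compliant in the policy compliance view, not removed, so review that view after assignment.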


4. Microsoft Purview

What Is It?

Microsoft Purview is a unified data governance and compliance solution. It helps organizations:

  • Discover and understand their data across all environments

  • Protect sensitive data

  • Manage data access

  • Meet compliance obligations

Key Purview Capabilities

Capability                  Description
──────────────────────────  ─────────────────────────────────────────────────────────────────────────────
Data Map                    Automatically discover and classify data across Azure, on-premises, and multi-cloud
Data Catalog                Browse and search your data assets
Data Loss Prevention (DLP)  Prevent sensitive data from leaving the organization
Information Protection      Apply sensitivity labels to documents and emails
Compliance Manager          Assess and manage your compliance posture
Audit                       Track user and admin activity across Microsoft 365 and Azure
eDiscovery                  Search, hold, and export data for legal purposes


5. Compliance Manager

What Is It?

Microsoft Compliance Manager (part of Microsoft Purview) is a risk assessment tool that helps you manage compliance activities across Microsoft cloud services.

It provides:

  • A compliance score — how well your configuration meets regulatory requirements

  • Action items — what you need to do to improve compliance

  • Templates for 300+ regulatory standards

  • Pre-built assessments for GDPR, ISO 27001, HIPAA, NIST, etc.

Example of what Compliance Manager reports (illustrative values):

Compliance Score: 68%
──────────────────────
GDPR Assessment:     72% compliant
ISO 27001 Assessment: 65% compliant
HIPAA Assessment:    58% compliant

Top actions to improve:
  1. Enable audit logging for all services
  2. Implement data retention policies
  3. Enable MFA for all users
  4. Classify and label sensitive data

6. Azure Privacy Statement

What Is It?

The Microsoft Privacy Statement explains what data Microsoft collects, how it is used, and how you can manage your data.

Key commitments:

  • Microsoft will not sell your data to third parties

  • Microsoft will only use your data to provide services (not for advertising profiling)

  • You can export and delete your data

  • Microsoft publishes transparency reports on government data requests

Read it at: privacy.microsoft.com


7. Online Service Terms and Data Processing Agreement

Online Service Terms (OST)

The Online Service Terms (now called the Product Terms) are the legal agreement between you and Microsoft for using Azure services. They define:

  • What Microsoft will and won't do with your data

  • Service availability commitments

  • Data processing and protection terms

Data Processing Agreement (DPA)

The DPA is included within the OST/Product Terms. It:

  • Makes Microsoft a data processor on your behalf (you are the data controller)

  • Ensures Microsoft processes your data according to your instructions

  • Meets GDPR requirements for third-party data processing agreements


Compliance Summary

Tool / Standard        Purpose
─────────────────────  ──────────────────────────────────────────────────────────────────
Trust Center           Central resource for Microsoft's compliance and privacy commitments
Azure Compliance Docs  Detailed per-regulation compliance guides
ISO 27001              Global information security management standard
SOC 2                  Security and privacy controls audit
GDPR                   EU personal data protection regulation
HIPAA                  US healthcare patient data regulation
PCI DSS                Payment card data security
Microsoft Purview      Data governance, DLP, compliance management
Compliance Manager     Compliance score and action items
Privacy Statement      Microsoft's data use commitments


Quick Recap

Trust Center         → Microsoft's security/privacy/compliance hub
Azure Compliance     → 100+ certifications (ISO, SOC, FedRAMP, GDPR)
GDPR                 → EU personal data law — fines up to €20M or 4% of global revenue
HIPAA                → US healthcare data law
PCI DSS              → Payment card data security
Microsoft Purview    → Data governance + compliance management platform
Compliance Manager   → Score your compliance, get action items
Privacy Statement    → How Microsoft uses your data (they don't sell it)

Next Chapter → Chapter 20: AZ-900 Exam Preparation Guide