Tags: GDPR, Article 32, Microsoft 365, Data Protection, Compliance

GDPR Article 32 and Microsoft 365: A Guide for Business Leaders

GDPR Article 32 requires appropriate technical safeguards for personal data. Default Microsoft 365 settings often fall short — with real liability consequences for directors.

By Stefan Stoll, 2 min read

Directors are personally liable under GDPR Article 32 — not just the organisation. Most assume Microsoft handles compliance for them; that assumption is wrong. Microsoft secures its infrastructure. Configuring your tenant is your responsibility.

What Article 32 Actually Requires

"Appropriate technical measures" means your tenant must be configured, not just capable. Microsoft provides the tools; compliance requires activation and configuration by the controller — that is you. An available-but-unused security feature offers zero protection under Article 32.

The regulation requires confidentiality, integrity, availability, and the ability to restore access to personal data following an incident. All of these depend on what is actually switched on in your environment.

Common Gaps in M365 Tenants

  • Multi-factor authentication not enforced for all users
  • Audit log retention set below regulatory minimum
  • No data loss prevention on sensitive data categories

Each of these gaps has a direct Article 32 implication. None of them are technical edge cases — they are default states that Microsoft ships to ensure broad compatibility. Compliance requires you to change them.

What Happens When a Gap Is Found

Supervisory authorities can investigate following a breach or complaint. Fines under Article 83 reach 4% of global turnover for serious violations and 2% for Article 32 breaches specifically. Regulators will ask what technical measures were in place — and whether they were actually configured.

Management personal liability depends on whether reasonable precautions were taken. A known, unaddressed security gap is a difficult position to defend. In some sectors — legal services, tax advisory, healthcare — negligent IT security can carry criminal exposure under national law alongside GDPR enforcement.

The Practical Starting Point

You cannot fix what you cannot see. A technical inventory of your M365 tenant shows which Article 32-relevant controls are active, which are partially configured, and which are absent. Most gaps can be closed through configuration changes alone — no new software or licences required.
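As an added example that is not part of the original post, the script below is a read-only PowerShell inventory of the three gaps listed above (MFA enforcement, audit log retention, DLP), built on the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module. The required retention period (`$RequiredRetention`) is an assumption to be replaced with the period your DPO or sector regulator requires; the script changes nothing in the tenant.

```powershell
# Added example, not the post's own tooling. Read-only check of the three
# Article 32 gaps named in the post. $RequiredRetention is an assumption.
param([string]$RequiredRetention = 'TwelveMonths')

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false   # for Get-AdminAuditLogConfig
Connect-IPPSSession                         # Security & Compliance cmdlets

$findings = @()

# 1. MFA: an enabled Conditional Access policy that requires MFA for all
#    users, or Security Defaults switched on. Otherwise MFA is not enforced.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$mfaForAll = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
$secDefaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
if (-not $mfaForAll -and -not $secDefaults) {
    $findings += 'MFA not enforced for all users (no tenant-wide CA policy, Security Defaults off)'
}

# 2. Audit logging: ingestion must be on and a retention policy with the
#    required duration must exist (exact match; durations are named values,
#    e.g. 'NinetyDays', 'TwelveMonths', not numbers you can compare with -ge).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += 'Unified audit log ingestion is disabled'
}
$retention = Get-UnifiedAuditLogRetentionPolicy
if (-not ($retention | Where-Object RetentionDuration -eq $RequiredRetention)) {
    $findings += "No audit log retention policy with duration $RequiredRetention"
}

# 3. DLP: at least one policy must be enforcing (Mode 'Enable'); policies
#    left in a test mode protect nothing.
$dlp = Get-DlpCompliancePolicy
if (-not ($dlp | Where-Object Mode -eq 'Enable')) {
    $findings += 'No DLP policy is in enforce mode'
}

# The output doubles as the evidence record the post mentions.
[pscustomobject]@{
    Tenant   = (Get-MgContext).TenantId
    Checked  = (Get-Date).ToString('u')
    Findings = if ($findings) { $findings -join '; ' } else { 'No gaps in the three checks' }
}
```

A Conditional Access policy that excludes a small set of break-glass accounts still counts as tenant-wide here; review such exclusions separately against your own policy.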

The inventory also produces documentation you can show a data protection officer or supervisory authority. That documentation is itself part of demonstrating compliance.

Find out whether your M365 tenant meets Article 32 requirements. Book your free compliance check — no commitment, results within 48 hours.

About the Author

Stefan Stoll

Cloud Security Consultant specializing in Microsoft 365 security, NIS2 compliance, and Zero Trust architecture for German enterprises.
