DSR Requests
Start course

This course is designed to give you a firm understanding of the compliance features available to a Microsoft 365 administrator and how to manage regulatory compliance in a Microsoft 365 environment. Taking this course will also help you to prepare for the regulatory and compliance aspects of Microsoft's MS-500 certification exam.

Learning Objectives

  • Understand what regulatory compliance is
  • Plan and implement regulatory compliance features
  • Learn how to manage regulatory compliance in Microsoft 365
  • Manage Data Subject Rights (DSR) requests
  • Report on compliance in Microsoft 365

Intended Audience

This course is intended for anyone who wants a greater understanding of the regulatory compliance features that are available in Microsoft 365.


To get the most out of this course, you should have some experience using Microsoft 365 and a basic understanding of how the Microsoft 365 system works.

External Resources

Microsoft Compliance Offerings: 

Microsoft 365 GDPR action plan: 

Microsoft Compliance Documentation & Resources: 




So next we're going to cover DSR or Data Subject Rights. Now, so this all makes sense, there are a couple of terms that you will need to get familiar with. The first one is data subject. Now a data subject is the person whose identifiable data is being held. So for example, if you're a citizen of the EU and Cloud Academy held some data on you that would mean you would be the data subject.

The next term is data controller, which is sometimes just called the controller. Now the controller is the organization that is holding the data. So in the last example, Cloud Academy would be the data controller.

The third term that you need to know is the processor. The processor is the entity that is storing the data on behalf of the controller. So let's imagine Cloud Academy is storing all of your personal data in SharePoint that makes Microsoft the processor as Microsoft is actually processing and storing that data on behalf of the controller Cloud Academy.

So now we have those definitions out of the way, what actually is a DSR? So with the GDPR it gives data subjects the following rights for their personal data. To obtain copies of their personal data, to request corrections of their personal data, to restrict processing of their data, to delete their data, and also to receive their data in an electronic format so it can be moved to another controller.

A formal request by the data subject to the data controller to take any of these actions is called a Data Subject Rights Requests or a DSR Requests for short. Now as a data controller, you are obligated to promptly consider each DSR Request and provide a substantive response either by taking the request action or by providing an explanation to the data subject why the DSR cannot be accommodated by the controller.

It is advised to consult with legal or compliance advisors inside of your organization or outside of your organization regarding the proper disposition of any DSRs. There are several processes that may be involved in completing a DSR. The first one is the discovery process. This will be involved in all DSR Requests as you cannot act on a DSR without actually discovering the data.

The access process is the retrieval and potential transmission to the data subject of the discovered data. The rectify process is when the data subject has requested changes to their personally identifiable data and you as the data controller will implement the changes or requests the changes to the data. The restrict process as it sounds like, is changing the access rights to the personal data, or even possibly moving it out of the Microsoft cloud.

The export process is similar to the access process but in the export process you are providing a structured machine-readable format of that data. The basis of this is because the data subject has the right to data portability or to move that data to a different data controller. Exporting the data gives the data subject the means to do this. The delete process, now this one's pretty straightforward, it is the removal of personal data from the Microsoft cloud.

About the Author

Jake is an IT manager for a managed services company that works with small- to medium-size businesses and manages their IT. He mainly works with a Microsoft Stack, from Servers to Microsoft 365 & Azure. He also specializes in business process improvement helping businesses to leverage technology to speed up their workflows. Jake really enjoys testing out new technologies and seeing what they can do. Outside of work he enjoys kayak fishing, gardening, and going to the gym.