Security · IT Support
M365 Security & UK GDPR: Who's Liable?
7 July 2026

Reviewed by Blake Smith, Head of Service at LBT, who leads the team responsible for configuring and securing Microsoft 365 environments for LBT's managed clients. Last updated July 2026.
Here's a sentence we hear constantly, usually right before a problem: "We're fine, we're on Microsoft 365." Having Microsoft 365 says very little about whether your business has configured it to support UK GDPR obligations. Microsoft 365 is powerful, extensively documented, and genuinely capable of supporting compliance — but the platform being secure and your tenant being secure are two different things, and the gap between them is where most businesses actually live.
This is not legal advice. It's a practical technology risk guide to help business owners and operations leads understand which Microsoft 365 configuration choices usually affect their UK GDPR posture — for anyone who's been asked "are we GDPR compliant on Microsoft 365?" and wasn't entirely sure of the answer. If Microsoft 365 compliance is one symptom of a broader question about your IT support model, see what's included in LBT's managed IT support; and if you're unsure whether this is only a Microsoft 365 issue or part of a wider technology risk problem, our IT health check guide explains what a broader assessment should cover.
Microsoft's Job vs Your Job: The Shared Responsibility Model
Microsoft operates what's generally called a shared responsibility model. Microsoft is responsible for the security of the cloud: physical data centre security, platform uptime, and the underlying infrastructure. You are responsible for security in the cloud: who has access to what, how your data is configured, retention and classification, and whether the controls Microsoft makes available are actually switched on.
Microsoft's own compliance documentation is explicit that meeting a regulation like UK GDPR is a shared effort — the tools exist, but configuring and operating them compliantly is the customer's responsibility, not something that happens by default the moment you sign up (Microsoft Learn: GDPR). The Information Commissioner's Office has published Data Protection Impact Assessment guidance specifically covering Microsoft 365 deployments, reflecting how central the platform now is to UK businesses' data handling (ICO: Microsoft 365 DPIA) — which is itself a signal that "we use Microsoft 365" is not an answer regulators treat as sufficient on its own.
The Compliance Risks Hiding in a Default Microsoft 365 Tenant
Most compliance exposure in Microsoft 365 doesn't come from a dramatic breach — it comes from configuration that was never tightened after go-live. The risks we see most often:
- Weak or absent MFA — CoreView's analysis of Microsoft 365 environments found 87% of organisations had at least some administrators operating without multi-factor authentication, with MFA missing for 28% of admin accounts and 7% of user accounts (CoreView State of Microsoft 365) — and only 41% of organisations report having MFA enforcement in place, rather than relying on users to opt in or complete setup voluntarily.
- Oversharing in SharePoint and OneDrive — "Anyone" links, unclear file ownership, and permission sprawl across SharePoint, Teams and OneDrive routinely outpace anyone's ability to track who can actually see what.
- Unmanaged devices — company data accessible from personal phones and laptops with no encryption, no passcode requirement, and no way to remotely wipe them if lost.
- No retention policy — data kept indefinitely by default, or deleted before it should be, because nobody configured retention deliberately.
- Mailbox forwarding rules — a classic sign of a compromised account, and something that goes unnoticed for months without active mailbox auditing.
- Poor leaver process — former employees' accounts and access left active long after they've left the business.
- Lack of audit logging — no way to reconstruct who accessed or changed what, which becomes a serious problem the moment you need to demonstrate compliance after an incident.
None of these are Microsoft's failure. They're the result of a tenant that was set up for productivity and never revisited for compliance — and CoreView's research bears this out at scale: 45% of large organisations reported a security or compliance incident caused by a Microsoft 365 misconfiguration in the past 12 months, and 90% struggle to enforce even basic controls like password policies and failed-login monitoring (CoreView).
Our practical 6-step guide to securing Microsoft 365 — or, for the leadership-level case for why this matters, our executive guide to M365 business security.
What UK Businesses Should Actually Configure
Closing the gap between owning Microsoft 365 and being compliant on Microsoft 365 comes down to a defined list, not a mystery:
- Multi-factor authentication, enforced with no exceptions — including for the owner or MD
- Conditional Access policies governing sign-in risk, device compliance, and location
- Retention policies, set deliberately rather than left on default
- Data Loss Prevention (DLP) rules for sensitive data categories relevant to your business
- Audit logging, switched on and actually reviewed, not just enabled and forgotten
- Data classification, so sensitive information is labelled and handled consistently
- Device management, so only compliant, managed devices can access company data
- A genuine backup solution — Microsoft 365's retention and version history are not a substitute for independent backup of Exchange, SharePoint, OneDrive and Teams data
Some of these controls depend on your licence level, but the principle is the same: decide what data matters, who can access it, how long it should be kept, and how misuse or accidental exposure will be detected.
Where Business Premium Helps, and Where You Might Need More
Microsoft 365 Business Premium includes Microsoft Entra ID P1, which covers Conditional Access, enforced MFA, and the identity fundamentals most SMEs need to meet a reasonable compliance bar (Microsoft Learn). For many SMEs, Business Premium configured properly is a genuinely solid compliance foundation — the problem is almost always the "configured properly" part, not the licence.
Where businesses typically need to look beyond Business Premium is when they need advanced identity risk detection, deeper Defender capabilities, or sector-specific controls that exceed the SME baseline. Microsoft now offers the Microsoft Defender Suite for Business Premium — formerly known as the Microsoft 365 E5 Security add-on — giving organisations under 300 seats access to Microsoft Entra ID P2, Defender for Identity, Defender for Endpoint Plan 2, Defender for Office 365 Plan 2 and Defender for Cloud Apps, without moving fully to E3 or E5 (Microsoft Learn: Add Microsoft Defender Suite for Business Premium). Buying the higher tier without configuring it properly doesn't solve anything — licensing is the ceiling on what's possible, not the guarantee that it's switched on.
What This Means for Business Owners and Operations Leads
You don't need to become a Microsoft 365 engineer, but you do need someone accountable for the configuration. At leadership level, the questions are simple:
- Do we know who has access to sensitive data?
- Is MFA enforced for every user and admin, with no exceptions?
- Can we prove retention and deletion rules are deliberate, not default?
- Can we recover Microsoft 365 data independently if something is deleted or encrypted?
- Can we show evidence if a client, insurer or regulator asks?
If you can't answer those confidently, the issue isn't that Microsoft 365 is unsuitable. It's that the tenant needs reviewing.
How LBT Reviews Microsoft 365 in a Technology Resilience Score Assessment
Data protection and compliance is one of the ten domains scored in LBT's Technology Resilience Score™ assessment, alongside identity and access management and cyber security controls — because a Microsoft 365 compliance gap is rarely just a Microsoft 365 problem; it's usually a symptom of weaker identity and access practices across the whole estate. Rather than treating "are we GDPR compliant on M365" as a yes/no question, TRS™ gives you a scored, evidence-based view of exactly which configuration gaps are driving your exposure, and what fixing them is worth to the business — not just in reduced risk, but in the confidence to onboard bigger clients and pass their own due diligence.
Get an independent check of your Microsoft 365 security and compliance posture
Frequently Asked Questions
Is Microsoft 365 GDPR compliant out of the box?
No single product is "GDPR compliant" on its own — compliance depends on how data is configured, accessed, and governed. Microsoft 365 provides the tools to support UK GDPR compliance, but configuring and operating them correctly is the customer's responsibility.
What's the single biggest Microsoft 365 compliance risk for small businesses?
Oversharing and weak identity controls, in that order. Files shared more broadly than intended and admin accounts without enforced MFA are the two issues that show up most often once someone actually looks.
Do we need Microsoft 365 E5 to be compliant?
Not usually. Business Premium, properly configured, covers the compliance fundamentals most SMEs need. E5 or the Microsoft Defender Suite add-on becomes relevant when you need advanced risk-based detection or your sector demands a higher bar.
How do we know if our Microsoft 365 tenant has compliance gaps we don't know about?
An independent review — rather than a self-assessment — is the only reliable way. That's exactly what LBT's Technology Resilience Score™ assessment is built to surface.
Does having a Data Processing Agreement with Microsoft cover our compliance obligations?
No. A DPA with Microsoft covers Microsoft's obligations as a processor. Your obligations as the data controller — access control, retention, breach response, and data subject rights — remain yours regardless of what agreement is in place with any vendor.
Is your business's technology environment resilient?
Find out how prepared you really are to keep operating and recover quickly if disruption hits — with a free Technology Resilience Score™.