Foration Blog

Office 365 compliance in regulated industries

Paul Weeden

Written by Paul Weeden

Founder & Managing Director at Foration. IT and technology fixer.

[fa icon="clock-o"] 1 April 2015 [fa icon="user"] Paul Weeden [fa icon="folder-open'] Compliance, Office 365, regulated industries, FCA

Firms working within regulated industries, such as solicitor practices and financial services, are subject to strict regulatory standards. These standards extend across all aspects of business, including technology. Regulatory bodies, such as the Solicitors Regulation Authority and the Financial Conduct Authority, impose strict requirements around the management, processing and security of client data. Despite common misconceptions, these requirements do not preclude the use of Cloud based technologies.

In response to Brexit, we've published some update guidance for regulated business, that suppliments this article.  Please see the link at the bottom of this article for more information.

In this article, we look at Office 365 compliance in regulated industries and how it addresses key requirements.

Data Residency and Data Protection

The EU data protection regulation stipulates that data should not be transferred outside the EU, unless to a country with similarly high data protection standards. Office 365 complies with this legislation by adopting a regionalised data centre strategy, storing European customer data in either its Dublin or Amsterdam data centres.

In April 2014, Microsoft became the first (and to date, only) Cloud provider to receive approval from the Article 29 Working Party, an independent advisory body established by the European Parliament to focus on data protection. The ruling confirmed that Microsoft meets the high standards of EU data protection legislation so regardless of where data is stored, it is protected to a standard approved by EU authorities.

Microsoft is also certified under the Safe Harbor Framework, recognising companies aligned with EU data privacy rules. Businesses that wish to legally transfer data from the EU to the U.S. must comply with the Safe Harbour principles.

Client Confidentiality

Client confidentiality is a key concern for businesses working within regulated industries. Microsoft provides contractual security commitments that protect your data at all times. Confidential information will not be disclosed to third parties, nor used for any purpose other than that agreed. If a government request is received to access your data, Microsoft commit to notifying you, unless they are legally prohibited from doing so.


Regulatory bodies often request security compliance with IS027001 2005 as minimum. Office 365 and the infrastructure layer on which it relies are ISO 27001 certified, delivering:

  • 24-hour monitoring and restricted access to data centres
  • Encryption of data at rest and during transmission
  • Data loss prevention to avoid sensitive data from leaking either inside or outside the organization
  • Enforcement of "hard" passwords and multi-factor authentication

Data Ownership and Regulatory Access

Regulated firms must have adequate agreements with their providers to allow regulatory bodies to access and inspect their data. With Office 365, you own your data, retain all rights to it and can download a copy of it at any time. This can be done without Microsoft assistance and subsequently issued to your regulatory body.

Data Recovery

The data backup and continuity arrangements of your Cloud provider are important. Office 365 backs up your data at least once a week and maintains multiple copies across its data centres. It also commits to delivering at least 99.9% up-time with a financially-backed guarantee.

USA Patriot Act

The USA Patriot Act applies to companies based anywhere in the world with a US parent company. It obliges them to disclose information on their customers to US Government agencies without their knowledge or consent, potentially conflicting with EU data protection laws. Despite its severe reputation, the Patriot Act is no more intrusive than similar interception regimes across EU member states, such as the UK Regulation of Investigative Powers Act 2000. The Patriot Act is also limited in scope and does not apply to the majority of Cloud customers. Where it does apply, Microsoft’s certification with the Safe Harbor Agreement ensures compliance with the EU Data Protection Directive.


In response to Brexit, we've published an article detailing the areas you'll need to consider as part of your Cloud migration strategy.  Click here for more information. 


Microsoft is at the forefront of security and management of Cloud services. As highlighted above, Office 365 provides a good fit for companies working within heavily regulated industries. The benefits of Office 365 are there to be reaped and in addition to Microsoft's commitments, undertaking your own due diligence, establishing policies, security measures and training are key to ensuring continued regulatory compliance.

For more information on Office 365 and how it specifically complies with the Solicitors Regulation Authority, visit Office 365: A View on Legal Sector Guidance.

Click here to find out how we can help your business be compliant...

IT support for regulated business

Paul Weeden

Written by Paul Weeden

Founder & Managing Director at Foration. IT and technology fixer.

Subscribe to our Blog

Recent Posts