Matti Neustadt Storie, Microsoft
Alex Harmon, Microsoft
Christopher Mills, Microsoft

The European Union’s General Data Protection Regulation (GDPR) is the most impactful privacy law of the last generation. The GDPR requires us to apply more rigor to data privacy to avoid burdensome restrictions on data collection and use, significant fines, and credibility issues. Microsoft has developed a cross-company privacy architecture that will help enable compliance with this law, and those efforts include processes and procedures to manage and delete data as well as respond to data subject requests and enforce data subject rights.

A general misunderstanding of when to de-identify items such as IP addresses, email addresses, internal customer or resource IDs, certificate thumbprints, VM names, or any other piece of information that can be considered “Personal Data” can have a negative impact on security response. Learning how to work within the law while still preserving key evidence, such as service tenant VM names, crash dumps, system logs containing personal identifiers, subscription IDs, or identifying content relating to vulnerability descriptions or proofs-of-concept, is necessary to continue work in cybersecurity threat intelligence, forensic investigation, attacker attribution, and incident response.

This presentation is designed to provide actionable information about how you can address your GDPR compliance obligations while still ensuring an effective cybersecurity readiness program.