Microsoft Purview Compliance Manager – GDPR and ISO 27001 Tracking for Small Businesses in Berlin
Most Berlin SMBs understand that they have compliance obligations — GDPR at minimum, often ISO 27001 aspirations if they serve regulated clients, and increasingly specific frameworks required by enterprise customers or insurers. What they typically lack is a structured way to track their compliance posture, identify gaps, and demonstrate progress. Microsoft Purview Compliance Manager is the Microsoft 365 tool that bridges the gap between knowing you have compliance obligations and actually managing them systematically.
What Compliance Manager Does
Compliance Manager provides:
- A Compliance Score — a numerical score (0–100%) representing your current compliance posture based on implemented controls, analogous to Secure Score but for regulatory compliance
- Assessments — structured evaluations against specific regulatory frameworks (GDPR, ISO 27001, SOC 2, NIS 2, etc.) broken into controls, implementation guidance, and testing procedures
- Improvement Actions — specific technical or procedural steps that increase your score, each with Microsoft documentation and owner assignment capability
- Automated control testing — for controls that can be verified through Microsoft 365 configuration (e.g., MFA enforcement, encryption at rest), Compliance Manager reads your actual tenant configuration and auto-updates test status
The Compliance Score Model
The score is weighted across two dimensions:
| Dimension | Weight | Meaning |
|---|---|---|
| Microsoft-managed controls | ~40% | Controls Microsoft handles in their infrastructure (physical security, platform encryption, datacenter compliance) — automatically credited |
| Customer-managed controls | ~60% | Controls you implement in your tenant and organization — require your action |
This means your starting score is often already 30–50% before you configure anything, because Microsoft’s platform controls contribute. The actionable portion is the customer-managed controls, which Compliance Manager surfaces as Improvement Actions.
Available Assessment Templates
Compliance Manager includes over 360 regulatory templates. Relevant for Berlin SMBs:
| Framework | Included In | Priority |
|---|---|---|
| GDPR | M365 Business Premium / E3 | Mandatory for all |
| ISO/IEC 27001:2022 | Included | High if enterprise customers require it |
| NIS 2 Directive | Included | High for critical infrastructure supply chains |
| SOC 2 | Included | Relevant for SaaS/MSP businesses |
| BSI C5 | Included | Relevant for cloud services targeting German public sector |
You can activate multiple assessments and track them simultaneously. The GDPR assessment is the natural starting point for any Berlin business. ISO 27001 is the next natural layer if you’re pursuing certification or if clients require it.
How Automated Testing Works
For technical controls that Microsoft can directly verify, Compliance Manager periodically scans your Microsoft 365 configuration and automatically marks improvement actions as “Passed” or “Failed.” Examples of automatically tested controls:
- Multi-factor authentication enforcement
- Password policy configuration
- Data encryption at rest and in transit
- Audit logging enabled
- Data loss prevention policy existence
- Sensitivity label publication
- Privileged access controls
For controls that require human judgment or external documentation (e.g., “Does the organization have a documented incident response procedure?”), you manually mark the control as implemented, upload evidence documents, and set the test date. Compliance Manager stores the evidence chain for audit purposes.
Improvement Actions Workflow
Navigation: Microsoft Purview compliance portal → Compliance Manager → Improvement actions
Each improvement action shows:
- Current score contribution: how many points implementing this action adds
- Control type: Preventive, Detective, or Corrective
- Implementation guidance: step-by-step instructions or links to Microsoft documentation
- Test status: Not assessed / Passed / Failed / Low risk / Non-Microsoft
- Owner assignment: you can assign each action to a team member for accountability
For an SMB starting from scratch, filter by high point value + automated testing first — these are the technical controls that immediately update your score once configured in your tenant, with zero documentation overhead.
Compliance Manager and GDPR Specifically
The GDPR assessment in Compliance Manager maps its controls to the specific GDPR articles they address. For Article 25 (Data Protection by Design and Default), relevant improvement actions include:
- Enable sensitivity labels (links directly to your AIP/sensitivity label configuration)
- Configure DLP policies (detected from your Purview DLP deployment)
- Enable customer lockbox
- Configure data retention policies
This is not a legal compliance tool — it does not replace a Data Protection Impact Assessment, a privacy attorney, or your Datenschutzbeauftragter. What it does is help you demonstrate to auditors, clients, and insurers that your Microsoft 365 technical controls are implemented and tracked against recognized frameworks.
Licensing Requirements
Compliance Manager core functionality (assessments, improvement actions, score) is included in:
- Microsoft 365 Business Premium
- Microsoft 365 E3 / E5
- Office 365 E3 / E5
Premium assessment templates beyond the default set (some industry-specific frameworks) may require Microsoft Purview Compliance P1/P2 (included in E5 or available as an add-on).
Operationalizing Compliance Manager for an SMB
- Activate the GDPR assessment — this is your baseline
- Review the Improvement Actions dashboard filtered by highest score impact
- Assign each action to an owner with a target date
- Implement the top 10–15 technical improvement actions (most have direct Intune/Entra/Purview configuration steps)
- Upload evidence for procedural controls (incident response plan, data classification policy, vendor agreements)
- Enable automated testing refresh — Compliance Manager rescans on its own schedule, but you can trigger a manual refresh
- Activate the ISO 27001 assessment when GDPR score exceeds 70% — many controls overlap
- Export the assessment report for client or auditor presentations
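The score model, the "high point value + automated testing" filter, and the 70% trigger for layering ISO 27001 on GDPR, worked through as an added example that is not part of the original article and not Microsoft's code. It runs over a constructed export of improvement actions; the column names, action names and point values are assumptions, not Compliance Manager's real export schema or scoring table.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample shaped like an improvement-actions export. Column names,
# action names and point values are assumptions for this example only.
SAMPLE_CSV = """\
action,managed_by,test_type,test_status,points
Datacenter physical security,Microsoft,Automated,Passed,40
Enforce MFA for all users,Customer,Automated,Failed,12
Enable unified audit logging,Customer,Automated,Passed,9
Publish sensitivity labels,Customer,Automated,Not assessed,8
Configure DLP policies,Customer,Automated,Failed,10
Documented incident response procedure,Customer,Manual,Not assessed,14
Vendor data processing agreements,Customer,Manual,Passed,7
"""

@dataclass
class Action:
    name: str
    managed_by: str   # "Microsoft" or "Customer"
    test_type: str    # "Automated" (tenant config is read) or "Manual" (evidence upload)
    test_status: str  # "Passed", "Failed" or "Not assessed"
    points: int

def load_actions(text):
    rows = csv.DictReader(io.StringIO(text))
    return [Action(r["action"], r["managed_by"], r["test_type"],
                   r["test_status"], int(r["points"])) for r in rows]

def earned(a, done=()):
    # Microsoft-managed controls are credited automatically; customer-managed
    # ones count only once they pass (or are listed in `done`, to model a plan).
    return a.managed_by == "Microsoft" or a.test_status == "Passed" or a.name in done

def compliance_score(actions, done=()):
    total = sum(a.points for a in actions)
    return round(100 * sum(a.points for a in actions if earned(a, done)) / total, 1)

def quick_wins(actions):
    # The article's first filter: customer-managed, automatically tested, not
    # yet passing, highest point value first. No evidence upload is needed.
    todo = [a for a in actions if a.managed_by == "Customer"
            and a.test_type == "Automated" and not earned(a)]
    return [a.name for a in sorted(todo, key=lambda a: a.points, reverse=True)]

def ready_for_next_assessment(actions, done=(), threshold=70):
    # The article's trigger for activating ISO 27001 on top of GDPR.
    return compliance_score(actions, done) > threshold
```

With the sample, the score starts at 56% (40 points from Microsoft-managed controls plus two passing customer controls), the three automated quick wins are worth 30 points, and completing them lifts the score past the 70% threshold.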
For Berlin SMBs that need to demonstrate regulatory diligence to enterprise clients, insurers, or during contract due diligence, a Compliance Manager assessment report showing a documented score, implemented controls, and assigned ownership is a concrete artifact that proves your compliance program is actively managed rather than aspirational.