Azure · AZ-104

Compliance Misconception — Azure Administrator (AZ-104)

You assumed a compliance or governance model that doesn't match the service's actual capabilities.

Encryption is not compliance. Scope is.

Architecture requirement: store customer health data with audit evidence for a specific regional regulatory body. Competing choices: Azure Storage with customer-managed keys, versus the same configuration plus a Log Analytics workspace scoped to the correct subscription boundary, with the storage account's resource logs routed into it. Both use encryption. The deciding constraint is whether the audit trail captures who accessed what, in which region, and whether that log is tamper-evident and retained for the required period. Note that the Activity Log records control-plane operations only; data-plane reads, writes and deletes of blobs reach a workspace only through a diagnostic setting on the storage account's blob service. Encryption without scoped audit evidence fails the compliance test.
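A check for the evidence side of that decision, as an added example in Az PowerShell (not code from the original page): it confirms that the workspace keeps logs for the regulator's period, that the blob service actually forwards read/write/delete categories to that workspace and not some other one, and then pulls "who accessed what, in which region" from StorageBlobLogs. Resource names, the 365-day minimum and the 30-day query window are assumptions for illustration.

```powershell
# Added example: verify the audit-evidence chain for a storage account.
# All names and the retention figure below are assumptions, not from the page.
param(
    [string]$ResourceGroup         = 'rg-health-weu',    # assumed
    [string]$StorageAccount        = 'sthealthweu001',   # assumed
    [string]$Workspace             = 'law-health-weu',   # assumed
    [int]   $RequiredRetentionDays = 365                 # assumed regulator minimum
)

# 1. Retention: the workspace default is far shorter than most regulatory periods.
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace
if ($law.RetentionInDays -lt $RequiredRetentionDays) {
    throw "Workspace retention is $($law.RetentionInDays) days; regulator requires $RequiredRetentionDays."
}

# 2. Scope: data-plane blob access is NOT in the Activity Log. It only exists if a
#    diagnostic setting on the blob service forwards these categories, and it is only
#    evidence for this regulator if it lands in the workspace inside the right boundary.
$sa      = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$blobId  = "$($sa.Id)/blobServices/default"
$diag    = Get-AzDiagnosticSetting -ResourceId $blobId   # Az.Monitor 3.x object shape (.Log, .WorkspaceId)
$enabled = $diag | ForEach-Object { $_.Log } | Where-Object { $_.Enabled } | ForEach-Object { $_.Category }
$missing = @('StorageRead', 'StorageWrite', 'StorageDelete') | Where-Object { $_ -notin $enabled }
if ($missing) {
    throw "Blob audit categories not forwarded: $($missing -join ', ')"
}
if (-not ($diag | Where-Object { $_.WorkspaceId -eq $law.ResourceId })) {
    throw "Diagnostic setting does not target workspace $Workspace (wrong scope)."
}

# 3. Evidence: every requester that touched blobs in this account, which operations,
#    from which region. RequesterUpn/RequesterObjectId are populated for Entra ID
#    (OAuth) requests; key or SAS access has no identity, only AuthenticationType
#    and the caller IP, which is itself a finding worth raising.
$kql = @"
StorageBlobLogs
| where TimeGenerated > ago(30d)
| where AccountName == '$StorageAccount'
| summarize Requests = count(), Operations = make_set(OperationName)
    by AccountName, Location, AuthenticationType,
       Requester = coalesce(RequesterUpn, RequesterObjectId, CallerIpAddress)
| order by Requests desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
```

Run it with an account that holds Reader on the storage account and Log Analytics Reader on the workspace; each `throw` is a concrete compliance gap rather than a lower score on a dashboard.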

2% of exam questions affected (4 of 200)

The Scenario

A European company needs GDPR compliance for customer data stored in Azure. You recommend deploying in the West Europe region and enabling encryption at rest with Microsoft-managed keys (the platform default). Region placement and encryption are necessary but nowhere near sufficient. GDPR also requires: data residency controls (region selection is a start; Azure Policy can enforce it), the right to erasure (you must be able to find and purge an individual's data in every store that holds it), consent management (application-level, not infrastructure-level), records of processing (the Azure Activity Log covers control-plane changes only; data access needs resource logs and application-level audit trails), and a Data Protection Officer where the processing meets the GDPR's designation thresholds, for example large-scale processing of health data. The exam tests whether you know that GDPR is a legal and procedural framework, not just a technical checklist.

How to Spot It

  • Microsoft Purview Compliance Manager shows a compliance score and gives recommendations, but a high score does not equal compliance. Compliance is a shared responsibility: Microsoft certifies infrastructure controls; you implement data handling, consent, and access controls.
  • GDPR right to erasure means you must be able to find and delete all data for a specific individual across all storage systems — Cosmos DB, SQL Database, Blob Storage, Application Insights, Log Analytics. If your architecture spreads personal data across multiple stores, you need a data map and deletion pipeline. The exam tests this.
  • Azure Policy can enforce data residency (the built-in 'Allowed locations' policy restricts resource deployment to specific regions) and Microsoft Purview can classify sensitive data. But neither implements consent management or data subject access requests; those are application-level responsibilities the exam expects you to identify.

Decision Rules

Decide whether to configure the storage account's encryption key source as customer-managed (a key in Azure Key Vault, accessed by the account's managed identity under RBAC authorization, with soft delete and purge protection enabled on the vault) or to accept the platform default of Microsoft-managed keys. The default satisfies generic 'encrypted at rest' language but not a requirement for control of the key lifecycle (rotation, revocation, destruction) or for auditability of key access; only a customer-managed key, with the vault's own audit logging, gives the organization both.
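The customer-managed-key configuration this decision rule describes, together with the scoped evidence sink from the architecture requirement above and the residency policy from the "How to Spot It" list, as one added Az PowerShell example (not code from the original page). Every resource name, the region and the 365-day retention are assumptions; the role name, policy definition ID and log categories are Azure built-ins.

```powershell
# Added example: CMK storage account + scoped Log Analytics evidence + residency policy.
# All names below are assumptions, not from the page.
$rg   = 'rg-health-weu'
$loc  = 'westeurope'
$kvN  = 'kv-health-weu-001'
$idN  = 'id-sthealth-cmk'
$saN  = 'sthealthweu001'
$lawN = 'law-health-weu'
$sub  = (Get-AzContext).Subscription.Id

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# 1. Key Vault. Soft delete and purge protection are required for storage CMK
#    (a purged key would make the account unreadable); RBAC authorization makes
#    every grant of key access a role assignment you can audit.
$kv = New-AzKeyVault -ResourceGroupName $rg -Name $kvN -Location $loc `
        -EnablePurgeProtection -EnableRbacAuthorization
# With RBAC authorization the deployer gets no data-plane rights automatically:
# you need Key Vault Crypto Officer on the vault before the next line succeeds.
$key = Add-AzKeyVaultKey -VaultName $kvN -Name 'storage-cmk' -Destination Software

# 2. Identity the storage account uses to wrap/unwrap the key. Least privilege is
#    the Crypto Service Encryption User role, scoped to this vault only.
$id = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $idN -Location $loc
New-AzRoleAssignment -ObjectId $id.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
    -Scope $kv.ResourceId | Out-Null
# Role assignments can take a few minutes to propagate; if step 3 reports a key
# access error, wait and re-run step 3 rather than widening the role.

# 3. Storage account with the customer-managed key. Omitting -KeyVersion keeps the
#    reference versionless, so rotation in Key Vault is picked up automatically.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saN -Location $loc `
        -SkuName Standard_LRS -Kind StorageV2 `
        -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false `
        -IdentityType UserAssigned -UserAssignedIdentityId $id.Id `
        -KeyVaultUri $kv.VaultUri -KeyName $key.Name `
        -KeyVaultUserAssignedIdentityId $id.Id

# 4. Evidence sink in the same region and subscription as the data, with retention
#    set to the regulator's period instead of the workspace default.
$law = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $lawN -Location $loc `
        -Sku PerGB2018 -RetentionInDays 365

# 5. Forward blob data-plane logs to that workspace. Without this the only record of
#    the account is the control-plane Activity Log, which never shows a blob read.
$logs = 'StorageRead', 'StorageWrite', 'StorageDelete' | ForEach-Object {
    New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true
}
New-AzDiagnosticSetting -Name 'audit-to-law' `
    -ResourceId "$($sa.Id)/blobServices/default" `
    -WorkspaceId $law.ResourceId -Log $logs | Out-Null

# 6. Residency guardrail: the built-in "Allowed locations" policy at subscription scope,
#    so nothing in this subscription can be deployed outside the chosen region.
$allowed = Get-AzPolicyDefinition `
    -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
New-AzPolicyAssignment -Name 'health-data-westeurope-only' -Scope "/subscriptions/$sub" `
    -PolicyDefinition $allowed `
    -PolicyParameterObject @{ listOfAllowedLocations = @($loc) } | Out-Null
```

Steps 1 to 3 are the customer-managed side of the decision rule; steps 4 and 5 are what turns "encrypted" into "encrypted with scoped audit evidence"; step 6 is the residency control the exam expects you to place in Azure Policy rather than in a runbook. Diagnostic settings on the Key Vault itself (AuditEvent category) are what make key access auditable and are configured the same way as step 5.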

Azure Storage Accounts · Azure Role-Based Access Control (RBAC)

Domain Coverage

Implement and Manage Storage

Difficulty Breakdown

Hard: 4
