Microsoft Priva privacy management

Microsoft Priva is the data-privacy management product in Microsoft 365 — risk management and subject rights requests.

Microsoft Priva is the data privacy management product in Microsoft 365, addressing regulatory privacy concerns like GDPR, CCPA, and similar regimes. It sits alongside Purview but focuses on privacy specifically: where personal data is, who has access, and how to handle subject rights requests.

What Priva does

Priva has two main capabilities:

Privacy Risk Management

Continuously evaluates personal data in your Microsoft 365 environment and flags risks:

  • Data overexposure — personal data shared with too many people internally.
  • Data transfers — personal data crossing geographic or organisational boundaries inappropriately.
  • Data minimisation — personal data being collected or retained without clear purpose.
  • Sensitive types in unusual locations — credit cards in OneDrives, government IDs in chat.

Risk findings drive policies — automated controls that warn users, restrict actions, or alert admins when risks are detected. For example: "Block sharing of a document containing more than 100 customer records to anyone outside the organisation."

Subject Rights Requests

When a customer or employee submits a subject rights request under GDPR / CCPA / equivalents (right to access, right to deletion, right to correction), Priva orchestrates the response:

  • Define the request — what kind, what subject, what scope.
  • Identify data — Priva searches across Microsoft 365 for content related to the subject.
  • Review — reviewer assesses what to include, what to redact.
  • Generate response — package the data for the requester.
  • Audit trail — every step is logged for compliance evidence.

Subject Rights Requests are built on top of eDiscovery infrastructure, with privacy-specific workflows.

Why this matters

GDPR went live in 2018 and subject rights requests have grown steadily. CCPA, China PIPL, India DPDP, and many others have followed. For organisations subject to these regimes, a structured way to respond is necessary — and "we'll search email manually when someone asks" doesn't scale.

Priva offers the structured workflow that legal teams can run repeatedly.

How it integrates

  • Microsoft Purview handles general compliance (retention, eDiscovery, DLP); Priva specifically addresses privacy.
  • Defender signals contribute to risk detection in Priva.
  • Sensitivity labels in Purview can drive Priva risk assessments.
  • Subject Rights Requests in Priva are technically eDiscovery cases with a privacy-specific UI on top.

Licensing

Priva is licensed as a per-user add-on, with separate SKUs for Privacy Risk Management and Subject Rights Requests. It is included with Microsoft Priva standalone licences or bundled in Microsoft 365 E5 Compliance for some scenarios.

For organisations handling significant personal data — anyone with European customers, anyone in healthcare, anyone in financial services — Priva is increasingly part of the compliance baseline.

Practical rollout

  1. Inventory personal data across Microsoft 365 — use Priva's automatic discovery.
  2. Set up the subject rights request (SRR) workflow with named reviewers (legal, privacy officer, HR).
  3. Define risk policies for high-priority data classes (customer PII, employee records, payment data).
  4. Train the team on running SRRs through Priva rather than ad hoc.
  5. Audit and report quarterly on SRRs handled, risks closed, policy effectiveness.

Priva doesn't make privacy management easy — privacy is inherently a structured legal / process exercise — but it makes the Microsoft 365 side of it dramatically more manageable than doing it by hand.