Privacy by Design: The Microsoft Experience
Roger Halbheer, Chief Security Advisor, Microsoft Corporation
Ton van Gessel, Chief Security Advisor, Microsoft Netherlands
11/8/2018 7:08 AM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- Introduction: The Evolution of Privacy
- Trustworthy Computing and Privacy by Design
- Microsoft’s Privacy Governance Program
  - People
  - Policy and Processes
  - Tools
  - Technology Innovation
- Conclusion
Introduction: The Evolution of Privacy
Privacy is Getting Attention
Privacy is Evolving
- FTC Privacy Report (3/12): “Data that is truly de-identified (or anonymous) can’t be used to infer anything about an individual person or device, so it doesn’t raise privacy concerns.” “…. a good rule of thumb: if you plan to use a dataset to personalize or target content to individual consumers, it’s probably not de-identified.”
- FTC CTO’s blog (4/30/12): “…. pseudonyms are not “anonymous” and …. attaching a pseudonym to a user, or gathering information about a pseudonymous user over time, can impact privacy.”
Concrete Actions
- Publishers must provide access to app privacy statement
- Platform should implement:
  - System for complaints on apps
  - Process to follow up on complaints
Trustworthy Computing Privacy by Design
Privacy by Design “At Microsoft, Privacy by Design describes not only how we build products but also how we operate our services and organize ourselves as an accountable technology leader.”
Trustworthy Computing
- Secure against attacks
- Protects confidentiality, integrity and availability of data and systems
- Manageable
- Protects from unwanted communication
- Controls for informational privacy
- Products, online services adhere to fair information principles
- Dependable, Available
- Predictable, consistent, responsive service
- Maintainable
- Resilient, works despite changes
- Recoverable, easily restored
- Proven, ready
- Commitment to customer-centric interoperability
- Recognized industry leader, world-class partner
- Open, transparent
Data Protection at Microsoft
- Transparency: Telling customers what data we collect and how it will be used
- User Control: Give users control over access to their person as well as collection, use and distribution of their personal data
- Security: Secure the data, not just the network edge/end points
- Compliance: Applicable laws and regulations
Holistic Approach to Privacy “Hub-and-Spoke” model between Trustworthy Computing and individual business groups
Microsoft’s Privacy Governance Program: Processes & Policy; People; Technology Innovation; Tools
Governance Program People
People
- The Team: ~40 full-time privacy professionals; ~400 part-time privacy managers and leads
- Expertise: Legal Scientists IT Policy and Management Software Engineers Marketing Business People
The Virtual Privacy Team: TwC Privacy Team; Legal and Corporate Affairs Privacy Team; Privacy Manager; Privacy Lead; Privacy Champ
Roles & Responsibilities
- Develops policy, standards, and processes in coordination with key stakeholders
- Develops company strategy and framework for privacy governance
- Develops training, tools, and processes to enable compliance
- Works with Business Group executives to put Privacy Manager in place
- Works with legal
- Manages escalation process
Team diagram: TwC Privacy Team
Roles & Responsibilities
- Tracks international data protection laws and regulations
- Works with Trustworthy Computing Privacy to ensure legal requirements are integrated into policies and standards
- Provides legal counsel to members of the Microsoft Privacy community
- Helps craft Privacy Statements
- Helps drive outreach efforts with external stakeholders
Team diagram: TwC Privacy Team; Legal & Corp. Affairs Team
Roles & Responsibilities
Roles & Responsibilities
- Be a Partner
  - Lead Privacy Review process for the Business Group
  - Not a tax or a compliance cop, be a partner - provide value, help the team achieve goals in a compliant manner
- Know the Standards
  - Ready/willing to answer privacy questions from the Business Group
- Weigh in
  - If standards or tools don’t meet your needs, work with TwC to adapt them
- Be connected
  - Know your privacy peers
  - Know the people you support
Team diagram: TwC Privacy Team; Legal & Corp. Affairs Team; Privacy Manager; Privacy Lead; Privacy Champ
Developing Capability Onboarding, mentoring and continuing education
Important: You do not need a huge organization, you need to focus on covering three areas of expertise:
- Get legal advice
- Understand legal/compliance requirements
- Understand your privacy policy, what it says
- Understand your product, how it works and what your objectives are
- Leverage available resources ….
Governance Program Processes and Policy
Microsoft Privacy Standard
- Sales and Marketing
- Online Advertising
- Privacy for Developers
- Cloud Services
- Location Based Services
- Collection of information from children
Privacy all Along Development Lifecycle Information Lifecycle Concept Plan Collect Delete Update Transfer (New Lifecycle) Data Storage Design Develop Transfer Process
Privacy Review Process New Validation Review Meeting Remediation Complete Archive/ Deliver Gather Project Information Product Group Contact Confirms Accuracy Review Engagement (Capture Notes, Action Items, Supporting Docs) Resolve Action Items & Document Remediation Process is almost complete. Assessment Documentation is Read-Only Except for Final Approver Full Assessment Read-Only for all and Stored with Supporting Documentation Assign Project Team Complete Privacy Assessment For Cloud Services only: Reassess annually. Obtain Independent Validations as Appropriate Risk Rating Assigned based on classification of collected data
Privacy Reviews
- Players: Involve those that can answer questions about the project/product/service
- Objective:
  - Ensure the team understands what they need to provide
  - Distinguish between a Privacy consult and a Privacy review
- Documentation Requirements:
  - Privacy Approval Manager Complete
  - User experience screenshots or demo (as applicable)
  - Marketing materials (websites, emails, etc.)
  - Previewed by Privacy Champ or Lead
Important: You do not need a huge process, you need to focus on a few tasks:
- Get legal advice
- Understand legal/compliance requirements
- Make sure your product matches your privacy policy/statement
- The three key areas of expertise have to agree that this is happening
- Have everyone sign off
- Leverage available resources ….
Governance Program Tools
Policy Approval Manager
Privacy Risk Mitigation in Place: PAM Tool
New Privacy Reviews Initiated with PAM: A grand total of 2,113 privacy reviews were initiated in first 12 months
Privacy Escalation Response Process
- Triage: Triage incoming reported incidents by determining and documenting the alert level of the incident
- Mobilize: To identify the Stabilization Team that will commence response to the incident
- Assess: Understand the situation and involve the Stabilization Team in the development of the stabilization work plan
- Stabilize: Execute plans to stabilize an incident, provide initial resolution or a workaround, and roll out an action plan to contain and close the incident
- Close: To understand the incident process, and develop action items to improve process and prevent future incidents
Case Study
Office 365 TRUST PRINCIPLES
- Your Privacy Matters: We Respect the Privacy of your Data.
- Transparent: You Know “WHERE” data resides, “WHO” can access it and “WHAT” we do with it.
- Independent Verified: Compliance with Industry standards verified by 3rd parties
- Relentless On Security: Excellence in Cutting edge security practices
Important You do not need a thousand tools, focus on a few key pieces: Easy Access and Management One Portal to your Environment LYNC OFFICE SHAREPOINT You will have full control over your own data Secure and reliable One address for all your additional questions Office 365 Trust Center http://www.microsoft.com/en-us/office365/trust-center.aspx#fbid=8p0jEDusiRN
Resources
- Connect. Share. Discuss. http://europe.msteched.com
- Learning: Microsoft Certification & Training Resources www.microsoft.com/learning
- TechNet: Resources for IT Professionals http://microsoft.com/technet
- Resources for Developers http://microsoft.com/msdn
Evaluations: Submit your evals online http://europe.msteched.com/sessions
© 2012 Microsoft Corporation. All rights reserved.