1. Privacy by Design The Microsoft Experience
11/8/2018 7:08 AM
Privacy by Design The Microsoft Experience
Roger Halbheer
Chief Security Advisor
Microsoft Corporation
Ton van Gessel
Chief Security Advisor
Microsoft Netherlands
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Agenda Introduction: The Evolution of Privacy
Trustworthy Computing and Privacy by Design
Microsoft’s Privacy Governance Program
People
Policy and Processes
Tools
Technology Innovation
Conclusion

3. The Evolution of Privacy
Introduction
The Evolution of Privacy

4. Privacy is Getting Attention

5. Privacy is Evolving FTC Privacy Report (3/12):
“Data that is truly de-identified (or anonymous) can’t be used to infer anything about an individual person or device, so it doesn’t raise privacy concerns.”
“…. a good rule of thumb: if you plan to use a dataset to personalize or target content to individual consumers, it’s probably not de-identified.”
FTC CTO’s blog (4/30/12):
“…. pseudonyms are not “anonymous” and …. attaching a pseudonym to a user, or gathering information about a pseudonymous user over time, can impact privacy.”

6. Concrete Actions
Publishers must provide access to app privacy statement
Platform should implement:
System for complaints on apps
Process to follow up on complaints

7. Trustworthy Computing
Privacy by Design

8. Privacy by Design
“At Microsoft, Privacy by Design describes not only how we build products but also how we operate our services and organize ourselves as an accountable technology leader.”

9. Trustworthy Computing
Secure against attacks
Protects confidentiality, integrity and availability of data and systems
Manageable
Protects from unwanted communication
Controls for informational privacy
Products, online services adhere to fair information principles
Dependable, Available
Predictable, consistent, responsive service
Maintainable
Resilient, works despite changes
Recoverable, easily restored
Proven, ready
Commitment to customer-centric interoperability
Recognized industry leader, world-class partner
Open, transparent
Trustworthy Computing

10. Data Protection at Microsoft
Compliance
Transparency
Telling customers what data we collect and how it will be used
User Control
Give users control over access to their person as well as collection, use and distribution of their personal data
Security
Secure the data, not just the network edge/end points
Compliance
Applicable laws and regulations
Transparency
Security
User Control

11. Holistic Approach to Privacy
“Hub-and-Spoke” model between Trustworthy Computing and individual business groups

12. Microsoft’s Privacy Governance Program
Processes
& Policy
People
Technology
Innovation
Tools

13. Governance Program
People

14. People People The Team Expertise ~40 full-time privacy professionals
~400 part-time privacy managers and leads
Expertise
Legal
Scientists
IT Policy and Management
Software Engineers
Marketing
Business
People

16. The Virtual Privacy Team
TwC Privacy Team
Legal and Corporate Affairs Privacy Team
Privacy Manager
Privacy Lead
Privacy Champ

17. Roles & Responsibilities
Develops policy, standards, and processes in coordination with key stakeholders
Develops company strategy and framework for privacy governance
Develops training, tools, and processes to enable compliance
Works with Business Group executives to put Privacy Manager in place
Works with legal
Manages escalation process
TwC Privacy Team

18. Roles & Responsibilities
Tracks international data protection laws and regulations
Works with Trustworthy Computing Privacy to ensure legal requirements are integrated into policies and standards
Provides legal counsel to members of the Microsoft Privacy community
Helps craft Privacy Statements
Helps drive outreach efforts with external stakeholders
TwC Privacy Team
Legal & Corp. Affairs Team

19. Roles & Responsibilities

20. Roles & Responsibilities
Be a Partner
Lead Privacy Review process for the Business Group
Not a tax or a compliance cop, be a partner - provide value, help the team achieve goals in a compliant manner
Know the Standards
Ready/willing to answer privacy questions from the Business Group
Weigh in
If standards or tools don’t meet your needs, work with TwC to adapt them
Be connected
Know your privacy peers
Know the people you support
TwC Privacy Team
Legal & Corp. Affairs Team
Privacy Manager
Privacy Lead
Privacy Champ

21. Developing Capability
Onboarding, mentoring and continuing education

22. Important
You do not need a huge organization, you need to focus on covering three areas of expertise:
Get legal advice
Understand legal\compliance requirements
Understand your privacy policy, what it says
Understand your product, how it works and what your objectives are
Leverage available resources ….

23. Governance Program
Processes and Policy

24. Microsoft Privacy Standard
Sales and Marketing
Online Advertising
Privacy for Developers
Cloud Services
Location Based Services
Collection of information from children

25. Privacy all Along Development Lifecycle Information Lifecycle Concept
Plan
Collect
Delete
Update
Transfer
(New
Lifecycle)
Data Storage
Design
Develop
Transfer
Process

26. Privacy Review Process
New
Validation
Review Meeting
Remediation
Complete
Archive/ Deliver
Gather Project Information
Product Group Contact Confirms Accuracy
Review Engagement (Capture Notes, Action Items, Supporting Docs)
Resolve Action Items & Document Remediation
Process is almost complete. Assessment Documentation is Read-Only Except for Final Approver
Full Assessment Read-Only for all and Stored with Supporting Documentation
Assign Project Team
Complete Privacy Assessment
For Cloud Services only: Reassess annually. Obtain Independent Validations as Appropriate
Risk Rating Assigned based on classification of collected data

27. Privacy Reviews Players Objective Documentation Requirements
Involve those that can answer questions about the project/product/service
Ensure the team understands what they need to provide
Distinguish between a Privacy consult and a Privacy review
Privacy Approval Manager Complete
User experience screenshots or demo (as applicable)
Marketing materials (websites, s, etc.)
Previewed by Privacy Champ or Lead

28. Important
You do not need a huge process, you need to focus on a few tasks:
Get legal advice
Understand legal/compliance requirements
Make sure your product matches your privacy policy/statement
The three key areas of expertise have to agree that this happening
Have everyone sign off
Leverage available resources ….

29. Governance Program
Tools

30. Policy Approval Manager

31. Privacy Risk Mitigation in Place: PAM Tool
New Privacy Reviews Initiated with PAM
A grand total of 2,113 privacy reviews were initiated in first 12 months

32. Privacy Escalation Response Process
Triage
Triage incoming reported incidents by determining and documenting the alert level of the incident
Mobilize
To identify the Stabilization Team that will commence response to the incident
Assess
Understand the situation and involve the Stabilization Team in the development of the stabilization work plan
Stabilize
Execute plans to stabilize an incident, provide initial resolution or a workaround, and roll out an action plan to contain and close the incident
Close
To understand the incident process, and develop action items to improve process and prevent future incidents

33. Case Study

35. Office 365 TRUST PRINCIPLES Your Privacy Matters We Respect the
Privacy of your
Data.
You Know
“WHERE” data resides, “”WHO”
can access it and “WHAT”we do with it.
Transparent
Compliance with Industry standards verified by 3rd parties
Independent
Verified
Relentless
On Security
Excellence in Cutting edge security practices
TRUST PRINCIPLES

36. Important You do not need a thousand tools, focus on a few key pieces:
Easy Access and Management
One Portal to your Environment
LYNC
OFFICE
SHAREPOINT
You will have full control over your own data
Secure and reliable
One address for all your additional questions
Office 365 Trust Center

37. Resources Learning TechNet http://europe.msteched.com
Connect. Share. Discuss.
Microsoft Certification & Training Resources
TechNet
Resources for IT Professionals
Resources for Developers

38. Submit your evals online
11/8/2018 7:08 AM
Evaluations
Submit your evals online
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

39. 11/8/2018 7:08 AM
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

40. 11/8/2018 7:08 AM
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.