"Empower every person and every organization on the planet to achieve more."
Our mission
Our ambitions
Data is driving innovation. Data privacy is driving trust.
Your data, powering your experiences, controlled by you. Microsoft Privacy
Microsoft Privacy Principles
Approach to privacy governance
Privacy program structure
Centralized
Engineering & Services
Human Resources
Finance
Operations & IT
Sales & Marketing
Each divisional group has:
• Accountable Executive
• Privacy Program Owner(s)
• Privacy Managers
• General Contractor (for engineering work)
Consumer privacy solutions
TRANSPARENCY · SECURITY · COMPLIANCE · PRIVACY
Principles for how we manage your data
Enterprise privacy solutions
We will ensure that all your data is secure
We spend over $1 billion a year on cybersecurity.
3,500+ security professionals work to secure datacenters and hunt down attackers.
We block more than 5 billion distinct malware threats per month.
We will ensure your data is private and is under your control
We used GDPR as a catalyst for broader efforts to improve data handling globally.
We have brought 4 privacy lawsuits against the U.S. government to protect customer privacy rights.
We build privacy into our services as part of the Microsoft Security Development Lifecycle.
Brad Smith, President and Chief Legal Officer
Preparing for the GDPR just got easier
Get ready for GDPR compliance and protect sensitive data residing in hybrid environments across the cloud and on-premises. Discover how new features in Microsoft 365 help you secure personal data and meet strict GDPR privacy requirements.
Get the latest on GDPR compliance >
Compliance Simplified
Control management, integrated task assignment, evidence collection, and audit-ready reporting tools to streamline your compliance workflow.
LAUNCH COMPLIANCE MANAGER >
We will be transparent about the collection and the uses of data
We provide geographic locations where customer data is stored.
We provide visibility into what we do with customer data, how we protect it, and how they are in control.
We publish the number of legal demands for customer data that we receive from law enforcement agencies.
We will manage your data in accordance with the law of the land
microsoft.com/en-us/trustcenter/compliance/complianceofferings
Global
• ISO 27001:2013
• ISO 27017:2015
• ISO 27018:2014
• ISO 22301:2012
• ISO 9001:2015
• ISO 20000-1:2011
• SOC 1 Type 2
• SOC 2 Type 2
• SOC 3
• CSA STAR Certification
• CSA STAR Attestation
• CSA STAR Self-Assessment
• WCAG 2.0 (ISO 40500:2012)
Regional
• Argentina PDPA
• Australia IRAP Unclassified
• Australia IRAP PROTECTED
• Canada Privacy Laws
• China GB 18030:2005
• China DJCP (MLPS) Level 3
• China TRUCS / CCCPPF
• EN 301 549
• EU ENISA IAF
• EU Model Clauses
• EU – US Privacy Shield
• GDPR
• Germany C5
• Germany IT-Grundschutz workbook
• India MeitY
• Japan CS Mark Gold
• Japan My Number Act
• Netherlands BIR 2012
• New Zealand Gov CC Framework
• Singapore MTCS Level 3
• Spain ENS
• Spain DPA
• UK Cyber Essentials Plus
• UK G-Cloud
• UK PASF
US Gov
• FedRAMP High
• FedRAMP Moderate
• EAR
• DFARS
• DoD DISA SRG Level 5
• DoD DISA SRG Level 4
• DoD DISA SRG Level 2
• DoE 10 CFR Part 810
• NIST SP 800-171
• NIST CSF
• Section 508 VPATs
• FIPS 140-2
• ITAR
• CJIS
• IRS 1075
Industry
• PCI DSS Level 1
• GLBA
• FFIEC
• Shared Assessments
• FISC (Japan)
• APRA (Australia)
• FCA (UK)
• MAS + ABS (Singapore)
• 23 NYCRR 500
• HIPAA BAA
• HITRUST
• 21 CFR Part 11 (GxP)
• MARS-E
• NHS IG Toolkit (UK)
• NEN 7510:2011 (Netherlands)
• FERPA
• CDSA
• MPAA
• DPP (UK)
• FACT (UK)
• SOX
We have the most comprehensive compliance coverage in the industry.
We committed to sharing our experiences in complying with complex regulations.
We make several resources available to help our customers along their Compliance journey.
Actions we took as part of our commitment to GDPR compliance to the benefit of our customers:
Trained our people
Enhanced our privacy processes
Invested in technology
Future-proof customers' organizations
At Microsoft, we are deeply committed to privacy. In 2000, we established our first corporate privacy function, laying the foundation of people, process and technology investments for what is now a broad privacy governance program across Microsoft.
- Brendon Lynch, Microsoft Chief Privacy Officer
GDPR documentation on the Microsoft Trust Center
The Microsoft Trust Center provides a focus on compliance with special attention to data subject rights, breach notifications, and authoring Data Protection Impact Assessments (DPIAs).
General Data Protection Regulation (GDPR)


Editor's Notes

  • #10 So we just discussed actions we've taken, but at a higher level, what are the principles we stand by when considering how we manage customer data? These principles are: Security, Privacy, Transparency, Compliance. Many companies can state that these principles matter to them; however, it's important that we demonstrate how we apply these principles when it comes to customer data. In the next few slides we'll double-click on each of the principles.
  • #11 For Security, we will ensure that all of your data is secure. A few examples of how we apply security as a principle: We spend over $1B per year on cybersecurity, resulting in various solutions around identity and access management, information and threat protection, and security management. Today, more than 3,500 full-time security professionals work to secure datacenters, run our Cyber Defense Operations Center, hack our own defenses, and hunt down attackers. As a result of our analysis and other security efforts, we block more than 5 billion distinct malware threats per month. Just one recent example shows the power of the cloud: Microsoft's cloud-based machine learning models detected a stealthy and highly targeted attack on small businesses across the U.S., with only 200 discrete targets, called Ursnif, and neutralized the threat. We surface this operational experience and the insights we derived in the security technology we build. More info here: https://cloudblogs.microsoft.com/microsoftsecure/2018/09/24/delivering-security-innovation-that-puts-microsofts-experience-to-work-for-you/
  • #12 When it comes to Privacy, we will ensure that your data is private and is under your control. Some examples of how we demonstrate that:
    GDPR is a Europe-specific regulation; however, we applied it globally, which improved our data handling practices.
    The 4 privacy lawsuits brought against the US government began in 2013. Why only since 2013? The Foreign Intelligence Surveillance Act (FISA) is the mechanism used by the National Security Agency (NSA) and other US government agencies to gather data about foreign internet users. Microsoft wanted to be allowed to tell the public when it received US government requests under FISA. The US government didn't want that, so we began litigation in 2013. Learn more here: https://www.theguardian.com/law/2013/aug/31/microsoft-google-sue-us-fisa
    Results of the litigation: The first lawsuit resulted in a good and appropriate settlement allowing us to disclose the number of legal requests we receive. The second resulted in the government withdrawing a National Security Letter after we challenged a non-disclosure order attached to the letter. The third resulted in a ruling that Microsoft is not required to comply with a warrant for users' emails if the data is not stored within the U.S. More info here: https://techcrunch.com/2016/07/14/microsoft-wins-second-circuit-warrant/ The fourth suit resulted in the Department of Justice creating a new policy that limits the overused practice of requiring providers to stay silent when the government accesses personal data stored in the cloud. More info here: https://blogs.microsoft.com/on-the-issues/2017/10/23/doj-acts-curb-overuse-secrecy-orders-now-congress-turn/
    We build privacy into our services as part of the Microsoft Security Development Lifecycle. In step 2 of the 7-step development lifecycle process: We define and integrate security and privacy requirements, enabling us to more easily identify key milestones and deliverables. We define minimum acceptable levels of security and privacy quality at the start, enabling the team to understand risks associated with security issues, identify and fix security bugs during development, and apply the standards throughout the entire project. We examine software design based on costs and regulatory requirements, enabling a team to identify which portions of a project will require threat modeling and security design reviews before release, and to determine the Privacy Impact Rating of a feature, product, or service. Source: https://www.microsoft.com/en-us/SDL/process/requirements.aspx
  • #13 We will be transparent about the collection and uses of data. Examples of how we apply this principle are:
    We provide geographic locations where customer data is stored. This can be found on the Trust Center (Microsoft.com/trust). Top right image.
    We publish the number of legal demands for customer data that we receive from law enforcement agencies. This can be found via the Trust Center, which will lead you to our Law Enforcement Requests Report.
    We provide visibility into what we do with customer data, how we protect it, and how they are in control. This can be found on the Service Trust Portal (servicetrust.Microsoft.com). Bottom right image.
    We put major investment into documentation and tools related to GDPR compliance for our customers to increase transparency and make it easier for customers to understand our technologies and how they relate to GDPR requirements. These tools and documentation include: audit reports; commitments to ISO 27001 standards; detail on how to manage data subject and portability requests related to Microsoft technologies; information to support customers in preparing DPIAs related to their use of Microsoft technologies; Compliance Manager, which helps customers to track their compliance with regulatory requirements related to data privacy and security; penetration testing reports and other detailed security documentation.
  • #14 When it comes to compliance, we will manage your data in accordance with the law of the land (i.e. your region). To help you comply with national, regional and industry-specific requirements governing the collection and use of individuals' data, Microsoft offers the most comprehensive set of compliance offerings of any cloud service provider. Detailed information about each of these can be found on our Trust Center under Compliance/complianceofferings. A sampling of these offerings is on the right of this slide.
    We committed to sharing our experiences in complying with complex regulations. An example of our commitment to sharing our experience in complying with regulations is that we have a webinar coming up in January 2019 where we'll discuss some of our learnings from this compliance journey and how customers can benefit from our learnings and solutions.
    As we've discussed before, we've made several resources available to customers so they can validate our commitments. While there are companies that specialize in specific aspects of the principles we outlined, we have several solutions and resources that span all four principles, which is our differentiator. We are committed to applying all of these principles in everything we do, especially when it comes to managing customer data. So, protecting your data is our top priority, which means securing your data, giving you the controls to determine what your data can be used for, and giving you visibility into our third-party validated certifications and processes that back our commitments. We not only hold ourselves accountable to these principles internally, we translate them into benefits for our customers to help empower them to achieve more.
  • #15 We wanted to provide customers with some visibility into what we went through as part of our commitment to GDPR compliance as well, so they can better understand how this translates into their benefit:
    We trained our people: We expanded our corporate privacy training significantly to help educate our employees, partners, suppliers, and vendors about upcoming privacy requirements affecting their roles, and how we would approach compliance. This led to investments in: internal webinars, workshops, online training courses, and reference materials; train-the-trainer programs; abbreviated technical and privacy documentation for our customers, detailing our compliance with GDPR, and guides to help enable secure and compliant use of our products and services.
    We enhanced our privacy practices: We drove accountability to these regulations through a centralized privacy team that included legal, privacy, engineering, and compliance professionals.
    We invested in new technology: We put major investment into documentation and tools related to GDPR compliance for our customers to increase transparency and make it easier for customers to understand our technologies and how they relate to GDPR requirements. These processes, tools, and documentation include: creating connections between systems that use personal data to help us manage them more efficiently; updating the code of our internal IT, consumer, and commercial products and services with compliance controls to enable our teams to meet compliance obligations; audit reports validated by 3rd parties; commitments to ISO 27001 standards; detail on how to manage data subject and portability requests related to Microsoft technologies; information to support customers in preparing DPIAs related to their use of Microsoft technologies; Compliance Manager, which helps customers to track their compliance with regulatory requirements related to data privacy and security; penetration testing reports and other detailed security documentation; regulatory response documentation.
    Important to land how this benefits the customer: As a result of our vast experience (connects to the quote from Brendon on the bottom right) and internal efforts to comply with several regional and global standards and regulations, our customers can benefit from: solutions built (i.e. Compliance Manager, eDiscovery, etc.); our ability to scale to meet the ever-changing regulation needs of customers (we've complied with global regulations and are often one of the first companies to be compliant with new regulations); our ability to partner with you to "future proof" your business against changing regulations (i.e. the upcoming California Consumer Privacy Act that is effective in 2020). Regulation needs change daily, as you'll see in later slides, so it's important that a trusted partner has the experience and scale to help manage those changes. We are committed to empowering every person and organization on the planet to achieve more.