Microsoft Supplier Privacy & Security 101
June 2019
01 Welcome
Welcome
We need data to innovate. Customers will only give us their data if they trust us. That’s why we have to get privacy and security right.
What we’ll cover
Why privacy and security compliance is essential
Understanding Microsoft Personal and/or Confidential data
Microsoft’s commitment to privacy and security
Privacy and security considerations for suppliers
Incident recognition and reporting
01 Welcome
Privacy regulations
There are many laws and regulations that cover the use of private data
Violations of the EU’s GDPR can cost 4% of worldwide revenue. Imagine the impact to your company
Data protection is essential to business
01 Welcome
We protect data by making good decisions driven by the commitments Microsoft has made to customers
Control: Put the customer in control of their privacy with easy to use tools and clear choices
Transparency: Be transparent about data collection and use so customers can make informed decisions
Security: Protect the data that is entrusted to you through strong security, encryption, and good data handling practices
Strong legal protections: Respect local privacy laws and fight for legal protection of privacy as a fundamental human right
No content-based targeting: Do not use email, chat, files, or other personal content to target ads to the customer without consent
Benefits to you: When Microsoft collects data, we will use it to benefit the customer and to make their experience better
02 Identifying data
What is Personal data?
Any information that is linked or linkable to a particular person is Personal data and requires protections and controls
Linked
Data relating to a specific person whose identity is known
Identifies a person directly, e.g., name, email address, phone number, or "Persistent ID" (PUID)
Links directly to information that identifies a person, e.g., browser history, location, error or usage data, or any other data that is stored with a PUID
Linkable
Data not directly associated with the identifiable information, but associated with an identifier that could be used to create a link to the identified person
02 Identifying data
Data classifications
Classifying data determines its value and the security controls necessary to protect it appropriately
General
Definition: Business data not meant for public consumption
Examples: Microsoft companywide announcements for employees and contingent staff
Confidential
Definition: Sensitive business data that could cause business harm if over-shared
Examples: Documentation for MS services or devices including process or procedural guides, configuration data, etc.
Highly confidential
Definition: Very sensitive business data that would cause business harm if over-shared
Examples: Authentication credentials, customer payment data, new product design specifications, unreleased marketing plans
03 Commitment to privacy and security
Commitment to privacy and security
We will protect the Personal and/or Confidential data we are entrusted with and make security a key part of our business
Here’s how you help
Engage privacy early: Some projects will require a privacy review; plan ahead and have your Microsoft contact work with the privacy experts to identify requirements
Read and understand the Microsoft Supplier Data Protection Requirements (DPR): Microsoft can only work with suppliers that fully comply with the requirements in the DPR
Align with Microsoft’s requirements: Aligning your company’s data collection, use, storage, retention, and deletion planning to Microsoft’s requirements is essential to protecting privacy and attaining Microsoft compliance
Adopt strong security practices: Protect Microsoft data from unauthorized access, misuse, and breaches
03 Commitment to privacy and security
Design data protection from the start
At the start of any project, ask yourself
What data do you need? Only collect the data you need, and don’t keep it longer just because you can
What rules apply? Microsoft has legal requirements and customer commitments regarding the appropriate use of data; business groups may have additional requirements
How will the customer benefit? If you can’t explain why you need the data in terms that benefit the customer, you need to rethink what you are doing
04 Considerations for Microsoft suppliers
Working as a supplier for Microsoft
When working with Microsoft as a supplier, you must accept responsibility for maintaining the high privacy and security standards already in place at Microsoft
Here’s where to start
Your company must be in good standing with the Supplier Security and Privacy Assurance Program (SSPA), which means full compliance with the DPR as it relates to the services provided to Microsoft
Only access and work with information that is actually needed to perform the service; don’t use it for any other purpose
Understand the type of data used in projects you work on and apply proper data classifications
Protect the data you work with: for example, lock your computer, enable encryption, and avoid hallway conversations about confidential projects
Store and share any Microsoft information securely; appropriately dispose of any information that is no longer needed
Microsoft’s Supplier Data Protection Requirements (DPR) contain the full list of privacy and security requirements for suppliers
04 Considerations for Microsoft suppliers
Protection of intellectual property
Suppliers often are exposed to intellectual property and confidential information
Your non-disclosure agreement (NDA) applies both during and after your work with Microsoft
Microsoft products, components, or Line of Business applications
Pre-release marketing materials
Unannounced corporate financial data
Documentation for Microsoft services or devices
Respect and protect the intellectual property rights of all parties
Protect Microsoft’s physical and intellectual assets
Use Microsoft-provided information technology and systems only for authorized Microsoft business-related purposes
Comply with all Microsoft requirements and procedures for maintaining passwords, confidentiality, security, and privacy
Comply with the intellectual property ownership rights of Microsoft and others
05 Preventing and reporting incidents
Preventing incidents
Prevention of privacy incidents starts with good security - but that’s not enough
Use smart data-handling techniques to complement security
Access control management
Data tracking and auditing
De-identification of data
Data encryption
Separation of certain data from other data
Data retention policies that are real and enforced
What to do
If you identify an incident, you must report it immediately by emailing SuppIR@microsoft.com
05 Preventing and reporting incidents
Recognizing and reporting incidents
High-profile attacks by hackers and other data breaches are regularly in the news, but can you spot subtle privacy or security incidents?
Review the following examples
Example 1: promotional emails
A promotional email is sent without an approved email footer and a link to our privacy statement and opt-out mechanisms
Why this is an incident: Anytime we contact a customer, we need to provide them with privacy notice & consent options.
Tips: Depending on the nature of the communication, the notice and consent mechanism varies. One size does not fit all! Work with your Microsoft contact and their privacy team to ensure this is done properly.
Example 2: customer contact
A customer contacts Microsoft with a complaint about misuse of their Personal data
Why this is an incident: Customer expectations are a key factor in privacy incidents. If we violate them and misuse their data, we have a privacy incident.
Tips: Clearly describing the benefit a customer receives from our data collection and use is a simple way to avoid violating user expectations. If you can’t describe it without sounding creepy, you probably shouldn’t do it!
Example 3: enterprise data
Enterprise data is shared with another service in a way that was not explicitly authorized by the customer
Why this is a privacy incident: The enterprise customer is the data controller who determines the purposes and means of processing Personal data.
Tips: Where Microsoft provides an enterprise service, we are data processors and can only process data based on the enterprise customer’s instructions. We can’t even flow Customer Data to a system or service with lesser privacy commitments without a customer deliberately authorizing the data transfer.
What to do
If you identify an incident, you must report it immediately by emailing SuppIR@microsoft.com
06 Summary
The most important things to remember
Privacy and security is everyone's responsibility - from engineering to HR, your actions reflect on Microsoft and impact our trustworthiness and reputation
Everyone has a responsibility to
Take privacy and security training appropriate to their role
Apply Microsoft’s privacy and security policies, standards, and guidelines to all Microsoft projects involving Microsoft Personal and/or Confidential data
Support Microsoft engagement owners in adhering to regulation requirements
Report privacy and security incidents
What to do
If you identify an incident, you must report it immediately by emailing SuppIR@microsoft.com
Thank you!
We value suppliers who help us innovate and deliver our products and services to meet the needs of our customers, partners, and employees while demonstrating our commitment to compliance