RSA Session: Privacy and Security, It’s Good Business

Yesterday at the annual RSA Conference in San Francisco, Microsoft’s Chief Privacy Officer, Brendon Lynch, took part in a session on “Privacy and Security: It's Good Business.” Brendon shared some of his thoughts regarding implementing privacy into business practices at Microsoft.

Question: What processes and structures enable you within the company to really make sure privacy and security issues are contemplated and addressed?

At a foundational level, Microsoft has well-established and clearly articulated Privacy Principles that guide how all parts of the company approach matters involving the collection and use of personal data. The Principles stress concepts such as accountability, notice and consent.

We have several internal tools and processes that help embody the company’s Privacy Principles in Microsoft products and services.

For instance, Microsoft has more than 40 full-time privacy professionals and 400 other employees who help ensure that our privacy policies, standards, and procedures are applied across the board. This multidisciplinary team includes computer scientists, engineers, lawyers, corporate privacy strategists, business executives and marketing experts, 78 of whom have received their CIPP certification. We have dedicated privacy leads in 65 subsidiaries around the world that both extend corporate privacy policies, and keep the company informed of changing privacy trends and requirements in the markets where we do business.

In individual business groups such as Windows, Office and Xbox, we have a 3-tier system of privacy managers, privacy leads and privacy champs who help ensure that each of our products and services is compliant with our standards and all applicable privacy laws.

We also have a variety of internal governance processes and tools to help our privacy professionals work with our business groups. Privacy reviews are one of the central pieces of this governance, and they’re applied to any Microsoft products or services that may have privacy implications. We use a specialized tool to closely track the progress of each development team toward achieving its privacy goals, to deliver progress updates to the team, and to evaluate the level of privacy risk associated with each project.

To give you some idea of how common such reviews have become at Microsoft, between July and December of 2010, the tool was used to conduct over 1,000 privacy reviews of new products, services and features.

Question: What has been your biggest success within the company to better safeguard privacy and security?

I would say our biggest success to date is also our biggest ongoing challenge: Creating a company-wide culture that has a deep respect for privacy, and reflects that respect in the ways it designs, develops and operates its products and services.

I consider this our biggest success because we have made good headway over the past few years creating a privacy-centric culture. We developed a training course called Privacy 101 that has been taken by more than 50,000 people. We have 40 full-time privacy professionals and another 400 employees who support privacy as part of their day-to-day jobs. These people support all major product groups, and we have privacy leads in 65 subsidiaries around the world. We have had over 1,000 privacy reviews occur in the past six months.

These successes do not get much attention but they are extremely important.

Maintaining these successes is also our biggest ongoing challenge, because there are so many other things that people at Microsoft have to consider in their daily jobs – such as ensuring that the products they work on are making money.

Microsoft has also had “headline grabbing” successes in the privacy and security arena. The most notable recent achievement is the Tracking Protections that we are building into the next version of our Internet Explorer browser, IE9. The technology will enable Web surfers to limit the amount of information that advertisers and Web sites can gather about their online activity.

The FTC hailed the IE9 features and they were followed by announcements of similar technologies in the Chrome and Firefox browsers.

Maybe the best thing about the IE9 Tracking Protections is that they were not mandated by me or anyone else who focuses on privacy at Microsoft. Instead, the idea for the IE9 Tracking Protections came straight from the Internet Explorer business group, because they recognized that privacy was so valuable to our customers and to our company’s overall success.