Privacy Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/privacy/
Expert coverage of cybersecurity topics. Feed last built Thu, 12 Sep 2024 21:12:49 +0000.

Microsoft Priva announces new solutions to help modernize your privacy program
http://approjects.co.za/?big=en-us/security/blog/2024/04/02/microsoft-priva-announces-new-solutions-to-help-modernize-your-privacy-program/
Tue, 02 Apr 2024 13:00:00 +0000

Today, we are beyond thrilled to announce the expansion of the Microsoft Priva family of products in public preview. These new features bring automated functionality and capabilities to help organizations meet adapting privacy requirements.

The post Microsoft Priva announces new solutions to help modernize your privacy program appeared first on Microsoft Security Blog.

We know managing privacy is harder than ever. Regulatory requirements keep growing in number and complexity, which makes day-to-day privacy management a challenge. Manual, inefficient processes and inflexible tools make it difficult for organizations to know where personal data is located and how it is being used. The Microsoft Priva product portfolio helps organizations meet these challenges and their existing and emerging regulatory obligations.

This week, we are thrilled to announce the expansion of the Microsoft Priva family of products. Microsoft Priva was introduced in 2021 to help organizations navigate the complex world of privacy operations. The expansion of Microsoft Priva brings automated capabilities to help organizations meet adapting privacy requirements related to personal data.


“Understanding and managing privacy is crucial for our clients. Exponential flows of sensitive data and emerging technologies such as generative AI have amplified the need for a strong privacy solution; we are confident in Microsoft’s vision to take on this challenge with Microsoft Priva. The richness of data and activities in Microsoft 365 and Priva’s ability to monitor and action on related workflows allows for a proactive approach to privacy. This capability aligns with our commitment to privacy and data protection, reinforcing our partnership with Microsoft to serve our global clients with solutions that address their privacy management needs.”

—Jon Kessler, Vice President, Information Governance, Epiq Legal Solutions

What will the Priva family address?

In today’s digital landscape, people’s awareness of data privacy has surged to unprecedented levels. Individuals are increasingly aware of the intricate web of data points that define their online existence and how their data is collected and used. This has prompted a collective call for the safeguarding of personal information from unwarranted intrusions and establishing ways for people to take control of their personal data. The public has become more discerning about the need for stringent measures to protect their sensitive data and keep it private. The heightened awareness surrounding individual data privacy rights is not merely a fleeting trend—it’s a fundamental shift in the way society perceives and values the sanctity of personal information.

In response to this evolving landscape, the need to build and maintain customer trust has never been more pronounced. Privacy solutions have emerged to empower organizations to establish transparent and ethical data practices. Building customer trust is about a commitment to empowering individuals to have control over their own data.

Robust privacy solutions are essential for regulatory adherence and for cultivating a culture of transparency, accountability, and respect for user privacy. By adopting more robust privacy solutions, organizations not only strengthen their defenses but also build enduring relationships with their customers, relationships based on mutual trust and data integrity. Beyond regulatory compliance, organizations can use transparent data practices to gain deeper insights into customer preferences, behaviors, and trends. This managed data can become a strategic asset, enabling more informed decision-making, delivering targeted marketing to customers who have consented to receive it, and developing personalized services. Prioritizing privacy is not just a legal necessity but a pathway to extracting meaningful and sustainable value from the wealth of data at an organization's disposal.

Microsoft Priva is here to help your organization meet privacy and compliance requirements

Organizations must mitigate risk for privacy non-compliance and be ready for new and emerging regulations. They need an end-to-end solution that helps them oversee and establish privacy protocols across their entire organization. Microsoft Priva solutions support privacy operations across entire data estates—paving quick and cost-effective paths to meet privacy regulations and avoid the risks of non-compliance. With the Microsoft Priva family, organizations can automate the management, definition, and tracking of privacy procedures at scale to ensure personal data stays private, secure, and compliant with regulations. Let’s take a quick look at each member of the family.

Microsoft Priva Privacy Assessments

Build the foundation of your privacy posture with Microsoft Priva Privacy Assessments—a solution that automates the discovery, documentation, and evaluation of personal data use across your entire data estate. Automate privacy assessments and build a complete compliance record for the responsible use of personal data. Embed your custom privacy risk framework into each assessment to programmatically identify the factors contributing to privacy risk. Lower organizational risk and build trust with your data subjects. Priva Privacy Assessments help at any stage of the privacy journey, enabling you to fully utilize your company’s data while ensuring its proper use.

Key features

  • Automate the creation of privacy assessments: Discover and document personal data usage across your data estate through easily created custom assessments.
  • Monitor personal data usage: Automate monitoring for changes in data processing activities that require privacy compliance actions.
  • Evaluate privacy risks: Design a personalized privacy risk framework and use automated risk analysis based on the data usage information obtained from a privacy assessment.

Microsoft Priva Privacy Risk Management

Microsoft Priva Privacy Risk Management simplifies the identification of personal data in unstructured content and automates risk mitigation through policies that you define to match your organization's needs. It helps you build a privacy-resilient workplace by identifying personal data and the critical privacy risks around it, automating mitigation to prevent privacy incidents, and guiding employees toward sound data handling decisions.

Key features

  • Identify personal data and critical privacy risks: Gain visibility into your personal data and associated privacy risks arising from overexposure, hoarding, and transfers with automated data discovery, user mapping intelligence, and correlated signals.
  • Automate risk mitigation and prevent privacy incidents: Effectively mitigate privacy risks and prevent privacy incidents with automated policies and recommended user actions.
  • Empower employees to make smart data handling decisions: Foster a proactive privacy culture by increasing awareness of and accountability towards privacy risks without hindering employee productivity.

Microsoft Priva Tracker Scanning

Data privacy laws governing tracking technologies continue to evolve, and penalties for non-compliance are rising, so organizations need a platform that lets them standardize tracker compliance at scale. Microsoft Priva Tracker Scanning automates the discovery and categorization of tracking technologies, including cookies, pixels, and beacons, across all of an organization's websites. With Priva Tracker Scanning, organizations can remediate tracker non-compliance, monitor website compliance over time, and address issues as they arise, giving the privacy team control over and visibility into what each site loads.

Key features

  • Register and scan web domains: Automate scans for various forms of trackers—empowering you to quickly identify and categorize all tracking technologies on your websites.
  • Evaluate and manage web trackers: Use flexible scan configurations to easily identify missing compliance elements across your websites.
  • Streamline compliance reporting: Scan for areas of non-compliance and monitor compliance issues throughout the lifecycle of websites.
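To make concrete what a tracker inventory of the kind described above looks like, here is an added example (not Priva code, and not a description of how Priva is implemented) that classifies the tracking technologies observed in a single page load: third-party scripts and iframes, 1x1 or hidden images used as pixels or beacons, and cookies set by each response, split into first- and third-party. The page URL, HTML and captured responses are constructed for the example; the `.test` hostnames and the two-label registrable-domain rule are assumptions (a real scanner would use the Public Suffix List and a headless browser to capture responses).

```python
"""Toy tracker inventory for one page load. Added example, not Microsoft Priva code."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Assumption for this example: no multi-label public
    suffixes such as co.uk; a real scanner would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _TagCollector(HTMLParser):
    """Collects script, img and iframe sources from the page markup."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[str] = []
        self.images: list[dict[str, str]] = []
        self.iframes: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])


def _party(site_domain: str, host: str) -> str:
    return "first" if registrable_domain(host) == site_domain else "third"


def inventory_trackers(page_url, html, responses):
    """One record per tracker candidate. `responses` is a HAR-like list of
    {"url": ..., "set_cookie": [...]} captured while loading page_url."""
    page_host = urlparse(page_url).hostname or ""
    site_domain = registrable_domain(page_host)
    parser = _TagCollector()
    parser.feed(html)
    found = []

    # Scripts and iframes are only interesting when they come from another party.
    for category, sources in (("script", parser.scripts), ("iframe", parser.iframes)):
        for src in sources:
            host = urlparse(urljoin(page_url, src)).hostname or page_host
            if _party(site_domain, host) == "third":
                found.append({"category": category, "party": "third", "host": host})

    # Pixels/beacons: 1x1 (or 0x0) or hidden images, regardless of party.
    for img in parser.images:
        host = urlparse(urljoin(page_url, img["src"])).hostname or page_host
        tiny = img.get("width", "").strip() in ("0", "1") and img.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            found.append({"category": "pixel", "party": _party(site_domain, host), "host": host})

    # Cookies: the party is decided by the Domain attribute, else the responding host.
    for resp in responses:
        resp_host = urlparse(resp["url"]).hostname or page_host
        for raw in resp.get("set_cookie", []):
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                cookie_host = (morsel["domain"] or resp_host).lstrip(".")
                found.append({
                    "category": "cookie", "party": _party(site_domain, cookie_host),
                    "host": cookie_host, "name": name,
                    "secure": bool(morsel["secure"]), "samesite": morsel["samesite"] or "(unset)",
                })
    return found


def summarize(records):
    """Counts per (category, party), e.g. {("cookie", "third"): 1}."""
    counts = {}
    for r in records:
        key = (r["category"], r["party"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample page and captured responses (not real sites).
SAMPLE_PAGE_URL = "https://www.example.com/pricing"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
</head><body>
<img src="https://px.ads-network.test/collect?id=123" width="1" height="1" alt="">
<img src="/img/logo.png" width="200" height="60" alt="logo">
<iframe src="https://social-widget.test/like"></iframe>
</body></html>"""
SAMPLE_RESPONSES = [
    {"url": "https://www.example.com/pricing",
     "set_cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]},
    {"url": "https://px.ads-network.test/collect?id=123",
     "set_cookie": ["uid=xyz; Domain=.ads-network.test; Path=/; Secure; SameSite=None"]},
]

if __name__ == "__main__":
    for record in inventory_trackers(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_RESPONSES):
        print(record)
```

On the constructed page this yields five records: one third-party script, one third-party iframe, one third-party pixel, one first-party session cookie and one third-party `uid` cookie with `SameSite=None`, which is the shape of inventory a consent review needs before deciding which of them may fire before consent.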

Microsoft Priva Consent Management

Gain better value from your user-consented data and meet today's most challenging data privacy regulations with an approach that streamlines consent management and consented data usage. Built on Microsoft's extensive experience in privacy operations, Microsoft Priva Consent Management bolsters your organization's personal data consent management and publishing capabilities in a simplified and streamlined manner.

Key features

  • Create customizable and regulatory-compliant consent models: Quickly author dynamic consent models using prebuilt templates for easy deployment.
  • Streamline the deployment of consent models: Use a centralized process to publish consent models at scale to multiple regions.
  • Organization specific layouts: Create on-brand layouts for consent models that conform to changing business needs.

Microsoft Priva Subject Rights Requests

With personal data often distributed across multiple environments, organizations need a solution that lets them fulfill and manage subject rights requests across their entire data estate with full visibility. Built on Microsoft's extensive experience in data privacy operations, Microsoft Priva Subject Rights Requests automates the fulfillment of subject rights requests across on-premises, hybrid, and multicloud environments. With Priva Subject Rights Requests, organizations can fulfill access, deletion, and export requests across their entire data landscape, helping build trust with customers.

Key features

  • Efficiently manage subject rights requests: Streamline the fulfillment of subject rights request tasks using configurable settings within your workflows, providing end-to-end oversight of subject rights request operations.
  • Discover personal data across various data types and locations: Discover and manage subject rights requests across multicloud data estates, including Microsoft Azure, Microsoft 365, and third-party data sources like Amazon Web Services, Google Cloud Platform, and more.
  • Create low-code data agents to automate task fulfillment: Create low-code agents to automatically find and fulfill personal data requests using Microsoft Power Automate.

Learn more about new Priva capabilities at the IAPP Global Privacy Summit

From April 2 to 5, 2024, the world's largest forum for exploring privacy and data protection law, regulation, policy, management, and operations takes place in Washington, D.C. The International Association of Privacy Professionals (IAPP) Summit is a key event where information privacy professionals learn about innovative solutions and expand their privacy and data protection networks. Microsoft will have a strong presence with a spotlight feature, breakout sessions, and networking events. Check the agenda for times and locations for these events and more:

Spotlight stage: Microsoft Priva Privacy—Paul Brightmore, Head of Product for Microsoft Privacy, and Terrell Cox, Vice President (VP) of Privacy Engineering at Microsoft, will be featured on the spotlight stage sharing about Microsoft Priva privacy solutions.

Breakout session: Managing Privacy at Scale—Explore how large organizations keep pace with today’s privacy obligations, share strategies and tools available to manage privacy at scale, and share updates on the latest privacy governance tools. Get insight into the emerging role of AI in managing privacy.

Mainstage session: Regulator’s Agenda—Shifting Priorities and Practices—Julie Brill, Chief Privacy Officer, Corporate VP, Global Privacy, Safety and Regulatory Affairs at Microsoft, moderates this discussion where you’ll learn the top priorities of privacy authorities, understand how AI governance factors into the Data Protection Authorities’ 2024 plans, and review lessons learned from recent privacy enforcement actions.

VIP reception—Microsoft is hosting this event to bring privacy experts together on April 3, 2024. This event promises an engaging showcase of Priva demonstrations, enriching conversations, and valuable insights within the field of privacy. 

CDT Spring Fling—Microsoft is the lead sponsor of this reception organized in partnership with the Center for Democracy in Technology. The event includes a panel discussion on AI as a catalyst for ushering in the next era of data governance. Julie Brill, Chief Privacy Officer, Corporate VP, Global Privacy, Safety and Regulatory Affairs at Microsoft, will be speaking on this panel.

LGBTQ+ Allies After Party—Registration and tickets are required in advance for this Wednesday, April 3, 2024, afterparty at Pitchers. We hope to see you there.

Optimize your privacy operations today, and streamline compliance adherence

Thanks for taking the time to get to know the members of the Microsoft Priva suite of products. We’re so excited to continue to be your trusted partner in helping you meet your privacy and compliance regulations. Please check in on the Priva family from time to time to stay informed about our products.

Interested in learning more now? Head over to the Microsoft Priva homepage. To get a deeper dive into our product capabilities, read our Tech Community post or watch our video.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Navigating NIS2 requirements with Microsoft Security solutions
http://approjects.co.za/?big=en-us/security/blog/2024/02/20/navigating-nis2-requirements-with-microsoft-security-solutions/
Tue, 20 Feb 2024 17:00:00 +0000

NIS2 is the most comprehensive European cybersecurity directive yet, covering 18 sectors and 160,000+ companies. The Zero Trust principles addressed by Microsoft Security solutions can help you protect your organization and meet NIS2 requirements.

The post Navigating NIS2 requirements with Microsoft Security solutions appeared first on Microsoft Security Blog.

The Network and Information Security Directive 2 (NIS2) is a continuation and expansion of the previous European Union (EU) cybersecurity directive introduced back in 2016. With NIS2, the EU expands the original baseline of cybersecurity risk management measures and reporting obligations to include more sectors and critical organizations. The purpose of establishing a baseline of security measures for digital service providers and operators of essential services is to mitigate the risk of cyberthreats and improve the overall level of cybersecurity in the EU. It also introduces more accountability—through strengthened reporting obligations and increased sanctions or penalties. Organizations have until October 17, 2024, to improve their security posture before they’ll be legally obligated to live up to the requirements of NIS2. The broadened directive stands as a critical milestone for tech enthusiasts and professionals alike. Our team at Microsoft is excited to lead the charge in decoding and navigating this new regulation—especially its impact on compliance and how cloud technology can help organizations adapt. In this blog, we’ll share the key features of NIS2 for security professionals, how your organization can prepare, and how Microsoft Security solutions can help. And for business leaders, check out our downloadable guide for high-level insights into the people, plans, and partners that can help shape effective NIS2 compliance strategies. 

NIS2 key features 

As we take a closer look at the key features of NIS2, we see the new directive includes risk assessments, multifactor authentication, security procedures for employees with access to sensitive data, and more. NIS2 also includes requirements around supply chain security, incident management, and business recovery plans. In total, the comprehensive framework ups the bar from previous requirements to bring: 

  • Stronger requirements and more affected sectors.
  • A focus on securing business continuity—including supply chain security.
  • Improved and streamlined reporting obligations.
  • More serious repercussions—including fines and legal liability for management.
  • Localized enforcement in all EU Member States. 

Preparing for NIS2 may take considerable effort for organizations still working through digital transformation. But it doesn’t have to be overwhelming. 


Proactive defense: The future of cloud security

At Microsoft, our approach to NIS2 readiness is a blend of technical insight, innovative strategies, and deep legal understanding. We’re dedicated to nurturing a security-first mindset—one that’s ingrained in every aspect of our operations and resonates with the tech community’s ethos. Our strategy for NIS2 compliance addresses the full range of risks associated with cloud technology. And we’re committed to ensuring that Microsoft’s cloud services set the benchmark for regulatory compliance and cybersecurity excellence in the tech world. Now more than ever, cloud technology is integral to business operations. With NIS2, organizations are facing a fresh set of security protocols, risk management strategies, and incident response tactics. Microsoft cloud security management tools are designed to tackle these challenges head-on, helping to ensure a secure digital environment for our community.  

NIS2 compliance aligns to the same Zero Trust principles addressed by Microsoft Security solutions, which can help provide a solid wall of protection against cyberthreats across any organization’s entire attack surface. If your security posture is aligned with Zero Trust, you’re well positioned to assess and help assure your organization’s compliance with NIS2. 

Figure 1. Risks associated with securing an organization's external attack surface.

For effective cybersecurity, it takes a fully integrated approach to protection and streamlined threat investigation and response. Microsoft Security solutions provide just that, with: 

  • Microsoft Sentinel – Gain visibility and manage threats across your entire digital estate with a modern security information and event management (SIEM) solution.
  • Microsoft Defender XDR – Stop attacks and coordinate response across assets with extended detection and response (XDR) built into Microsoft 365 and Azure.
  • Microsoft Defender Threat Intelligence – Expose and eliminate modern threats using dynamic cyberthreat intelligence.

Next steps for navigating new regulatory terrain 

The introduction of NIS2 is reshaping the cybersecurity landscape. We’re at the forefront of this transformation, equipping tech professionals—especially Chief Information Security Officers and their teams—with the knowledge and tools to excel in this new regulatory environment. To take the next step for NIS2 in your organization, download our NIS2 guiding principles guide or reach out to your Microsoft account team to learn more. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 



Navigating privacy in a data-driven world with Microsoft Priva
http://approjects.co.za/?big=en-us/security/blog/2023/08/31/navigating-privacy-in-a-data-driven-world-with-microsoft-priva/
Thu, 31 Aug 2023 16:00:00 +0000

As the world becomes more data-driven and the privacy landscape continues to evolve, the need to take a proactive privacy approach increases. Here's how Microsoft Priva can help.

The post Navigating privacy in a data-driven world with Microsoft Priva appeared first on Microsoft Security Blog.

Data protection and privacy have become business imperatives. In a global survey conducted by Microsoft and leaders in the academic privacy space, 90 percent of respondents said they would not buy from an organization that does not properly protect its data.1 More than ever, people have a high awareness of their privacy, their digital footprint, and, most importantly, how the organizations they work with treat both. According to Gartner®, by the end of 2024, three-quarters of the world’s population will have personal data covered by modern privacy regulation.2 People exercise their privacy rights either explicitly, through actions like subject rights requests, or implicitly, through declining to do business with organizations that they do not trust. For organizations committed to respecting the privacy rights of individuals, it can be challenging to implement requirements and controls needed to meet data privacy needs.

Microsoft respects the vital role that privacy plays with customers. We provide solutions that help organizations meet their privacy obligations, and today we are excited to announce enhancements to Microsoft Priva.


How can Microsoft Priva help?

Microsoft Priva brings automated functionality to help organizations meet adapting privacy requirements related to personal data. Today, Microsoft Priva offers two solutions:

Microsoft Priva Privacy Risk Management

Microsoft Priva Privacy Risk Management helps organizations manage privacy risks related to data hoarding, data overexposure, and data transfers, and empowers employees to make better data-handling decisions. Priva Privacy Risk Management supports organizations by:

  • Identifying personal data and privacy risks: It allows organizations to leverage auto-classification technology to identify more than 308 personal data types in the Microsoft 365 environment, with no configuration needed. Admins can see personal data by location, geography, and types. In addition to helping organizations know their personal data landscape, Microsoft Priva also detects the associated risks around personal data and gives admins actionable insights.
  • Automating mitigation and preventing privacy incidents: Organizations can create policies from pre-configured templates to automate privacy risk mitigation:
    • Data minimization: Helps detect unused personal data, send users email digests to review and delete obsolete items, and provides privacy training to reduce data hoarding.
    • Data transfer: Helps detect personal data movements between customizable boundaries, such as geography or departments, and blocks risky transfers in near real time.
    • Data overexposure: Helps detect personal data overshare, informs file owners to review and adjust access, and provides privacy training to reduce overexposure incidents.
  • Empowering employees to make smart data-handling decisions: Admins can configure Priva to help employees make better data-handling decisions, as no one knows the value of their files more than the data owner. Microsoft Priva can trigger a system-generated email or Microsoft Teams message to a data owner with recommended actions and privacy best practices—right in their flow of work.  
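The three policy templates just described (data minimization, data transfer, data overexposure), which are also the three risk categories listed under Privacy Risk Management in the Priva expansion post earlier on this page, reduce to three checks over a file inventory plus a stream of movement events. The following is an added toy implementation, not Priva code and not a description of Priva's internals: the items, transfers, region groups, restricted department and broad-sharing principals are all constructed for illustration, and "personal data types" are taken as already-classified labels on each item.

```python
"""Toy versions of the data minimization, data transfer and data overexposure
policy checks. Added example; not Microsoft Priva code."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Item:
    path: str
    owner: str
    personal_data_types: frozenset  # classifier output, e.g. {"EU Passport Number"}; empty = none
    last_modified: date
    shared_with: frozenset          # principals the item is shared with


@dataclass(frozen=True)
class Transfer:
    path: str
    from_region: str
    to_region: str
    from_dept: str
    to_dept: str


# Constructed boundaries for the example (assumptions, not Priva defaults).
REGION_GROUPS = {"EU": {"DE", "FR", "IE"}, "US": {"US-East", "US-West"}}
RESTRICTED_DEPTS = {"HR"}                          # personal data may not leave these departments
BROAD_PRINCIPALS = {"Everyone", "Anyone with the link"}


def data_minimization(items, today, max_age_days=365):
    """Personal data untouched for more than max_age_days, grouped per owner for a digest."""
    cutoff = today - timedelta(days=max_age_days)
    digest = {}
    for it in items:
        if it.personal_data_types and it.last_modified < cutoff:
            digest.setdefault(it.owner, []).append(it.path)
    return digest


def data_overexposure(items):
    """Personal data shared to broad audiences -> (owner, path, offending principals)."""
    hits = []
    for it in items:
        broad = it.shared_with & BROAD_PRINCIPALS
        if it.personal_data_types and broad:
            hits.append((it.owner, it.path, tuple(sorted(broad))))
    return hits


def _region_group(region):
    return next((g for g, members in REGION_GROUPS.items() if region in members), region)


def evaluate_transfer(item, t):
    """'block' or 'allow' for one movement of an item across the configured boundaries."""
    if not item.personal_data_types:
        return "allow", "no personal data"
    src, dst = _region_group(t.from_region), _region_group(t.to_region)
    if src != dst:
        return "block", f"personal data leaving the {src} region boundary for {dst}"
    if t.from_dept in RESTRICTED_DEPTS and t.to_dept != t.from_dept:
        return "block", f"{t.from_dept} personal data leaving its department boundary for {t.to_dept}"
    return "allow", "within boundaries"


def data_transfer(items, transfers):
    """Evaluate every transfer event; returns (path, decision, reason) in event order."""
    by_path = {it.path: it for it in items}
    return [(t.path,) + evaluate_transfer(by_path[t.path], t) for t in transfers]


# Constructed inventory and events.
TODAY = date(2024, 4, 2)
SAMPLE_ITEMS = [
    Item("hr/2021-onboarding.xlsx", "hr-lead@example.com", frozenset({"EU Passport Number"}),
         date(2021, 6, 1), frozenset({"dept:HR"})),
    Item("sales/q1-leads.csv", "sales@example.com", frozenset({"Email Address", "Phone Number"}),
         date(2024, 3, 15), frozenset({"Anyone with the link"})),
    Item("eng/roadmap.pptx", "pm@example.com", frozenset(), date(2022, 1, 1), frozenset({"Everyone"})),
]
SAMPLE_TRANSFERS = [
    Transfer("hr/2021-onboarding.xlsx", "DE", "US-East", "HR", "HR"),        # crosses EU -> US
    Transfer("hr/2021-onboarding.xlsx", "DE", "FR", "HR", "Finance"),        # crosses HR boundary
    Transfer("sales/q1-leads.csv", "US-West", "US-East", "Sales", "Marketing"),
    Transfer("eng/roadmap.pptx", "IE", "US-East", "Eng", "Eng"),             # no personal data
]

if __name__ == "__main__":
    print(data_minimization(SAMPLE_ITEMS, TODAY))
    print(data_overexposure(SAMPLE_ITEMS))
    for row in data_transfer(SAMPLE_ITEMS, SAMPLE_TRANSFERS):
        print(row)
```

Note that the overexposure and minimization checks deliberately ignore items with no personal data (the roadmap shared with Everyone is a security question, not a privacy one), and that the transfer check blocks on the region boundary before it considers the department boundary, so the reason string tells the owner which rule actually fired.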

Microsoft Priva Subject Rights Requests

Depending on where you are in the world today, different privacy regulations will affect your business, and even if you are not much affected today, it is likely only a matter of time before you are. Many of these regulations empower people to exercise rights over their data, for example by requesting that the organizations they do business with or work for provide a record of all the personal data collected about them. For organizations, completing subject rights requests can be a manual, complex, time-consuming, and expensive process that is also time-bound. Microsoft Priva Subject Rights Requests helps organizations manage requests at scale and with confidence by:

  • Automating discovery: Gathers the requestor’s personal information and detects data conflicts such as sensitive information or data pertaining to other users.
  • In-place review and secure collaboration: Review and redact files located in the live system in their native views without creating duplicate copies and bring collaboration to a protected platform.
  • Ecosystem integration: Plugs into an organization's existing processes to manage requests in a unified way across the digital estate. The Microsoft Graph subject rights requests API integrates Priva Subject Rights Requests with in-house or partner-built privacy solutions.

Enhancements to Microsoft Priva

Updates to Microsoft Priva include added customization, better insights, easier collaboration, powerful review options, and so much more.

What’s new with Microsoft Priva Privacy Risk Management?

Deeper data viewpoints

The data minimization policy in Privacy Risk Management has resonated strongly with customers. With this update, which adds day-zero insights, admins can view data minimization policy insights 72 hours after starting Priva, covering data from up to the past 90 days. Previously, customers waited at least 30 days to see policy matches. With a longer history of data, privacy admins can understand privacy trends better and use these data points to plan the best approach for their organizations.

Better together integration

Microsoft Purview Compliance Manager offers data protection and privacy assessment templates that correspond to compliance regulations and industry standards around the world. Microsoft Priva now works hand-in-hand with Compliance Manager: admins can take specific actions within Microsoft Priva that earn points toward assessment completion and raise the overall compliance score. Examples of actions that are detected and credited include setting up a Privacy Risk Management policy or enabling data retention limits for subject rights requests.

Figure 1. Compliance Manager dashboard showing the privacy score and, in the "improvement actions" section, the actions taken within the Priva solution.

Additionally, insights from Compliance Manager will now populate within Priva itself. This update brings recommendations on actions that will help admins align to regulations and improve their score in Compliance Manager. 

What’s new with Microsoft Priva Subject Rights Requests?

Fulfill more request types

Many regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), include the right to be forgotten, which lets people request the deletion of all the information an organization has collected about them, subject to a few defined exceptions that allow data retention. Today, we are excited to share that the Priva Subject Rights Requests delete request type is now generally available. Admins can select delete as a request type, or start from the delete template and get purpose-built flows that surface conflicts and streamline deletion, leveraging the Microsoft retention and deletion platform and working alongside teams already using data lifecycle management and records management. Admins can also select different approvers for any given request and, once the workflow is complete, open the reports tab to view the summary report and review results.

Figure 2. Stage three of five of a delete subject rights request in progress within the Priva Subject Rights Requests solution.

Watch this short video to see Priva Subject Rights Requests delete in action.

Learn more

As the data protection landscape continues to shift, many organizations are working to prioritize the privacy needs of a data-driven world. We welcome you to learn more about how Microsoft Priva can help and invite you to try Microsoft Priva free today. 

Visit our latest Tech Community Priva blog for additional Microsoft Priva updates and details.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. From Privacy Vulnerability to Privacy Resilience, Microsoft. August 2022.

2. Gartner®, State of Privacy: The Privacy Tech Driving a New Age of Data Wealth. August 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


Microsoft recognized as a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023
http://approjects.co.za/?big=en-us/security/blog/2023/03/22/microsoft-recognized-as-a-leader-in-the-forrester-wave-data-security-platforms-q1-2023/
Wed, 22 Mar 2023 16:00:00 +0000

Microsoft is named as a Leader in Forrester's 2023 Wave for Data Security Platforms for Microsoft Purview Information Protection, data loss prevention, insider risk management, and Microsoft Priva.

The post Microsoft recognized as a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023 appeared first on Microsoft Security Blog.

Organizations need to protect their sensitive data including intellectual property, trade secrets, customer data, and personally identifiable information from both insiders and external cyber attackers. In fact, 80 percent of organizations experience more than one data breach in their lifetime.1 With global, industry, and national-level regulations, the need to protect sensitive data and prevent data exfiltration has never been more urgent than it is now.

To help our customers navigate this complex data landscape, we are focused on delivering secure, intelligent, and user-centric solutions that provide visibility, reduce complexity, and mitigate risk. Over the past few years, we significantly increased our investment in building our Microsoft Purview data security capabilities across our information protection, data loss prevention (DLP), and insider risk management solutions, as well as our privacy solution: Microsoft Priva. A few recent capabilities are advanced ready-to-use machine learning-enabled classifiers, Adaptive Protection, a DLP migration assistant tool (on-premises DLP to cloud-native DLP), and right to be forgotten for Microsoft Priva Subject Rights Requests.

I am delighted to announce that Forrester listed Microsoft as a Leader in its 2023 Wave™ for Data Security Platforms. The Forrester Wave™ report evaluates the data security platform market and provides a detailed overview of the current offering, strategy, and market presence of these vendors. Microsoft received the highest possible score in the current offering category for data classification, data threat and risk visibility, data masking or redaction, encryption, rights management, privacy use cases, and integrations for Zero Trust criteria; and in the strategy category for the product vision, execution roadmap, and community engagement criteria.

We believe our investments in advanced classification technology, data threats and risk visibility, rights management, and privacy resulted in this recognition.

Forrester Wave Data Security Platforms Q1 2023 graphic.

The Forrester report also acknowledges: “Microsoft shines with its ecosystem approach—if you go all in,” wrote Heidi Shey, Forrester Principal Analyst, in the report. “Microsoft Purview brings together capabilities to 1. understand and govern data; 2. safeguard data; and 3. improve risk and compliance posture. But Microsoft’s security capabilities go beyond Microsoft Purview. By design, the entire Microsoft ecosystem working together multiplies its value via telemetry from across the environment.” She added, “The power of Microsoft’s telemetry is evident in its capabilities for identifying data threats and risk visibility. These offer strong controls for data masking, encryption, and rights management.”

Our work isn’t stopping there, however. We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to create solutions to help you on your data security journey.

Learn more

Read this complimentary copy of The Forrester Wave™: Data Security Platforms, Q1 2023 for the analysis behind Microsoft’s position as a Leader.

Read more about Microsoft’s recognition as a leader in cloud security, email security, security analytics, and more:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Cost of a Data Breach Report 2022, IBM. 2022.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Simplify privacy protection with Microsoft Priva Subject Rights Requests http://approjects.co.za/?big=en-us/security/blog/2022/11/10/simplify-privacy-protection-with-microsoft-priva-subject-rights-requests/ Thu, 10 Nov 2022 17:00:00 +0000 With an ever-changing privacy landscape, taking a proactive privacy approach is key to building privacy resilience. In this blog, learn how Microsoft Priva Subject Rights Requests and its newest update right to be forgotten can help organizations meet their regulatory requirements.

The General Data Protection Regulation (GDPR) came into effect in 2018 and set a new standard for the level of control individuals in the European Union had on the personal data they shared online. Since then, the number of privacy regulations around the world has flourished and impacted the privacy landscape we see today. According to Gartner®, by the end of 2024, three-quarters of the world’s population will have its personal data covered by modern privacy regulations.1 Today, additional regulations like the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD) empower people to exercise their right to request the personal data that organizations have collected from them.

When organizations respond to subject rights requests, they are both meeting their regulatory requirements and providing people with control over their personal data. Although responding to requests can be quite complex, Microsoft Priva Subject Rights Requests can help ease the process—and with the preview arrival of Right to be Forgotten, Priva Subject Rights Requests can further support how organizations respect the privacy of their customers and employees.

Understanding how people think about privacy

As many businesses around the world adapt their privacy practices, having both the tools that help address privacy requirements and a good understanding of how consumers perceive and feel about privacy are key to enabling trust with customers. Microsoft Priva, the brand category for Microsoft Security, was announced at Microsoft Ignite in 2021 by Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, and Identity.2 Priva solidified our commitment to supporting organizations in their privacy journey with products that help safeguard personal data and manage subject rights requests at scale. For organizations, having processes that help manage their privacy is critical, but it is also valuable to have a deep understanding of how people really think about privacy to guide their practices. We recently commissioned privacy research that explores the emotional textures of privacy and what triggers privacy vulnerability. We learned that when businesses empathize with the privacy concerns people have and transparently address them, they foster trust and differentiate themselves from competitors.

It’s important for organizations to assess the varying causes that spark privacy vulnerability for both their consumers and their business. For example, a consumer may feel anxious or helpless because they don’t know how their personal data is being used. However, if they are provided with transparency of how their data is being used and given clear options that enable the control of their data, their insecurities could be eased and trust in the process earned. For a business, privacy vulnerability could present itself through limited transparency or basic compliance—leaving room for privacy risk to potentially unfold. For instance, a business that might fulfill a data subject request unconvincingly, or with basic effort, could be managing its privacy at a vulnerable level. If that business were to practice a “beyond-compliance,” human-centered privacy approach, they could yield practices that help them build privacy resilience—helping them stand apart from their competitors while they earn trust from their customers.

Gradient scale bar showing Privacy vulnerable on one end and Privacy resilient on the other. The scale is from the consumer perspective and the business perspective.

Figure 1. The differing perspectives of consumers and businesses regarding privacy vulnerability versus privacy resilience.

The above figure demonstrates a privacy scale ranging from vulnerable to resilient and includes both consumer and business perspectives. On the consumer side, it ranges from feeling anxious, helpless, and lacking knowledge or motivation in protective coverage to secure, being in control, trusting the process, and being skilled in protective coverage. On the business side, it ranges from basic compliance, limited transparency, minimal control, and reactive approaches to beyond compliance, authentic privacy care, reciprocating data for value, and a proactive approach to consumer protection.

Microsoft Priva Subject Rights Requests can help

Many times, even though an organization may be focused on a proactive privacy approach, managing and responding to subject rights requests can be a tedious and cumbersome process. It can be extremely time-consuming and taxing, and because requests are also time-bound, they bring extra complexity to the organization. Responding to these requests often requires a tremendous amount of collaboration and manual review, and producing just a single request can be quite expensive. Nonetheless, completing these requests is not just an obligatory requirement, but also a tangible way to express respect for customer and employee privacy.

Priva helps organizations more efficiently manage requests at scale—Priva Subject Rights Requests automates the search and collection of content relevant to the data subject and facilitates tasks such as in-line review, redaction, and collaboration, all from an easy-to-use dashboard. Admins can easily get started by leveraging request templates that help them create requests with recommended default configurations and use Microsoft Power Automate integration, as well as API support to better fit into their existing processes.

Priva Subject Rights Requests dashboard, showing detailed insights for subject rights requests: including active, closed and overdue requests, as well as a circle and line graph showing status of requests and request types.

Figure 2. Priva Subject Rights Requests overview dashboard showing insights.

Priva Subject Rights Requests help admins meet the strict deadlines associated with regulations like GDPR and ease the administrative burden of tedious tasks related to collection, review, and redaction. Completing a request also often requires teamwork from various departments within the organization. Priva provides secure collaboration through Microsoft Teams and keeps a history tab, highlighting actions taken from all collaborators for easy auditing—streamlining the complexity of requests from beginning to post-completion.

Microsoft Priva Subject Rights Requests highlights:

  • Automates discovery: Gathers the requestor’s personal information and detects data conflicts such as sensitive information or data pertaining to other users.
  • In-place review and secure collaboration: Review files in place in their native views, perform redactions in-line with built-in tools, and consolidate collaboration within a protected platform.
  • Ecosystem integration: Plugs into an organization’s existing process to manage requests in a unified way across the digital estate. Microsoft Graph subject rights requests API integrates Priva Subject Rights Requests with in-house or partner-built privacy solutions.

The newest Priva Subject Rights Requests update, Right to be Forgotten, is here

Video 1. Microsoft Priva Subject Rights Requests (SRRs) new feature Right to be Forgotten is now in preview. See how we demonstrate going through a delete request using Microsoft Priva.

Both GDPR and CCPA include the Right to be Forgotten, giving people the ability to request the deletion of all the information an organization has collected about them, with a few outlined exceptions that allow data retention. For example, a former employee in an EU-based company believes she left documents containing her personal data in SharePoint. The employee can exercise her right to her personal data and make a subject rights request for deletion with that organization. As Priva Subject Rights Requests continues to evolve, we are excited to share the preview release of Right to be Forgotten, helping organizations meet requests such as the employee’s request for deletion.

This marks a significant update for Priva Subject Rights Requests. With this new feature, admins can select delete as a request type, or start from the delete template, and get purpose-built flows that help surface conflicts and streamline deletion, leveraging the Microsoft retention and deletion platform and working together with teams already using data lifecycle management and records management. The feature also gives admins the flexibility to select different approvers for any given request and, once the workflow is complete, access to the reports tab, where they can view the summary report and review results.

Sample delete request for employee in stage 3 of 5, where the designated approver is to complete approval to proceed to stage 4 of 5.

Figure 4. Delete request in the approval stage, showcasing approver details and the complete approval button.

Learn more

Although completing subject rights requests can be complex, Microsoft Priva Subject Rights Requests can help ease the process. As organizations continue to adapt to the privacy changes that impact their customers and their business, we are reminded that although changes to the privacy landscape are inevitable, there are resources to support these shifts. We invite you to learn more about Priva Subject Rights Requests by downloading our free eBook and encourage you to try Microsoft Priva Subject Rights Requests free trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1State of Privacy: The Privacy Tech Driving a New Age of Data Wealth, Gartner®. August 2022.

2Protect your business with Microsoft Security’s comprehensive protection, Vasu Jakkal, Microsoft Security. November 2, 2021.

Why strong security solutions are critical to privacy protection http://approjects.co.za/?big=en-us/security/blog/2022/06/15/why-strong-security-solutions-are-critical-to-privacy-protection/ Wed, 15 Jun 2022 16:00:00 +0000 Former three-term Ontario Information and Privacy Commissioner Ann Cavoukian, Ph.D., talks about her seven foundational principles of privacy by design and the importance of data privacy.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Voice of the Community blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Ann Cavoukian, Ph.D., Founder and Chief Executive Officer (CEO) of Global Privacy & Security by Design, former three-term Information and Privacy Commissioner for Ontario, Canada, and author of “Privacy by Design: The 7 Foundational Principles.” The thoughts below reflect Ann’s views, not the views of her employer or Microsoft, and are not legal advice. In this blog post, Ann shares insights on how to better protect people’s privacy.  

Brooke: What are the seven foundational principles of Privacy by Design?

Ann: When I joined the Commission, I had to train my lawyers on the need to be proactive relating to privacy and security. I wanted something that would ideally prevent privacy harms from arising.  

I created Privacy by Design at my kitchen table over three nights. Privacy by Design was unanimously passed as an international standard in 2010. In 2018, a new law in the European Union, the General Data Protection Regulation (GDPR), included Privacy by Design. It’s been translated into 40 languages and not a week goes by when I don’t hear from some jurisdiction around the world. Brazil also included Privacy by Design in their new privacy law. 

There are seven foundational principles to Privacy by Design. The first one is you’ve got to be proactive to prevent the harms from arising. Be preventative, not remedial.  

The second one is privacy as the default setting. You don’t have to wade through all the terms of service and legalese referenced in your privacy policy to find the opt-out box saying do not use my personal information for any purpose other than for the intended primary purpose of the data collection. We give you privacy automatically!  

The third principle is privacy embedded into design. I always say bake it into the code and into all of your operations. Make it one of those essential features that is always present.  

The fourth principle is to reject zero-sum models—privacy versus security or privacy versus data utility. It’s one interest over another. It’s win-lose: reject this! Positive sum releases better outcomes, with privacy and security going hand-in-hand.  

The fifth principle is end-to-end security. You must have full lifecycle protection, from end to end, in this day and age of daily hacking. 

The sixth principle is visibility and transparency. If you keep what you’re doing open to your clients and citizens, they will assist you by increasing the accuracy and quality of the information.  

The seventh principle is respect for user privacy. If you focus on users, all of this will work to your advantage again and again. 

Brooke: With new privacy issues, how can governments and people protect identity data?

Ann: The growth of surveillance has been massive and digital identities are being explored. This terrifies me, because if your identity is digital, it’s not in your hands. Someone, usually in government, is controlling it. I read an article about the push for mobile driver’s licenses. The second half was about identity theft. They’re pushing the Biden government for funding because of the identity theft that’s going to arise. Are you kidding me?

Instead of focusing on identity theft, focus on protections you can engage in digitally. End-to-end encryption is huge. There’s biometric encryption, which encrypts your biometric—your fingerprints, your facial image, your iris scans—in such a way that no one can gain access to it. If someone successfully hacks into it, they don’t get your biometric identity but whatever was biometrically encrypted.  

It should be the obligation of the government that is demanding data from you to protect it. To expect individuals to know how to protect their data is expecting too much. I want everyone to put the brakes on digital identity and have conferences on how we can protect this data with biometric encryption and why that’s better than regular encryption. We must explore all of this, and we must do it now. 

Brooke: Have there been any unique threats to privacy in the past two or three years?

Ann: Because of the pandemic, people are being forced to reveal their private health status. If you were required to reveal vaccine information, that’s a huge infringement of your privacy. Medical data is the most sensitive personal information in existence, and it belongs to no one other than you and your physician. To require members of the public to reveal their vaccine status is appalling and that’s been one of the things I’ve been fighting. Fortunately, the pandemic is lifting, and the restrictions are lifting but the worst thing is that you’ll be compelled to reveal your health data.  

Brooke: What are the biggest barriers facing organizations today regarding privacy?

Ann: Often, there’s a chief privacy officer but they’re not part of the higher-level management team. When I talk to boards of directors and chief executive officers, I say, “You have to bring the privacy operation as an essential component of working with security and reporting to the CEO or to someone just underneath the CEO.”   

The other thing I ask is, “Do you have a data map at your organization?” When data first comes into your organization, people consent to the primary purpose of the data collection. But then the data flows throughout your organization in a variety of ways, where secondary uses are often made of the data. If you have a privacy map, you see how the data flows from one department to another. Are additional consents required because a use is secondary or are these uses intertwined with the primary purpose?  

Brooke: Will governments around the world be able to keep up with emerging technology?

Ann: Absolutely not. They need to rely on private sector companies advancing in these areas. I searched for “biometric encryption” and 10 companies are leading on this globally so there are a lot out there that governments can access, but they’ve got to do that.  

The Germans developed a term called “informational self-determination” that means it should be the individual who determines the fate of their personal information. It’s no accident that Germany is the leading privacy and data protection country in the world. They had to endure the abuses of the Third Reich and when that ended, they said never again will we subject our population to those kinds of abuses. They have enormous privacy laws at the state level. All these privacy commissioners at the state and federal levels get together for conferences twice a year. They’re amazing.

Brooke: What are the biggest privacy vulnerabilities?

Ann: A lot of times, it’s law enforcement. The police say there’s been this problem and we need access to your data. Companies generally just readily give it. I urge them not to do that. At first, they’re shocked when I say that. If law enforcement has a legitimate need for the data, namely probable cause, they can then make their case to a judge. The judge will give them a warrant and then you know it’s legitimate and have total authority to give it to them. You can’t be taken to court by customers because you had to do this. That’s the same with other departments that might come knocking at your door, like companies you’re doing work with or third parties. Any data collection and data disclosure must be authorized. 

Brooke: Is there any good reason to infringe upon privacy to do surveillance on someone?

Ann: I don’t think there is any great reason. Law enforcement understandably requires information at times, but they should always go to court to get a warrant.  

A facial recognition company was collecting 3.3 billion facial images scrubbed from the web and selling it to law enforcement agencies all over the world. The police were buying this up. When the chief of police in Toronto learned that his police officers were buying this data, he stopped it immediately. The company has been stopped now in Canada. I want other governments to do the same. 

You can’t have this underhanded, quiet surveillance taking place by the government or by private sector entities. When people in government collect information, it’s supposed to be for a particular purpose and not for whatever purposes they want. Surveillance is abounding now, and surveillance is the antithesis of privacy. We must get it under control.  

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Manage subject rights requests at scale with Microsoft Priva http://approjects.co.za/?big=en-us/security/blog/2022/03/16/manage-subject-rights-requests-at-scale-with-microsoft-priva/ Wed, 16 Mar 2022 16:00:00 +0000 Having the right technology and processes in place can make it possible to manage a large volume of SRRs efficiently and in an auditable way. This post discusses SRR response use cases and how Microsoft Priva subject rights requests can be used for this purpose.

Privacy is of increasing importance to our customers. In addition to the well-known European General Data Protection Regulation (GDPR), privacy regulations are emerging in nearly every region with more than 70 percent of countries now having data protection and privacy legislation.1

As the number and scope of privacy standards have proliferated, privacy becomes an expectation of customers and stakeholders to enable a trusted business. Many of the large organizations I work with are mature in their privacy compliance processes. Some have had to be GDPR compliant since 2018. Even those without GDPR compliance obligations saw GDPR as a watershed event, recognizing that broader privacy regulation was coming. Organizations have now shifted their focus from privacy compliance to privacy leadership in order to provide value to their customers and their brands. To assist organizations on their privacy journey, we introduced Microsoft Priva in October 2021 to help customers safeguard personal data and respect privacy rights.

The concept of respecting an individual’s privacy rights has been emphasized by the Organization for Economic Cooperation and Development (OECD) as “The Individual Participation Principle” in the Fair Information Practice Principles (FIPPs) since 1980.2 The principle includes an individual’s right to access and control their own data. In some cases, they have the right to have this data corrected or deleted. Since GDPR went into effect, the concept has become more mainstream, known as data subject requests or subject rights requests. In the United States, 12 states have laws passed or active bills that mandate a subject’s right to data access.3

Subject rights requests (SRRs) management is time-consuming and costly

Responding to subject rights requests (SRRs) can be resource-intensive, costly, and difficult to manage. There are challenging time frames for a response, with GDPR mandating a response time of 30 days and California Privacy Rights Act (CPRA) allowing 45 days. More than half of organizations handle SRRs manually, while one in three has automated the process.4 According to Gartner®, most organizations process between 51 and 100 SRRs per month at a cost of more than USD1,500 per request.5 As more privacy regulations come into force and the public becomes more informed about their rights, the volume of SRRs is expected to grow substantially, impacting organizations’ resources even further.

Pie chart showing 1 in 3 organizations have partially automated subject rights requests.

Figure 1. Approximately one in three organizations have partially automated subject rights requests.

Scaling SRR management is challenging

To process an SRR, an organization must verify the data subject to make sure that the individual is who they say they are and has the rights to the information, then collect the information, review, redact where appropriate, and provide the response to the requester in an auditable manner.

Most organizations have processes in place for SRR responses but rely on email for collaboration, eDiscovery tools for search, and manual reviews to identify data conflicts like a file containing multiple people’s privacy relevant data. These processes can work but they don’t scale. They also create data sprawl and additional security and compliance risk.

Manage at scale and respond with confidence with Microsoft Priva

To help organizations deal with these challenges, Microsoft has created Microsoft Priva, a privacy management solution that helps safeguard and respect privacy while streamlining the process for responding to SRRs.

Microsoft Priva SRRs helps gather a subject’s data from the Microsoft 365 environment automatically, including emails, messages, documents, spreadsheets, and more that contain the requestor’s personal data. It then detects and flags conflicts like the personal data of others or confidential information included in the collected files. Automated data collection and detection can help you capture conflicts more accurately to avoid any data leakage.

Additionally, the solution allows collaboration in a protected platform for stakeholders to review, triage, and redact collected files in their native views. Unlike other solutions that might only provide you with a report of file paths, Microsoft Priva can bring the files to you and save you time and effort manually copying and pasting the file paths in your browser, or emailing and messaging files to others to review.
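The collection and conflict-detection step described above, reduced to its core logic as an added Python example (this is not Priva's own code): it searches a constructed set of files for the requester's e-mail address, flags any other person's address found in the same file as a data conflict, and produces a redacted copy for review. The file paths, addresses and contents are constructed, and only e-mail addresses are detected; names and other identifiers would need their own detectors.

```python
import re
from dataclasses import dataclass, field

# Constructed sample corpus standing in for files collected from a Microsoft 365
# tenant; these are not real records. Maps a file path to its text content.
DOCUMENTS = {
    "hr/onboarding-2021.txt": (
        "Welcome Maria Keller <maria.keller@example.com>. Your manager is "
        "Tom Ruiz <tom.ruiz@example.com>; badge 4471 issued 2021-03-01."
    ),
    "sales/q3-notes.txt": (
        "Spoke with maria.keller@example.com about the renewal. "
        "Follow up next week."
    ),
    "finance/invoices.txt": "Invoice 2201 paid by Acme Corp. No personal contacts.",
    "it/tickets.txt": "Ticket 88 opened by ana.silva@example.com: VPN drops nightly.",
}

# Only e-mail addresses are detected here; names, badge numbers and other
# identifiers (e.g. "Tom Ruiz" above) would need separate detectors.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Hit:
    """One collected file, the conflicts found in it, and its redacted form."""
    path: str
    conflicts: list = field(default_factory=list)  # other people's identifiers
    redacted: str = ""


def redact(text, identifiers):
    """Replace each identifier (case-insensitively) with a fixed marker."""
    for ident in identifiers:
        text = re.sub(re.escape(ident), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def collect_for_subject(documents, subject_email):
    """Find files that mention the data subject. Any other person's address in
    the same file is flagged as a data conflict, and a redacted copy is built
    so reviewers do not release third-party personal data with the package."""
    subject = subject_email.lower()
    hits = []
    for path, text in documents.items():
        emails = {m.lower() for m in EMAIL_RE.findall(text)}
        if subject not in emails:
            continue  # not the requester's data; leave it out of the package
        others = sorted(emails - {subject})
        hits.append(Hit(path=path, conflicts=others, redacted=redact(text, others)))
    return hits


def summarize(hits):
    """Counts a reviewer or auditor would want before the package is released."""
    return {
        "files": len(hits),
        "files_with_conflicts": sum(1 for h in hits if h.conflicts),
        "distinct_third_parties": len({c for h in hits for c in h.conflicts}),
    }


if __name__ == "__main__":
    hits = collect_for_subject(DOCUMENTS, "maria.keller@example.com")
    for h in hits:
        flag = "CONFLICT" if h.conflicts else "clean"
        print(f"{h.path}: {flag} {h.conflicts}\n  {h.redacted}")
    print(summarize(hits))
```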

Animated image of Microsoft 365 compliance dashboard user redacting files.

Figure 2. Review, triage, and redact collected files in their native views when multiple people’s data is detected.

Privacy admins can also leverage Microsoft Teams and Power Automate, integrated with the Microsoft Priva solution, to work with HR, legal, and other departments in an efficient, compliant, and auditable way. All your collaboration data is centralized in one platform that ensures security and compliance along the way. Microsoft Priva SRRs helps organizations manage SRRs at scale with confidence while avoiding personal data sprawl.

Flow chart showcasing how Microsoft Priva Subject Rights Requests helps manage requests at scale and with confidence.

Figure 3. Microsoft Priva SRRs helps manage requests at scale and with confidence.

The solution dashboard provides visualization of SRR metrics and the ability to filter and manage requests to completion. This establishes to internal stakeholders and regulators that SRR responses were made with compliant processes in the required timeframe. 

Microsoft 365 compliance center dashboard showing SRR progress over time.

Figure 4: Microsoft Priva SRRs helps provide insights on SRR progress and show trends over time.

Integrate with your privacy solutions

Many organizations are using other tools to manage SRRs. We want to bring the value of Microsoft Priva and its native integration with Microsoft 365 to them as well to provide a better-together solution. Part of this is to integrate Microsoft Priva with the solutions of other software vendors and customers’ homegrown solutions through our Microsoft Graph subject rights request API. The API allows integration with privacy independent software vendors (ISVs), like OneTrust, Securiti.ai, and WireWheel, to automate the SRR handling process and provide a response that encompasses the organization’s entire data estate.

For example, an organization can use the API to send a request they received in their homegrown application to Microsoft Priva, which then collects the subject’s personal data automatically, enables collaboration to review and redact files, creates a link to the data package, and sends it back to the homegrown application through the API. The organization then can combine all the reports and data from various environments together to respond to the requestor.

Microsoft Graph API showing how organizations leverage Microsoft Priva along with their existing privacy tools.

Figure 5. Microsoft Graph API enables organizations to leverage Microsoft Priva along with their existing privacy tools.

Learn more

We are excited to help ease the complexity of SRR management. To learn more about how to manage SRRs at scale, download the e-book Five tips from Microsoft to automate your SRRs or join our webinar on April 19, 2022.

Microsoft Priva solutions are generally available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. You can try out Microsoft Priva SRRs for 90 days or create up to 50 subject rights requests (whichever limit expires first) at no cost.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



The post Manage subject rights requests at scale with Microsoft Priva appeared first on Microsoft Security Blog.

Build a privacy-resilient workplace with Microsoft Priva
http://approjects.co.za/?big=en-us/security/blog/2022/01/28/build-a-privacy-resilient-workplace-with-microsoft-priva/ (Fri, 28 Jan 2022 17:00:00 +0000)

Today, we celebrate international Data Privacy Day, which reminds us of the importance of respecting privacy, and enabling trust. Read the blog post to see how Microsoft Priva can help.

The post Build a privacy-resilient workplace with Microsoft Priva appeared first on Microsoft Security Blog.

Today, we celebrate international Data Privacy Day. This day reminds us of the importance of respecting privacy, safeguarding data, and enabling trust.

However, annual reminders are insufficient to drive material change, which can be seen in the effectiveness rates of one-off trainings. According to the forgetting curve theory, employees forget about 75 percent of training after just six days [1]. Imagine the lack of knowledge retention for employees of organizations that only do annual privacy training.

To help you with this challenge, we are excited to re-emphasize our commitment to helping organizations build a privacy-resilient workplace with Microsoft Priva, which was announced by Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, and Identity, last year at Ignite. Microsoft Priva is the new brand of privacy solutions provided by Microsoft moving forward. Currently, the Microsoft Priva solution offers two products:

1. Priva Privacy Risk Management: Proactively identify and remediate privacy risks arising from data transfers, overexposure, and hoarding, and empower information workers to make smart data handling decisions.

2. Priva Subject Rights Requests: Manage subject rights requests at scale with automated data discovery and privacy issues detection, built-in review and redact capabilities, and secure collaboration workflows.

Managing privacy data requires understanding the context around the data, including why information workers collect the data and the intent of use. The integration of Microsoft Priva with your day-to-day productivity tools and business applications gives organizations the power to effectively influence employees to make positive decisions on personal data handling. The in-the-moment nudges drive fundamental behavioral changes, helping people make good data handling decisions in the context of their daily activities.

For example, when a user collects personal data but hasn’t used it for more than 180 days, it may no longer have business value but can increase the risk surface area. To adhere to a principle of data minimization, Microsoft Priva can send a system-generated reminder to the data owner to review the file and make a decision to delete or provide a business justification to keep it. Users can easily take action within the Outlook interface, safeguarding personal data without impeding productivity.


Figure 1. Help identify unused personal data and empower users to make smart data handling decisions.

Privacy administrators can also set up policies to detect personal data overexposure and notify data owners to review access to the file, with an experience similar to the example above. This feature can help companies that audit file or site access manually, a process that is time-consuming and can miss risks that arise between audits.

Microsoft Priva can also help govern communication to support organizations meeting data transfer requirements. In Microsoft Teams, the most commonly used communication platform, users can receive near-real-time notifications and guidance when sending personal data across regions or departments. Privacy administrators can customize the transfer boundaries to adhere to the company’s privacy policies.


Figure 2. Detect cross-border or cross-department data transfer in Teams and provide just-in-time guidance.

In addition to the user experience, Microsoft Priva also provides an aggregated view of privacy posture showing key insights of detected privacy risks. Admins can easily spot privacy issues and fine-tune policies to engage with users. Microsoft Priva solutions are designed with the concept of privacy by default. User information is pseudonymized by default in the admin interface.


Figure 3. Provide an aggregated view to admins to gain visibility into privacy issues.

Since launching Microsoft Priva, we have heard great feedback from customers, including Novartis, the world’s leading pharmaceutical company, which is currently in a trial with Microsoft Priva solutions.

“Microsoft Priva will help us identify and prevent critical privacy risks that arise from transferring private data across borders and oversharing. We’ll empower our employees to mitigate risks themselves, freeing our IT resources to focus on more urgent high-severity risks.”

Beni Gelzer, Head of Data Privacy (Switzerland), Novartis

Read more about how Novartis uses Microsoft Priva to enable its employees with a solution that works with them.

Learn more

Microsoft Priva solutions are generally available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. If you are interested in learning more about Microsoft Priva solutions, we encourage you to start the 90-day free trial today to experience the product directly. If you can’t see the “start trial” button on the page, contact your Global Admin to gain permission for the solution. Learn more about the trial program in this trial playbook.

We hope that Microsoft Priva can help increase your employees’ awareness of data privacy continuously throughout the year so that you can build a privacy resilient workplace. Happy international Data Privacy Day!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 


[1] The Forgetting Curve, Data & Visuals, Harvard Business Review. October 2019.

Simplifying the complex: Introducing Privacy Management for Microsoft 365
http://approjects.co.za/?big=en-us/security/blog/2021/10/19/simplifying-the-complex-introducing-privacy-management-for-microsoft-365/ (Tue, 19 Oct 2021 13:00:50 +0000)

The data privacy regulation landscape is more complex than ever. Today, I’m excited to share with you some of the new investments we’re making to attempt to bring some simplicity to the complex topic of data privacy regulations.

The post Simplifying the complex: Introducing Privacy Management for Microsoft 365 appeared first on Microsoft Security Blog.

The data privacy regulation landscape is more complex than ever. With new laws emerging in countries like China and India, shifts in Europe and the United Kingdom, and currently 26 different laws across the United States, staying ahead of regulations can feel impossible.

But this work is critical—to safeguarding people and the tools they use to stay connected, get work done, and thrive in today’s hybrid environment.

We have been working closely with our customers to help. Today, I’m excited to share with you some of the new investments we’re making to attempt to bring some simplicity to the complex topic of data privacy regulations.

Introducing Privacy Management for Microsoft 365

With the latest regulation going into effect soon in China, most of the world’s population will soon have its personal data covered under modern privacy regulations. But how organizations manage their regulatory responsibilities with all those laws in mind is often manual, time-consuming, and expensive.

Today, I’m excited to announce that Privacy Management for Microsoft 365 is generally available to help customers safeguard personal data and build a privacy-resilient workplace. With role-based access controls and data de-identified by default, Privacy Management for Microsoft 365 helps organizations to have end-to-end visibility of privacy risks at scale in an automated way.

  1. Identify critical privacy risks and conflicts: One of the biggest challenges in managing privacy is finding where personal data is stored, especially in an unstructured environment. Most companies still use manual processes to maintain data inventory and mapping, primarily through email, spreadsheets, and in-person communication, which is costly and ineffective. Privacy Management automatically and continuously helps to discover where and how much private data is stored in customers’ Microsoft 365 environments by leveraging data classification and user mapping intelligence. Organizations can see an aggregated view of their privacy posture, including the amount, category, and location of private data, and associated privacy risks and trends over time.
  2. Automate privacy operations and response to subject rights requests: Privacy Management correlates data signals across the Microsoft 365 suite of solutions to deliver actionable insights that allow privacy administrators to automate privacy policies by using an out-of-box template—data transfers, data minimization, data overexposure, and subject-rights request management—or create a custom policy to meet an organization’s specific needs.
  3. Empower employees to make smart data handling decisions: To build a privacy-resilient culture, you need to educate your employees, so they know how to handle data properly. Privacy Management provides insights and contexts to administrators, enabling them to automate privacy policies and protect sensitive data. Additionally, data owners are given recommended actions, training, and tips to make smart data-handling decisions, eliminating the need to choose between privacy and productivity.


Figure 1: Overview dashboard showcasing privacy risks and trends.

“Privacy Management for Microsoft 365 will help us identify and prevent critical privacy risks that arise from transferring private data across borders and oversharing,” said Beni Gelzer, Head of Data Privacy (Switzerland), Novartis. “We’ll empower our employees to mitigate risks themselves, freeing our IT resources to focus on more urgent, high-severity risks.”

You can learn more about Novartis’ experience with Privacy Management for Microsoft 365 in their case study.

Partnering to give customers greater visibility beyond Microsoft 365

Because data lives across so many clouds, systems, and applications, solving the challenge of data privacy requires great insight—and partnership.

To meet you where you are in your privacy journey, we have built APIs that allow you to integrate with your existing processes and solutions to automatically create and manage subject rights requests in Privacy Management.

We’re also excited today to partner with leading privacy software companies—OneTrust, Securiti.ai, and WireWheel—to extend subject rights management capabilities to personal data stored outside of the Microsoft 365 environment, enabling customers to have a unified and streamlined response to subject requests.

“Our mission at OneTrust is to empower businesses to build trust into the fabric of their organization and our collaboration with Microsoft supports this,” noted Adam Rykowski, OneTrust Vice President of Product Management. “By automating and syncing the fulfillment of Data Subject Access Requests (DSAR) from OneTrust’s Privacy Management Solution with Privacy Management for Microsoft 365, available within the Microsoft 365 compliance center, we can seamlessly incorporate IT admins into privacy operations from the OneTrust platform.”

You can learn more about these partnerships in today’s Tech Community blog.

New regulation assessments in Microsoft Compliance Manager

Staying ahead of data privacy regulations and understanding the technical actions you can take to address compliance can be daunting. To help, Microsoft Compliance Manager today has more than 200 regulatory assessment templates covering global, industrial, and regional data protection and privacy regulations, making it easier for customers to interpret, assess, and improve their compliance with regulatory requirements. We recently added three privacy-specific assessments for the Colorado Privacy Act, the Virginia Consumer Data Protection Act (CDPA), and the Egypt Privacy Law.

Additionally, we have mapped privacy-specific controls across these assessment templates to the new Privacy Management solution to help you scale your compliance efforts.

You can learn more about Compliance Manager, our list of available assessments, and how to use the assessment in our documentation. You can also try the Compliance Manager 90-day trial, which gives you access to 25 assessments.

Privacy is a journey

We recognize that navigating the complexity of data privacy regulations is a journey, and we are excited to partner with you, our customers, and others in the ecosystem to help to ease some of the complexity, making the world a safer place for all.

Privacy Management for Microsoft 365 is generally available to customers as an add-on to a Microsoft 365 or Office 365 subscription. To get started with Privacy Management, you can leverage the free 90-day trial. You can learn a lot more about Privacy Management in today’s Tech Community blog or watch the new Microsoft Mechanics video.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

How to build a privacy program the right way
http://approjects.co.za/?big=en-us/security/blog/2021/07/07/how-to-build-a-privacy-program-the-right-way/ (Wed, 07 Jul 2021 18:00:15 +0000)

Asana Privacy Counsel Whitney Merrill, an expert on privacy legal issues, talks with Microsoft about best practices for building a privacy program.

The post How to build a privacy program the right way appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with attorney Whitney Merrill, an expert on privacy legal issues and Data Protection Officer and Privacy Counsel at Asana. The thoughts below reflect her views, not the views of her employer, and are not legal advice. In this blog, Whitney talks about building a privacy program and offers best practices for privacy training.

Natalia: How do security, privacy, and regulatory compliance intersect?

Whitney: Security and privacy are closely related but not the same. Privacy is not possible without security. In the last 5 to 10 years, regulations in privacy and security have taken very different paths. Most regulations across the world fall to a standard of reasonable security, whereas privacy is much more prescriptive about the types of behaviors or rights that individuals can exercise from a compliance perspective. Companies look to common security frameworks like ISO 27001 or SOC 2, but privacy doesn’t really have that. That’s born from the fact that security feels very black and white. You can secure something, or you can’t.

In privacy, however, there’s a spectrum of beliefs about how data can be used. It’s much more grey. There were attempts in the early 2010s with Do Not Track, the proposed HTTP header field that let internet users opt-out of website tracking. That fell apart. Privacy and regulatory compliance have diverged, and much of it is because of fundamental disagreements between the ad industry and privacy professionals. You see this with cookie banners in the European Union (EU). They’re not a great user experience, and people don’t love interacting with them. They exist because there have been enough regulations like the Electronic Privacy Directive and General Data Protection Regulation (GDPR) that essentially require those types of banners.

Natalia: Who should be involved in privacy, and what role should they play?

Whitney: It’s very important to get privacy buy-in from the highest levels of the company. Not only do you have an obligation under GDPR to have a Data Protection Officer that reports to the highest levels of a company if you’re processing European data, but an open dialogue with leadership about privacy will help establish company cultural values around the processing of data. Are you a company that sells data? How much control will your users and customers have over their data? How granular should those controls be? Do you collect sensitive data (like health or financial data), or is that something that you want to ban on your platform?

The sooner you get buy-in from leadership and the sooner you build privacy into your tools, the easier it’s going to be in the long run. It doesn’t have to be perfect, but a good foundation will be easier to build upon in the future. I’d also love to see the venture capital community incentivizing startups and smaller companies to care about privacy and security as opposed to just focusing on growth. It’s apparent that startups aren’t implementing the privacy lessons learned by other companies that have already seen privacy enforcement from a privacy regulator. As a result, the same privacy issues pop up over and over. Obviously, regulators will play a role. In addition to enforcement, education and guidance from regulators are vital to helping companies build privacy by design into their platforms.

Natalia: What does a privacy attack look like, and which attacks should companies pay attention to?

Whitney: A privacy attack can look very similar to a security attack. A data breach, for instance, is a privacy attack: it leaks confidential information. A European regulator recently called a privacy bug a breach. In this particular case, a bug in the software caused the information to be made public that the user had marked as private. Folks generally associate data breaches with an attacker, but often accidental disclosures or privacy bugs can cause data breaches. I’ve talked with folks who say, “Wow, I never thought of that as a security breach,” which is why it’s important to engage your legal team when major privacy or security issues pop up. You might have regulatory reporting obligations that aren’t immediately apparent. Other privacy attacks aren’t necessarily data breaches. Privacy attacks can also include attempts to deanonymize data sets, or they might be privacy bugs that use or collect data in a way that is unanticipated by the user. You might design a feature to only collect a certain type of data when in reality, it’s collecting much more data than was intended or disclosed in a privacy notice.

On the more adversarial side of privacy attacks, an attacker could try to leverage weaknesses and processes around privacy rights to access personal information or erase somebody’s account. An attacker could use the information they find out about an individual online to try to get more information about that individual via a data subject rights process (like the right to get access to your data under global privacy laws). There were a few cases of this after the GDPR went into effect. An attacker used leaked credentials to a user’s account to download all of the data that the service had about that individual. As such, it’s important to properly verify the individual making the request, and if necessary, build in additional checks to prevent accidental disclosure.

Natalia: How should a company track accidental misuse of someone’s information or preferences?

Whitney: It’s very hard. This is where training, culture, and communication are really important and valuable. Misuse of data is unfortunately common. If a company is collecting personal data for a security feature like multifactor authentication, they should not also use that phone number for marketing and advertising purposes. That goes beyond the original scope and is a misuse of that phone number. To prevent this, you need to think about security controls. Who has access to the data? When do they have access to the data? How do you document and track access to the data? How do you audit those behaviors? That’s where security and privacy deeply overlap because if you get alignment there, it’s going to be a lot easier to manage the misuse of data.

It’s also a good idea to be transparent about incidents when they occur because it builds trust. Of course, companies should work closely with their legal and PR teams when deciding to publicly discuss incidents, but when I see a news article about a company disclosing that they had an incident and then see a detailed breakdown of that incident from the company (how they investigated and fixed the issue), I usually think, “Thanks for telling me. I know you were not necessarily legally required to disclose that. But I trust you more now because I now know that you’re going to let me know the next time something happens, especially something that could be perceived as worse.” Privacy isn’t just about complying with the law. It’s about building trust with your users so they understand what’s happening with their data.

Natalia: What are best practices for implementing a privacy program?

Whitney: When you build a privacy program, look at the culture of the company. What are its values, and how do you link privacy to those values? It’s going to vary from company to company. The values of a company with a business model based on the use or sale of data are going to be different than a company that sells hardware and doesn’t need to collect data as its main source of revenue.

It’s easy for companies to look at new privacy laws–like GDPR and the California Consumer Privacy Act (CCPA)–and say, “Let’s just do that,” without thinking through the broader implications. That’s the wrong approach. Yes, you want to comply with privacy laws, but compliance does not equal security or privacy. If you’re constantly reactive to only what privacy law requires, you’ll tire out quickly because it’s changing and growing rapidly. Privacy is the future. Instead, think more holistically and proactively when it comes to privacy. Instead of rolling out a process to comply with only one region and one law, consider rolling it out for all users in all regions, so when a new region implements a similar law or regulation, you’ll be most of the way there. Just because you’re compliant with GDPR doesn’t mean you’re a privacy-focused company or that you process information in the most privacy-centric way. But you’re moving in that direction, and you can build on that foundation. Another best practice is to find campaigners across the company who support privacy efforts. If you don’t have a dedicated privacy resource, that doesn’t mean you can’t build a culture of privacy within your company. Work with privacy-minded employees to seek out the easy privacy wins, such as making sure your privacy policy is up to date and reflective of your practices. Focus on those to build support around privacy within the company.

Putting my former regulator hat on, privacy culture is important. When the Federal Trade Commission (FTC) comes knocking at your door, they’re looking to see if you have the right intentions and are trying to do your best, not just whether you prescriptively failed to do this one thing that you should have done. They look at the size of the company, and its maturity, resources, and business model in determining how they’ll enforce against that company. Showing that you care isn’t going to necessarily fix your problems, but it will definitely help.

Natalia: How should companies train employees on privacy issues?

Whitney: Training should happen regularly. However, not all training needs to be really detailed or cover the same material—shake it up. The aim of training employees on privacy issues is to cultivate a culture of privacy. For example, when employees onboard, they’re new and excited about joining a new company. They’re not going to remember everything, so keep privacy training high-level. Focus on the cultural side of privacy so they get an idea of how to think about privacy in their role. From there, give them the resources to empower themselves to learn more about privacy (like articles and additional training). Annual training is a good way to remind people of the basics, but there are many people who are going to tune those out, so make them funny and engaging if you can. I love using memes, funny themes, or recent events to help draw the audience in.

As the privacy program matures, I recommend creating a training program that fits each team and their level of data access or most commonly used tools. For example, some customer service teams have access to user data and the ability to help users in a way that other teams may not, so training should be tailored to address their specific personal data access and tooling abilities. They may also be more likely to record calls for quality and training purposes, so training around global call recording laws and requirements may be relevant. The more you target training toward specific tools and use cases, the better it’s going to be because the employee can better understand how that training relates to their everyday work.

Natalia: What encryption strategies can companies implement to strengthen privacy?

Whitney: Encrypt your databases at rest. Encrypt data in transit. It is no longer acceptable to have an S3 bucket or a database that is not encrypted at rest, especially if that system stores personal data. At the moment, enterprise key management (EKM) is a popular data protection feature involving encryption. EKM gives a company the ability to manage the encryption key for the service that they are using. For instance, a company using Microsoft services may want to control that key so that they have ownership over who can access the data, rotate the key, or delete the key so no one can access the data ever again.

The popularity of EKM is driven by trends in security and Schrems II, which was a major decision from the Court of Justice of the European Union last summer. This decision ruled Privacy Shield, the safe harbor for data transfers from the EU to the United States, invalid for not adequately protecting personal data. Subsequently, the European Data Protection Board (EDPB) issued guidance advising data be encrypted before being transferred to help secure personal data when transferred to a region that might present risks. Encryption is vital when talking about and implementing data protection and will continue to be in the future.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
