MS - Trustworthy cloud

Brad Smith, Executive Vice-President and General Counsel, Microsoft Corporation © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.


Security, Compliance, Privacy & Regulatory Aspects
Myths and Reality about Risk and Compliance

Patrick Van Asch – Product Marketing Manager Office 365

Thursday, 28th May 2015

Data classification levels: Public Data | Internal Data | Confidential Data


Protect – Detect – Expand


Key ROLES in the processing of personal data

DATA SUBJECT – employee or customer of the cloud customer
• Individual who is the subject of PII (Personally Identifiable Information)

DATA CONTROLLER – the cloud customer
• Determines purposes & means in which any PII is processed
• Legally responsible for compliance
• May require audit or similar rights from a processor

DATA PROCESSOR – Microsoft
• Processes PII only on the Data Controller’s instructions
• Not considered a 3rd party
• Must implement appropriate technical & organizational security measures

Privacy by Design
This means that Microsoft does not use YOUR information for anything other than providing you services

Legal Obligation to Store Data


Generally NO specific legal framework for Cloud in Belgium

• EU Data Protection Directive
• National Data Protection Laws: Belgian Data Processing Act
• Finance & Insurance (Regulated Market) & HealthCare: Additional Regulations
  • HealthCare: outsourcing directive for “medical” files
  • FSI: no Law, NBB/BNB issues directive
• Data Protection Authorities Recommendations (Art. 29 Working Party)
• Cloud Provider & Cloud Customers: Contractual Terms & Conditions – MSFT DPA for O365, Reviewed + Endorsed (EU Clauses, …)

Mutual Rights & Obligations in MSFT DPA

Why should this be a concern for customers?
Customers as Data Controllers are legally responsible for the processing of their data, even when a third party data processor is involved.

What are Microsoft’s commitments?
Microsoft complies with the Safe Harbor principles & signs a Data Processing Agreement with EU Model Clauses, specifying how data is being processed. (Microsoft is the only cloud provider to meet strict EU standards for international data transfers -> “Art. 29 Working Party” endorsement letter – blog)

Does Microsoft Comply with Regulations?


DATA LOCATION & TRANSFER

EU Data Protection Directive: the transfer of PII to any country outside the EU/EEA (European Economic Area) is prohibited, unless it is “adequately protected” by one of the following:

• “SAFE HARBOR” SELF-CERTIFICATION
• SUFFICIENT CONTRACTUAL BASIS, e.g. EU MODEL CLAUSES
• ADEQUATE REGULATIONS IN RECEIVING COUNTRY RECOGNIZED BY EU COMMISSION AS OFFERING SUFFICIENT PROTECTION (e.g. CH, CAN, ISL)

Privacy in action

Responsibility per deployment model (On-Prem | IaaS | PaaS | SaaS), split between Cloud Customer and Cloud Provider, across these layers:
• Data classification and accountability
• Client & end-point protection
• Identity & access management
• Application level controls
• Network controls
• Host Security
• Physical Security

Risks a provider can help reduce: Physical | Networking
Shared risks: Identity & access management
Risks customers must manage: Data Classification | End Point Devices

Your Cloud Provider is Your Partner


We don’t: provide any government with direct, unfettered access to your data;
We don’t: assist any government’s efforts to break our encryption or provide any government with encryption keys;
We don’t: engineer back doors into our products & we take steps to ensure governments can independently verify this.


Clearing the Air

If we receive a government demand for any enterprise customer’s data: “In short, when governments seek information from Microsoft relating to customers, we strive to be principled, limited in what we disclose, and committed to transparency.”

Our Commitment

Microsoft’s Commitment to Data Privacy & Security

CUSTOMERS (= DATA CONTROLLER) REMAIN RESPONSIBLE FOR DETERMINATION IF THE DATA MAY BE PROCESSED

The joint EU privacy regulators (Article 29 Working Group) have confirmed that the EU Model Clauses in Microsoft’s cloud contracts are implemented in line with EU laws and regulations in the field of privacy and data exchange.

AS OF JULY 1, 2014 BUSINESS CUSTOMERS WILL GET STANDARD EU MODEL CLAUSES IN O365, WINDOWS AZURE, WINDOWS INTUNE, DYNAMICS CRM ONLINE

Written validations today?
Microsoft is the only cloud provider to meet strict EU standards for international data transfers – “Art. 29 Working Party” endorsement letter – blog

Modernizing security and privacy in the cloud: ISO/IEC 27018

Microsoft Certification Status (CERT | MARKET | REGION) – Relevant Certification by Region

Certifications
• Art. 29 Working Party – Validation Letter
• Current Compliance Certifications & Attestations

2-sided Compliance: Commitment to industry standards and organizational compliance

Transparency in action

Transparency
• Law Enforcement Request Reports

Government Data Requests
• Disclosing government data requests
• Opposing gag orders
• Challenging egregious demands for data

Transparency Centers
• Ability to review source code
• Assurance there are no back doors

Security Process & Technology
• Secure Development (SDL)
• Secure Operations (OSA)

• Perimeter security
• Premises monitoring
• Multi-factor authentication
• Fire suppression
• 24-hour security monitoring of data centers

Customer Risk Management

Data classification levels: Public Data | Internal Data | Confidential Data

Customer Risk Assessment
• Comparative Risk Assessment is key
• It starts with Data Classification and business impact
• Start Early!

Summary

• Your Privacy Matters – We respect your privacy
• Leadership in Transparency – You know ‘where’ data resides, ‘who’ can access it and ‘what’ we do with it
• Relentless on Security – Excellence in cutting edge security practices
• Independently Verified – Compliance with Industry Standards verified by 3rd parties
• Service Continuity – We financially back our guarantee of 99.9% uptime.

• Office 365 Trust Center: http://trust.office365.com
• Cyber Trust Blog: http://blogs.microsoft.com/cybertrust/
• Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/

Resources 1/2

• Latest innovations in Office 365 compliance: http://blogs.office.com/2015/02/16/latest-innovations-office-365-compliance/
• Office 365 offers greater privacy, security and regulatory compliance: http://blogs.office.com/2014/11/20/office-365-offers-greater-privacy-security-regulatory-compliance/
• Office 365—Our latest innovations in security and compliance: http://blogs.office.com/2014/10/28/office-365-latest-innovations-security-compliance/
• Cloud Services you can trust: Security, Compliance, and Privacy in Office 365: http://blogs.office.com/2013/10/23/cloud-services-you-can-trust-security-compliance-and-privacy-in-office-365/

Resources 2/2

• The Microsoft transparency report: http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
• Article 29 Working Party letters to suppliers – compare suppliers at: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/index_en.htm
  • 02/04/2014 – Letter from the Article 29 Working Party to Microsoft on a new version of the “Enterprise Enrollment Addendum Microsoft Online Services Data Processing Agreement” and its Annex I
  • 22/09/2014 – Letter from the Article 29 Working Party to Microsoft on the Microsoft Service Agreement
• ISO/IEC 27018: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61498

Office 365 Community Day “Office 365 Club” (free), Executive Briefing Center, Brussels, 11th+12th of June 2015

- How to provide Quality of Service with premium networking options: do we really need a private connection to the Office 365 datacenter to support my SLA, or would Internet connectivity be enough, and how do I plan that? (ExpressRoute for Office 365, Hermien Heveraet (Microsoft) and Annick Vanmeulder (BT))
- Roadmap & Vision: which Office 365 announcements made at the Microsoft Ignite conference (Chicago) are relevant to me as a customer? (Ilse Van Criekinge, Patrick Van Asch)
- Sway for Office 365, our newest member of Office – a hands-on experience (Koen Daems)
- How to protect your data end-to-end when considering public cloud – data classification
  o Legal aspects you should know – Van Gyseghem JM (lawyer) in tandem with Sigrid Windmolders (LCA)
  o Data classification “why and how” with Bruno Schröder (CTO Microsoft BeLux) with Foletti Adèle (Trasys)
  o Field experiences by Devoteam (Arnold De Ploey, Olivier Potmans)
  o WHAT capabilities are available in Office 365 to use and enforce data classification based policies
  o Are you using the big data of your Office 365 environment (Miranda Felix)