Privacy and Data Protection. III Annual Latin American Telecommunications, Technology, and Internet Public Policy Forum. Geff Brown, Assistant General Counsel.

Post on 21-Jan-2016


Privacy and Data Protection

III Annual Latin American Telecommunications, Technology, and Internet Public Policy Forum

Geff Brown, Assistant General Counsel

Microsoft Corporation

May 16, 2013

Privacy and Data Protection

Regulatory Infrastructure

Transparency

Privacy by Design

No Privacy w/o Security

Security

Diagram labels: Data, Application, Network, Host; Security; Identity and Access Management

Privacy by design

Context: Personal data should be used only in the context of the relationship with the individual.

Individual Choice and Control: Users should have choices about how their personal data is used.

Data Portability: Customers should have the right to freely access and move their personal data.

Compliance management framework

Policy: Business rules for protecting information and systems which store and process information

Control Framework: A process or system to assure the implementation of policy

Standards: System or procedural specific requirements that must be met

Operating Procedures: Step-by-step procedures


Transparency

What personal data goes where.

Who can access the personal data and why.

Privacy statements and other documentation.

Regulatory Infrastructure

Defining bases for processing personal data: Consent; legitimate interests; contract.

Implementing rights: Access, correction and deletion; data breach notification; redress.

Consistent and effective enforcement: Oversight and guidance; risk-based approaches; penalties.
