Microsoft Privacy Processes
Rigorous technical development standards and thorough privacy reviews help to ensure that privacy and data protections are systematically incorporated into the development of Microsoft products and services.
Microsoft Privacy Standard for Development
The Microsoft Privacy Standard for Development (MPSD) governs the development and deployment of Microsoft consumer products, enterprise products, and Web services.
Because security is critical to privacy, the MPSD has been integrated into our baseline development guidelines known as the Security Development Lifecycle (SDL). This alignment of complementary privacy and security processes helps minimize vulnerabilities in software code, guard against data breaches, and ensure that developers factor privacy considerations into Microsoft products and services from the outset.
Each new Microsoft product or service undergoes a privacy review designed to identify privacy requirements and help product teams follow Microsoft privacy policies and standards.
- Privacy reviews identify privacy risks.
- Remediation actions are then identified and implemented.
- After a product or service is completed, a final privacy review determines whether all requirements were met.
- With cloud services, this process is repeated during annual privacy reviews.
Compliance and Incident Reporting
Each business group within Microsoft is responsible for ensuring compliance with corporate privacy requirements. Our Trustworthy Computing group provides training, tools, and other resources to help the business groups build effective compliance programs.
- The Microsoft Policy Approval Manager is a tool that helps teams identify privacy risks and then document the specific privacy-impacting behavior of their product or feature.
- The Privacy Escalation Response Framework helps individuals and business groups manage events that could affect privacy across Microsoft products, services, marketing, or business practices.
The Trustworthy Computing group provides guidance that helps employees recognize a privacy incident with the potential to affect personal data, along with instructions on how to respond if such an incident occurs. This includes disclosing problems to designated privacy experts, who then assess the problems and direct appropriate changes to address them.
To learn more, download The Role and Importance of Organizational Accountability in Managing and Protecting Users’ Data white paper.