12.5.2017

1

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

Information session at Helsinki Think Company / 18.4.2017

THREE ESSENTIAL THOUGHTS

ON DESIGNING PRIVACY INTO YOUR BUSINESS

12/05/2017Presentation Name / Firstname Lastname 1

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

1) PRIVCY BASICS

2) PRIVACY BY DESIGN

3) OPERATING WITH PRIVACY

12/05/2017Presentation Name / Firstname Lastname 2

12.5.2017

2

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

PRIVACY BASICS:

RELEVANT LAW: FINNISH PERSONAL DATA ACT

12/05/2017Presentation Name / Firstname Lastname 3

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

• The Act regulates processing of personal data.

• The Act defines personal data as any information on a private individual and any information on his/her personal characteristics or personal circumstances, where these are identifiable as concerning him/her or the members of his/her family or household

12/05/2017Presentation Name / Firstname Lastname 4

12.5.2017

3

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

EXAMPLES OF PERSONAL DATA

• Your name

• Telephone number

• Home address

• Credit card details

• Health information

• Personal identity code

• Email address

• Password(s), etc

12/05/2017Presentation Name / Firstname Lastname 5

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

PROCESSING OF DATA

• Processing of personal data means the collection, recording, organisation, use, transfer, disclosure, storage, manipulation, combination, protection, deletion and erasure of personal data, as well as other measures directed at personal data;

12/05/2017Presentation Name / Firstname Lastname 6

12.5.2017

4

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

OTHER KEY TERMS

• Controller:

A person, corporation, institution or foundation, or a number of them, for the use of whom a personal data file is set up and who is entitled to determine the use of the file, or who has been designated as a controller by an Act

• Data subject:

A person to whom the personal data pertains.

12/05/2017Presentation Name / Firstname Lastname 7

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

• Third party:

A person, corporation, institution or foundation other than the data subject, the controller, the processor of personal data or someone processing personal data on the behalf of the controller or the processor

12/05/2017Presentation Name / Firstname Lastname 8

12.5.2017

5

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

APPLICATION OF THE FINNISH PERSONAL

DATA ACT• (1) The Act applies to processing of personal data where the

controller is established in the territory of Finland or otherwise subject to Finnish law.

• (2) The Act also applies if the controller is not established in the territory of a Member State of the European Union but uses equipment located in Finland in the processing of personal data.

• An exception is where the equipment is used solely for the transfer of data through the territory In which case the controller shall designate a representative established in Finland.

12/05/2017Presentation Name / Firstname Lastname 9

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

REGULATION (EU) 2016/679

• The protection of natural persons with regard to the processing of personal data and on the free movement of such data

• The regulation aims to harmonize the level of protection in all member states of the European Union.

• The regulation shall apply from 25 May 2018.

12/05/2017Presentation Name / Firstname Lastname 10

12.5.2017

6

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

PRIVACY BY DESIGN

12/05/2017Presentation Name / Firstname Lastname 11

privacy protection becoming more 'design-driven'

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

WHAT IS PBD?

• The realisation of privacy values in the physical/digital design of the end product or service

• = technology and design-based solutions coming to the heart of bolstering privacy laws

12/05/2017Presentation Name / Firstname Lastname 12

12.5.2017

7

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

DESIGN ≠ AESTHETICS

12/05/2017Presentation Name / Firstname Lastname 13

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

DESIGN = UTILITY AND FUNCTIONALITY

12/05/2017Presentation Name / Firstname Lastname 14

12.5.2017

8

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

• PBD is shifting the burden to implement privacy laws from data controllers to the manufacturers and developers of the technology concerned.

12/05/2017Presentation Name / Firstname Lastname 15

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

WHICH IS MORE EFFECTIVE?

• Rules regulating behaviour

• OR

• code/physical architecture regulating behaviour

12/05/2017Presentation Name / Firstname Lastname 16

12.5.2017

9

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

DESIGN PROCESS

1. Privacy legislation

2. Privacy risk assessment of your business

3. Realisation of a design solution minimising the privacy-intrusive capabilities of your business

12/05/2017Presentation Name / Firstname Lastname 17

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

LEGAL RELEVANCE OF PBD

• Check Article 25 of REGULATION (EU) 2016/679

• --> PBD legally required from anyone processing personal data!

• --> is a glued-on privacy policy sufficient after the implementation of the GDPR?

12/05/2017Presentation Name / Firstname Lastname 18

12.5.2017

10

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

HOW DOES PBD BENEFIT YOUR

STARTUP?• More effective ensuring of compliance

• Minimisation of privacy-intrusive measures

• Unique selling point

• Source of value creation

• Enhances trust

12/05/2017Presentation Name / Firstname Lastname 19

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

OPERATING WITH PRIVACY

12/05/2017Presentation Name / Firstname Lastname 20

12.5.2017

11

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

SO, YOU'RE UP AND RUNNING...

12/05/2017Presentation Name / Firstname Lastname 21

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

NOT QUITE THAT EASY...

• .. shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

12/05/2017Presentation Name / Firstname Lastname 22

12.5.2017

12

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

ALONG COMES AN IDEA:CAN I DO X WITH THE

DATA?

X = Something you did notspecify originally in yourprivacy policy

12/05/2017Presentation Name / Firstname Lastname 23

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

NOT QUITE THAT EASY...

• Is the new purpose compatible with the original?

• If in doubt, ask the Data Protection Ombudsman (http://www.tietosuoja.fi/fi/)

• If still unsure, ask for consent

12/05/2017Presentation Name / Firstname Lastname 24

12.5.2017

13

HELSINKI LAW CLINIC

FACULTY OF LAW

UNIVERSITY OF HELSINKI

WHAT DO YOU DO WHEN THERE'S A BREACH?

1. Stay calm !

2.

• Contain → stop further leaks

• Notify

→ the authorities, always (72 h)

→ the data subjects, possibly

• Recover → has the data been altered?

• Fortify → stop from happening again

12/05/2017Presentation Name / Firstname Lastname 25