Page 1: Title

Dr. Rula Sayaf

Algebraic Approach to Data Protection by Design for Data Subjects

Page 2: Data Subjects

Page 3-4: The Context: Data Protection by Design and Default (DPbD2)

[Slide diagram, built up over two slides] The Data Controller implements Technical and Organisational Measures that realise Data Protection by Design, both upon determining the means of processing and during the processing, taking into account:

  • Scope
  • Risks
  • SOTA (state of the art)
  • Nature
  • Cost
  • Purpose
  • Context

Data Controller:

  • GDPR requirements
  • Protect the rights of data subjects

Data Subjects. The principles the measures must embed:

  • Data minimisation
  • Purpose limitation
  • Accurate and up-to-date data
  • Storage retention
  • Transparent
  • Lawful
  • …

Page 5-7: Privacy vs Data Protection by Design and Default (DPbD2)

[Slide diagram, built up over three slides] The DPbD2 picture of Pages 3-4 (Scope, Risks, SOTA, Nature, Cost, Purpose, Context; Technical and Organisational Measures; the Data Controller meeting GDPR requirements and protecting the rights of data subjects; the principles of data minimisation, purpose limitation, accurate and up-to-date data, storage retention, transparency and lawfulness) is set against the privacy side:

  • Data Protection / Privacy by Design
  • PETs (privacy-enhancing technologies)
  • Privacy Engineering
  • Privacy as Practice, Privacy as Control, Privacy as Confidentiality (the three privacy paradigms of Gürses 2010; see References)

Page 8-9: Status quo

[Slide diagram, built up over two slides] The same DPbD2 / privacy picture as Pages 5-7, with the status quo focus marked on the Data Controller side:

Focus:

  • Data Register
  • DPIAs
  • Transfer
  • Policies
  • Data Subject Rights Management
  • Compliance Management

Page 10: Algebraic Approach to Data Protection by Design and Default (DPbD2)

[Slide diagram] The status quo picture of Pages 8-9 with the building blocks of the algebraic approach overlaid:

  • Sedicii: Identity Management
  • Mizen Group: GDPR Compliance Management Audits for Data Controllers and Data Subjects
  • Privacy Algebra

Page 11: Zero Knowledge Proof (ZKP)

Real-Time Verifications

Interactive zero knowledge proof using graph isomorphism (US Patent 8,411,854 B2)

Page 12: Zero Knowledge Proof (ZKP)

Graph Isomorphism
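The slides name the protocol but do not show it. What follows is an added example and not the slides' material, nor the patented Sedicii implementation (US 8,411,854 B2 is not reproduced here): the textbook interactive zero-knowledge proof of graph isomorphism due to Goldreich, Micali and Wigderson. It goes a little beyond the slide by also modelling a cheating prover that does not know the isomorphism, and the simulator argument that explains why the verifier learns nothing. The class and function names (`Prover`, `verify_round`, `simulate_transcript`, `demo`) and the 5-cycle sample instance are this example's own assumptions.

```python
"""Interactive zero-knowledge proof of graph isomorphism (the classic
Goldreich-Micali-Wigderson protocol).  Added example; names are assumptions.

Public:  graphs G0 and G1 on n vertices.
Secret:  a permutation PI with apply_perm(PI, G0) == G1, known to the prover.

One round:
  1. Prover picks a random permutation sigma and sends H = sigma(G1).
  2. Verifier sends a random challenge bit b.
  3. Prover answers tau = sigma        if b == 1
                    tau = sigma o PI   if b == 0   (so tau(G_b) == H either way).
  4. Verifier checks tau is a bijection and apply_perm(tau, G_b) == H.
Without PI a prover can open H against only one of G0/G1, so each round
catches a cheater with probability 1/2 and k rounds leave 2**-k.
"""
import random
from typing import FrozenSet, List, Optional, Set, Tuple

Edge = FrozenSet[int]
Graph = Set[Edge]


def apply_perm(perm: List[int], g: Graph) -> Graph:
    """Relabel each vertex v of g as perm[v]."""
    return {frozenset(perm[v] for v in e) for e in g}


def compose(outer: List[int], inner: List[int]) -> List[int]:
    """(outer o inner)[v] = outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]


def is_permutation(p: List[int], n: int) -> bool:
    """Verifier-side check: tau must be a bijection on 0..n-1."""
    return len(p) == n and sorted(p) == list(range(n))


def random_perm(n: int, rng: random.Random) -> List[int]:
    p = list(range(n))
    rng.shuffle(p)
    return p


class Prover:
    """Holds the public graphs and, if honest, the secret isomorphism pi.
    A cheating prover is modelled by pi=None."""

    def __init__(self, g0: Graph, g1: Graph, n: int, pi: Optional[List[int]]):
        self.g0, self.g1, self.n, self.pi = g0, g1, n, pi
        self.sigma: List[int] = []

    def commit(self, rng: random.Random) -> Graph:
        """Step 1: fresh random relabelling of G1 (must be sent before b)."""
        self.sigma = random_perm(self.n, rng)
        return apply_perm(self.sigma, self.g1)

    def respond(self, b: int) -> Optional[List[int]]:
        """Step 3: open H against G_b.  Opening against G0 needs pi."""
        if b == 1:
            return self.sigma
        if self.pi is None:
            return None
        return compose(self.sigma, self.pi)


def verify_round(g0: Graph, g1: Graph, n: int, h: Graph, b: int,
                 tau: Optional[List[int]]) -> bool:
    """Step 4: reject malformed responses, then check tau(G_b) == H."""
    if tau is None or not is_permutation(tau, n):
        return False
    return apply_perm(tau, g0 if b == 0 else g1) == h


def run_protocol(g0: Graph, g1: Graph, n: int, prover: Prover,
                 rounds: int, rng: random.Random) -> bool:
    """Full interaction; the verifier draws its challenge only after commit()."""
    for _ in range(rounds):
        h = prover.commit(rng)
        b = rng.randrange(2)
        if not verify_round(g0, g1, n, h, b, prover.respond(b)):
            return False
    return True


def simulate_transcript(g0: Graph, g1: Graph, n: int,
                        rng: random.Random) -> Tuple[Graph, int, List[int]]:
    """Zero-knowledge argument: knowing nothing of pi, pick b first and a
    random tau, then set H = tau(G_b).  The (H, b, tau) triple has the same
    distribution as an honest round, so transcripts reveal nothing."""
    b = rng.randrange(2)
    tau = random_perm(n, rng)
    return apply_perm(tau, g0 if b == 0 else g1), b, tau


# Constructed sample instance (not from the slides): G0 is a 5-cycle and
# G1 = PI(G0) for the prover's secret relabelling PI.
N = 5
G0: Graph = {frozenset((i, (i + 1) % N)) for i in range(N)}
PI = [2, 4, 1, 3, 0]
G1: Graph = apply_perm(PI, G0)


def demo(seed: int = 2018) -> dict:
    """Honest run, a cheater tried against both challenges on one commitment,
    and a simulated transcript; returns the verifier's verdicts."""
    rng = random.Random(seed)
    honest = run_protocol(G0, G1, N, Prover(G0, G1, N, PI), 32, rng)
    cheater = Prover(G0, G1, N, None)
    h = cheater.commit(rng)
    return {
        "honest": honest,
        "cheater_opens_g1": verify_round(G0, G1, N, h, 1, cheater.respond(1)),
        "cheater_opens_g0": verify_round(G0, G1, N, h, 0, cheater.respond(0)),
        "simulated_verifies": verify_round(G0, G1, N, *simulate_transcript(G0, G1, N, rng)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two points matter for a real deployment. First, the verifier must check that the response is a bijection before comparing graphs; a non-injective map could collapse edges and pass a naive edge-set comparison. Second, the order of messages is the whole security argument: the prover must commit to H before seeing b. If the prover can learn the challenge first, it can do exactly what `simulate_transcript` does and pass without knowing the isomorphism, so a non-interactive variant has to derive b from H (Fiat-Shamir style) rather than let the prover choose it.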

Page 13: Zero Knowledge Proof (ZKP): How it Works - Passports

Passport Matching in Real-Time against Authoritative Source for ID Proofing

[Slide diagram] Emily's Golden Record in the Passport Office Database and the record held by Emily's Bank carry the same fields. The two are matched field by field and, with Emily's Consent, a Match Report is produced. Values as shown on the slide:

Field             Passport Office Database (Emily's Golden Record)   Emily's Bank
Passport Number   340020013                                          340020013
Surname           Smith                                              Smith
First Name        Emily                                              Emily
Date of Birth     01/01/1980                                         01/01/1980
Place of Birth    Dublin                                             Dublin
Nationality       Ireland                                            Ireland
Expiry Date       05/05/2019                                         05/05/2019
Email address     [email protected]                                  [email protected]

COPYRIGHT © 2018 SEDICII INNOVATIONS LIMITED. ALL RIGHTS RESERVED.

Page 14: Zero Knowledge Proof (ZKP): Scenarios

Page 15: Zero Knowledge Proof (ZKP): Network of Identity Providers

Page 16: Zero Knowledge Proofs (ZKP) + DPbD2

  • Data collection is transparent to subjects.
  • Data is abstracted, not encrypted in the traditional sense.
  • Privacy-preserving, minimised personal data collection, unless the subject consents.
  • The subject controls data, and is involved by running a mobile app.

"I know something you know. I can prove it without telling you what I know."

Page 17: ZKP

[Slide diagram] The DPbD2 / status quo picture of Pages 8-9 again (Scope, Risks, SOTA, Nature, Cost, Purpose, Context; Technical and Organisational Measures; Data Protection / Privacy by Design; PETs; Privacy Engineering; Privacy as Practice, Control and Confidentiality; the Focus list of Data Register, DPIAs, Transfer, Policies, Data Subject Rights Management and Compliance Management), now headed ZKP.

Page 18: Algebraic Approach: Compliance Management

Mizen Group. GDPR Compliance Management Audits (Data Controller):

- Focus on PETs
- Evidence-based compliance
- Cross-regulatory compliance management

Page 19: Algebraic Approach: Compliance Management

Mizen Group. GDPR Feedback Assessments for Data Subjects:

- What PETs
- Data controller response
- Amount of personal data
- Degree of transparency
- …

Page 20: Data Subject Rights Automation

PersonalData.io (adversarial position):

  • Data Controller
  • Collected personal data
  • The type of processing

[Slide diagram] A Data Subject Right Process runs against Various Controllers, parameterised by Type of Data and Type of Right. Global Data Controllers (Govt., Utilities, Telcos, Banks, Companies, Exchanges):

  • Access to data
  • Information about processing
  • Algorithmic accountability

Page 21: Data Subject Rights Automation

Mizen Group + PersonalData.io

[Slide diagram] The same Data Subject Right Process (Various Controllers, Type of Data, Type of Right) feeds back to Data Subjects: Identification + Insights about Data Controllers and the collected data.

Page 22: Data Protection by Design and Default (DPbD2)

[Slide diagram] The DPbD2 / status quo picture of Pages 8-9 repeated unchanged as a transition slide.

Page 23: Algebraic Approach to Data Protection by Design and Default (DPbD2)

[Slide diagram] The full picture: Data Protection / Privacy by Design, PETs and Privacy Engineering on one side, and the parties of the algebraic approach on the other:

  • Sedicii: Identity Management
  • Mizen Group: GDPR Compliance Management Audits for Data Controllers and Data Subjects
  • Privacy Algebra
  • PersonalData.io: Data Subject Rights Automation
  • Capco: Deployment Support

Page 24: References

Berendt, Bettina, Sören Preibusch, and Maximilian Teltzrow. "A privacy-protecting business-analytics service for on-line transactions." International Journal of Electronic Commerce 12.3 (2008): 115-150.

Gürses, Seda. Multilateral privacy requirements analysis in online social network services. PhD thesis, KU Leuven, 2010.

Gürses, Seda, and Bettina Berendt. "PETs in the surveillance society: A critical review of the potentials and limitations of the privacy as confidentiality paradigm." In Data Protection in a Profiled World. Springer, 2010, pp. 301-321.

Veale, Michael, Reuben Binns, and Jef Ausloos. "When data protection by design and data subject rights clash." International Data Privacy Law 8.2 (2018): 105-123.

Morton, Anthony, et al. "'Tool Clinics': Embracing multiple perspectives in privacy research and privacy-sensitive design." Dagstuhl Reports 3.7 (2013): 96-104.

Hoepman, Jaap-Henk. "Privacy design strategies." IFIP International Information Security Conference. Springer, Berlin, Heidelberg, 2014.

Page 25: Thank You!

[email protected]