Dr. Rula Sayaf
Algebraic Approach to Data
Protection by Design
for
Data Subjects
Data Subjects
The Context:
Data Protection by Design and Default (DPbD2)
Upon determining processing
meansDuring the processing
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational
Measures
Data Protection by
Design
Data Controller Data Subjects
The Context:
Data Protection by Design and Default (DPbD2)
Upon determining processing
meansDuring the processing
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational
Measures
Data Protection by
Design
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy vs
Data Protection by Design and Default (DPbD2)
Upon determining processing
meansDuring the processing
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and
Organisational Measures
Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy vs
Data Protection by Design and Default (DPbD2)
Data Controller
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
Privacy Engineering
Privacy as PracticePrivacy as Control
Privacy as Confidentiality
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and
Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy Engineering
Privacy as PracticePrivacy as Control
Privacy as Confidentiality
Status quo
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and
Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller Data Subjects
Privacy Engineering
Privacy as PracticePrivacy as Control
Privacy as ConfidentialityFocus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and
Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy Engineering
Privacy as PracticePrivacy as Control
Privacy as ConfidentialityFocus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Algebraic Approach
Data Protection by Design and Default (DPbD2)
Sedicii
Identity Management
Mizen Group
GDPR Compliance Management Audits for Data Controllers and Data
Subjects
Privacy Algebra
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy Engineering
Focus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Zero Knowledge Proof (ZKP)
Real-Time Verifications
Interactive zero knowledge proof using graph isomorphism (US Patent: 8,411,854 B2)
Zero Knowledge Proof (ZKP)
Graph Isomorphism
Passport Number
Surname
First Name
Date of Birth
Place of Birth
Nationality
Expiry Date
Email address
Emily’s
Golden
Record
Match
Consent
Report340020013
Smith
Emily
01/01/1980
Dublin
Ireland
05/05/2019
Passport
Office
Database
Emily’s
Bank
Passport Number
Surname
First Name
Date of Birth
Place of Birth
Nationality
Expiry Date
Email address
340020013
Smith
Emily
01/01/1980
Dublin
Ireland
05/05/2019
Passport Matching in Real-Time against Authoritative Source for ID Proofing
Report
COPYRIGHT © 2018 SEDICII INNOVATIONS LIMITED. ALL RIGHTS RESERVED..
Zero Knowledge Proof
How it Works - PassportsZero Knowledge Proof (ZKP)
How it Works - Passports
Zero Knowledge Proof (ZKP)
Scenarios
Zero Knowledge Proof (ZKP)
Network of Identity Providers
Zero Knowledge Proofs (ZKP)
+
DPbD2
Data collection is transparent to
subjects
Data is abstracted, not encrypted
in the traditional sense.
Privacy-preserving, minimised
personal data collection, unless
the subject consents.
The subject controls data, and is
involved by running a mobile app
“I know something you know.
I can prove it without telling
you what I know.”
ZKP
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and
Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy Engineering
Privacy as PracticePrivacy as Control
Privacy as ConfidentialityFocus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Algebraic Approach
Compliance Management
Mizen Group
GDPR Compliance Mangement Audits:
- Focus on PETs
- Evidence-based compliance
- Cross-regulatory compliance management
Data Controller
Algebraic Approach
Compliance Management
Mizen Group
GDPR Feedback Assessments for Data Subjects:
- What PETs
- Data controller response
- Amount of personal data
- Degree of transparency
- …
Data Subjects
Data Subject Rights Automation
PersonalData.io (adversarial position)
• Data Controller
• Collected personal data
• The type of processing
Global Data Controllers
Govt. Utilities.
Telcos. Banks.
Companies. Exchanges
Banks.
Various Controllers
Type of Data
Type of Right
Data Subject Right Process
Govt.
Global Data Controllers
• Access to data
• Information about processing
• Algorithmic accountability
Data Subject Rights Automation
Mizen Group PersonalData.io
Various Controllers
Type of Data
Type of Right
Data Subject Right Process
Data Subjects
Identification + Insights about Data Controllers
and the collected
data
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and
Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation• Purpose limitation• Accurate and update-to-date data • Storage retention• Transparent• Lawful• ….
Privacy Engineering
Privacy as PracticePrivacy as Control
Privacy as ConfidentialityFocus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Algebraic Approach
Data Protection by Design and Default (DPbD2)
Sedicii
Identity Management
Mizen Group
GDPR Compliance Management Audits for Data Controllers and Data
Subjects
Privacy Algebra
Data Protection/ Privacy by Design
PETs
Privacy Engineering
PersonalData.io
Data Subject Rights Automation
Capco
Deployment Support
References
Berendt, Bettina, Sören Preibusch, and Maximilian Teltzrow. "A privacy-protecting business-analytics service for
on-line transactions." International Journal of Electronic Commerce 12.3 (2008): 115-150.
GÜRSES, S. Multilateral privacy requirements analysis in online social network services. PhD thesis, KU Leuven,
2010. pages 3, 17, 86
GÜRSES, S., AND BERENDT, B. PETS in the surveillance society: A critical review of the potentials and
limitations of the privacy as confidentiality paradigm. In Data Protection in a Profiled World. Springer, 2010, pp.
301–321. pages 7, 8, 18, 121
Veale, Michael, Reuben Binns, and Jef Ausloos. "When data protection by design and data subject rights clash."
International Data Privacy Law 8.2 (2018): 105-123.
Morton, Anthony, et al. "" Tool Clinics"–Embracing multiple perspectives in privacy research and privacy-sensitive
design." Dagstuhl Reports 3.7 (2013): 96-104.
Hoepman, Jaap-Henk. "Privacy design strategies." IFIP International Information Security Conference. Springer,
Berlin, Heidelberg, 2014.
Thank You!