Embed Size (px)
Citation preview
@aureliepols © 2016
Data Accountability & Consumer Trust June 23rd 2016 Aurélie Pols
@aureliepols
About me: MAD / BRU / SFO
1. Data Governance & Privacy Advocate for Krux Digital 2. EAG: Ethics Advisory Group for the European Data Protection
Supervisor (EDPS) 3. Chief Visionary Officer for Mind Your Privacy
• Training Advisory Board, International Association of Privacy Professionals (IAPP) • Ethics & Privacy professor in Big Data & Analytics Master, Instituto de Empresa (IE) • [Entrepreneur / Data Scientist? / Privacy Engineer? / Mother] • (Dutch nationality, French mother tongue, work mostly in English, live in Spain)
2
@aureliepols
The European Data Protection Supervisor:
an independent institution responsible for ensuring the
protection of personal data by the EU institutions and bodies
The EDPS
Giovanni Buttarelli EDPS
Wojciech Wiewiórowski Assistant EDPS
3
@aureliepols
[Entrepreneur / Data Scientist / Privacy Engineer / Mother]
4
@aureliepols
The Internet grows up; enters Big (& ubiquity of) Data
5
The New Yorker - July 5, 1993 10 years later…
@aureliepols
Digital Ads & Targeting Online Advertising surpasses TV to record annual spend of €36.2bn
DATA load 2.5 quintillion bytes of data are created everyday
Perpetually connected consumer } 3 connected devices used per person in 2014
} 9h53m is the average time spent by US adults on connected screens every day Sources : IAB (2016), IBM (2014), Statistica (US, 2014), eMarketer (US, 2015)
DATA PRIVACY THE NEW ERA
@aureliepols
DATA PRIVACY THE PARADOX
65% of consumers do not have confidence in the security of their personal data.
67% are willing to share personal data in exchange for additional services.
Source: Accenture
@aureliepols
Setting the Data Privacy stage
@aureliepols
Privacy actors within the data ecosystem
9
DATA ECOSYSTEM
Citizens Consumers
Voters
Authorities law +
enforcement
Companies Businesses
DATA QUALITY CLASS ACTIONS AdBlocking
COMPLIANCE
GDPR Fines: 4% of Global Turn-Over
@aureliepols
Framing digital data accountability
10
OUR CLIENTS
DATA FLOW
RESPONSIBLITY
DATA CONTROLLER
DATA PROCESSOR
THEIR CUSTOMERS
PRIVACY RIGHTS
DATA PROTECTION / SECURITY PRIVACY BY DESIGN (PbD)
DATA ETHICS
@aureliepols
Foundations of Privacy Law
@aureliepols
One legal concept to rule them all FTCs Fair Information Practice Principles (FIPPs)
Transparency
Choice
Information review &
correction Information protection
Accountability
12
@aureliepols 13
Comparing global Privacy legislation
@aureliepols
Purpose, Consent & Data Uses evolution
Purpose
Consent
FIPPs
Data for approved use
Before Big Data: Purpose
Consent
FIPPs Data analysis or merging
New business opportunity
Today’s challenge:
@aureliepols
The devil in the details, for our clients Purpose = Reason for data collection, usually broad
• Website improvement, better UX • Marketing communication • Sharing data with 3rd parties
Consent • Types
• Implicit: Opt-in? Double opt-in?; Explicit: Opt-out? • Depends upon
• Type of data: PII, sensitive data, … • Type of sector: financial, health, … • Geography: US vs. EU, Singapore, …
15
@aureliepols 16
Privacy legislation kicks in with PII / Personal Data (yet lines are blurring!)
@aureliepols
General Data Protection Regulation (GPDR) - May 25 2018
GDPR Fines: 4% of Global Turn-Over !!!
Which variables or combination exactly?
Data types & the law: obligations vary
Hashing & encryption (by default) 17
@aureliepols
Tension between US PII & EU Personal Data Personally Identifiable Information (PII) Personal Data
1. Name, such as full names, maiden name, mother’s maiden name, or alias;
2. Personal identification #: social security # (SSN), passport #, driver’s license #, account and credit card #;
3. Address information: street address or email; 4. Asset information: Internet Protocol (IP) or Media
Access Control (MAC); 5. Phone #, including mobile, business and personal.
Information identifying personally owned property such as vehicle registration # or title # and related information.
“Personal data shall mean any information relating to an individual or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular or by reference to an identification number or to one or more factors specific to his physical, mental, economic, cultural or social identity”
Based on the definition commonly used by most US States Directive 95/46/EC, the Data Protection Directive
@aureliepols
De-identification is a compliance exercise
From Shades of Grey: Seeing the full spectrum of Practical Data De-Identification by Jules Polonetsky, Omer Tene & Kelsey Finch, April 1st 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757709
19
@aureliepols
Identification capabilities is a TRUST issue
From Data Privacy: Understanding Privacy principles and ensuring compliance of your digital activities by Aurélie Pols for AT Internet, May 2016
20
@aureliepols
Moving beyond the divide: Digital Ethics • Layer approach for data driven companies:
Privacy Engineering by Krux • Promise to our clients’ clients: TRUST • Bare minimum: Compliance!
VALUE / ETHICS
Respect individuals Corporate Social Responsibility
RISK
Do not harm Standard Operating Procedure
COMPLIANCE
Don’t hit people! Legislation
ETHICS
PROCESS
LAW
@aureliepols
For Krux, this means
22
ü Assuring compliance & limiting risk for Krux ü Assuring our clients’ data uses are compliant with
legislations they address + global platform !!! ü Leveraging the data to allow our clients to make
ethical decisions about their data uses
@aureliepols 23
Evolving Privacy legislation (short term)
@aureliepols
Old and new EU Privacy rules STABLE EU PRIVACY LEGISLATION
SafeHarbor for international transfers of personal data
EU Data Protection Directive (95/46/EC) regulates personal data within the EU
EU ePrivacy Directive* on Privacy & Electronic Communication – think cookies! * (2002/58/EC amended 2006/24/EC & 2009/136/EC)
FUTURE EU PRIVACY LEGISLATION
PrivacyShield strong enough?
EU General Data Protection Regulation (GDPR) strengthens & unifies data protection for EU citizens
Revision of the ePrivacy Directive à Regulation? Confidentiality for all communications (Skype, WhatsApp, …) + strengthen consent rules?
May 25 2018
Draft December 2016: EU DNT?
@aureliepols
Data Privacy laws globally?
Blue = Strong Privacy legislation - Green = Moderate - Orange = Limited ??
25
Data Balkanization vs. UN Globalization effort
Joe Cannataci UN Special Rapporteur Privacy in the Digital Age
@aureliepols 26
Challenges & Opportunities
@aureliepols
Competing on Privacy?
• Increased non compliance risk for the data industry
• Clients will require: ü Guidance ü Documentation ü Features
Privacy Engineering by Krux
27
@aureliepols
For Krux, this means
28
ü Assuring compliance & limiting risk for Krux ü Assuring our clients’ data uses are compliant with
legislations they address + global platform !!! ü Leveraging the data to allow our clients to make
ethical decisions about their data uses
@aureliepols
@aureliepols
DOs
1. Define your role with the Data Ecosystem 2. Keep metadata on Purpose and Consent* 3. Undergo Privacy Impact/Risk Assessments (PIAs) for
§ Product Launches § (new) Data Uses
4. Document Data Flows 5. Keep data clean & to a minimum: data retention & breach
notifications * Unless anonymization today, not tomorrow!!!
30
@aureliepols
DON’Ts*
1. Break the Consent chain 2. Disrespect Customer Expectations 3. Sell personal data without Consent 4. Buy data without understanding Purpose 5. Enrich data without understanding previous rules • Unless anonymization today, not tomorrow
31
@aureliepols
Ethics of the data analyst
32
I shall remember data are not only numbers but actual people, that could be harmed by my work;
I shall treat data that might identify individuals with the utmost care, which includes respect for their dignity, avoiding discrimination, as well as security best practices;
I will not do to personal data what I wouldn’t find acceptable for data related to my family, friends, loved ones or myself;
I understand personal data, PII &/or sensitive data is context based and often difficult to identify. In case of doubt, I will ask for help or escalate in order to take the appropriate measures;
I understand data about individuals needs to travel with initial purpose of the data – the reason why it exists - & their respective consent mechanisms;
a) I will never use data without knowing where it comes from, it’s purpose and consent mechanisms (see Quién es la Última Principle);
b) I will never sell non consented data about individuals;
c) If I sell consented data, it will be accompanied by purpose. Up to the buyer to define whether subsequent data uses are aligned.
I understand consent might be revoked and a Right to be Forgotten – i.e. deletion – could be requested, that might need to be applied;
I shall align security protocols with how personal &/or sensitive the data is;
I will keep trace and document the data used in order to minimize risk related to data uses.
@aureliepols Digital Intelligence Solutions
DATA IS TRANSFORMING OUR VERY LIVES
PRESERVATION OF HUMAN DIGNITY IS AT STAKE
@aureliepols
Gracias / Merci / Danke Schön / Bedankt / תודה /
ευχαριστίες krux.com
