November 25th 2014
Eye4Travel Amsterdam
Aurélie Pols @aureliepols
Data is the New Oil
Privacy is the new Green
Jul 12, 2015
Presented by: Aurélie Pols
@AureliePols
The SUN went down on Privacy
“You have zero privacy anyway, get over it”, Scott McNealy, CEO of Sun Microsystems, January 1999
At eMetrics in Boston in 2006, this turned into
“Privacy is Dead Aurélie, get over it!”
Call me a bore, I’ve been listening to the helicopters coming, while humming Wagner’s Ride of the Valkyries
From the rooftops of Amsterdam
Source: http://www.tripadvisor.nl/LocationPhotoDirectLink-g188590-d1740219-i104248061-Wyndham_Apollo-Amsterdam_North_Holland_Province.html
This is one I do not Trust (my data with)
Source: http://www.cnet.com/news/ftc-sues-wyndham-hotels-over-data-breaches/
The story?
Source: http://www.ftc.gov/enforcement/cases-proceedings/1023142/wyndham-worldwide-corporation
Reasonably protect the security of consumers’ personal data
Outcome?
Source: http://www.phiprivacy.net/digging-in-their-heels-wyndham-and-labmd-challenge-ftcs-authority-in-data-security-cases/
Source: http://www.adweek.com/news/technology/ftcs-data-security-case-against-wyndham-worldwide-moves-forward-156847
Courts writing Privacy history?
Source: http://www.economist.com/news/leaders/21602219-right-be-forgotten-sounds-attractive-it-creates-more-problems-it-solves-being
The Right to be Forgotten (RTBF)
ECJ
A Global Privacy Perspective
US & UK | EU | ASIA
Common Law | Continental Law | Partially continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies)
Amended
New
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per US state | “Personal Data” => Risk levels: low, medium, high, extremely high
WYNDHAM LOST MY TRUST
For now, 0 €, no business
I care about my data
Source: https://twitter.com/JavZamora/status/479233003710083072/photo/1
About my online anonymity
Recent Pew Research: US citizens care about Privacy
Source: http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/
Defining Privacy: do you need to?
Privacy & Business Ethics
vs
Data Protection & Responsible Uses of Data
Data
Legal Compliance
Customer Trust
Balancing act = Risk Management Exercise
BUT WHO IS RESPONSIBLE?
Privacy is Important
Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
Purpose, Consent & Data Uses
From: Purpose, Consent, FIPPs; Data for approved use
To: Purpose, Consent, FIPPs; Data analysis or merging; New business opportunity
Big Data is Killing the Privacy Framework
Why is this bubbling up now?
D-I-G-I-T-A-L makes Data Global, replicable, …
The World Economic Forum – Personal Data: The Emergence of a New Asset Class (2011)
The EU GDPR – General Data Protection Regulation (2012-2015?)
The OECD – Guidelines on the Protection of Privacy & Transborder Flows of Personal Data (1980, reviewed in 2013)
The UN – The Right to Privacy in the Digital Age (2014)
Total Privacy fines worldwide
6 weeks into 2014, the world total in Privacy damages had reached 50% of last year’s record: $74 million
Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3
And of course data breaches
Target, JPMorgan, Home Depot, …
But what happens after the breach?
How many lawsuits is Target facing?
140, totaling over $750 million
THE QUESTION IS NOT IF, IT’S WHEN
Privacy ABC
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
FIPPs: Fair Information Privacy Practices
If you collect PII… then
US & UK | EU
Common Law | Continental Law
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high
So what is considered PII?
Personal Information (based on the definition commonly used by most US states)
i Name, such as full name, maiden name, mother's maiden name, or alias
ii Personal identification number, such as social security number (SSN), passport number, driver's license number, account and credit card number
iii Address information, such as street address or email address
iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
v Telephone numbers, including mobile, business, and personal numbers.
vi Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current ongoing analysis (partial results)
PII vs. Risk levels: US vs. EU
Risk level | Data type & Information Security Measures
Extremely high (profiling of sensitive data: probability of being pregnant => Target?)
High (sensitive data: health, financial, political views, sexual orientation, …)
Medium (profiling: typically retargeting through cookies)
Low risk data type (clickstream data)
PII
PERSONAL DATA
EU Directive 95/46/EC, Article 2(a).
Shall mean any information relating to an identified or identifiable natural person ('data subject');
an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
EVERY TIME YOU USE THE ACRONYM PII
A cat dies!
Privacy Role Playing in the EU
Controller vs. Processor
Web property: Big corporation, SME
Customer: visitor, voter, citizen, …
Intermediaries: tools, agencies, consultancies, …
Data Flow
Responsibility
Privacy Rights
12 Responsibilities of a Data Controller
1. Inform participants
2. Obtain informed consent
3. Ensure the data held is accurate
4. Delete personal data when it is no longer needed => delete or anonymize
5. Protect against unauthorized destruction, loss, alteration and disclosure => security
6. Contract with Data Processors responsibly
7. Take care transferring data out of Europe
8. If you collect “special” categories of data, get specialist advice
9. Deal with any data subject access requests
10. If the assessment is high stakes, ensure there is review of any automated decision making
11. Appoint a Data Protection Officer (DPO) and train staff
12. Work with supervisory authorities and respond to complaints
Source: http://blog.questionmark.com/responsibilities-of-a-data-controller-when-assessing-knowledge-skills-and-abilities
Role playing example
Surveymonkey: https://www.surveymonkey.com/mp/policy/privacy-policy
What about security?
Data Collection
Processes
Resources
DPO
Implement Information Security Measures
Source: http://www.softbank.jp/en/corp/csr/management/info_security/efforts/
Enterprise goal
User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
Quality Assurance
Feedback
Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth rate, “and we have good reason to believe that many of them were actually adults.”
The company had an average of about 138 million unique visitors in Q2 of 2014.
Cost? above 16$/monthly unique …
Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html
DATA IS A RISK BECAUSE IT EXISTS
Data has become a valuable asset
CUSTOMER ON THE MOVE & AT REST IS NOT EQUAL
What about travel?
National Security vs. Privacy
Data Retention vs. Data Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
E.g. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)
Data Quality: if this is not me?
If this was not me, what to do?
Legislation & risk: win-win?
New headache
- COPPA
- ISO 14443
Personalised pricing?
Don’t personalize on sensitive data
Source: http://privacytools.seas.harvard.edu/files/privacytools/files/p44-sweeney.pdf
Who owns the customer?
• Who owns the data?
– Privacy policies
– Data sharing principles (& options => choice)
• Who is responsible for the relationship?
– Who gets the money?
– How does the customer know who to contact?
• Transparency & communication
• Core business & collaborative procedures with partners
Where to start?
Compliance?
Privacy?
Security?
Moving targets
The “Magnum” Plan
• Document your data set-up
• Set-up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures (data protection)
• Adopt global & sustainable Privacy best practices
HQ
LOCAL SUBSIDIARY 1
Customer Terms & Conditions
Applicable Security Measures???
LOCAL SUBSIDIARY 1
LOCAL SUBSIDIARY 2
LOCAL SUBSIDIARY 3
LOCAL SUBSIDIARY 4
Where does it sit? Cloud/SaaS
Example of data flow issues
Quantified self movement
Personal “health” data
Direction of flow is essential
Consequences on Privacy Policy
5 ONLINE MARKETING RULES TO RESPECT CONSUMER’S PRIVACY
5 Online Marketing rules to respect consumer's privacy
1. Say what you do and do what you say
2. Harness your data liability
3. Foster data frugality & documentation
Agile is the ‘mot du jour’
4. Cherish the human aspect of data protection
5. Dialogue and find common ground
Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
Limiting Risk of holding data
Data Minimization Principle: Limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose
Data Retention Policies: Set of guidelines that describes which data will be archived and how long it will be kept. Permanent deletion of the retained data is part of any effective data retention policy.
Data Retention Policies
• Delete the data, everywhere!
• Anonymize or De-identify the data
By Ann Cavoukian and Khaled El Emam, June 2011, http://www.ipc.on.ca/images/Resources/anonymization.pdf
Privacy by Design (PbD) 7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options
THANKS
For coming