October 30 th 2014 eMetrics Summit London Aurélie Pols @aureliepols From Über Creepy to Over Compliant Managing your (Digital) Analy:cs Assets
Jul 14, 2015
October 30th 2014 eMetrics Summit London
Aurélie Pols @aureliepols
From Über Creepy to Over Compliant Managing your (Digital) Analy:cs Assets
Presented by: Aurélie Pols @AureliePols
Aurélie Pols Chief Visionary Officer & co-‐founder Mind Your Privacy @aureliepols
• Grew up in the Netherlands, Dutch passport • French mother tongue • Most of my friends are bilingual at least • Have Polish & Russian origins • Co-‐founded 1st start-‐up in Belgium in 2003 • Sold it to Digitas LBi (Publicis) UK in 2008 • Moved to Spain in 2009 • Created 2 other start-‐ups in Spain in 2012
Mind Your Group, Pu#ng Your Data to Work Mind Your Privacy, Data Science Protected
Yes, a “law firm” but we prefer to say a bunch of Data Scien/sts working with a bunch of Lawyers
Call me a bore, I’ve been listening to the helicopters coming, while humming Wagner’s Ride of the Valkyries
Presented by: Aurélie Pols @AureliePols
Meet Beth and Greg
December 19 2013: 40 million credit & debit card accounts breached January 10 2014: personal data of 70 million customers hacked
March 05 2014: Beth Jacobs, Target CIO since 2008, RESIGNS
May 05 2014: Gregg Steinhafel, Target CEO, 35-‐year company veteran, RESIGNS
Presented by: Aurélie Pols @AureliePols
140 29 from banks & credit unions Totaling $761 million And then I stopped coun:ng
Presented by: Aurélie Pols @AureliePols
How about creepiness vs. analyTcs? Cloud tools fines & warnings
Oi, Brazilian Telco & Phorm
France Telecom & email campaign tool
Presented by: Aurélie Pols @AureliePols
So what is considered PII? Personal InformaTon (based on the definiTon commonly used by most US states)
i Name, such as full name, maiden name, mother‘s maiden name, or alias ii Personal iden:fica:on number, such as social security number (SSN), passport
number, driver‘s license number, account and credit card number
iii Address informa:on, such as street address or email address iv Asset informa:on, such as Internet Protocol (IP) or Media Access Control (MAC) v Telephone numbers, including mobile, business, and personal numbers.
Informa:on iden:fying personally owned property, such as vehicle registra:on number or :tle number and related informa:on
Source: information based on current ongoing analysis (partial results)
Presented by: Aurélie Pols @AureliePols
If you collect PII… then US & UK EU APEC
Common Law Con:nental Law Con:nental law influenced
Class ac:ons Fines (by DPAs: Data Protec:on Agencies)
Privacy Personal Data Protec:on (PDP) Business focused Ci:zen focused
Patchwork of sector based legislaTons: HIPPA, COPPA, VPPA, …
Over-‐arching EU Direc:ves & Regula:ons
PII: varies per state Risk levels: low, medium, high, extremely high
Presented by: Aurélie Pols @AureliePols
DATA IS A RISK BECAUSE IT EXISTS Data has become a valuable asset
Presented by: Aurélie Pols @AureliePols
Where to start?
Compliance? Privacy? Security?
Moving targets
Presented by: Aurélie Pols @AureliePols
The “Magnum” Plan • Document your data set-‐up • Set-‐up a compliance check-‐list: – Applicable legisla:ons to your sector – Territorial scope
• Evaluate your risk • Follow-‐up with informa:on security measures (data protec:on)
• Adopt global & sustainable Privacy best prac:ces
Presented by: Aurélie Pols @AureliePols
5 Online MarkeTng rules to respect consumer's privacy 1. Say what you do and do what you say 2. Harness your data liability 3. Foster data frugality & documenta:on
Agile is the ‘mot du jour’
4. Cherish the human aspect of data protec:on 5. Dialogue and find common ground
Presented by: Aurélie Pols @AureliePols
1. Say what you Do & Do what you Say Privacy policies statements: • Publicly available documents • Date stamp: less than 1 year old • Implies processes: – Eg. “we don’t collect data of minors” => COPPA – Dele:on & anonymiza:on – Bankruptcy or M&A data transfers
• Apributes responsibility: [email protected]
Presented by: Aurélie Pols @AureliePols
Entreprise goal User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
Quality Assurance Feedback
Presented by: Aurélie Pols @AureliePols
Yelp said that only about 0.02 percent of users who actually completed the registra:on process during the :me period provided an underage birth rate, “and we have good reason to believe that many of them were actually adults.” The company had an average of about 138 million unique visitors in Q2 of 2014. Cost? above 16$/monthly unique … Source: hpp://www.pcworld.com/ar:cle/2684752/yelp-‐seples-‐us-‐uc-‐charges-‐of-‐viola:ng-‐child-‐privacy.html
Presented by: Aurélie Pols @AureliePols
2. Harness data liability
Across data plavorms & flows – Understand Terms & Condi:ons – Sovereign:es/legal jurisdic:ons: Safe Harbor and Binding Corporate Rules (BCRs) – Access!
Ø Tool vexng Ø Agency vexng
Presented by: Aurélie Pols @AureliePols
Responsibility of analyTcs agency? Informa:on Security & Compliance: Follow the Data ü Define the tools ü Grant accesses ü Data collec:on & data lifecycle ü Data sharing & data flows Ø Ouen a weak link
Presented by: Aurélie Pols @AureliePols
Who has access?
Source: Privacy Green seal, specific audit for analy:cs tools & data agencies
Presented by: Aurélie Pols @AureliePols
3. Foster data frugality & documentaTon
Old adage: “let’s collect everything, just in case”
New adage: cherry pick the data for which the following must be held true:
1. Without X data apribute, I cannot do Y legi:mate task and need no less than X to do Y
2. Addi:onally collec:ng data point Z will not jeopardize my ini:al data collec:on purpose
Agile is the mot du jour, also for data collecTon
Presented by: Aurélie Pols @AureliePols
Agile ways of working with Purpose and Consent Use meta-‐data to classify data fields and groups to – Iden:fy data fields containing PII/personal data, (ad) collec:on source, use and disclosure/sharing;
– Iden:fy data fields/groups and their storage that need consent;
– Iden:fy data fields that may need correc:on by individuals;
– Iden:fy data fields that may need de-‐iden:fica:on, anonymiza:on or dele:on.
Presented by: Aurélie Pols @AureliePols
4. Cherish HR in Data ProtecTon
Human error causes most data breaches
Presented by: Aurélie Pols @AureliePols
Entreprise goal User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
And escalaTon procedures to akribute responsibility Should we do this analysis?
Presented by: Aurélie Pols @AureliePols
Security (technical)
Data CollecTon
Processes Resources
security
Presented by: Aurélie Pols @AureliePols
Purpose, Consent & Data Uses
Purpose
Consent
FIPPs
Data for approved
use
From:
Purpose
Consent
FIPPs Data analysis or merging
New business
opportunity
To:
Presented by: Aurélie Pols @AureliePols
5. Dialogue & common ground Trust and Creepiness: Consent is about a reasonable expectaTon of the use of data There’s a fine line between: – Feeling charmed – Feeling invaded
Create win-‐win situa:ons: – Customers give company informa:on – Customers get beper service/value for money
Presented by: Aurélie Pols @AureliePols
Discussion topics
• The context: which kind of applica:on? sector?
• The actors: end client, analy:cs agency/ies, tools
• The customer expecta:on: mainly focusing on why a customer logs out
• The risk and poten:al liability • Minimum requirements to lower risk