A tale of caution about lack of transparency and rolling heads. Pragmatic Data Privacy take-aways for an era of Digital Entanglement and fluid Privacy legislation. See superweek.hu
2. @aureliepols
Monkey reporting on remote-controlled data cows?
Aurélie Pols, February 2016
Superweek.hu
http://www.theguardian.com/technology/2016/jan/30/europe-google-facebook-technology-ethics-eu-martin-schulz
3. Let’s Play a Game:
Are you willing to give & allow storage of this data about you?
1. My first- and last name
2. My birthdate
3. My current home address
4. My bank account info
5. All of my online searches
6. All websites I have ever visited
7. The names of everyone I communicate with (email, Skype, app, chat, snap, call)
8. Names, phone numbers and photos of everyone I know
9. Where I am and where I’ve ever been
10. The content of all my communication with others at all times
Source: not my questions! https://www.youtube.com/watch?v=BVM]zKnSgs
6. Risk averse for my children
• My most precious assets
• We share common goals
• And speak the same language
Could you say the same of your Legal Counsel?
7. Consider before crucifying the Rule of law
1. The specifics of data as an Economic Asset:
   • Data is infinitely transferable without decay
2. Often forgotten Legislative Challenges
   • Defining and recognizing Data Harms
3. Related to evolving Privacy Legislation
   • Compliance is a Risk Exercise
4. Minimizing Privacy related Risks
   • YOUR liability within the Data Ecosystem
9. Fact remains: RACI matrices
• Legal counsel will be held accountable
• Legal counsel should be consulted
R – Responsible
   • Who is/will be doing this task?
   • Who is assigned to work on this task?
A – Accountable
   • Whose head will roll if this goes wrong?
   • Who has the authority to take the decision?
C – Consulted
   • Anyone who can tell me more about this task?
   • Any stakeholders already identified?
I – Informed
   • Anyone whose work depends on this task?
   • Who has to be kept updated about the progress?
10. In a world of dynamic regulation
Two fundamental Data Privacy questions:
1. How far is too far (for data use & transparency)?
2. Who will decide (what is acceptable)?
11. If I had 1 £ for every time I heard…
1. Yes but we don’t collect PII
2. International data transfers? Safe Harbour!
12. So what to do? 1 rules them all
• Transparency
• Choice
• Information review & correction
• Information protection
• Accountability
13. There is no PII NOC list, get over it!
Sensitive data? A wash list of controversial variables!
14. PII vs. Risk Levels (US: if/then exercises)
Risk Level vs. Data type: Information Security Measures increase as you get closer to uniquely identifying an individual (PII).
• Digital exhaust: Low Risk
• OBA: Medium Risk (profiling)
• HIPAA health data: High Risk (sensitive)
• FCRA credit scoring: Extremely High Risk (profiling of sensitive data)
15. Where to start?
1. Define yourself
   • Who are you in the data ecosystem?
   • What are your obligations?
   • What is expected of you?
   • (Who can find out?)
16. Where to start?
2. Document your Digital Entanglement
High-level mock-up of existing client.
Next steps:
   ✓ Terms & sovereignties
   ✓ Data points & access/sharing
   ✓ Purpose & Consent
   ✓ Data retention periods
17. Where to start?
3. Align your liabilities:
   • What do the terms allow?
   • Which data points are you collecting?
   • Which clauses are being used (International data transfer mechanisms: Safe Harbour)?
   • Who has access? Data sharing
   • …
18. Where to start?
4. Don’t drop the ball on Purpose and Consent!
What happens if opt-out of email list?
https://support.google.com/adwords/answer/6276125?hl=en
UK: Optical Express bought “consented” data from Thomas Cook
See ICO PECR: https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/
19. Where to start?
5. Understand your risk
   • Of legal issues: fines, class actions
     Schleswig-Holstein DPA considers Safe Harbour clauses today unacceptable + can’t be replaced by model clauses either => is this a risk for your company?
   • Of customer backlashes: unexpected/creepy data uses
     Target: using shopping behavior to define pregnancy state (sensitive data) => consent!
20. Where to start?
6. Document, train & communicate
   • If asked, be able to show you’ve done your homework
   • Define accountability (data stewards) & escalation procedures
   • Explain & ask for help: your company is the patient!
22. Find out where the next Data Privacy challenges lie
For you: Piwik webinar
https://piwik.pro/c/privacy-webinar/
For your colleagues: IAPP webinar
https://my.iapp.org/nc__event?id=a0l1a000000nDWsAAM
23. LET’S START THE DISCUSSION
Thank you for your attention!
aurelie@mindyourprivacy.com
THANK YOU FOR LISTENING!