Ichec & ESC gdpr feb 2020

580 views

Class given in February 2020 at Ichec Brussels Management School and at ESC Rennes

Published in: Education
  • One of the best resources about Data Privacy that I received. Thanks Mister Folon for your classes

  1. Data privacy & GDPR. Jacques Folon, Ph.D.: CEO, GDPRfolder; GDPR Director, Edge Consulting; Professor, ICHEC; Lecturer (maître de conférences), Université de Liège; Visiting professor, ESC Rennes School of Business; Université Saint Louis
  2. GDPR: The Context
  3. https://gdprfolder.eu © 2018 GDPRFOLDER.EU SPRL All Rights Reserved. Every company and every self-employed person is concerned, non-profits included
  4. Which data? Employees, prospects, contacts, users & clients
  5. Privacy vs social media
  6. http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg
  7. Average number of Facebook "friends": 338 in 2020
  8. Data privacy is outdated! "By giving people the power to share, we're making the world more transparent. The question isn't, 'What do we want to know about people?', It's, 'What do people want to tell about themselves?'" (Mark Zuckerberg). "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." (Eric Schmidt)
  10. SOURCE: http://mattmckeon.com/facebook-privacy/
  17. In 2018
  18. http://1.bp.blogspot.com/-NqwjuQRm3Co/UCauELKozrI/AAAAAAAACuQ/MoBpRZVrZj4/s1600/Party-Raccoon-Get-Friends-Drunk-Upload-Facebook.jpg
  19. The person who took the photo is a real friend. http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg
  20. Facebook dating... Privacy?
  25. From Big Brother to Big Other
  26. Antonio Casilli, http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def: importance of T&C; everybody speaks; mutual surveillance; lateral surveillance
  27. Geolocation. http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png
  28. Data collection
  30. Interactions controlled by citizens in the Information Society. http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm
  31. Interactions NOT controlled by citizens in the Information Society. http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm
  32. GDPR
  33. Is GDPR a worldwide regulation?
  34. Codes of conduct and certifications
  35. May 25, 2018: GDPR!!!
  36. A. Context; B. Some definitions; C. The principles; D. GDPR consequences; E. Methodology
  37. A: CONTEXT
  38. IN 3 WORDS: GDPR is a Regulation, not a Directive (directly applicable in every Member State, no national transposition needed); worldwide influence; consequences for companies and the public sector
  39. May 2018: applicable from May 25, 2018; proposed by the European Commission in 2012, adopted in 2016. Risks: administrative fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher; compensation claims in court; reputation impact. What is affected: contracts, processes, marketing, organisation
  40. B: SOME DEFINITIONS...
  41. PERSONAL DATA (GDPR Art. 4(1)): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  42. PROCESSING (GDPR Art. 4(2)): 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  43. CONTROLLER (GDPR Art. 4(7)): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  44. PROCESSOR (or sub-contractor) (GDPR Art. 4(8)): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
  45. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: the processor shall act only on instructions from the controller; the obligations as defined by the law of the Member State in which the processor is established shall also be incumbent on the processor. (This is the wording of Directive 95/46/EC Art. 17(3); GDPR Art. 28(3) requires a written contract with a longer mandatory list of terms: documented instructions, confidentiality, security measures, approval of sub-processors, assistance with data subject rights, deletion or return of the data at the end of the service, and audits.)
  46. DATA BREACH (GDPR Art. 4(12)): 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
  47. C: 12 MAIN PRINCIPLES OF GDPR: 1. Accountability; 2. Consumer / citizen rights; 3. Privacy by design; 4. Information security; 5. Data breach; 6. Penalties; 7. Identity and access management; 8. Lawfulness of processing; 9. Register; 10. Risk analysis and PIA; 11. Training; 12. Data Protection Officer
  48. 1/ ACCOUNTABILITY
  49. DO-CU-MEN-TA-TION
  50. Privacy policy, or regulation, or ...
  51. 2/ Consumer/citizen's rights: transparency; sensitive information; information collected; right of access; right to rectification; right to erasure; right to restriction of processing; portability; right to object (including to profiling)
  52. Right of access
  53. Right to be forgotten?
  54. 3/ PRIVACY BY DESIGN
  55. Information lifecycle
  56. Look at the entire data lifecycle
  57. 1. CREATE
  58. Balancing test needed (when relying on legitimate interest)
  59. Privacy policy, or regulation, or ...
  60. Consent & evidence
  61. Sensitive data
  62. 2. STORE: security, encryption, authentication, availability, confidentiality, IAM
  63. 3. USE
  64. 4. SHARE
  66. 5. ARCHIVE
  67. 6. DESTROY
  68. 4/ INFORMATION SECURITY
  69. The weakest link
  70. Security. Image source: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-security-2/
  71. Source: https://www.britestream.com/difference.html
  72. Threats
  73. Who knows ... now?
  74. Certifications
  75. Control by the employer. Image source: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/
  76. What your boss thinks...
  77. Employees share (too) much information, also with third parties
  78. Where is data stolen from? Banks, hospitals, ministries, police, newspapers, telecoms, ... Which devices are stolen? USB sticks, laptops, hard disks, papers, binders, cars
  79. Restitutions
  80. Data privacy & the employer. http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg
  81. So-called hidden costs. http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
  82. May the employer control everything?
  83. Who controls what?
  84. Could my employer open my emails?
  85. IAM
  86. Codes of conduct
  87. Teleworking
  88. Employer's control. http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux
  91. Security is a legal obligation (GDPR Art. 32)
  92. 5/ DATA BREACH
  93. Data breaches
  94. Disastrous data breaches
  95. So it is a real threat!
  96. 6/ PENALTIES
  97. 7/ IDENTITY AND ACCESS MANAGEMENT
  98. 8/ LAWFULNESS OF PROCESSING. Consent must be freely given, specific, informed and unambiguous, given by a statement or by a clear affirmative action (GDPR Art. 4(11)); explicit consent is required for special categories of data (GDPR Art. 9)
  99. 'The data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. (Wording of Directive 95/46/EC Art. 2(h); GDPR Art. 4(11) adds "unambiguous" and "by a statement or by a clear affirmative action".)
  101. Opt in
  102. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (Wording of Directive 95/46/EC Art. 6(1); GDPR Art. 5(1) restates these principles, adds integrity and confidentiality, and in Art. 5(2) makes the controller accountable for demonstrating compliance.)
  103. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. (Wording of Directive 95/46/EC Art. 8(1); GDPR Art. 9 extends the list with genetic data, biometric data processed to uniquely identify a person, and sexual orientation.)
  104. 9/ RECORD OF PROCESSING ACTIVITIES
  105. 10/ RISK ANALYSIS AND PIA
  106. 11/ TRAINING
  107. Internal trainings
  108. 12/ DATA PROTECTION OFFICER (DPO)
  109. D: CONSEQUENCES
  110. E: METHODOLOGY
  111. Methodology: 1. preliminary audit; 2. risk analysis; 3. list of services; 4. record of processing activities; 5. action plan; 6. search for compliance; 7. solution for non-compliance; 8. continuous processes; 9. training. Phases: preparation, implementation, sustainment
  112. Image source: http://ediscoverytimes.com/?p=46
  113. Risks. Image source: http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html
  114. Source: The Risks of Social Networking, IT Security Roundtable, Harvard Townsend, Chief Information Security Officer, Kansas State University
  115. "The new head of MI6 has been left exposed by a major personal security breach after his wife published intimate photographs and family details on the Facebook website. Sir John Sawers is due to take over as chief of the Secret Intelligence Service in November, putting him in charge of all Britain's spying operations abroad. But his wife's entries on the social networking site have exposed potentially compromising details about where they live and work, who their friends are and where they spend their holidays." http://www.dailymail.co.uk
  116. Social media spam: compromised Facebook account; the victim is now promoting a shady pharmaceutical. Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education
  117. Social media phishing: the message comes from a lookalike domain, "T V V I T T E R.com" (two v's standing in for the w of twitter.com); log in there and they will have your username and password. Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education
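The phishing slide above turns on a lookalike domain: "tvvitter" reads as "twitter" at a glance. As an added example (not code from the slides, from Ross C. Hughes's deck, or from GDPRfolder), here is a small Python triage routine a mail-security team could run over sender addresses or link hosts. It goes beyond the slide's single case: it folds Unicode compatibility forms, a table of common confusable substitutions, and one-character typosquats. The trusted-domain allow-list, the confusable table and the two-label registrable-domain rule are assumptions made for this example, and the sample sender addresses are constructed.

```python
"""Lookalike-domain triage for phishing messages (added example, not from the slides)."""
import unicodedata

# Assumption: the organisation's own allow-list of domains it legitimately receives mail from.
TRUSTED_DOMAINS = {"twitter.com", "facebook.com", "linkedin.com"}

# Character runs attackers substitute for the letters a reader sees (fake -> real).
# Multi-character entries first, so "vv" is folded before any single character.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def registrable_domain(host: str) -> str:
    """Keep the last two labels: "login.tvvitter.com" -> "tvvitter.com".

    Assumption: two-label registrable domains only; production code would
    consult the Public Suffix List (e.g. for .co.uk).
    """
    labels = host.strip().strip(".").split(".")
    return ".".join(labels[-2:])


def canonicalize(host: str) -> str:
    """Fold a host name into what a human glancing at it would read.

    NFKC maps full-width and other compatibility forms to ASCII; lowercasing
    and whitespace removal undo visual padding such as "T V V I T T E R.com";
    the confusable table folds substitutions such as "vv" for "w".
    """
    text = unicodedata.normalize("NFKC", host).lower()
    text = "".join(text.split())
    name, sep, tld = registrable_domain(text).rpartition(".")
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name + sep + tld


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats (twiter.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(host: str) -> str:
    """Return "trusted", "lookalike" or "unknown" for a sender or link host."""
    # Compare the raw (lowercased, de-spaced, but NOT Unicode-folded) registrable
    # domain first, so a full-width or confusable spelling never counts as trusted.
    raw = registrable_domain("".join(host.lower().split()))
    if raw in TRUSTED_DOMAINS:
        return "trusted"
    folded = canonicalize(host)
    if folded in TRUSTED_DOMAINS:
        return "lookalike"  # reads like a trusted domain but is a different string
    if any(edit_distance(folded, trusted) == 1 for trusted in TRUSTED_DOMAINS):
        return "lookalike"  # one character added, dropped or swapped
    return "unknown"


def triage(senders):
    """Map each sender address to its verdict; the host is the part after '@'."""
    return {s: classify_sender_domain(s.rsplit("@", 1)[-1]) for s in senders}


# Constructed sample input for this example; not real messages.
SAMPLE_SENDERS = [
    "security@twitter.com",
    "support@T V V I T T E R.com",
    "alerts@login.tvvitter.com",
    "noreply@facebo0k.com",
    "help@twiter.com",
    "info@example.org",
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {sender}")
```

The raw comparison before any folding is the important ordering: if the routine normalised first, a full-width or confusable spelling of a trusted name would be reported as trusted, which is exactly the false negative the attacker is counting on. A "lookalike" verdict is a signal for quarantine and user warning, not proof of malice, since legitimate typos exist.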
  118. Social media malware: clicking on the links takes you to sites that will infect your computer with malware. Source: Social Media: Manage the Security to Manage Your Experience; Ross C. Hughes, U.S. Department of Education
  119. Phishing. Source: Luc Pooters, Triforensic, 2011
  120. Data theft
  121. Social engineering. Source: Luc Pooters, Triforensic, 2011
  122. Take my stuff, please! Source: The Risks of Social Networking, IT Security Roundtable, Harvard Townsend, Chief Information Security Officer, Kansas State University
  123. 3rd-party applications: games, quizzes, cutesie stuff; untested by Facebook, anyone can write one; no terms and conditions, you either allow or you don't; installation gives the developers rights to look at your profile and overrides your privacy settings! Source: The Risks of Social Networking, IT Security Roundtable, Harvard Townsend, Chief Information Security Officer, Kansas State University
  124. Big data
  125. Biometrics
  126. Facial recognition
  127. RFID & Internet of Things. http://www.ibmbigdatahub.com/sites/default/files/public_images/IoT.jpg
  128. Security???
  129. "It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change." (Commonly attributed to C. Darwin; the wording is Leon Megginson's 1963 paraphrase.)
  130. Any questions?
