2. Today's Speakers
Aurelie Pols
Chief Visionary Officer, Mind Your Privacy
@AureliePols
Blair Reeves
Product Manager, IBM Digital Analytics
@BlairReeves
@IBMEMM
3. Please note
IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
@IBMEMM
@BlairReeves
4. Privacy in Context
IBM Customer Experience Suite (content management)
6. Expectations: no legislation, promised!
Source: http://www.jms-group.com/wp-content/uploads/2011/10/boring-conference.jpg
7. My kids in the cloud, perfectly load balanced
8. Confessions of an EU digital analyst (& Privacy geek)
Grew up in the Netherlands, Dutch passport
French mother tongue
Most of my friends are bilingual at least
Have Polish & Russian origins
Set up my 1st start-up in Belgium in 2003
Sold it to Digitas LBi (Publicis) in 2008
Moved to Spain in 2009
Created 2 other start-ups in Spain in 2012
– Mind Your Group, Putting Your Data to Work
– Mind Your Privacy, Data Science Protected
– Yes, a "law firm", but we prefer to say a bunch of Data Scientists working with a bunch of lawyers
10. Privacy, a fundamental right in the EU
European Convention on Human Rights (1953)
– Section I, Rights & Freedoms, Article 8: Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Note the national security reference, we'll get back to it!
US: Samuel Warren and Louis Brandeis talk "the right to be left alone" in Harvard Law Review in 1890!
11. Privacy, a Human Right? Global level
The Right to Privacy in the Digital Age
Draft resolution, crafted by Germany & Brazil
Adopted without a vote, December 18th 2013
Next steps
UN High Commissioner Navi Pillay to submit a report on the protection & promotion of the right to Privacy in the context of domestic & extraterritorial surveillance and/or interception of digital communications & the collection of personal data, August 25th 2014
Source: http://rt.com/news/germany-brazil-un-spying-resolution-394/
12. The Rule of Law is the basis for Democracy
US & UK
– Common Law
– Class actions
– Privacy
– Business focused
– Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …
– PII varies per state
EU
– Continental Law
– Fines (by DPAs: Data Protection Agencies)
– Personal Data Protection
– Citizen focused: data belongs to the visitor/prospect/consumer/citizen
– Over-arching EU Directives & Regulations
– Risk levels: low, medium (profiling), high (sensitive data), extremely high (profiling with sensitive data)
APEC
– Continental law influenced
13. PII list of variables & US states I
Personal Information (based on the definition commonly used by most states)
i. Name, such as full name, maiden name, mother's maiden name, or alias
ii. Personal identification number, such as social security number (SSN), passport number, driver's license number, account and credit card number
iii. Address information, such as street address or email address
iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
v. Telephone numbers, including mobile, business, and personal numbers
vi. Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current ongoing analysis (partial results)
14. PII list of variables & US states II
Medical information as PII
Financial information as PII
California
Alaska
North Carolina
Arkansas
Iowa
North Dakota
Missouri
Kansas
Oregon
New Hampshire
Massachusetts
South Carolina
North Dakota
Missouri
Vermont
Texas
Nevada
Wisconsin
Virginia
New York*
Wyoming
Passwords information as PII
Biometric information as PII
Georgia
Iowa
Maine
Nebraska
Nebraska
North Carolina
Wisconsin
Source: information based on current ongoing analysis (partial results)
15. PII vs. Risk levels
Chart: Risk level (Low; Medium (profiling); High (sensitive); Extremely high (profiling of sensitive data)) against Data type, labelled with PII and Information Security Measures.
16. Fines?
Spain: responsible for 80% of data protection fines in the EU
Source: http://www.mindyourprivacy.com/download/privacyinfographic.pdf
17. Total Privacy fines, penalties & settlements worldwide
Just 6 weeks into 2014, the world total in Privacy damages has already reached half the level of last year's record: $74 million
Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3
18. Data ownership? Dutch mobile, more B2B
KPN is a Dutch Telco. Operations are in the Netherlands, Belgium & Germany.
Brands: Hi, Simyo, Telfort & KPN, XS4ALL, E-Plus & Base (sold to Telefonica)
19. What are we working on in Europe?
Exists today
– EU Data Protection Directive (95/46/EC)
– ePrivacy Directive 2002/58/EC (as revised by 2009/136/EC)
Coming up
– #EUDataP
Source: www.iabeurope.eu/files/8813/7882/1681/IAB_Tuesday_Webinar_Data_Protection_FINAL.pdf
20. Consolidating: from national DPAs to WP29
Each country has its own Data Protection Agency (DPA)
– The French CNIL, the UK ICO, the Spanish AGPD, the 16 German länder, the Italians, the Dutch, …
– And they all work differently, with different budgets and different rules
The Article 29 Data Protection Working Party
– Gives recommendations
– Has no effective power but everybody listens: "an independent European advisory body on data protection and privacy".
– Opinion 05/2012 on Cloud Computing, adopted July 1st 2012 (p 20: Guidelines for clients & providers of cloud computing services)
– Influences the current debate about the upcoming Personal Data Protection Regulation (horizon 2016)
22. #EUDataP related to Cloud
Article 4.3. of the EU Personal Data Protection Regulation distinguishes between:
– Service in the cloud
– Storage in the cloud
Recurrent Question: Does it apply to back-ups?
– Yes, this is explicitly specified in the Regulation, following the WP29's 2012 recommendation
Types of cloud computing:
– Private, Public, Hybrid, Community
Service types: IaaS, PaaS, SaaS
23. Legal status of participants: controller vs. processor
The customer as data controller
– Determines whether to choose cloud computing (total or partial)
– Determines the type of cloud computing (especially regarding International Data Transfers)
– Determines the cloud computing service types
Responsible for the processing of personal data
– This cannot be delegated
The Cloud Certified Professional (CCP) as data processor
– IBM data centers ISO-27001 & SSAE-16 certified + ITCS104 IBM security policy
Consequences of the participants' legal status:
– Applicable law: national law of controller/customer
– Except national security
26. Typical personal data misconceptions
Very often present in technology companies
– We do not identify the user while using the data, so we have no issues with Privacy law
– We only use the serial # of the user's device, so the data is anonymous and we have no issues with Privacy laws
– We encrypt the data so we are no longer using/sending/receiving personal data
– We use hashes to replace all serial #, so the data is now anonymous and we have no issues with Privacy laws
– We anonymize the data, so we are not using personal data
– We can use the user's data for anything we want, as long as we keep the data to ourselves
– Look: big name companies are doing the same, so we are ok
Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
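The "we hash the serial #, so the data is anonymous" misconception is easy to show in code. The block below is an added example, not code from the deck or from TomTom, IBM or Mind Your Privacy. It assumes a constructed 5-digit device serial format (a toy space; real formats differ but any small, structured identifier space behaves the same way): an unkeyed SHA-256 of the serial can be mapped straight back to the device by anyone who hashes the whole space once, so the column is still personal data. A keyed HMAC under a controller-held secret closes that gap for third parties, but the controller can still link records, which makes the data pseudonymous rather than anonymous. Function names, the serial format and the sample value are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed toy identifier space: 5-digit device serials (100,000 values).
# Real serial formats differ; the weakness is the small, predictable space.
SERIAL_DIGITS = 5
SERIAL_SPACE = range(10 ** SERIAL_DIGITS)


def _encode(serial: int) -> bytes:
    """Canonical byte form of a serial (zero-padded decimal)."""
    return f"{serial:0{SERIAL_DIGITS}d}".encode()


def naive_hash(serial: int) -> str:
    """The 'we hash the serial, so it is anonymous' approach: an unkeyed SHA-256."""
    return hashlib.sha256(_encode(serial)).hexdigest()


def build_reverse_table() -> dict[str, int]:
    """Anyone who knows the serial format can hash the whole space once and keep a
    digest -> serial table; the 'anonymous' column is then a dictionary lookup away."""
    return {naive_hash(s): s for s in SERIAL_SPACE}


def reidentify(digest: str, table: dict[str, int]) -> int | None:
    """Return the serial behind an unkeyed digest, or None if it is not in the table."""
    return table.get(digest)


def keyed_pseudonym(serial: int, key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a secret held only by the controller.
    Without the key nobody can build the reverse table, so the digest does not leak
    the serial to third parties. It is still pseudonymous, not anonymous: whoever
    holds the key can link every record back to the device."""
    return hmac.new(key, _encode(serial), hashlib.sha256).hexdigest()


def demo(serial: int = 42424) -> dict:
    """Run both variants on one constructed serial and report what each reveals."""
    table = build_reverse_table()
    key = secrets.token_bytes(32)  # controller's secret; never stored next to the data
    unkeyed = naive_hash(serial)
    keyed = keyed_pseudonym(serial, key)
    return {
        # Unkeyed digest: re-identified immediately from the precomputed table.
        "unkeyed_reidentified": reidentify(unkeyed, table),
        # Keyed digest: the same table does not contain it.
        "keyed_in_reverse_table": reidentify(keyed, table),
        # But the key holder can still link the record to the device.
        "keyed_linkable_by_key_holder": keyed == keyed_pseudonym(serial, key),
    }


if __name__ == "__main__":
    print(demo())
```

The lookup table is built in well under a second for this toy space; the point is that its cost grows with the size of the identifier space, not with the strength of the hash function, so swapping SHA-256 for a slower hash does not turn the column into anonymous data.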
27. Connected cars? TomTom profiles roads, not people
Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
28. Consent in Telcos, some go for very granular
Slide borrowed from Stephen John Deadman from Vodafone Group Services Limited, IAPP congress Brussels, November 2013
29. Cloud: So where to start?
Suggested line of thought: WP29's Security & Data Protection Goals
Transparency
Intervenability
Availability
Integrity
Portability
Confidentiality
Isolation
Source: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2012/wp196_en.pdf
30. Data protection requirements in the client-provider relationship(s) – WP29
1. Compliance with basic principles
– Transparency
– Purpose specification & limitation => consent, opt-in, opt-out
– Erasure of data => anonymization, re-qualification
2. Contractual safeguards of the "controller-processor" relationship
3. Technical & organizational measures of data protection & data security
– Isolation (purpose limitation)
– Availability
– Intervenability
– Integrity
– Portability
– Confidentiality
– Accountability
31. Compliance with basic principles
Transparency
– Who is controller (data collector) & purpose of data collection (what are you using the data for exactly?)
– This includes sub-contractors
Purpose specification & limitation
– Data collected for specified, explicit and legitimate purposes & not further processed in a way incompatible with those purposes
– Prior to data collection
– Consent: opt-in, opt-out, don't ask
Erasure of data
– Legal data retention periods => customer re-qualification (average 30%)
32. Trust & creepiness
Consent is about a reasonable expectation of the use of data
– There's a fine line between feeling charmed vs. feeling invaded
– Create win-win situations:
• Customers give company information
• Customers get better service/value for money
33. Information Security Measures
Technical & organizational measures of data protection & security
– Availability:
• Timely & reliable access to personal data
• Cloud provider: reasonable measures to cope with the risk of disruption
– Integrity:
• No malicious or accidental alteration of the data during processing, storage or transmission
– Confidentiality:
• Encryption in transit, always, & secure remote connections
– Isolation:
• Data storage, memory & networks are often shared => risk!
– Intervenability:
• No obstacles to the data subject's right to access, rectification, erasure, …
– Portability
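The integrity measure above (no malicious or accidental alteration during processing, storage or transmission) is something a controller can verify mechanically rather than take on trust. The following is an added example, not code from the deck or from IBM or Mind Your Privacy: it seals a constructed customer record with an HMAC-SHA256 tag under a controller-held integrity key, then refuses the record if any field changed after sealing or if the tag was produced under a different key. The record fields, the canonical JSON encoding and the key handling are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed sample customer record; no real data.
SAMPLE_RECORD = {"customer_id": "C-1001", "country": "ES", "opt_in_marketing": False}


def canonical(record: dict) -> bytes:
    """Serialise deterministically (sorted keys, no whitespace) so that the same
    record always produces the same bytes and therefore the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed under the controller's integrity key.
    The tag travels with the record through storage and transit."""
    payload = canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify(sealed: dict, key: bytes) -> dict | None:
    """Recompute the tag and compare it in constant time. Return the record only if
    it is byte-for-byte what was sealed; otherwise return None."""
    expected = hmac.new(key, sealed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(sealed["payload"])


def tamper(sealed: dict, field: str, new_value) -> dict:
    """Simulate alteration in storage or transit (deliberate or accidental):
    change one field but leave the original tag in place."""
    record = json.loads(sealed["payload"])
    record[field] = new_value
    return {"payload": canonical(record).decode(), "tag": sealed["tag"]}


def demo() -> dict:
    """Seal the sample record, then show which copies the verifier accepts."""
    key = secrets.token_bytes(32)
    sealed = seal(SAMPLE_RECORD, key)
    return {
        "intact_accepted": verify(sealed, key) == SAMPLE_RECORD,
        "altered_rejected": verify(tamper(sealed, "opt_in_marketing", True), key) is None,
        "wrong_key_rejected": verify(sealed, secrets.token_bytes(32)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A tag only proves integrity against parties who do not hold the key, so the key must live with the controller, not in the same store as the records it protects; the same sealing step before upload and verification after download covers the "storage" and "transmission" cases in the slide with one mechanism.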
34. Techno security is just one piece of the puzzle
Technological security
Processes
Resources
Data Collection
36. Balancing Risks & Benefits in the Cloud
Benefits
– Price
– Transfer of responsibility?
– Availability (BYOD, strike, natural disaster, …)
Risks
– Cloud Provider PIA (Privacy Impact Assessment)
– Security evaluation of your own information
– Nature of your own data
Source: http://www.labeshops.com/image/cache/data/summitcollection/7918llady-justice-3-feet-statue-800x800.jpg
37. From Compliance to Risk Assessment
Achieving 100% compliance is a chimera
– Compliance is a journey, not a destination
– Level of required compliance linked to
• Sector
• Personal internal management
• Company risk profile
Risk is a moving target
– Risk of being fined
– Risk of being breached
– Brand perception => subjective
38. Leading global reinsurer example
Note: slides blurred for confidentiality reasons
39. Metrics & KPIs to follow evolution
Note: slides blurred for confidentiality reasons
40. Typical set-up example, International Co
Diagram: Local subsidiary 1 (shown twice), Local subsidiary 2, Local subsidiary 3, Local subsidiary 4; Terms & Conditions
Applicable Security Measures???
41. What to do? This is your check-list I
1. Know your information structure (cloud)
– Can you exactly draw the previous slide?
2. Cloud inventory (PIA)
– Provider (& sub-contractors)
– Location
• Cloud service HQ
• Servers
– Applicable law: our friend Snowden
– Physical location: earthquakes?
• Any incidents to report?
• In-house control access (risk)
• Terms & Conditions
– Information Security measures
– Related to Privacy
42. What to do? This is your check-list II
3. Know your Data structure: data inventory (cloud)
– Do you know which data can be found where?
– Have you reviewed your information security measures?
– What happens in case of a breach?
4. Authorization required?
– Approval of International Data Transfers (IDT)
– Safe Harbor
– Binding Corporate Rules (BCR)
– User consent
43. MYP Information Security Framework
Diagram: Organizational Data Security measures
– Risk classification: Low/medium/high/extreme
– Data Lifecycle
– Integrity, Availability, Confidentiality
– Security, Authentication, Privacy
44. Human errors cause most data breaches
Source: http://www.cooldailyinfographics.com/post/data-andsecurity-breaches
45. Harmonizing Security & Privacy cultures
Effective Privacy management depends upon a Risk driven approach that surpasses compliance needs
– Prepare for legislative changes
– Recognize that just because something is legal, it doesn't mean it is a good idea
– Consider how Privacy drives strategic advantage => USP?
Skill requirements & interfaces between professionals
– Identifying intersection and tackling conflict
– Finding a common language
– Developing a Privacy culture
Source: http://www.rsaconference.com/writable/presentations/file_upload/grc-w07when-worlds-collide-harmonisinggovernance-between-security-andprivacy.pdf