A presentation at FirstMark's CodeDriven event at the AWS Loft in New York on how to think about data privacy compliance if you work on an engineering, data or product team.
3. Ethics Data
Ethyca
A Technology Platform Built To Make It Easy for Engineers, Product and Data Teams To Do the 'Right Thing' With Data Without Adding Friction To CI/CD.
4. Overview
1. Data Privacy & Compliance
2. Abstract Compliance Model
3. Data Mapping & Inventory
4. Data Subject Requests
7. Consent & Objection
8. Data Minimization
9. Data Protection Impact Assessments
10. Summary
6. Data Privacy
Data Privacy: putting in place appropriate technical and organizational measures, or 'baking in' data protection to your processing and business practices, from the design stage throughout the product lifecycle.
Data Privacy Compliance: the determination of what data in a system may be shared with third parties.
7. Active & Pending Privacy Regulations in Nearly All Major Markets
The majority of large tech markets will be regulated within 3 years. Regulations shown: CCPA, PIPEDA, FED GDPR, APPI, PPB, LGPD, POPI, APP.
8. Data Privacy Compliance Principles
1. Lawfulness, fairness and transparency - Process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose limitation - Only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
3. Data minimization - You must ensure that the personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
4. Accuracy - You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
5. Storage limitation - You must delete personal data when you no longer need it. The timescales in most cases aren't set; they will depend on your business' circumstances and the reasons why you collect this data.
6. Integrity and confidentiality - You must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
10. Simple Privacy Compliance Model
Abstraction of Global Regulations for Data Privacy Compliance *
* Note: There are substantive differences between definitions and obligations for Data Privacy, but in seeking a blueprint for strong data privacy we believe these can be applied across markets.
• Inventory & Mapping: Inventory of personal information processed, including activities, access and storage.
• DSR: Ability to execute Data Subject Requests, incl. access, rectify, erase and portability.
• Consent & Objection: Strong and clear consent for every processing activity conducted with a user's personal data.
• Data Minimization: Minimize access to data based on approved activities to reduce data exposure and risks.
• DPIA: Continuous evaluation of product for impact to your users in relation to data use/processing.
12. Data Inventory & Flow Mapping
A continuously updated inventory of personal information held based on:
• Categories of personal information
• Categories of subjects for whom data is held
• Who has access (users/systems)
• Related business activities
• Basis for processing
• Duration data is held (TTL)
13. Data Inventory & Flow Mapping
1. Manual Mapping: Aggregate schema, audit unstructured stores, document processes and map data rights for all personal information. Establish a cadence for regular review.
2. Data Discovery: Automate with data discovery tools to identify personal information and generate a 'map' of areas of risk. Ensure manual review, as automation is imperfect.
3. Active Data Lineage: Connect rights management, transaction analysis and system metadata to generate a map of personal information. Significant infrastructure & ops refactoring to achieve.
15. Data Subject Requests (DSR)
Your systems should have the ability to:
• Access: retrieve, categorize and provide to the requesting user all of their data.
• Rectify: edit an attribute of personal information that may be deemed incorrect.
• Delete: delete an attribute of personal information.
• Erase: completely erase a user's personal information.
• Portability: retrieve, categorize and provide a user's data in an interoperable format.
16. Data Subject Requests (DSR)
1. Scripts & Runbook: Write scripts for data retrieval against identity for each data store and prepare a runbook of steps to execute regularly. Not scalable, prone to error and not readily auditable.
2. Build SR Service: Build a service for data retrieval based on provided identity types and expose it across the application layer for subject requests. Significant cycles to design, implement & maintain.
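As an added example (not code from the deck or from Ethyca), the five DSR capabilities above implemented as one auditable service over two constructed sample stores that are keyed by different identity types; the store layout, category tags, sample rows and audit-log shape are assumptions:

```python
import json
from datetime import datetime, timezone

# Constructed sample stores (assumed layout): each is keyed by one identity type and tags attributes by category.
STORES = {
    "crm": {"key": "email", "categories": {"name": "identity", "phone": "contact"},
            "rows": {"alice@example.com": {"name": "Alice", "phone": "555-0100"}}},
    "billing": {"key": "user_id", "categories": {"card_last4": "financial", "postcode": "location"},
                "rows": {"u-42": {"card_last4": "4242", "postcode": "10001"}}},
}
IDENTITY = {"email": "alice@example.com", "user_id": "u-42"}  # the requester's identities (constructed)
AUDIT_LOG = []  # every DSR action is recorded so the process is auditable

def _audit(action, store, attr=None):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "action": action, "store": store, "attr": attr})
def _row(store, identity):
    return STORES[store]["rows"].get(identity.get(STORES[store]["key"]))

def access(identity):  # Access: everything held for the identity, grouped by store and category
    out = {}
    for name, store in STORES.items():
        row = _row(name, identity)
        if row is None: continue
        _audit("access", name)
        by_cat = {}
        for attr, value in row.items():
            by_cat.setdefault(store["categories"].get(attr, "uncategorized"), {})[attr] = value
        out[name] = by_cat
    return out

def rectify(identity, store, attr, value):  # Rectify: correct one attribute the user disputes
    row = _row(store, identity)
    if row is None or attr not in row:
        raise KeyError(f"{store}.{attr} is not held for this identity")
    row[attr] = value
    _audit("rectify", store, attr)

def delete_attribute(identity, store, attr):  # Delete: one attribute; the user record remains
    row = _row(store, identity)
    if row is not None and row.pop(attr, None) is not None:
        _audit("delete", store, attr)

def erase(identity):  # Erase: drop the user from every store; returns the stores that held data
    erased = [n for n, s in STORES.items() if s["rows"].pop(identity.get(s["key"]), None) is not None]
    for name in erased: _audit("erase", name)
    return erased

def export_portable(identity):  # Portability: the categorized data as JSON, an interoperable format
    return json.dumps(access(identity), indent=2, sort_keys=True)
```

Because every store is addressed through the identity bundle, adding a store means adding one entry to STORES rather than another script in a runbook.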
18. Consent & Objection Management
You must provide the ability for your user to:
• Opt in: opt in with a clear understanding of what you're doing with their data.
• Opt out: modify consents for each activity you undertake with their data.
• Object: object to having their data processed in any way.
• Manage data sales: opt out of having their data sold to third parties.
Ensure users are notified of changes to data processes so they can manage their consent, and ensure that a user's change to consent flows through all your business processes.
19. Consent & Objection Management
1. Manual Management: Capture consent upfront and manually map flags across 3rd party systems with data residency for given identities. Difficult to maintain parity across systems.
2. Consent Manager: Implement (buy or build) a consent manager to unify consent across data processing systems. Best solution for 3rd party systems, less suitable for owned infrastructure.
3. Map Consent & Rights: Treat rights management, processing activities and consent as a graph of relationships for data privacy compliance. Significant infrastructure & ops refactoring to achieve.
21. Data Minimization
Employ strong data rights management by:
• encrypting all data in flight and at rest.
• ensuring access to data is only provided for a given business activity.
• limiting access to data to the duration of a given business activity.
• comprehensively logging data access across business users and systems.
22. Data Minimization
1. Fine Grained RBAC: Institute fine-grained access control based on specific business activities which reflect permitted data processing activities. Easiest to initiate, labor intensive to enforce at scale.
2. Map Consent & Rights: Map activities, consent and rights together to manage data access controls for systems and users across the organization. Significant infrastructure & ops refactoring to achieve.
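An added example (not code from the deck or from Ethyca) that serves both the consent and objection requirements above and the activity-based access guard described under Data Minimization: every access is authorized against the user's live per-activity consent, the activity's permitted data categories and the caller's role, is time-limited by a grant, and is logged whether allowed or denied, so an opt-out or objection takes effect on the next access without any flag re-mapping. The activity registry, consent schema, role names and sample identifiers are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed activity registry (assumed schema): the data categories and roles each permitted
# processing activity may use. Data sale is modelled as just another activity needing consent.
ACTIVITIES = {
    "order_fulfilment": {"categories": {"contact", "location"}, "roles": {"ops"}},
    "marketing_email": {"categories": {"contact"}, "roles": {"marketing"}},
    "data_sale": {"categories": {"contact", "location"}, "roles": {"partnerships"}},
}
CONSENT = {}     # user -> {"opt_in": set of activities, "objected": bool}; constructed, starts empty
ACCESS_LOG = []  # every decision, allowed or denied, is logged for audit

def _consent(user):
    return CONSENT.setdefault(user, {"opt_in": set(), "objected": False})

def update_consent(user, activity, opted_in):  # opt-in / opt-out per activity
    flags = _consent(user)["opt_in"]
    flags.add(activity) if opted_in else flags.discard(activity)

def object_to_processing(user):  # objection blocks every activity, whatever was opted in
    _consent(user)["objected"] = True

class Grant:  # a time-limited permission to touch one category for one activity
    def __init__(self, principal, activity, category, ttl):
        self.principal, self.activity, self.category = principal, activity, category
        self.expires = datetime.now(timezone.utc) + ttl
    def valid(self):
        return datetime.now(timezone.utc) < self.expires

def authorize(user, principal, role, activity, category, ttl=timedelta(minutes=15)):
    """Return a Grant only if consent, activity scope and role all allow the access; else None."""
    spec, consent = ACTIVITIES.get(activity), _consent(user)
    if spec is None:
        reason = "unknown activity"
    elif consent["objected"]:
        reason = "user objected to processing"
    elif activity not in consent["opt_in"]:
        reason = "no consent for this activity"
    elif category not in spec["categories"]:
        reason = "category outside activity scope"
    elif role not in spec["roles"]:
        reason = "role not permitted for activity"
    else:
        reason = None
    ACCESS_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user, "principal": principal,
                       "activity": activity, "category": category, "allowed": reason is None, "reason": reason})
    return None if reason else Grant(principal, activity, category, ttl)
```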
24. Data Protection Impact Assessments (DPIA)
Conduct impact assessments as part of product design and development:
• Assess the risk threshold of the intended data process to your users.
• Reduce unnecessary risk wherever possible when identified.
• Provide clear documentation of ongoing assessment for any product or service development process.
25. Data Protection Impact Assessments (DPIA)
Workflow for DPIA:
• Create a template assessment form for product, eng. and data teams.
• A privacy specialist reviews the impact of the product's or service's data activities.
• Low impact features can proceed.
• High impact/risk proposals should be de-risked where possible and that process of remediation documented.
• No new product/service or process should proceed without a DPIA.
27. Simple Privacy Compliance Model
Abstraction of Global Regulations for Data Privacy Compliance *
Inventory & Mapping, DSR, Consent & Objection, Data Minimization, DPIA.
Ensure your team and stack have implemented a scalable solution for each.