Superweek 2016: Would you lie to your physician?

Post on 21-Apr-2017


@aureliepols

Would you lie to your physician?

Aurélie Pols, Superweek February 2016

Monkey reporting on remote-controlled data cows?

Superweek.hu

http://www.theguardian.com/technology/2016/jan/30/europe-google-facebook-technology-ethics-eu-martin-schulz

Let’s Play a Game: Are you willing to give & allow storage of this data about you?

1.  My first and last name
2.  My birth date
3.  My current home address
4.  My bank account info
5.  All of my online searches
6.  All websites I have ever visited
7.  The names of everyone I communicate with (email, Skype, app, chat, snap, call)
8.  Names, phone numbers and photos of everyone I know
9.  Where I am and where I’ve ever been
10. The content of all my communication with others at all times

Source: not my questions! https://www.youtube.com/watch?v=BVM]zKnSgs

Would you lie to your physician?

I do! (lie to my doctor)

When it applies to me!

Not for what’s most dear…

Risk averse for my children

•  My most precious assets
•  We share common goals
•  And speak the same language

Could you say the same of your Legal Counsel?

Consider before crucifying the Rule of law

1.  The specifics of data as an Economic Asset:
    •  Data is infinitely transferable without decay
2.  Often forgotten Legislative Challenges
    •  Defining and recognizing Data Harms
3.  Related to evolving Privacy Legislation
    •  Compliance is a Risk Exercise
4.  Minimizing Privacy related Risks
    •  YOUR liability within the Data Ecosystem

I’m not here to define Privacy

Analytics

Privacy (& Data Protection)

Fact remains: RACI matrices

•  Legal counsel will be held accountable
•  Legal counsel should be consulted

R: Responsible
•  Who is/will be doing this task?
•  Who is assigned to work on this task?

A: Accountable
•  Whose head will roll if this goes wrong?
•  Who has the authority to take decision?

C: Consulted
•  Anyone who can tell me more about this task?
•  Any stakeholders already identified?

I: Informed
•  Anyone whose work depends on this task?
•  Who has to be kept updated about the progress?

In a world of dynamic regulation

Two fundamental Data Privacy questions:
1.  How far is too far (for data use & transparency)?
2.  Who will decide (what is acceptable)?

If I had 1 £ for every time I heard…

1.  Yes but we don’t collect PII
2.  International data transfers? Safe Harbour!

So what to do? 1 rules them all

Transparency

Choice

Information review & correction

Information protection

Accountability

There is no PII NOC list, get over it!

Sensitive data? A wash list of controversial variables!

PII vs. Risk Levels

Risk Level by Data type:
•  DIGITAL EXHAUST: Low Risk
•  OBA: Medium Risk (profiling)
•  HIPAA HEALTH DATA: High Risk (sensitive)
•  FCRA CREDIT SCORING: Extremely High Risk (profiling of sensitive data)

Information Security Measures

Getting closer to uniquely identifying an individual

US: if/then exercises PII

Where to start?

1.   Define yourself
•  Who are you in the data ecosystem?
•  What are your obligations?
•  What is expected of you?
•  (Who can find out?)

Where to start?

2.   Document your Digital Entanglement

High-level mock-up of existing client.

Next steps:
✓ Terms & sovereignties
✓ Data points & access/sharing
✓ Purpose & Consent
✓ Data retention periods

Where to start?

3.   Align your liabilities:
•  What do the terms allow?
•  Which data points are you collecting?
•  Which clauses are being used (International data transfer mechanisms: Safe Harbour)?
•  Who has access? Data sharing
•  …

Where to start?

4.   Don’t drop the ball on Purpose and Consent!

Purpose Consent

What happens if opt-out of email list? https://support.google.com/adwords/answer/6276125?hl=en

UK: Optical Express bought “consented” data from Thomas Cook
See ICO PECR: https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/

Where to start?

5.   Understand your risk
•  Of legal issues: fines, class actions
   Schleswig-Holstein DPA considers Safe Harbour clauses today unacceptable + can’t be replaced by model clauses either => is this a risk for your company?
•  Of customer backlashes: unexpected / creepy data uses
   Target: using shopping behavior to define pregnancy state (sensitive data) => consent!

Where to start?

6.   Document, train & communicate
•  If asked, be able to show you’ve done your homework
•  Define accountability (data stewards) & escalation procedures
•  Explain & ask for help: your company is the patient!

We all hated the “cookie Directive”, right?

Find out where the next Data Privacy challenges lie

For you: Piwik webinar
https://piwik.pro/c/privacy-webinar/

For your colleagues: IAPP webinar
https://my.iapp.org/nc__event?id=a0l1a000000nDWsAAM

LET’S START THE DISCUSSION

Thank you for your attention!

aurelie@mindyourprivacy.com

THANK YOU FOR LISTENING!
