data accountability & consumer trust
@aureliepols © 2016
Data Accountability & Consumer Trust June 23rd 2016 Aurélie Pols
About me: MAD / BRU / SFO
1. Data Governance & Privacy Advocate for Krux Digital
2. EAG: Ethics Advisory Group for the European Data Protection Supervisor (EDPS)
3. Chief Visionary Officer for Mind Your Privacy
• Training Advisory Board, International Association of Privacy Professionals (IAPP)
• Ethics & Privacy professor in Big Data & Analytics Master, Instituto de Empresa (IE)
• [Entrepreneur / Data Scientist? / Privacy Engineer? / Mother]
• (Dutch nationality, French mother tongue, work mostly in English, live in Spain)
The European Data Protection Supervisor:
an independent institution responsible for ensuring the
protection of personal data by the EU institutions and bodies
The EDPS
Giovanni Buttarelli EDPS
Wojciech Wiewiórowski Assistant EDPS
[Entrepreneur / Data Scientist / Privacy Engineer / Mother]
The Internet grows up; enters Big (& ubiquity of) Data
The New Yorker - July 5, 1993 10 years later…
Digital Ads & Targeting: Online Advertising surpasses TV to record annual spend of €36.2bn
DATA load: 2.5 quintillion bytes of data are created every day
Perpetually connected consumer:
• 3 connected devices used per person in 2014
• 9h53m is the average time spent by US adults on connected screens every day
Sources: IAB (2016), IBM (2014), Statistica (US, 2014), eMarketer (US, 2015)
DATA PRIVACY THE NEW ERA
DATA PRIVACY THE PARADOX
65% of consumers do not have confidence in the security of their personal data.
67% are willing to share personal data in exchange for additional services.
Source: Accenture
Setting the Data Privacy stage
Privacy actors within the data ecosystem
DATA ECOSYSTEM
Citizens Consumers
Voters
Authorities: law + enforcement
Companies Businesses
DATA QUALITY CLASS ACTIONS AdBlocking
COMPLIANCE
GDPR Fines: 4% of Global Turn-Over
Framing digital data accountability
OUR CLIENTS
DATA FLOW
RESPONSIBILITY
DATA CONTROLLER
DATA PROCESSOR
THEIR CUSTOMERS
PRIVACY RIGHTS
DATA PROTECTION / SECURITY PRIVACY BY DESIGN (PbD)
DATA ETHICS
Foundations of Privacy Law
One legal concept to rule them all
FTC's Fair Information Practice Principles (FIPPs)
• Transparency
• Choice
• Information review & correction
• Information protection
• Accountability
Comparing global Privacy legislation
Purpose, Consent & Data Uses evolution
Before Big Data: Purpose, Consent, FIPPs, Data for approved use
Today’s challenge: Purpose, Consent, FIPPs, Data analysis or merging, New business opportunity
The devil in the details, for our clients
Purpose = Reason for data collection, usually broad
• Website improvement, better UX
• Marketing communication
• Sharing data with 3rd parties
Consent
• Types
  • Implicit: Opt-in? Double opt-in?; Explicit: Opt-out?
• Depends upon
  • Type of data: PII, sensitive data, …
  • Type of sector: financial, health, …
  • Geography: US vs. EU, Singapore, …
Privacy legislation kicks in with PII / Personal Data (yet lines are blurring!)
General Data Protection Regulation (GDPR) - May 25 2018
GDPR Fines: 4% of Global Turn-Over !!!
Which variables or combination exactly?
Data types & the law: obligations vary
Hashing & encryption (by default)
Tension between US PII & EU Personal Data

Personally Identifiable Information (PII)
Based on the definition commonly used by most US States
1. Name, such as full names, maiden name, mother’s maiden name, or alias;
2. Personal identification #: social security # (SSN), passport #, driver’s license #, account and credit card #;
3. Address information: street address or email;
4. Asset information: Internet Protocol (IP) or Media Access Control (MAC);
5. Phone #, including mobile, business and personal.
Information identifying personally owned property such as vehicle registration # or title # and related information.

Personal Data
Directive 95/46/EC, the Data Protection Directive
“Personal data shall mean any information relating to an individual or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular or by reference to an identification number or to one or more factors specific to his physical, mental, economic, cultural or social identity”
De-identification is a compliance exercise
From Shades of Grey: Seeing the full spectrum of Practical Data De-Identification by Jules Polonetsky, Omer Tene & Kelsey Finch, April 1st 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2757709
Identification capabilities is a TRUST issue
From Data Privacy: Understanding Privacy principles and ensuring compliance of your digital activities by Aurélie Pols for AT Internet, May 2016
Moving beyond the divide: Digital Ethics
• Layer approach for data driven companies:
Privacy Engineering by Krux
• Promise to our clients’ clients: TRUST
• Bare minimum: Compliance!
VALUE / ETHICS
Respect individuals Corporate Social Responsibility
RISK
Do not harm Standard Operating Procedure
COMPLIANCE
Don’t hit people! Legislation
ETHICS
PROCESS
LAW
For Krux, this means
✓ Assuring compliance & limiting risk for Krux
✓ Assuring our clients’ data uses are compliant with legislations they address + global platform !!!
✓ Leveraging the data to allow our clients to make ethical decisions about their data uses
Evolving Privacy legislation (short term)
Old and new EU Privacy rules
STABLE EU PRIVACY LEGISLATION
SafeHarbor for international transfers of personal data
EU Data Protection Directive (95/46/EC) regulates personal data within the EU
EU ePrivacy Directive* on Privacy & Electronic Communication – think cookies! * (2002/58/EC amended 2006/24/EC & 2009/136/EC)
FUTURE EU PRIVACY LEGISLATION
PrivacyShield strong enough?
EU General Data Protection Regulation (GDPR) strengthens & unifies data protection for EU citizens
Revision of the ePrivacy Directive → Regulation? Confidentiality for all communications (Skype, WhatsApp, …) + strengthen consent rules?
May 25 2018
Draft December 2016: EU DNT?
Data Privacy laws globally?
Blue = Strong Privacy legislation - Green = Moderate - Orange = Limited ??
Data Balkanization vs. UN Globalization effort
Joe Cannataci UN Special Rapporteur Privacy in the Digital Age
Challenges & Opportunities
Competing on Privacy?
• Increased non compliance risk for the data industry
• Clients will require:
  ✓ Guidance
  ✓ Documentation
  ✓ Features
Privacy Engineering by Krux
For Krux, this means
✓ Assuring compliance & limiting risk for Krux
✓ Assuring our clients’ data uses are compliant with legislations they address + global platform !!!
✓ Leveraging the data to allow our clients to make ethical decisions about their data uses
DOs
1. Define your role with the Data Ecosystem
2. Keep metadata on Purpose and Consent*
3. Undergo Privacy Impact/Risk Assessments (PIAs) for
   • Product Launches
   • (new) Data Uses
4. Document Data Flows
5. Keep data clean & to a minimum: data retention & breach notifications
* Unless anonymization today, not tomorrow!!!
DON’Ts*
1. Break the Consent chain
2. Disrespect Customer Expectations
3. Sell personal data without Consent
4. Buy data without understanding Purpose
5. Enrich data without understanding previous rules
* Unless anonymization today, not tomorrow
Ethics of the data analyst
I shall remember data are not only numbers but actual people, that could be harmed by my work;
I shall treat data that might identify individuals with the utmost care, which includes respect for their dignity, avoiding discrimination, as well as security best practices;
I will not do to personal data what I wouldn’t find acceptable for data related to my family, friends, loved ones or myself;
I understand personal data, PII &/or sensitive data is context based and often difficult to identify. In case of doubt, I will ask for help or escalate in order to take the appropriate measures;
I understand data about individuals needs to travel with initial purpose of the data – the reason why it exists - & their respective consent mechanisms;
a) I will never use data without knowing where it comes from, its purpose and consent mechanisms (see Quién es la Última Principle);
b) I will never sell non consented data about individuals;
c) If I sell consented data, it will be accompanied by purpose. Up to the buyer to define whether subsequent data uses are aligned.
I understand consent might be revoked and a Right to be Forgotten – i.e. deletion – could be requested, that might need to be applied;
I shall align security protocols with how personal &/or sensitive the data is;
I will keep trace and document the data used in order to minimize risk related to data uses.
Digital Intelligence Solutions
DATA IS TRANSFORMING OUR VERY LIVES
PRESERVATION OF HUMAN DIGNITY IS AT STAKE
Gracias / Merci / Danke Schön / Bedankt / תודה /
ευχαριστίες krux.com