TRANSCRIPT
GDPR STAKEHOLDER INVOLVEMENT
HOW TO ELEVATE YOUR PRIVACY PRACTICES
TOPICS: data privacy, surveillance, clients, GDPR, COVID-19, employees, Facebook
MATTHIAS DOBBELAERE-WELVAERT
WHO IS THIS GUY?
TWITTER: @DOBBELAEREW
PRIVACY EXPERT & ACTIVIST: Director of ‘the Ministry of Privacy’
GHENT LEGAL HACKERS: Co-founder.
TRIUMPH AMBASSADOR: Official Triumph Mobility Ambassador.
LEGAL STORYTELLER: Legal Stories
LECTURER: Erasmus Hogeschool Brussel
01. A DIVE INTO HISTORY
WHAT IS PRIVACY? IT’S MORE THAN LEGISLATION
Privacy is a human right, as stated in Article 8 of the ECHR. However, the protection is not absolute: restrictions are possible. Governments can impose restrictions to ensure the safety of their citizens. Private companies are also allowed to process personal data if you give your permission for this, or if they have a “legitimate” interest in doing so.
IT’S MORE.
It’s essential to point out that privacy is way more than legislation. In the past months a very narrow focus has arisen in media discussions concerning privacy. Issues are constantly being evaluated through a very narrow lens of articles within the GDPR, and while that is important legislation, privacy as a concept has to be understood from an ethical, philosophical, sociological and even historical point of view.
While most of you are privacy experts and DPOs, you undoubtedly have a very good understanding of the GDPR, and the rights and obligations that are contained in the text. While essential to avoid costly fines - since the Belgian DPA is apparently waking up from its winter sleep -, a better and deeper understanding of privacy is important when establishing a privacy practice through the lens of the data subject itself (whether that is an employee, a client, an app user, a supplier, and so on).
HISTORY OF PRIVACY
“PRIVACY MAY ACTUALLY BE AN ANOMALY” ~ Vinton Cerf, co-creator of the early internet prototype and Google executive.
Privacy, as it is conventionally understood, is only about 150 years old. Most humans living throughout history had little concept of privacy in their tiny communities. Humans have invariably chosen money, prestige or convenience when these conflicted with a desire for solitude. Excellent source: https://medium.com/the-ferenstein-wire/the-birth-and-death-of-privacy-3-000-years-of-history-in-50-images-614c26059e
THE GREEKS
The Greeks displayed some preference for privacy. And, unlike their primitive ancestors, the Greeks had the means to do something about it. University research found that the Greeks used their sophisticated understanding of geometry to create housing with the mathematically minimum exposure to public view while maximizing available light. However, Athenian philosophy proved far more popular than their architecture. “For where men conceal their ways from one another in darkness rather than light, there no man will ever rightly gain either his due honour or office or the justice that is befitting” ~ Socrates
MIDDLE AGES
Early Christian saints pioneered the modern concept of privacy: seclusion. The Bible popularized the idea that morality was not just the outcome of an evil deed, but the intent to cause harm; this novel coupling of intent and morality led the most devout followers (monks) to remove themselves from society and focus obsessively on battling their inner demons, free from the distractions of civilization.
EARLY RENAISSANCE
Thanks to the invention of the printing press after the Great Counsel’s decree, personal reading supercharged European individualism. Poets, artists, and theologians were encouraged in their pursuits of “abandoning the world in order to turn one’s heart with greater intensity toward God”. To be sure, up until the 18th century, public readings were still commonplace, a tradition that extended until universal book ownership. Quiet study was an elite luxury for many centuries.
BEDS WERE… EXPENSIVE.
Individual beds are a modern invention. As one of the most expensive items in the house, a single large bed became a place for social gatherings, where guests were invited to sleep with the entire family and some servants. However, the Black Death alone killed over 100 million people, and this profoundly changed hygiene attitudes, especially in hospitals, where it was once common for patients to sleep as close together as houseguests were accustomed to.
INDUSTRIAL REVOLUTION
In this early handwritten note of August 20th, 1770, revolutionist and future President of the United States John Adams voiced his support for the concept of privacy. Privacy-conscious citizens did find more traction with what would become perhaps America’s first privacy law, the 1710 Post Office Act, which banned sorting through the mail by postal employees.
GILDED AGE
By the time the industrial revolution began serving up material wealth to the masses, officials began recognizing privacy as the default setting of human life. For the poor, however, life was still very much on display. It was during the Gilded Age that privacy was officially acknowledged as a political right.
LATE 20TH CENTURY
By the 60s, individualized phones, rooms, and homes became the norm. 100 years earlier, when Lincoln tapped all telegraph lines, few raised any questions. In the new century, invasive surveillance would bring down Lincoln’s distant successor, even though his spying was far less pervasive. Upon entering office, the former Vice-President assured the American people that their privacy was safe.
NOW.
Young consumers were willing to purchase a location tracking feature that was once the stuff of 1984 nightmares. Increased urban density and skyrocketing rents in the major cities have put pressure on communal living. At the more extreme ends, a new crop of so-called “life bloggers” publicize intimate details about their days.
Excellent source for the history of privacy, read more via https://medium.com/the-ferenstein-wire/the-birth-and-death-of-privacy-3-000-years-of-history-in-50-images-614c26059e
WHAT IS ITS FUTURE?
WILL PRIVACY FADE AGAIN?
Will privacy fade? Most people seem perfectly willing to trade off privacy for safety, health (COVID-19, anyone?) or simple convenience. Others are saying that the cost of privacy is too high, an argument repeatedly heard in the Corona pandemic over the last few weeks.
TRACKERS, INSURERS, ETC.
Many of us carry around portable trackers, whether that is in the form of smart watches, smartphones, or other accessories. Cyclists are keen to share their adventures on Strava (“Facebook post or it didn’t happen”). Some insurers are already suggesting lower fees in exchange for insights into customers’ health data. Or take Carrefour Brussels as an example: they’re implementing a payment method using their customers’ fingerprints. Immediately, customers signed up without any noticeable advantage (no coupon or cost savings).
So. Is privacy dying?
THE QUESTION
DO DATA SUBJECTS REALLY CARE?
All your investments made, processes implemented, education included: do data subjects really care? Ask yourself: how many data requests have you received since 25 May 2018? How many data removals? And is that because people simply don’t care, or because they don’t know about their many rights and possibilities within the GDPR?
02. ACTIVATING DATA SUBJECTS
Make them care.
GRRR
“I HAVE NOTHING TO HIDE”
IS IT YOUR JOB TO MAKE DATA SUBJECTS CARE?
MANY WOULD ARGUE, NO.
As DPO or privacy expert within your organisation, many of you have experienced a certain restraint from management or other departments. After all, data is an incredibly valuable resource, and no longer restricted to pure data companies. Every sector and every company can thrive on data analysis. That, perhaps, is the reason for long, non-transparent legal texts and procedures.
WHICH ROLE DO YOU WANT TO PLAY?
ASK YOURSELF: WHAT DO YOU WANT?
An important thing to ask yourself is how you want your data to be handled by other companies. As DPOs, you have an incredible advantage over ‘regular people’, since you have extended knowledge of privacy legislation. However, most data subjects have no or very limited experience when exercising their data rights.
HOW TO ACTIVATE?
A FEW IDEAS TO ACTIVATE DATA SUBJECTS
Most amongst us are inherently ‘lazy’. This is a simple survival instinct: the more work we need to put in for a result, the less interesting it will become. Therefore, it is critical - if you care at all about data subject involvement - that you make steps and processes as easy and accessible as possible. Here are a few ideas:
DO YOU EVEN READ THOSE?
NOBODY: Deloitte conducted a survey of 2,000 people in the US. 91% agreed to T&Cs without even reading them.
… AND ONLY 3% of those aged between 18 and 34 read the legal text. 97% simply agreed.
AVERAGE: 10 MINUTE READ. THIS WAS BEFORE THE GDPR.
PEOPLE DON’T CARE ABOUT THEIR PRIVACY! OR DO THEY?
VOX POPULI
TERMS OF SERVICE; DIDN’T READ
GERMAN BASED IDEA
“I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.
OLD
Since 2012: mixed results.
As long as we persist in writing privacy policies in this manner, we can forget about data subject involvement. Yes, legal is important, but it’s time to stop seeing privacy as just a legal burden: make it part of your customer journey.
TOO MUCH INFO
STOP NAGGING. SHOW ME THE WAY.
SOLUTIONS, NOT PROBLEMS
LEGAL DESIGN
“Legal design is the application of human-centered design to the world of law, to make legal systems and services more human-centered, usable, and satisfying.”
Source: https://www.lawbydesign.co/
LEGAL DESIGN.
IT’S TEAMWORK
Legal design is not just making something very unattractive, attractive. It’s more than simple graphic design: it demands cooperation between copywriters, marketeers, graphic artists and lawyers or DPOs. Legal design is a spinoff of the ‘service design’ hype, which stresses the importance of teamwork across disciplines.
INVITE THE USER
ROUND TABLE YOUR DATA SUBJECTS
Organise round tables with a selection of your clients, suppliers and employees (separately, though). Ask not: “how is our privacy policy?” but rather: “do you feel your data is safe with us, and what can we do to improve this?”.
It goes without saying that a perk should be included.
SECOND IDEA
MAKE EVERYTHING SIMPLER
EXAMPLE: DATA REQUESTS
We get it, you want to hide the data requests because these are often a load of extra work for the DPOs involved. Yet, it’s an important tool for the data subject, whether they just want a quick look or a complete ‘deletion’ of the data involved.
Let me show you something.
THIRD IDEA
WHY DID WE MAKE THIS?
BECAUSE THE EXPERIENCE SUCKED.
Yes, we did find the email address of every DPO in *almost* every privacy policy. Hospitals were by far the sector that scored very poorly on this: many were not up to date with the GDPR requirements or had “[email protected]” as address. Almost no-one had a form (except some operators), and certainly no-one had a model or an example to show to data subjects. That could be improved greatly.
KISS: KEEP IT SIMPLE, STUPID
YOU WANT DATA SUBJECT INVOLVEMENT?
Make it simple. Period.
03. COVID-19: HOW TO BUILD TRUST
Trust will be the key component in everything you do, post COVID-19.
WHICH CORPORATE REALITY DO WE WANT?
It will be exciting to take back our normal lives. Perhaps one day we will do keynotes again in real life, and not like this. I would prefer it so.
Yet, are temperature scanners being implemented in every conference room? Will cameras with software be tracking us? Will an app or a bracelet be made mandatory by business owners or CEOs?
HELL
The debate concerning the COVID-19 application proves one thing: consumers and citizens are highly unpredictable. When the government is filling our streets with surveillance cameras and high-tech hardware, the majority couldn’t care less. When the government wants your fingerprints - even if it doesn’t do anything for your safety - and believe me, although I might be biased, it doesn’t! - they still don’t care.
But when the government wants to put forward a relatively anonymous app (for example, with the DP3T framework), all hell breaks loose. How is this to be explained? Why?
It’s too early to give definitive answers, but the most probable one: we are used to being afraid. Of terrorists or crime. We are not used to feeling threatened by viruses or diseases. We don’t have a mask culture like China or other Asian countries. So this is very new; smart cameras just aren’t.
COMMUNICATION
Communication is key, certainly in moments of crisis. By far the most heard complaint about Wilmès I was the lack of clear communication (remember the weird PowerPoint presentation). Communication isn’t just key if you are a Prime Minister, but also if you’re the CEO or DPO at a company that will bring back its employees, customers and suppliers.
Your company will want to take measures. I expect they have already taken them, or at least have a roadmap ready. Many will involve the processing of personal data. There is no issue with providing sanitary gel at your entrance. There is - according to the Belgian DPA - no issue with temperature scanning - the Dutch DPA is much more careful in its point of view, and has decided against the private use of temperature scanning -, as long as no personal data is being stored. However, many of you have multiple cameras and surveillance implemented at entrances. It will be key to wipe that footage or disable cameras, so that positively tested visitors, employees or suppliers cannot be linked to their result.
TEMPERATURE SCANNING
The Belgian DPA (GBA/APD) does not consider the mere taking of body temperature to be a processing of personal data. Insofar as such a temperature reading is not accompanied by any additional registration or processing of personal data, the GDPR therefore does not apply. In general, an employer cannot take measures that go beyond the existing labour-law regulatory framework or the instructions of the competent authorities.
WEARABLES
Companies have rushed to market with prototypes of Bluetooth wearables. These - depending on their configuration and (de)central storage of data - can be privacy-friendly or a privacy nightmare. The most privacy-friendly one is of course the basic variant of the wearable: the bracelet checks every 20-30 seconds via Bluetooth signal that no other bracelet is too close by. Others are providing employers with a bracelet dashboard, so employers or management can intervene and step in when an employee clearly isn’t too keen on the social distancing measures.
My only advice: think before you buy. I understand procurement is not the DPO department, but I need you all to step in. Surveilling your employees through Bluetooth wearables (when the data is centralized, at least) is an Orwellian nightmare for your colleagues. Might as well combine them with toilet and cigarette break trackers (yes, this has been suggested).
MANUAL TRACING
Manual tracing seems to be becoming a disaster. While the procedures are already in place, and patients who tested positive are already receiving phone calls from tracers, the legislative framework is lagging behind - and worse, being completely demolished by the Belgian DPA.
Criticism concerns the centralization of data by Sciensano (the database), storage of data (up to 30 years), collection of data (too much data that isn’t strictly relevant), and so on. This is an additional concern for building trust amongst citizens - trust, which is essential.
APPS
I almost don’t dare to talk about this subject anymore. The debate is intense, with abundant levels of emotion - I’m no different, at least in the early weeks of the debate. Suffice it to say, the Corona apps are incredibly sensitive in almost every country where they are either introduced or planned.
Belgium has been lagging behind. The ‘Data Against Corona’ taskforce of Philippe De Backer investigated multiple scenarios and applications. None seemed to pass the famous ‘privacy test’, which was more than simple GDPR requirements. In the first instance, the idea was to have multiple apps that consumers could freely install. However, since Apple & Google have made their API available to only one official government app, this idea was abandoned. Most likely, it will be an app from UGent, in cooperation with several other academic bodies and private companies.
In the legislative proposal, it’s clear that the Belgian app will have to make use of the DP3T framework, of which there is agreement amongst most privacy specialists and activists that this is the framework that delivers the most protection for users’ privacy.
What is also very clear in the current proposal is that employers can never make the installation of the app mandatory. Yet, as we all know, there are different levels of explicit or implicit coercion. We have to remain vigilant, as DPOs and privacy activists or specialists, that free choice does indeed mean: free. Just like the much debated free consent in the GDPR, this is only to be assured by vigilance.
WHAT THE FUTURE WILL BRING IS HIGHLY UNCERTAIN.
IT’S YOU. THE DPO.
You have a special job to do in the weeks and months ahead. You will have to find ways to align safety, health, hygiene and privacy, both in relation to your customers, employees and suppliers. And while many of them will agree to just about anything your company proposes, a lot of them will also be hesitant to trust their employer or client with sensitive medical data.
Basic GDPR hygiene is recommended (such as data minimisation). Yet, we have to realize one important thing: the GDPR is not a holy grail in this pandemic. On the contrary, the GDPR explicitly foresees the possibility for governments to process enormous amounts of sensitive personal data when this is necessary to combat health crises (Recital 46 and Article 9(2)(i)). So while governments will have an easy job implementing COVID-19 measures, measures taken by companies will have a much harder time aligning with the GDPR (however, take a good look at Article 9(2)(h)).
Hey you…
Thank you for having me. Any questions?