Storm on the Horizon: Data Governance & Security vs. Employee Privacy
TRANSCRIPT
October 21 2014, SAM Summit London
Aurélie Pols, @aureliepols
Data Governance and Security vs. Employee Privacy: Storm on the Horizon
Presented by: Aurélie Pols
@AureliePols
Aurélie Pols, Chief Visionary Officer & co-founder, Mind Your Privacy, @aureliepols
• Grew up in the Netherlands, Dutch passport
• French mother tongue
• Most of my friends are bilingual at least
• Have Polish & Russian origins
• Co-founded 1st start-up in Belgium in 2003
• Sold it to Digitas LBi (Publicis) UK in 2008
• Moved to Spain in 2009
• Created 2 other start-ups in Spain in 2012
Mind Your Group, Putting Your Data to Work
Mind Your Privacy, Data Science Protected
Yes, a “law firm” but we prefer to say a bunch of Data Scientists working with a bunch of Lawyers
SUN on Privacy: Get over It!
“You have zero privacy anyway, get over it”,
Scott McNealy, CEO of Sun Microsystems, January 1999
At eMetrics in Boston in 2006, this turned into “Privacy is Dead Aurélie, get over it!”
EU fines? Spain: responsible for 80% of data protection fines in the EU
Source: http://i0.kym-cdn.com/photos/images/newsfeed/000/242/381/63a.jpg
Source: http://www.mindyourprivacy.com/download/privacy-infographic.pdf
Data: 3 types vs. Privacy
1. Customer data: visitor, prospect, citizen, voter, …
2. Competitive data: market share, IP, …
3. Employee data
Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg
[Diagram: from the traditional set-up (server, software licence management, (mere) server access control, $ / € / £ licence compliance) to three options A, B, C: corporate use only, COPE, BYOD, with (multi) device control, user profiling and cloud/SaaS]
Summary
• How to reconcile Privacy viewpoints on a Global Level (US, EU, APEC)
• Key Legal concepts to collaborate with Legal Counsel
• The current challenge for SAM & employee data
• 7 Rules to collect employees’ data without invading their privacy
• Q&A
National Security vs. Privacy
Data Retention vs. Data Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
Eg. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)
Complicated?
Source: https://www.forrestertools.com/heatmap/
Regulatory Law
“Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different”
Source: Bloomberg Singapore Sessions, April 23rd 2014, http://www.bloomberg.com/video/big-data-big-results-singapore-sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html
A Global Perspective
US & UK: Common Law; Class actions; Privacy; Business focused; Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …; PII: varies per state
EU: Continental Law; Fines (by DPAs: Data Protection Agencies); Personal Data Protection (PDP); Citizen focused: data belongs to the visitor/prospect/consumer/citizen; Over-arching EU Directives & Regulations; Risk levels: low, medium, high, extremely high
APEC: Continental law influenced
If you collect PII… then
(the same US & UK / EU / APEC comparison as on the previous slide applies)
PII vs. Risk levels
[Diagram: PII data type mapped against risk level and the information security measures required]
• Low
• Medium (profiling)
• High (sensitive)
• Extremely high (profiling of sensitive data)
Where to start?
Compliance?
Privacy?
Security?
Moving targets
The “Magnum” Plan
• Document your data set-up
• Set-up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures (data protection)
• Risk Management: Adopt global & sustainable Privacy best practices
Or in a nutshell: steps 1-2-3
1. Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data
Competences: Legal/Compliance (matrix)
2. What are the risks? Fines, class actions, customer complaints, security breaches
Competences: Risk management
3. What is the trade off? Compliance vs. data, business needs and technology
Competences: Business, understanding risks vs. rewards, for data and technology
Employee Privacy legislation?
Source: http://4.bp.blogspot.com/_DhwcCqGFPe4/TH46NxsIYqI/AAAAAAAAAKY/mU5osFaYQII/s1600/WWbuffalobillP.jpg
What an employer should tell an employee – UK legislation
An employee has the right to be told:
• What records are being kept and how they’re used
• The confidentiality of the records
• How these records can help with their training and development at work
If an employee asks to find out what data is kept on them, the employer will have 40 days to provide a copy of the information.
An employer shouldn’t keep data any longer than is necessary and they must follow the rules on data protection.
Source: https://www.gov.uk/personal-data-my-employer-can-keep-about-me
LEGAL CONCEPTS TO EFFICIENTLY COLLABORATE WITH LEGAL COUNSEL
Privacy cheat sheet
Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
Fair Information Practice Principles (FIPPs)
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
FIPPs: Fair Information Practice Principles
These principles are not laws; they form the backbone of privacy law and provide guidance in the collection, use and protection of personal information
Transparency ensures no secret data collection; provides information about the collection of personal data to allow users to make an informed choice
Choice gives individuals a choice as to how their information will be used
Information review & correction allows individuals the right to review and correct personal information
Information protection requires organizations to protect the quality and integrity of personal information
Accountability holds organizations accountable for complying with FIPPs
Purpose, Consent & Data Uses
From: Purpose → Consent → FIPPs → Data for approved use
To: Purpose → Consent → FIPPs → Data analysis or merging → New business opportunity
Big Data is Killing the Privacy Framework
Enterprise goal / User goals
[Diagram: Privacy Policy → Requirements → Privacy Mechanisms → Procedures & Processes → Privacy Awareness Training → Quality Assurance, with Feedback from Quality Assurance back into the cycle]
Privacy by Design (PbD) 7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options
The good old days
Uber simplified
[Diagram: the traditional set-up (server, software licence management, (mere) server access control, $ / € / £ licence compliance), then the same set-up extended with three options A, B, C: corporate use only, COPE, BYOD, with (multi) device control, user profiling and cloud/SaaS]
Corporate use only, COPE or BYOD?
Corporate Owned, Personally Enabled (COPE)
– IT defines supported devices
– (Remote) control over devices
• Wipe clean in case of theft
• Access management
The company chooses between A, B or C
And follows up with controls and processes (here out of scope)
[Diagram: A = corporate use only, B = COPE, C = BYOD; alongside the traditional server set-up (software licence management, (mere) server access control, $ / € / £ licence compliance) sit (multi) device control, user profiling and cloud/SaaS]
Consequences for SAM
Changes to take into consideration:
1. Multi user device control
2. Create & manage user profiles
3. Increased use of SaaS & the cloud
Typical example for (digital) marketing:
Source: http://hbr.org/2014/07/the-rise-of-the-chief-marketing-technologist/ar/1
It’s about the data exhaust
Changes to take into consideration:
1. Multi user device control
2. Create & manage user profiles
3. Increased use of SaaS & the cloud
Creating a data exhaust your company will want to leverage
What does this mean?
Issues to be tackled:
1. Purpose definition
• Consent? Opt-in, opt-out
2. Data ownership
3. Local compliance
• For your company with respect to your employees
• For the SaaS/cloud provider used with respect to Privacy rights
4. Security
Accountability
[EU Cookie Directive: implicit consent]
Opt-in vs. Opt-out strategies & consequences on data collection
Source: http://chinwag.com/files/images/photos/ico-traffic-post-cookie-graph.gif
Moving to the cloud/SaaS
[Diagram: HQ and Local Subsidiaries 1 to 4, each with its own Employee Terms & Conditions; Applicable Security Measures???]
Security (technical)
Data Collection
Processes
Resources
Purpose, Consent & Data Uses
From: Purpose → Consent → FIPPs → Data for approved use
To: Purpose → Consent → FIPPs → Data analysis or merging → New business opportunity
7 RULES TO COLLECT EMPLOYEES’ DATA WITHOUT INVADING THEIR PRIVACY
Respect Employee Privacy
1. Find a sponsor, often HR
2. Have a hypothesis
• Purpose
3. Default to anonymity and aggregation
4. If you can’t let employees be anonymous, let them choose how you use their data
• Consent: opt-out vs. opt-in
5. Screen for confidential information
6. Don’t dig for personal information
7. For additional protection, consider using a third party
Source: http://blogs.hbr.org/2014/09/collect-your-employees-data-without-invading-their-privacy/
Legal base lines
Germany:
– Probably the strictest, start here if required
UK:
– Quick guide to the employment practices code, chapter 5 http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.pdf
US:
– Use California as a reference to start with: http://oag.ca.gov/privacy/workplace-privacy
Reminder: steps 1-2-3
1. Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data
Competences: Legal/Compliance (matrix)
2. What are the risks? Fines, class actions, customer complaints, security breaches
Competences: SAM + manager who wants to use the employee data exhaust?
3. What is the trade off? Compliance vs. data, business needs and technology
Competences: HR, legal, manager, SAM?