storm on the horizon: data governance & security vs. employee privacy

October 21 2014 SAM Summit London Aurélie Pols @aureliepols Data Governance and Security vs. Employee Privacy Storm on the Horizon

Upload: aurelie-pols

Post on 14-Jul-2015



TRANSCRIPT

October 21 2014, SAM Summit London

Aurélie Pols, @aureliepols

Data Governance and Security vs. Employee Privacy: Storm on the Horizon

Presented by: Aurélie Pols

@AureliePols

Aurélie Pols, Chief Visionary Officer & co-founder, Mind Your Privacy, @aureliepols

• Grew up in the Netherlands, Dutch passport

• French mother tongue

• Most of my friends are bilingual at least

• Have Polish & Russian origins

• Co-founded 1st start-up in Belgium in 2003

• Sold it to Digitas LBi (Publicis) UK in 2008

• Moved to Spain in 2009

• Created 2 other start-ups in Spain in 2012

Mind Your Group, Putting Your Data to Work

Mind Your Privacy, Data Science Protected

Yes, a “law firm” but we prefer to say a bunch of Data Scientists working with a bunch of Lawyers


SUN on Privacy: Get over It!

“You have zero privacy anyway, get over it”,

Scott McNealy, CEO of Sun Microsystems, January 1999

At eMetrics in Boston in 2006, this turned into “Privacy is Dead Aurélie, get over it!”


EU fines? Spain: responsible for 80% of data protection fines in the EU

Source: http://i0.kym-cdn.com/photos/images/newsfeed/000/242/381/63a.jpg

Source: http://www.mindyourprivacy.com/download/privacy-infographic.pdf


Data: 3 types vs. Privacy

1. Customer data

Visitor, prospect, citizen, voter, …

2. Competitive data

Market share, IP, …

3. Employee data

Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg

Diagram (evolution of SAM): A: server-side software licence management (mere server access control; $ / € / £ licence compliance). B: corporate use only / COPE / BYOD (multi-device control, user profiling). C: cloud [SaaS].


Summary

• How to reconcile Privacy viewpoints on a Global Level (US, EU, APEC)

• Key Legal concepts to collaborate with Legal Counsel

• The current challenge for SAM & employee data

• 7 Rules to collect employees’ data without invading their privacy

• Q&A


RECONCILING GLOBAL PRIVACY VIEWPOINTS

US, EU, APEC


National Security vs. Privacy

Data Retention vs. Data Protection

Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg

E.g. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)


Complicated?

Source: https://www.forrestertools.com/heatmap/


Regulatory Law

“Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different”

Source: Bloomberg Singapore Sessions, April 23rd 2014, http://www.bloomberg.com/video/big-data-big-results-singapore-sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html


A Global Perspective

| US & UK | EU | APEC |
| Common Law | Continental Law | Continental law influenced |
| Class actions | Fines (by DPAs: Data Protection Agencies) | |
| Privacy | Personal Data Protection (PDP) | |
| Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen | |
| Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations | |
| PII: varies per state | Risk levels: low, medium, high, extremely high | |


If you collect PII… then

| US & UK | EU | APEC |
| Common Law | Continental Law | Continental law influenced |
| Class actions | Fines (by DPAs: Data Protection Agencies) | |
| Privacy | Personal Data Protection (PDP) | |
| Business focused | Citizen focused | |
| Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations | |
| PII: varies per state | Risk levels: low, medium, high, extremely high | |


PII vs. Risk levels

Diagram: risk level of the data type determines the information security measures applied to PII.

• Low

• Medium (profiling)

• High (sensitive)

• Extremely high (profiling of sensitive data)


Where to start?

Compliance?

Privacy?

Security?

Moving targets


The “Magnum” Plan

• Document your data set-up

• Set-up a compliance check-list:

– Applicable legislations to your sector

– Territorial scope

• Evaluate your risk

• Follow-up with information security measures (data protection)

• Risk Management: Adopt global & sustainable Privacy best practices


Or in a nutshell: steps 1-2-3

1. Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data. Competences: Legal/Compliance (matrix)

2. What are the risks? Fines, class actions, customer complaints, security breaches. Competences: Risk management

3. What is the trade off? Compliance vs. data, business needs and technology. Competences: Business, understanding risks vs. rewards, for data and technology


Employee Privacy legislation?

Source: http://4.bp.blogspot.com/_DhwcCqGFPe4/TH46NxsIYqI/AAAAAAAAAKY/mU5osFaYQII/s1600/WWbuffalobillP.jpg


What an employer should tell an employee – UK legislation

An employee has the right to be told:

• What records are being kept and how they’re used

• The confidentiality of the records

• How these records can help with their training and development at work

If an employee asks to find out what data is kept on them, the employer will have 40 days to provide a copy of the information.

An employer shouldn’t keep data any longer than is necessary and they must follow the rules on data protection.

Source: https://www.gov.uk/personal-data-my-employer-can-keep-about-me


LEGAL CONCEPTS TO EFFICIENTLY COLLABORATE WITH LEGAL COUNSEL

Privacy cheat sheet


Data lifecycles

Analytics => Follow the Money

Privacy => Follow the Data

Legal: Procedures/Processes, Compliance & Risks Assessments


Fair Information Privacy Practices (FIPPs)

Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg


FIPPs: Fair Information Practice Principles

These principles are not laws; they form the backbone of privacy law and provide guidance in the collection, use and protection of personal information.

• Transparency ensures no secret data collection; provides information about the collection of personal data to allow users to make an informed choice

• Choice gives individuals a choice as to how their information will be used

• Information review & correction allows individuals the right to review and correct personal information

• Information protection requires organizations to protect the quality and integrity of personal information

• Accountability holds organizations accountable for complying with FIPPs


Purpose, Consent & Data Uses

Diagram, from: Purpose → Consent → FIPPs → Data for approved use.

Diagram, to: Purpose → Consent → FIPPs → Data analysis or merging → New business opportunity.

Big Data is Killing the Privacy Framework


Diagram elements: Enterprise goal; User goals; Privacy Policy; Requirements; Privacy Mechanisms; Procedures & Processes; Privacy Awareness Training; Quality Assurance; Feedback.


Privacy by Design (PbD): 7 Fundamental Principles

Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada

1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen

2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice

3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered

4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies

5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end

6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification

7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options


THE EVOLUTION OF SAM

Respect Employee Privacy


The good old days (uber simplified)

Diagram: the good old days are stage A only: server-side software licence management (mere server access control; $ / € / £ licence compliance).

Diagram (full evolution): A: server-side software licence management. B: corporate use only / COPE / BYOD (multi-device control, user profiling). C: cloud [SaaS].


Corporate use only, COPE or BYOD?

Corporate Owned, Personally Enabled (COPE)

– IT defines supported devices

– (Remote) Control over devices

• Wipe clean on theft

• Access management

The company chooses between A, B or C, and follows up with controls and processes (here out of scope).

Diagram: A: server-side software licence management (mere server access control; $ / € / £ licence compliance). B: corporate use only / COPE / BYOD (multi-device control, user profiling). C: cloud [SaaS].


Consequences for SAM

Changes to take into consideration:

1. Multi user device control

2. Create & manage user profiles

3. Increased use of SaaS & the cloud

Typical example for (digital) marketing:

Source: http://hbr.org/2014/07/the-rise-of-the-chief-marketing-technologist/ar/1


It’s about the data exhaust

Changes to take into consideration:

1. Multi user device control

2. Create & manage user profiles

3. Increased use of SaaS & the cloud

Creating a data exhaust your company will want to leverage


What does this mean?

Issues to be tackled:

1. Purpose definition

• Consent? Opt-in, opt-out

2. Data ownership

3. Local compliance

• For your company with respect to your employees

• For the SaaS/cloud provider used, with respect to privacy rights

4. Security

Accountability


[EU Cookie Directive: implicit consent]

Opt-in vs. Opt-out strategies & consequences on data collection

Source: http://chinwag.com/files/images/photos/ico-traffic-post-cookie-graph.gif


Moving to the cloud/SaaS

Diagram: HQ and Local Subsidiaries 1, 2, 3 and 4; open questions for each: Employee Terms & Conditions? Applicable Security Measures???


Diagram elements: Security (technical); Data Collection; Processes; Resources.


Purpose, Consent & Data Uses (recap)

Diagram, from: Purpose → Consent → FIPPs → Data for approved use.

Diagram, to: Purpose → Consent → FIPPs → Data analysis or merging → New business opportunity.


7 RULES TO COLLECT EMPLOYEES’ DATA WITHOUT INVADING THEIR PRIVACY

Respect Employee Privacy


1. Find a sponsor, often HR

2. Have a hypothesis

• Purpose

3. Default to anonymity and aggregation

4. If you can’t let employees be anonymous, let them choose how you use their data

• Consent: opt-out vs. opt-in

5. Screen for confidential information

6. Don’t dig for personal information

7. For additional protection, consider using a third party

Source: http://blogs.hbr.org/2014/09/collect-your-employees-data-without-invading-their-privacy/
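As an added example (not from the slides, the HBR article or the speaker's company), here is how rules 3 and 5 can be applied to the SAM data exhaust in Python: licence compliance is reconciled from plain install counts, identifying fields are screened out, and per-department counts below an assumed minimum group size are suppressed rather than reported. The inventory records, field names and the MIN_GROUP threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a SAM "data exhaust": one record per software install,
# tied to the employee and device it was found on. Not real data.
RAW_INVENTORY = [
    {"employee": "e001", "device_id": "d01", "dept": "Sales", "software": "OfficeSuite"},
    {"employee": "e002", "device_id": "d02", "dept": "Sales", "software": "OfficeSuite"},
    {"employee": "e003", "device_id": "d03", "dept": "Sales", "software": "OfficeSuite"},
    {"employee": "e001", "device_id": "d01", "dept": "Sales", "software": "CADTool"},
    {"employee": "e004", "device_id": "d04", "dept": "Eng", "software": "CADTool"},
    {"employee": "e005", "device_id": "d05", "dept": "Eng", "software": "CADTool"},
    {"employee": "e006", "device_id": "d06", "dept": "Eng", "software": "CADTool"},
    {"employee": "e007", "device_id": "d07", "dept": "Eng", "software": "CADTool"},
    {"employee": "e004", "device_id": "d04", "dept": "Eng", "software": "OfficeSuite"},
    {"employee": "e005", "device_id": "d05", "dept": "Eng", "software": "OfficeSuite"},
]

# Assumed list of fields that identify a person or device (rule 5: screen them out).
IDENTIFYING_FIELDS = {"employee", "device_id"}

# Assumed minimum group size: a cell with fewer installs than this is not reported.
MIN_GROUP = 3


def license_counts(records):
    """Licence compliance needs install counts per product, not who installed what."""
    return Counter(r["software"] for r in records)


def screen(records, identifying=IDENTIFYING_FIELDS):
    """Drop identifying fields so later analysis cannot re-attach a person."""
    return [{k: v for k, v in r.items() if k not in identifying} for r in records]


def aggregate(records, by=("dept", "software"), min_group=MIN_GROUP):
    """Count installs per (dept, software) over screened records (rule 3).

    Cells below min_group are not reported individually; their installs are folded
    into one 'suppressed' total, so the licence count still reconciles while no
    small group (possibly a single person) can be singled out.
    """
    counts = Counter(tuple(r[k] for k in by) for r in screen(records))
    reported = {key: n for key, n in counts.items() if n >= min_group}
    suppressed = sum(n for n in counts.values() if n < min_group)
    return reported, suppressed
```

Running aggregate(RAW_INVENTORY) on the constructed data reports only the Sales/OfficeSuite and Eng/CADTool cells and folds the three remaining installs into the suppressed total, which still adds up to the licence count.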


Legal base lines

Germany:

– Probably the strictest, start here if required

UK:

– Quick guide to the employment practices code, chapter 5 http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.pdf

US:

– Use California as a reference to start with: http://oag.ca.gov/privacy/workplace-privacy


Reminder: steps 1-2-3

1. Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data. Competences: Legal/Compliance (matrix)

2. What are the risks? Fines, class actions, customer complaints, security breaches. Competences: SAM + manager who wants to use the employee data exhaust?

3. What is the trade off? Compliance vs. data, business needs and technology. Competences: HR, legal, manager, SAM?


Q&A / discussion

THANKS for coming