Would You Lie to Your Physician? Establishing Privacy Compliance Within Your Marketing Programs

#agilitytour Would You Lie to Your Physician? Presented by Aurélie Pols, CVO of Mind Your Privacy

Upload: ensighten

Post on 14-Apr-2017


TRANSCRIPT

#agilitytour

Would You Lie to Your Physician?

Presented by Aurélie Pols, CVO of Mind Your Privacy

I Do! (Lie to My Doctor)

When it applies to me!

Not for what's most dear…

Risk Averse for My Children

• My most precious assets
• We share common goals
• And speak the same language

Could you say the same of your Legal Counsel?

Consider Before Crucifying the Rule of Law

1. The specifics of data as an Economic Asset
   • Data is infinitely transferable without decay

2. Often forgotten Legislative Challenges
   • Defining and recognising Data Harms

3. Related to evolving Privacy Legislation
   • Compliance is a Risk Exercise

4. Minimizing Privacy related Risks
   • YOUR liability within the Data Ecosystem

I'm Not Here to Define Privacy

Analytics

Privacy (& Data Protection)

Fact Remains: RACI Matrices

• Legal counsel will be held accountable
• Legal counsel should be consulted

Responsible (R): Who is/will be doing this task? Who is assigned to work on this task?

Accountable (A): Whose head will roll if this goes wrong? Who has the authority to take the decision?

Consulted (C): Anyone who can tell me more about this task? Any stakeholders already identified?

Informed (I): Anyone whose work depends on this task? Who has to be kept updated about the progress?

In a World of Dynamic Regulation

Two fundamental Data Privacy questions:
1. How far is too far (for data use & transparency)?
2. Who will decide (what is acceptable)?

If I Had 1 £ for Every Time I Heard…

1. Yes but we don't collect PII
2. International data transfers? Safe Harbour!

So What to Do? 1 Rules Them All

FIPPs: Fair Information Practice Principles

1. Transparency
   • Notice/awareness & Purpose => how transparent?

2. Choice
   • Consent => opt-in or opt-out, explicit or implicit?

3. Information Review & Correction
   • Access & participation in (data) accuracy

4. Information Protection
   • Data integrity & security

5. Accountability
   • Enforcement and redress: I. Self-regulation, II. Private remedies through civil actions (Germany), III. Government enforcement (FTC, European Data Protection Agencies, …)

There Is No PII NOC List

PII vs. Risk Levels

Risk level by data type; information security measures increase as the data gets closer to uniquely identifying an individual:

• DIGITAL EXHAUST: Low Risk
• OBA: Medium Risk (profiling)
• HIPAA HEALTH DATA: High Risk (sensitive)
• FCRA CREDIT SCORING: Extremely High Risk (profiling of sensitive data)

US: if/then exercises PII

Where to Start?

1. Define yourself

• Who are you in the data ecosystem?
• What are your obligations?
• What is expected of you?
• (Who can find out?)

Where to Start?

2. Document your Digital Entanglement

High-level mock-up of existing client.

Next steps:
✓ Terms & sovereignties
✓ Data points & access/sharing
✓ Purpose & Consent
✓ Data retention periods

Where to Start?

3. Align your liabilities:

• What do the terms allow?
• Which data points are you collecting?
• Which clauses are being used (International data transfer mechanisms: Safe Harbour)?
• Who has access? Data sharing
• …

Where to Start?

4. Don't drop the ball on Purpose and Consent!

Purpose / Consent

What happens if opt-out of email list, … ? https://support.google.com/adwords/answer/6276125?hl=en

UK: Optical Express bought "consented" data from Thomas Cook. See ICO PECR: https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/
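One way to make the purpose-and-consent point above checkable, as an added example that is not part of the talk: consent recorded for one controller and purpose does not carry over to a buyer of the list, an email-list opt-out withdraws the marketing purposes together, and expired retention periods are flagged for purging. Subject ids, controller names, purposes and dates are constructed, and the "marketing group" rule is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Marketing purposes that an email-list opt-out withdraws together
# (a design choice assumed for this example, not something the talk states).
MARKETING = {"email_marketing", "ad_audience_matching"}

@dataclass
class Consent:
    subject: str                 # constructed sample subject id
    controller: str              # organisation the consent was given to
    purposes: set                # purposes this consent covers
    given_on: str                # ISO date the consent was recorded
    retention_days: int          # how long the controller may keep the data
    withdrawn: set = field(default_factory=set)

def expiry(consent):
    return date.fromisoformat(consent.given_on) + timedelta(days=consent.retention_days)

def may_process(consent, controller, purpose, today):
    """Return (allowed, reason). Consent is bound to one controller and to the
    purposes recorded at the time, is void for withdrawn purposes, and lapses
    once the retention period has run out."""
    if controller != consent.controller:
        return False, "consent was given to a different controller"
    if purpose not in consent.purposes:
        return False, "purpose not covered by recorded consent"
    if purpose in consent.withdrawn:
        return False, "subject opted out of this purpose"
    if date.fromisoformat(today) > expiry(consent):
        return False, "retention period expired"
    return True, "ok"

def opt_out(consent, purposes=MARKETING):
    """An email-list opt-out withdraws the whole marketing group, not just email."""
    consent.withdrawn |= purposes & consent.purposes

def retention_due(records, today):
    """Records whose retention period has expired and are due for purging."""
    return [c for c in records if date.fromisoformat(today) > expiry(c)]

def sample_consent():
    # Constructed record: a customer consented to a travel agency's marketing.
    return Consent("subject-001", "travel_agency",
                   {"order_fulfilment"} | MARKETING, "2016-01-10", 365)

if __name__ == "__main__":
    c = sample_consent()
    print(may_process(c, "travel_agency", "email_marketing", "2016-06-01"))  # allowed
    print(may_process(c, "optician", "email_marketing", "2016-06-01"))       # bought list: denied
    opt_out(c)
    print(may_process(c, "travel_agency", "ad_audience_matching", "2016-06-01"))  # denied
    print(may_process(c, "travel_agency", "order_fulfilment", "2016-06-01"))  # still allowed
    print(retention_due([c], "2017-06-01"))  # purge due
```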

Where to Start?

5. Understand your risk

• Of legal issues: fines, class actions
  Schleswig-Holstein DPA considers Safe Harbour clauses today unacceptable, and they can't be replaced by model clauses either => is this a risk for your company?

• Of customer backlashes: unexpected/creepy data uses
  Target: using shopping behavior to determine pregnancy state (sensitive data) => consent!

Where to Start?

6. Document, train & communicate

• If asked, be able to show you've done your homework
• Define accountability (data stewards) & escalation procedures
• Explain & ask for help: your company is the patient!

We All Hated the "Cookie Directive", Right?

Thank you for listening!

Thank you for your attention!

[email protected]    

QUESTIONS?