Lecture given during my class of strategy for digital business at Ichec Brussels

1. Digital Business & GDPR
Jacques Folon
Partner
Edge Consulting
Maître de conférences
Université de Liège
Professeur
ICHEC
Professeur invité
Université de Lorraine (Metz)
Visiting professor
ESC Rennes School of Business

2. https://gdprfolder.eu
© 2018 GDPRFOLDER.EU SPRL All Rights Reserved.
Every company & self employed is concerned
SM
E
Self employed
Non profit
Private sector
Public
sector

3. https://gdprfolder.eu
© 2018 GDPRFOLDER.EU SPRL All Rights Reserved.
employees Prospects
ContactsUsers & clients
Which Data ?

5. http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg

6. privacy ?????
6
http://www.fieldhousemedia.net/wp-content/uploads/2013/03/fb-privacy.jpg

7. Average number of Facebook
« friends » in France: 177 in 2018
30

8. PRIVACYVS SOCIAL
NETWORKS
https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcQgeY4ij8U4o1eCuVJ8Hh3NlI3RAgL9LjongyCJFshI5nLRZQZ5Bg

9. 4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the first place.
Eric Schmidt

10. 1

14. 14SOURCE: http://mattmckeon.com/facebook-privacy/

15. 15

16. 16

17. 17

18. 18

19. 19

20. 20

21. 21
IN 2018

23. 1
Privacy statement confusion
• 53% of consumers consider that a privacy statement
means that data will never be sell or give
• 43% only have read a privacy statement
• 45% only use different email addresses
• 33% changed passwords regularly
• 71% decide not to register or purchase due to a
request of unneeded information
• 41% provide fake info
112
Source: TRUSTe survey

24. 24
http://1.bp.blogspot.com/-NqwjuQRm3Co/UCauELKozrI/AAAAAAAACuQ/MoBpRZVrZj4/s1600/Party-Raccoon-Get-Friends-Drunk-Upload-Facebook.jpg

25. The person who took the photo
is a real friend
25
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg

26. privacy and graph search ?

27. 27

28. 28

29. 29

30. 30

35. From Big Brother to Big Other

36. http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def
Antonio Casili
• Importance of T&C
• Everybody speaks
• mutual surveillance
• Lateral surveillance

37. geolocalisation
http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png

38. data collection
1

39. 39

40. Interactions controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

41. Interactions NOT controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

42. GDPR

44. Codes of conducts and certifications
!44

53. May 25, 2018 GDPR !!!

54. !54
A.CONTEXT
B.SOME DEFINITIONS
C.THE PRINCIPLES
D.GDPR CONSEQUENCES
E.METHODOLOGY

55. A : CONTEXT
!55

56. IN 3 WORDS
!56
• GDPR IS A "REGULATION" ><
"DIRECTIVE"
• WORLDWIDE INFLUENCE
• CONSEQUENCES FOR COMPANIES
AND PUBLIC SECTOR

57. !57
MAY 2018
ENTRY INTO FORCE MAY
25,2018
DISCUSSED SINCE 2014
VOTED IN 2016
RISKS
PENALTIES
4% ANNUAL TO
20 M €
COMPENSATION IN COURT
REPUTATION
IMPACT
CONTRACT
PROCESSES
MARKETING
ORGANISATION

58. B : SOME DEFINITIONS…
!58

59. PERSONAL DATA
!59
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;

60. PROCESSING
!60
‘processing’ means any operation or set of
operations which is performed on personal data or
on sets of personal data, whether or not by
automated means, such as collection, recording,
organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making
available, alignment or combination, restriction,
erasure or destruction;

61. CONTROLLER
!61
controller’ means the natural or legal person, public
authority, agency or other body which, alone or
jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State
law;

62. processor or sub-contractor
!62
processor means a natural or legal
person, public authority, agency or other
body which processes personal data on
behalf of the controller

63. Sub-contractor
129
The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing
to be carried out, and must ensure compliance with those
measures

64. 64
The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State in
which the processor is established, shall also be incumbent on the
processor

65. data breach
!65
personal data breach’ means a breach of
security leading to the accidental or
unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to,
personal data transmitted, stored or
otherwise processed

66. C : 12 MAIN PRINCIPLES OF GDPR
!66
1. Accountability
2. Consumer / citizen rights
3. Privacy by design
4. Information security
5. Data breach
6. Penalties
7. identity access management
8. lawfulness for processing
9. Register
10.Risk analysis and PIA
11.Training
12.Data privacy officer

67. 1/ ACCOUNTABILITY
!67

68. DO-CU-MEN-TA-TION

71. PRIVACY POLICY OR REGULATION OR …

72. 2/ Consumer/citizen's right
!72
TRANSPARENCY
SENSITIVE INFORMATIONS
INFORMATION COLLECTED
RIGHT OF ACCESS
RIGHT TO RECTIFICATION
RIGHT TO ERASE
RIGHT OF PROCESSING LIMITATION
PORTABILITY
RIGHT OF OPPOSITION TO PROFILING

73. RIGHT TO ACCESS

74. right to be forgotten ?

75. Right to be forgotten
• On 13.05.2014 the European Union Court of
Justice backed a ruling called “the right to be
forgotten,” which allows individuals to control
their data and ask search engines, such as Google,
to remove inadequate personal results from the
Internet.
• However, the decision cannot be interpreted as a
“victory” for the protection of the personal data
of Europeans, according to privacy experts.

76. • In 2010 a Spanish citizen lodged a complaint against a Spanish
newspaper with the national Data Protection Agency and
against Google Spain and Google Inc.
• The citizen complained that an auction notice of his
repossessed home on Google’s search results infringed his
privacy rights because the proceedings concerning him had
been fully resolved for a number of years and hence the
reference to these was entirely irrelevant.
• He requested, first, that the newspaper be required either to
remove or alter the pages in question so that the personal
data relating to him no longer appeared;
• and second, that Google Spain or Google Inc. be required to
remove the personal data

77. • In its ruling of 13 May 2014 the EU Court said :
• a)On the territoriality of EU rules: Even if the physical server of a
company processing data islocated outside Europe, EU rules apply
to search engine operators if they have a branch or a sub sidiary in
a Member State which promotes the selling of advertising space
offered by the search engine;
• b)On the applicability of EU data protection rules to a search
engine : Search engines are controllers of personal data. Google can
therefore not escape its responsibilities before European lawwhen
handling personal data by saying it is a search engine. EU data
protection law applies and so does the right to be forgotten.
• c) On the “Right to be Forgotten” : Individuals have the right -
under certain conditions - to ask search engines to remove links
with personal information about them.This applies where the
information is inaccurate, inadequate, irrelevant or excessive for the
purposes of the data

78. • At the same time, the Court explicitly clarified
that the right to be forgotten is not absolute but
will always need to be balanced against other
fundamental rights, such as the freedom of
expression and of the media

79. • Right to erasure (future rules?)
• 1.The data subject shall have the right to obtain from the
controller the erasure of personal data relating to them and the
abstention from further dissemination of such data, and to
obtain from third parties the erasure of any links to, or copy or
replication of that data, where one of the following grounds
applies:
• (a) the data are no longer necessary in relation to the purposes
for which they were collected or otherwise processed
• (b) the data subject withdraws consent on which the processing
is based according
• (c) when the storage period consented to has expired and
where there is no other legal ground for the processing of the
data

80. 3/ PRIVACY BY DESIGN
!80

81. INFORMATION LIFECYCLE

82. Look at the entire data lifecycle

83. 1.CREATE
OR

84. BALANCE TEST NEEDED

85. PRIVACY POLICY OR REGULATION OR …

86. CONSENT & EVIDENCES

87. SENSITIVE DATA
IF THENOR

88. 2.STORE
• SECURITY
• ENCRYPTION
• AUTHENTICATION
• AVAILABILITY
• CONFIDENTIALITY
• IAM

89. 3. USE

90. 4. SHARE

91. 4. SHARE

92. 5.ARCHIVE

93. 6. DESTROY

94. 4/INFORMATION SECURITY
!94

96. The weakest link

98. SECURITY
SOURCE DE L’IMAGE: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-
security-2/

99. Source : https://www.britestream.com/difference.html.

100. Threats

101. Who knows … now?

102. certifications

103. Control by the employer
161SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/

104. What your boss thinks...

105. Employees share (too) many
information and also with third parties

106. Where do one steal data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars

107. 63
RESTITUTIONS

108. DATA PRIVACY & THE EMPLOYER
45http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg

109. SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/

110. May the employer control everything?

111. Who controls what?

112. Could my employer
open my emails?
169

113. IAM

114. 114
CODE OF CONDUCTS

118. TELEWORKING

119. Employer’s control
177
http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux

121. 121

122. 48

123. 86
SECURITY IS A LEGAL OBLIGATION

124. 5/ DATA BREACH
!124

125. Data breaches

126. Disastrous data breaches

127. So it is a real threat !

128. 6/ PENALTIES
!128

129. 7/ IDENTITY ACCESS MANAGEMENT
!129

130. 8/ LAWFULNESS OF PROCESSING
!130
CONSENT MUST BE EXPLICIT

131. 131
'the data subject's consent' shall
mean any freely given specific
and informed indication of his
wishes by which the data subject
signifies his agreement to
personal data relating to him
being processed

132. 132

133. OPT IN

134. 134
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. Further
processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States
shall lay down appropriate safeguards for personal data stored for
longer periods for historical, statistical or scientific use.

135. 135
Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation
to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of
the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed

136. 136
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life

137. 125
Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected
with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject

138. Cookies

142. 9/ RECORD OF PROCESSING ACTIVITIES
!142
RECORD

143. 10/ RISK ANALYSIS AND PIA
!143

144. 11/ TRAINING
!144

145. INTERNAL TRAININGS

146. 12/ DATA PRIVACY OFFICER
!146

147. D : CONSEQUENCES
!147

148. E : METHODOLOGY
!148

149. METHODOLOGY
!149
1. PRELIMINARY AUDIT
2. RISK ANALYSIS
3. LIST OF SERVICES
4. RECORD OF PROCESSING ACTIVITIES
5. ACTION PLAN
6. SERACH FOR COMPLIANCE
7. SOLUTION FOR NON COMPLIANCE
8. CONTINUOUS PROCESSES
9. TRAINING
Préparation
Implémentation
Pérennisation

151. 154
Source de l’image : http://ediscoverytimes.com/?p=46

153. RISKS
SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html

154. Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University

155. The new head of MI6 has been left
exposed by a major personal security
breach after his wife published
intimate photographs and family
details on the Facebook website.
Sir John Sawers is due to take over
as chief of the Secret Intelligence
Service in November, putting him in
charge of all Britain's spying
operations abroad.
But his wife's entries on the social
networking site have exposed
potentially compromising details
about where they live and work, who
their friends are and where they
spend their holidays.
http://www.dailymail.co.uk

156. Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

157. Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

158. Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

159. Phishing
Sources/ Luc Pooters, Triforensic, 2011

160. DATA
THEFT

161. Social engineering
Sources/ Luc Pooters, Triforensic, 2011

162. Take my stuff,
please!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University

163. 3rd Party
Applications
•Games, quizzes, cutesie stuff
•Untested by Facebook – anyone
can write one
•No Terms and CondiVons – you
either allow or you don’t
•InstallaVon gives the developers
rights to look at your profile and
overrides your privacy seYngs!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University

164. Big data
182

165. Biometry
186

166. facial recognition
187

167. RFID & internet of things
188
http://www.ibmbigdatahub.com/sites/default/files/public_images/IoT.jpg

168. SECURITY ???

169. 87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin

171. ANY QUESTIONS ?