This document discusses digital analytics and privacy. It begins by noting expectations around a lack of new privacy legislation. It then discusses privacy as a human right and how public opinion around privacy is changing. It notes concerns around democracy being in danger since the passage of laws like the Patriot Act. The document is authored by Aurélie Pols and discusses bridging analytics and data protection in Europe under upcoming regulations. It stresses the importance of a risk-based approach, identifying intersections between professionals, and developing a privacy culture.
Digital analytics & privacy: it's not the end of the world
1. Digital Analytics & Privacy: it’s not the end of the world
November 12th 2013
Aurélie Pols
Something (Digital) Analytics Europe
Chief Visionary Officer & Founder
@aureliepols
4. Privacy, a human right?
Navi Pillay
Source: http://rt.com/news/germany-brazil-un-spying-resolution-394/
Source: http://www.ohchr.org/EN/Pages/WelcomePage.aspx
5. The changing tide of public opinion
Source: http://www.globalresearch.ca/25verdadessobre-el-casoevomoralesedwardsnowden/5341660
6. Democracy in danger since the Patriot Act?
Source: http://minnesota.publicradio.org/display/web/2013/01/22/daily-circuit-alexis-detocqueville-democracy-in-america
7. This is about keeping your job
Source: http://toogoodtogodown.wordpress.com/2012/04/30/yourefired-which-grimsby-town-players-will-be-offered-new-deals-and-whichwill-be-released/
http://blog.kevinmaxwell.co.uk/2012/11/guess-what-youre-fired/
8. The confessions of a European analyst
Grew up in the Netherlands, Dutch passport
French mother tongue
Most of my friends are bilingual at least!
Have Polish & Russian origins
Set-up my first start-up in Belgium in 2003
Sold it to a UK agency, Digitas LBi (Publicis), in 2008
Moved to Spain in 2009
Created Mind Your Group (Putting Your Data to Work) + sister company Mind Your Privacy in 2012 (yes, law firm)
9. Bridging Analytics & Data Protection in Europe
European Convention of Human Rights, Article 8: Privacy is a fundamental right
you don’t have to agree ;-)
Spain = 80% of EU Data Protection fines; strict data protection legislation, breach notification & security protocols best practices
10. The Rule of Law is the foundation of Democracy
“Democracy must be built through open societies that share information. When there is information, there is enlightenment. When there is debate, there are solutions. When there is no sharing of power, no rule of law, no accountability, there is abuse, corruption, subjugation and indignation.”
Atifete Jahjaga, President of Kosovo
11. The Rule of Law is the foundation of Democracy
APEC: Continental law influenced
US & UK: Common Law
- Class actions
- Privacy
- Business focused
- Sector based legislations: HIPAA, COPPA, VPPA, …
- PII varies per state but lists defined
EU: Continental Law
- Fines (by DPAs: Data Protection Agencies)
- Personal Data Protection
- Citizen focused: data belongs to the visitor/prospect/consumer/citizen
- Over-arching EU Directives & Regulations
- Introduction of pseudo-anonymized data within the new PDP Regulation, partially trying to avoid pinning down PII exactly imho
* Again, you don’t have to agree!
12. Privacy is a tough cookie to crack
So was probably the Declaration of Human Rights, ask Eleanor Roosevelt!
So called Cookie Directive, good or bad idea?
- Very techno specific
- Doesn’t help when legislation lags behind…
- Raised awareness?
- Clean house?
Best cookies in the world: Maison Dandoy, Brussels, since 1829, http://www.maisondandoy.com/en/home/
13. Rome wasn’t built in a day
Take away #1:
The EU & the US view Privacy & data protection very differently and that is fine!
Rome wasn’t built in one day, neither was the traffic regulation in NY or Madrid!
14. Wicked French ;-)
Most EU countries talk of zebra paths
France: are still talking of passages cloutés
Take away #2 related to data:
Time:
- Techno evolves faster than legislation
- Privacy procedures are new to techno players => no Privacy culture!
Data is ad infinitum transferable, without decay => new Privacy challenges, la bande de GAFA (CNIL)
Image source: http://images.forum-auto.com/mesimages/770027/passage%20cloute.jpg
15. Privacy tri-partite
Joint effort by:
1. Governments &/or international Associations => regulations, guidelines..
2. Businesses
3. Citizens/consumers/voters
Each party wanting to defend its rights:
- Personal Data Protection & the Rule of Law through respect of Fundamental Rights
vs.
- Profits & hopefully Sustainability
16. If data is the new oil, is Privacy the new Green?
Comparing Facebook’s Privacy policy
Source: http://mattmckeon.com/facebook-privacy/
17. What’s in a word? DATA LIFECYCLE
Source: https://vividcortex.com/blog/2013/10/30/slides-from-makingbig-data-small-at-strata
Source: http://www.simpletraining.com/lifecycledata-management-training.html
19. The evolution of Breach notification
http://www.informationisbeautiful.net/visualizations/worlds-biggest-databreaches-hacks/
20. LinkedIn Big Data feedback loop
Consent?
Anyone?
Example:
Netflix
VPPA
Source: https://www.facebook.com/photo.php?v=10151708759330687&set=vb.9445547199&type=2&theater
21. Some basic Privacy terms, bouh!
PURPOSE: What are you using the data for?
CONSENT: Reasonable expectation of the use of data => Transparency
Trust => Social Media reputation
(See also Breach notification for Crisis Management)
Creepy => Ethics boundary
22. You: Data Controller – Tools: Data Processor, ok?
Take away #4
Review those bloody contracts, will you?
Assure liability is clear and that you are covered!
Source: http://ec.europa.eu/justice/data-protection/datacollection/obligations/index_en.htm
23. Did Big Data kill the Privacy framework?
No, it introduced a paradigm shift
Just like analytics is becoming permeable through the company
This is also the case for the legal consequences of the use of data:
Employee Training & internal debate related to what is acceptable & what is not should become part of business
[Diagram labels: Purpose; New business opportunity through data; User consent; Fair & Legal process; Data diving analysis / Big Data; Information for approved use]
24. Security is only one solution to the problem
The guy in the middle is a DPO: Data Protection Officer, required key personnel once the EU Personal Data Protection Regulation passes
[Diagram labels: SECURITY (TECHNOLOGY); DATA COLLECTION]
25. The EU Personal Data Protection Regulation is coming
#EUDataP
Source: www.iabeurope.eu/files/8813/7882/1681/IAB_Tuesday_Webinar_Data_Protection_FINAL.pdf
ICO is an outlier
26. Without the right support, the best security crumbles
[Diagram labels: SECURITY (TECHNOLOGY); DATA COLLECTION]
27. Human error causes most data breaches
Source: http://www.cooldailyinfographics.com/post/data-andsecurity-breaches
28. Bridging the analytics to the legal world
Security = Icing on the cake
[Diagram labels: SECURITY, TECHNOLOGY; Information for approved use; Data diving analysis / Big Data; Fair & Legal process; New business opportunity through data; User consent; DATA COLLECTION]
29. Harmonising Security & Privacy
Effective Privacy management depends upon a Risk driven approach that surpasses compliance needs
- Prepare for legislative changes
- Recognise that just because something is legal, it doesn’t mean it is a good idea
- Consider how Privacy drives strategic advantage => USP?
Skill requirements & interfaces between professionals
- Identifying intersection and tackling conflict
- Finding a common language
- Developing a Privacy culture
Source: http://www.rsaconference.com/writable/presentations/file_upload/grc-w07-whenworlds-collide-harmonising-governancebetween-security-and-privacy.pdf
30. Always ask yourself these 3 questions & keep your job
What data am I collecting?
- PII vs. non-PII
- Persönlich ↔ Pseudonym ↔ Anonym
Who has access to this data?
- Both persons & tools
Where is the data stored?
- SafeHarbor vs. Binding Corporate Rules
33. Thank you for your time!
Aurélie Pols
Something (Digital) Analytics Europe
Chief Visionary Officer & Founder
@aureliepols – www.mindyourprivacy.com/uk/
So data doesn’t erode over time and can be sold multiple times but its destruction is not part of any analytics process?
Question:
With breach notifications being increasingly adopted by varying countries, the level of fines and class actions going up related to any data breaches or privacy infringements, wouldn’t it make sense to take a look at some procedures?