SlideShare ist ein Scribd-Unternehmen logo

Data Protection Magazine

T
teresadepiano

Magazine che si occupa di privacy e del GDPR

Leadership & Management
1 von 68
Downloaden Sie, um offline zu lesen
DATA PROTECTION MAGAZINE spring 2018 issue 1
Published by Data Protection World Forum Editor: Michael Baxter, michael@dataprotectionworldforum.com Contributions from: Laura Edwards, Ardi Kolah, Adil Akkus, Deborah Dillon, Jenna Banks, Nathan Sykes, Jason Choy Design : Hannah Richards, Amplified Business Content DATA PROTECTION MAGAZINE Lawfulness of processing Before you go any further, take a note of this, it seems to be the most common point of discussion whenever the topic of GDPR comes up. Article 6 GDPR, Lawfulness of processing • Processing shall be lawful only if and to the extent that at least one of the following applies: • The data subject has given consent to the processing of his or her personal data for one or more specific purposes; • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; • Processing is necessary for compliance with a legal obligation to which the controller is subject; • Processing is necessary in order to protect the vital interests of the data subject or of another natural person; • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. • Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. a note from the editor Welcome to Data Protection Magazine. We are all data protection people now. Privacy and data protection has moved from an obscure corporate cubbyhole to the front pages of newspapers and it feels as if everyone has an opinion. The role of the data protection officer, or DPO, has been transformed. In the post GDPR era, DPOs don’t simply take instructions. They report to the highest level of management authority and are experienced in business continuity, risk and technology. Read the media, and you may come away with the impression that the DPO has gone from the person of last redress to rock star. In fact, the change is more nuanced than that. The role of the DPO under the GDPR is radically and legally different. But caring about data protection is not just a job for the DPO. It needs to run deep within a company and become a key consideration for senior management. The c-suite does not merely need to become data protection aware, the ladies and gentlemen who make up the higher echelons of corporate hierarchy need to breathe it. It needs to be embedded into their corporate mindset. As the editor of this publication, I too have been on a data protection and privacy journey. My background is as an economic and disruptive technology writer, but until a year or so ago, thinking deeply, or indeed narrowly, about privacy was barely on my radar. I had this notion that we may be entering an era which will see the end of secrets - that this is the inevitable consequence of creating transparency. But the truth is there is a dividing line. Transparency is good, but we do not want a transparent wall in our bathroom. Teenagers crave privacy from their parents. The mums and dads want transparency from their kids. Creating privacy in the age of transparency is one of the most important challenges of the digital economy. Data Protection Magazine is aimed at the business generalist rather than the data protection or privacy professional and will be released on a quarterly basis. Enjoy!
You haven’t seen anything yet! GDPR is good for you Goodbye darkness hello friend GDPR and the United States GDPR and how the millennial generation manage privacy GDPR – a quick summary Privacy by design and default From Grim Reaper to hero The Canadian experience Interview with Abigail Dubiniecki GDPR and the Fourth Industrial Revolution AI, GDPR and the anonymisation of data Selling your data Anatomy of a breach in trust, the Facebook story Blockchain and GDPR The GDPR and small businesses The Data Protection World Forum Breaches, incidences and security Let’s put our head in the clouds Everything you need to know about cybersecurity The cardless society Subject access requests The wallflower of compliance grows thorns spring 2018 issue 1 contents 02. 05. 06. 10. 12. 14. 20. 22. 26. 28. 30. 34. 38. 40. 44. 46. 50. 52. 56. 58. 60. 62. 65.
The General Data Protection Regulation is here. We sat down with Nicola McKilligan-Regan, one of the UK’s leading experts on data privacy, a woman who literally wrote the book about the Data Protection Act of 1998, to give us the benefit of her wisdom. Nicola herself has been working in privacy for 20 years, she admits reluctantly. She began working at the Information Commissioner’s Office (ICO) before it was called that. Instead, it went by the name of the Data Protection Registrar. She worked as a Strategic Policy and International Officer. In 2000, after the Data Protection Act 1998 came into force, she left to focus on helping organisations with the new law. In 2004, her book: A Pocket Guide to the Data Protection Act, was published. The ICO once said of the book that it was the sort of guidance it wished it had written. Today, she is the Senior Partner at the Privacy Partnership, as well as the founder and CEO of Smart Privacy, which provides privacy tools for businesses struggling to implement GDPR. And between now and when her book was published, she has been the Vice President Privacy at Thomson Reuters, and has enjoyed a glittering career in data privacy. The latest version of her book: The Pocket Guide to the Data Protection Act, GDPR and DPA 2018, is being published later this year. And we began by talking about whether GDPR is over-hyped, like the millennium bug 18 years earlier, soon to be forgotten, just as May 25th 2018 itself will be relegated to being just another ticked off date on the calendar. isGDPRislikethemillenniumbug,theso-calledY2K? Nicola: “No. We didn’t know what effect the millennium bug would have, but before GDPR is even implemented, regulators have begun flexing their muscles. She poses a question. “If GDPR is just like the millennium bug, why has Facebook moved the accounts of 1.5 billion users from Ireland to the US?” “The new regulations give regulators a lot more scope to take a hard line against businesses that don’t treat our personal data and privacy with the respect it deserves.” And then she sums it all up in one phrase: “You haven’t seen anything yet!” Why does GDPR matter? We can all get lost in detail: GDPR is such a vast topic that it can be devilishly difficult to sum it up in a way that captures the imagination. We asked Nicola to do just that.SUBSCRIBE FOR FREE TODAY HERE Thescaleofthepenaltiesindicatesthatgovernmentsnow seeprotectingprivacyasanimportantanissueasbeing abletostoppeoplefromlendingmoneytocriminals orsellingarmstoroguestates. • Whyit’snotlikethemillenniumbug • WhydoesGDPRmatter? • Isitgoodorbad? • MessagefortheCEO • MessagefortheDPO • Firststeps • GDPRandtheleanstart-up • “
Nicola: “It’s the biggest change in data legislation in 18 years, as it brings data protection legislation up to speed with the internet age. “The scale of the penalties indicate that governments now see protecting privacy as an important an issue as being able to stop people from lending money to criminals or selling arms to rogue states. “For the first time, privacy regulators have really strong powers. The law now applies more directly to the latest technology and is supported by a compliance regime which is the equivalent of major compliance regimes such as AML – anti-money laundering. “If privacy was like a poor second cousin to AML compliance, it’s not like that now. “It’s about public interest. What governments think is important has changed from 18 years ago.” And is GDPR good or bad? So, given this, we asked whether the regulation is good or bad. Nicola: “It’s both. It was needed and I am a supporter of the general provisions. I am not so keen on the bureaucracy. It means a lot of record keeping, a lot of work for lawyers and consultants. But the trouble is, there is a danger that you end up paying less attention to the real risks to individuals - bureaucracy may act as a distraction from real issues.” Nicola cites as an example, Facebook: “It has a compliant privacy policy, but whether it is fair in the way it processes its users’ data is another matter.” A message for CEOs What advice does Nicola have for the CEO? “It is no longer possible, as Mark Zuckerberg found out, to hide behind saying ‘I didn’t know.’ Make sure you understand how privacy affects the business. CEOs are always busy, but they must find the time. If their organisation is large, they may have a General Counsel and a data protection officer. Pay attention to them. CEOs who are not aware of the key issues will be hung out to dry.” A message for the Data Protection Officer Andwhataboutthedataprotectionofficer, or an external advisor, how do you convince the board to take GDPR seriously? “Make sure your advice is very specific to the business model. Make sure your leadership fully understand how GDPR affects the business. “Remember, if you can stand out as an organisation that can solve GDPR problems or provide data privacy safeguards for customers and clients, that can be a commercial advantage. CEOs like to hear about that. “If instead, you focus on the fines, you risk the CEO saying ‘but, that’s what we pay you to avoid.’” InshortNicolasays,“engagetheboardontheir levelbyfocusingonthebusinessadvantage”. The DPO As you read this magazine you will find our article ‘Grim Reaper to Hero’. The role of the data protection officer has changed. But Nicola sees a challenge ahead, there is a shortage of people with the necessary skills. “To be a DPO you need to have experience to deal with practical issues - just sending someone on a course won’t cut it.” She also foresees a conflict of interest problem. “You can’t be the problem solver and advisor like you used to be. You are more like a policeman now. That means you are going to have to say ‘no’ a lot more. The first steps It’s a bit late to be worrying about the first steps now. But Nicola does have some specific advice on your general approach to GDPR. “If you do nothing else, train your staff. If you have an informed work- force it will reduce your risk.” The lean-start-up Nicola also has some advice for the start- up, maybe a company applying the ideas of a lean start-up. “Elizabeth Denham, the (UK’s Information Commissioner) has said that one of her big focuses is supporting small businesses. “I would say to a small business, talk to the regulator, either on a no name basis or get written advice. “The ICO has specialist teams in different sectors. And going to the ICO is cheaper than going to a lawyer. “My advice to a lean-start up, talking to the ICO, is to provide it with as much information as possible. If you get written advice keep it, if you get advice from an ICO help-line, take accurate notes, the name of the person you spoke to and the date and time of the call. “But you need to know enough about GDPR to recognise you have a problem.” Three take-homes Finally, we asked her to sum it all up and tell us the three most important things about GDPR. First off, she talked about consent. “I have always had a problem with consent being used as grounds for processing information, because people were not really given a choice. Now companies can no longer say ‘yes we have consent’ if they make it a condition of providing a service. And that is a big change. Now consent has to be totally free and informed.” Second off, she turned to legitimate interests. Consent and legitimate interests are two of the legal bases for processing data under GDPR. “Organisations can no longer tick a box, they have to document their argument for why their legitimate interests are not a threat to individuals’ privacy. So, they have to conduct a balancing test. You can’t just process information because it is a good commercial idea, you have to make sure it is balanced against the rights of individuals. And you have to document it, prove it and have a response if you are challenged.” Thirdly, “what you now see is a confident regulator, who has the power to take on large companies and is not afraid to act. Regulators now feel that they have the tools to act against Big Tech. “GDPRislikeagunaimedatthetempleof the big technology companies. Other smaller businesses are caught in the crossfire.” The rest is history The build-up to GDPR is over. That is now history. Now the hard work is on-going. In producing this magazine, we have spoken to experts on GDPR and data privacy, many of whom have been speakers at our GDPR Summits. We have more in the diary. And don’t forget, the Data Protection World Forum this November, where many of the experts we have been talking to for this publication, including Nicola herself, will be speaking. By MICHAEL BAXTER 03.
GDPR IS GOOD FOR YOU The world’s largest company boasts a privacy policy that is a joy to read. What’s good for the customer is good for the business that serves that customer and GDPR is good for both. Let’s face it, privacy policies are not always fun to peruse. If someone wrote a book: “The world’s riveting privacy policies” it may be thick enough to act as a door stop, but only in a dolls’ house. Yet Apple, the company whose iTunes terms and conditions make GDPR read like romantic fiction, takes a pretty impressive stab at it. Maybe it is a coincidence that the company with such a privacy policy is also valued at $845 billion. But then there is no doubt that many millions of users choose its phones for the perception of privacy and data security. Maybe it is unfair to describe the company thus, Samsung will undoubtedly claim its own policies are just as robust, and maybe it would be right to do so. But perception is everything, and Apple is perceived in a certain way, this is at least one of the reasons why it is so successful and valuable. But to get to the nub of the matter, cast your mind back to 1949, when a book was published whose first sentence should be etched onto the minds of data professionals: “It was a bright cold day in April and the clocks were striking thirteen.” So began George Orwell’s 1984, a dystopian vision which gave the world such memes as Big Brother, Room 101 and Doublespeak. In the vision, privacy is no more. Not even our thoughts belong to us. Thirty nine years later, Apple announced its new computer to the world with a now famous ad featuring an Orwellian world: “On January 24th, Apple Computer will introduce Macintosh and you will see why 1984 won’t be like ‘1984.’” Fifteen years after that, Scott McNealy, the then chief executive of Sun Microsystems said: “Privacy is dead, get over it”, and famously in 2011, Mark Zuckerberg himself said: “People have gotten really comfortable, not only sharing more information and different kinds, but more openly and with more people.” He suggested that such lack of privacy has become a “social norm”. Zuckerberg is often quoted as saying privacy is dead. But there is no evidence he actually said that. Soon after he uttered those words about lack of privacy becoming a social norm, a spokesperson for Facebook said: “His remarks were mischaracterised and added: “A core part of Facebook’s mission has always been to deliver the tools that empower people with control over their information.” She continued: “If the assertion is that anything Mark chooses to make private is inconsistent with his remarks last week, here are a few other hypocritical elements of his life: he hides his credit card numbers in his wallet, he does not post the passwords to his online accounts, and he closes the door behind him when he goes to the toilet.” Yet,lookathowtheFacebooksharepriceslidaftertherevelations of its deal with Cambridge Analytica were outed by The Guardian and New York Times, look at the value of Apple. That is why there are big bucks in data protection, and it is why GDPR is not merely a good thing, it’s good news for the world. If, as The Economist suggested last year, big data is really the new oil, and not the new asbestos, as cynics might suggest, then that counts for nothing if people don’t trust companies with their data. A recent survey by ForgeRock found that 57 per cent of UK consumers are worried that they have shared too much personal dataonline.Fiftythree percentsaidtheywouldnotbecomfortable if their personal data was shared without their permission and a further 58 per cent said they would stop using a company’s services completely if it shared data without permission. If data is the means by which the digital economy can create wealth and give the so called Fourth Industrial Revolution the impetus it needs, then without trust, without the public’s confidence that their privacy is respected, the data revolution will stutter and then collapse. That is why we need GDPR - not as a piece of regulation to scare companies, not through some sense of anti-Orwellian sentiment, nor do we want regulators strutting the privacy stage like thought police, punishing the slightest transgression with fines to bankrupt well-meaning companies, but without trust, the data revolution may not happen - and that would be a disaster. PS: This article was written before Apple announced a new upgrade to its iOS operating system and OS for the Mac, designed to offer improved privacy. It seems that Apple sees data privacy as core strength, a feature that can give its products an edge. GDPR IS GOOD FOR YOU 05. PRE-REGISTER FOR DATA PROTECTION WORLD FORUM HERE
GDPR is the general regulation, but contrary to many media reports, other rules and directives such as MiFID II, Open Banking, ePrivacy Regulation and The Directive on Security of Network and Information Systems, do not muddy the water, in fact they fit together. People too easily forget the financial crisis in 2008 was so severe that at one point it seemed as if capitalism itself was tottering. The truth is, that in the build up to that crisis, if you listened to the noise coming out of regulators and august bodies such as the IMF, then to borrow words from Simon and Garfunkel, you heard the sound of silence. The famous singing duo also said: “Hello darkness my old friend”, but the new digital single market and other regulations slowly being unveiled by the EU do not create a new barrier to business, as some might say, rather they are designed to bring “down barriers to online opportunity,” or, so says the European Commission. New regulations are also about transparency, and especially in the case of GDPR, responsibility and accountability. Above all, they are also about creating trust. Take MiFID II - Markets in Financial Instruments Directive version 2 - the media, always keen to spot a scandal, say that the new financial instruments directive is not compatible with GDPR - that the transparency required by MiFID II is at odds with the privacy that GDPR is designed to support. But this is simply not true. The detail does not reveal the devil, it reveals light. MiFID II is designed to force financial organisations to act in the best interests of their clients, and do not, as happened prior Goodbye darkness, hello friend to 2008, occasionally bet against clients, or recommend products simply because they pay a higher commission. So, for example, out goes the practice of giving away free research as an inducement to trade via an organisation - instead research must either be charged for or given away to all who want it, regardless of whether they are customers. High frequency trades must be time stamped in an effort to put an end to the practice of ordering a trade in an attempt to manipulate the market, and then cancelling the order before it is executed. But perhaps most significantly of all, MiFID II requires the holding of data concerning staff’s trading activities. It does this by saying that for every trade that your bank or broker makes on your behalf, there must be a detailed record. It must be possible to pull up all the data and information that goes with the trade, regardless of the medium, for example, a recorded phone call with someone giving instructions. Or it could be a text, an email, anything that relates to that trade - creating a paper trail, so there is a clear record showing what went into that decision to make that trade and whether it was in the best of interests of the customer. So MiFID II is all about empowering the consumer to make the right choices. ButsomearguethattheyhavespottedacontradictionwithGDPR. MiFID II requires the processing of data related to individuals, GDPR imposes rules on the processing of personal data. But as Abigail Dubiniecki, Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer, says: “There may seem to be a contradiction between MiFID II and GDPR but that’s not the case. Indeed, the FCA (Financial Conduct Authority) and ICO (Information Commission Office) have gone on record saying they are not incompatible, because under article six of GDPR, By Michael Baxter 06. Subscribe for free here and get the next issue to your inbox
GDPR means you can only use the data for the purpose for which it was given. So if they share it with someone else, or try and sell another service, that is a no no, unless they find a legitimate interest or they get my consent or make use of one of the other bases of lawful consent. one of the lawful bases for processing personal data is legal obligation – you have a legal obligation, under MiFID II, to suck up all that data related to that trade.” Of course, it is nuanced. As Ms Dubiniecki added: “Could you suck up all that data and keep it forever, or not use it for the purpose for which you gathered it? Absolutely not. Under GDPR you have limited retention periods, you are not allowed to hold onto it for longer than is necessary for the purpose for which you got it, under the legal bases you used.” Returning to the Digital Single Market another new area is Open Banking, or PSD2. The idea here is simple enough, and at least in part the regulation has been created from one of the lessons of the 2008 crash, the risk of ‘too big to fail’ banks. It’s about data portability for the financial services sector, it is saying: ‘I should be able to take my personal data related to the banking that I have been doing with a particular bank, in a machine readable format that is common to everyone else, and plug it in somewhere else to see if I can get better rates, or a better device.’ Some fintechs may provide more information to you. Under Open Banking, it will be possible to take your banking data and via an app, provide you with a detailed online tool on your spending, updated in real time, projecting how much money you have at the end of the month, and search for better deals for you on financial products. But will the consumer have sufficient trust in how her or his data is processed? If the consumer is reluctant to let a third party take control of their data, then PSD2 will not achieve its desired outcome. There are lots of safeguards built into PSD2, rules about how data is used, but perception matters - the barriers to online opportunities will not be overcome unless this trust can be earned. That is why GDPR is so vital - the General Data Protection Regulation is what its name suggests: general. And as Abigail Dubiniecki said: “PSD2 does provide protections, but GDPR means you can only use the data for the purpose for which it was given. So if they share it with someone else, or try and sell another service, that is a no no, unless they find a legitimate interest or they get my consent or make use of one of the other lawful bases.” Open banking is a fundamental part of creating a digital market that serves the best interests of customers, but without trust it won’t get the take-up. GDPR is vital for creating that trust. Another area to watch is the new ePrivacy Regulation. At the moment, GDPR and the Privacy and Electronic Communications Directive or PECR, work hand in hand. A marketer, for example, seeking a legal basis for emailing customers may feel that the requirements for consent, under GDPR, are too onerous, but instead choose legitimate interest as their legal bases for processing personal data. GDPR is clear, Recital 47 states it in black and white: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” It is just that PECR imposes additional considerations. For one thing, it requires that in most cases, people have to give consent to receive emails, but, as John Mitchison at the Direct Marketing Association pointed out in a discussion with us: “There is a line that refers to soft opt-in. So if you have collected someone’s email in the course of doing business, and there is an opt-out option, you can send them emails.” PECR is soon to be replaced by the new e-Privacy Regulation. We are not sure what the final regulation will say yet, but there is one thing we can say for sure: it will dovetail with GDPR, the regulations will support each other and provide more light. Finally, there is The Directive on Security of Network and 07. “ The media, always keen to spot a scandal, say that the new financial instruments directive is not compatible with GDPR – that the transparency required by MiFID II is at odds with the privacy that GDPR is designed to support. But, one of the lawful bases for processing personal data is legal obligation – you have a legal obligation, under MiFID II, to suck up all that data related to that trade. Open banking is a fundamental part of creating a digital market that serves the best interests of customers, but without trust it won’t get the take-up. PECR is soon to be replaced by the new e-Privacy Regulation. We are not sure what the final regulation will say yet, but there is one thing we can say for sure: it will dovetail with GDPR; the regulations will support each other and provide more light.
Information Systems (NIS Directive). EU countries have until 25 May 2018 to transpose this into national law. GDPR is unambiguous on the subject of security, and what to do in the event of a data breach: Article 33 states: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” GDPR then goes into further detail on cybersecurity. The NIS directive objective is to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers.” While GDPR focuses on cybersecurity in the context of data privacy, the NIS focuses on the sharing of information on cybersecurity threats, and improving security safeguards. The two regulations are once again designed to dovetail - and if there is any superficial indication that the sharing of information required by NIS is at odds with GDPR’s requirement for privacy, such a contradiction breaks down when you consider that one of the lawful bases for processing of personal data under GDPR is legal obligations. However, in NISD it is specifically stated that any information sharing that happens reincidence must be consistent with GDPR regulations when personal data is involved. The digital single market, big data, and the opportunity it all brings can create wealth and prosperity - but only if it can illuminate where currently there is darkness, bring transparency where where there is lack of visibility and trust where there is suspicion. GDPR, together with a raft of other measures, is designed to bring lightness and make digital technology and data the customers’ friend. The NIS directive objective is to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers.” Goodbye darkness, hello friend 08.
GDPR IS A JOURNEY, NOT A DESTINATION £50 OFF BOOK NOW PROMO CODE: DPMAG GDPRSUMMIT.LONDON THE U K’ S L E ADING GDPR EVENT SERIES UNDERSTAND WHAT GDPR MEANS FOR THEIR BUSINESS HEAR FROM THE LEADING GDPR EXPERTS BENEFIT FROM INTERACTIVE IN-DEPTH SESSIONS GET ANSWERS TO THEIR BURNING QUESTIONS GAIN AN ACTIONABLE ROADMAP TO COMPLIANCE AND BEYOND SUPPORTED BY ATTENDEES WILL:
GDPR is an EU measure, but the principles that lie behind the regulation are gaining traction around the world. George Soros, the billionaire investor and speculator, who famously bet against the Bank of England in 1992 and won, is an arch critic of the way big tech companies such as Alphabet and Facebook use data. Maybe it has something to do with Soros’ roots - growing up in Hungary under Nazi occupation. “Social-media companies are inducingpeopletogiveuptheirautonomy,” he said, “the power to shape people’s attention is increasingly concentrated in the hands of a few companies threatening the concept of ‘the freedom of mind.’” For that reason, he is a big supporter of GDPR. “Europe has much stronger privacy and data-protection laws than America,” he said when speaking at the World Economic Forum in Davos, earlier this year. He continued, “Commissioner Vestager (European Commissioner for Competition) is the champion of the European approach. It took the EU seven years to build a case against Google, but as a result of her success, the process has been greatly accelerated. Due to her proselytizing, the European approach has begun to affect attitudes in the United States as well.” Yet there is a perception that the US is too far behind. Commenting on the ongoing issues with Facebook, Vera Jouriuva, EU Commissioner for Justice, Consumers and Gender Equality, recently told the BBC: “I can tell you that now we have much stronger arguments to say that we did the right thing to adopt the General Data GDPR and the United Statesby Michael Baxter Don’t miss the data protection event of the year – pre-register here
11. Protection Regulation. . . So there will be a much stricter regulatiory framework in the EU. . . But I have just come back from Washington and when I look at the American legislation, I don’t see such a robust legislative framework so it will be interesting to look at the United States to see whether they will come up, in the future, with stricter rules.” Could this be changing? “The Americans have famously over time been the people who will give away data all day long,” says Eve Maler, the VP of Innovation & Emerging Technology at ForgeRock. But this could be changing: speaking to us from Seattle, she said “but Americans have become sensitised and more cynical.” A recent survey from The Economist Intelligence Unit (EIU) and sponsored by ForgeRock, which describes itself as a digital identity management company, found that Americans are the most concerned about misuse of data, with the survey including people from Europe and Asia Pacific as well as the US. Eve Maler speculates that, in what she calls ‘the post, post-Snowdon era’, people are beginning to have strategies around their privacy rights. She suggests that following various breaches, United Healthcare and Equifax, for example, American attitudes have shifted. Vera Jouriuva said: “I have a very strong feeling that the tiger got out of the cage.” Referring to the recent furore over Facebook, she continued: “Something that is serious happened. That will have opened all of our eyes. I see that American people are more relaxed about their privacy and they are not looking to impose such strong pressure as the Europeans. This strong pressure from Europeans resulted in the stricter rules, coming into force in May (GDPR). And I expect something like that in the United States.” What happens in the US regarding data privacy is relevant to companies trying to comply with GDPR, not least because under GDPR, a data controller is responsible for the personal data it has collected, even when it is processed by third parties including third parties not based in the EU. See this in the context of uploading data onto the cloud: as far as GDPR is concerned, when data gathered by a country that falls under the jurisdiction of GDPR uploads data into the cloud, and that data is held on servers in the US, maybe owned by Amazon, Microsoft or Alphabet, then that data is regarded as imported. Or so Anthony Lee, a privacy lawyer and Partner at DMH Stallard told us. Mr Lee explained: “There is a general prohibition of personal data exported out of the European Economic Area, unless it is going to a country which has been designated by the EU commission as having suitably robust privacy laws in place. And for example, the US is not one of those countries.” The data privacy story in the US weaves. There used to be Safe Harbour, until the Austrian lawyer and privacy activist, Max Schrems, with half a mind on the Edward Snowdon revelations, took on Facebook. Safe Harbour was a voluntary scheme that had been set up by the US government in conjunction with the EU Commission, it meant that if a company was a member you could tick the adequacy box, as required under GDPR for the export of data. Schrems objected to the way, US state agencies could, as Anthony Lee put it, “essentially help themselves to data under the Patriots Act - creating the impression of mass surveillance.” Mr Schrems took the matter up with the Irish Data Protection Agency, who dismissed his case, saying it was “frivolous and vexatious.” Schrems was not finished, however, takingthecasetotheIrishHighCourt,who referred the matter to the European Court of Justice to the European Commission, who sided with Schrems saying that Safe Harbour was unlawful and henceforth ‘you can’t use it’. The eventual result was The Privacy Shield, the voluntary system currently in place. According to Anthony Lee, under Obama there was an understanding that there would be restraints on the extent to which state agencies could help themselves to data. The Trump administration, however, has made it clear that US rules are there to protect US residents and not European citizens .” Sylvia Kingsmill is a Partner at KPMG, heading up digital privacy and compliance nationally for the firm. Canada, and in particular, Ontario, is the home of privacy by design and default, a fundamental part of GDPR, and Ms Kingsmill worked with the Ontario privacy commissioner in the early days of privacy by design. Shesays:“TheproblemwiththeUSisthat they do not have a national omnibus data protection law that regulates data privacy, but they do have a very heavy handed regulator, The Federal Trade Commission, which exercises its powers under section five of the Federal Trade Act, for any practices that are misleading and deceptive. Privacy falls under that umbrella. That’s where The FTC flexes its muscles, against the tech giants like Facebook and Google, but they do need a national standard, so there is a uniform approach.” However, Ms Kingsmill says that sectors like healthcare and banking have been regulated for some time, and “I know that the US gets a lot of flack because the tech giants aren’t regulated enough, but in certain sectors take privacy very seriously.” Another important element in US data privacy relates to class action law suits, which are far more prevalent in the US. “Facebook could be the game changer, though,” suggests Ms Kingsmill. And that takes us to how the US, with its own particular priorities and the EU, via GDPR, view data privacy. The differences are clear. Maybe in the EU, the experiences from the World War II period, strikes a stronger resonance. It may be no coincidence that within the EU, the most vociferous of defenders of data privacy, and how it relates to human rights, is Germany. But if attitudes in the US, as the ForgeRock sponsored EIU survey suggests, are changing, then the mood may be ripe for a GDPR type framework to be applied there too. Maybe the eruption of media attention relating to Facebook and data privacy will be the catalyst. There is a general prohibition of personal data exported out of the European Economic Area, unless it is going to a country which has been designated by the EU commission as having suitably robust privacy laws in place. And, for example, the US is not one of those countries. A recent survey from The Economist Intelligence Unit (EIU), sponsored by ForgeRock, found that Americans are the most concernedaboutmisuseofdata.
Expand your knowledge – pre-register to Data Protection World Forum today
Millennials are different, or so they say. The generation born in the decade or two before the end of the last century, or so we keep hearing, have a different way of thinking. Take their attitude towards personal data. A study by the USC Annenberg Center for Digital Future and Bovitz Inc found that 56 per cent of the millennial generation would be willing to share their location with a nearby company in return for a relevant coupon or promotional deal. By contrast, only 42 per cent of users of 35 years and older agreed they would share their location. Jeffrey I. Cole, the director of the USC Annenberg Center for the Digital Future said: “Millennials recognise that giving up some of their privacy online can provide benefits to them. This demonstrates a major shift in online behaviour.” But is it really like that? The millennial generation and their youngers, generation Z, are what they call digital natives - they are digitally savvy. But how many kids do you know who share only minimal information on Facebook with parents? Don’t they know precisely how to change privacy settings, determining who can see certain posts. Abigail Dubiniecki, data privacy specialist lawyer, recalls “being at a conference where people were talking about 14-year-olds using Instagram, setting up multiple user profiles, deleting stuff when it no longer supports the narrative they put forward to friends. Whether it is cheetah photos or skate boarding, they are actively developing their brands on social media.” She says: “I think this is far more natural to them than to us; I did not grow up being seen by the whole world. If something embarrassing at high school happened, maybe most of the people at the school would know about it, but not someone a couple of blocks away, or half an hour away. But they have found very creative ways to control their own narrative.” It’s what’s Dr Ann Cavoukian calls informational self-determination. It’s about ‘when I want to share, I do, when I don’t want to, I don’t. If I share it’s for this purpose not that’. Abigail says: “That’s what privacy is.” Valerie Steeves, Professor of Criminology at the University of Ottawa, conducted a study into this very area. It seems that privacy consideration come as almost second nature to this generation. In the study, she found that participants engaged in a number of different strategies to manage their privacy. For example, a small number of photos were kept entirely private, while priority was given to efforts aimed at controlling who sees particular photos and preventing them from being spread to unintended audiences.Some topics were seen as private and not appropriate to share. Snapchat and Instagram were used to ensure audiences saw particular photos. Snapchat was seen as platform for sharing with friends, Instagram was seen as a platform for building a persona and thus required more careful curation. Some created multiple accounts to limit which audiences saw which content, for example, ‘spamming friends using one Instagram with less formal images,’ but these accounts only have a very small number of followers, such as close friends. Snapchat has a feature that tells users if a screen shot is taken of one of their photos, and this was cited by some as an important feature. More than half expected friends to ask permission before posting an image with them in it. There was a lot of emphasis on retrospective consent, asking peers to delete photos they didn’t want shared. Data privacy seems to be something that is implicitly understood by this generation. GDPR and how the millennial generation manage privacy By Michael Baxter 13. Dr Ann Cavoukian refers to informational self- determination. It’s about ‘when I want to share, I do, when I don’t want to, I don’t. If I share it’s for this purpose not that’.
GDPR: A QUICK SUMMARY BY ARDI KOLAH, Executive Fellow and Director of the GDPR Transition Programme at Henley Business School
Introduction GDPR requires a re-boot in our thinking about data protection, privacy and security for the digital age. It represents the biggest shake up in European data protection and privacy laws for over two decades. The genesis of GDPR is the 2012 proposal by the European Commission for a modern legal framework for the world’s largest digital single market of 500 million consumers. This was more about lowering the barriers to market entry for new entrants, increasing competition and choice of products and services for consumers and stimulating economic activity and employment across the European Economic Area (EEA). Since that time, the pendulum has swung in the other direction and there’s now an obsessive focus on data protection, privacy and security in the wake of an exponential increase in cyber- crime and the misuse of personal data on a global scale. Although this is extremely important it has clouded judgment on seeing GDPR as a significant opportunity, not a regulatory threat for companies and organisations. The open competition aspects of GDPR remain in place, and the European Commission is actively leading the effort to encourage companies and organisations to create a deeper level of digital trust in order to do more, not less, with personal data. Fully enforceable across all 28 EU Member States from 25 May 2018, GDPR aims to deliver a high degree of consistency, certainty and harmonisation in the application of data protection, privacy and security laws across the EU, replacing the Data Protection Directive 95/46/EC and other Member State legislation like the Data Protection Act 1998 in the UK, in its wake. Within this new landscape, there’s limited ‘wriggle room’ for Member States to pass laws that impact the processing of personal data seen only through the lens of national self-interest. Many commentators have pointed to this as evidence of a lack of harmonisation of data protection, privacy and security laws applying across the EU, given the differences in the way some aspects of GDPR will work on a country-by-country basis. However, the reality is that such differences are largely confined to a relatively small number of operational areas for companies and organisations within the EU. Many countries, including the UK, have passed their own data protection laws in alignment with GDPR and globally, this trend is gaining momentum. In the case of the UK, certain standards under GDPR are being raised under Member State laws. From a commercial perspective, companies and organisations that conduct cross-border personal data processing will be primarily regulated by the local supervisory authority in the jurisdiction in which it has its main establishment. Data protection principles GDPR retains the core principles of the Data Protection Directive 95/46/EC,buthasbeefedthemup.Thecorerulesmaylookfamiliar to experienced privacy practitioners and senior managers, but this is a trap for the unwary as there are many important new obligations as well as a tougher regime of sanctions and fines for getting this wrong. There are seven data protection principles and the data controller and data processor must ensure that it complies with all of them: 1. Lawfulness, fairness and transparency Personal data must be processed lawfully, fairly and in a transparent manner. 2. Purpose limitation Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that’s incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes). 15. GDPR is complex, right? Even if you feel you know the basics the Regulation can be confusing. Here, GDPR is summarisedbyArdiKolah,DirectoroftheGDPRTransition Programme at Henley Business School, and Editor-in- Chief at the Journal of Data Protection and Privacy. This summary comes from Ardi’s book, The GDPR Handbook, whichisavailableonAmazonfrom3June2018. Make sure you don’t miss issue 2 – subscribe here for free
3. Data minimisation Personal data must be adequate, relevant and limited to what’s necessary in relation to purposes for which they are processed. 4.Accuracy Personal data must be accurate and where necessary, kept up- to-date. Inaccurate personal data should be corrected or deleted. 5. Retention Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes). 6. Integrityandconfidentiality Personal data should be kept secure. 7. Accountability The data controller should be able to demonstrate and in some cases, verify compliance, with GDPR. What to do now? Double check that all policies, processes and procedures are in place and that this delivers the seven data protection principles. Ensure that the board support company and organisation-wide awareness and training programmes that should be short, informative (not boring!) and that all of this is recordable and logged. Security of processing GDPR requires the data controller and the data processor to keep personal data secure. This obligation is expressed in general terms but does indicate that some enhanced measures, such as encryption and pseudonymizing may be required. The data controller must report data breaches to their supervisory authority within 72 hours of discovering this has happened, unless the personal data breach doesn’t cause high or very risk to the rights and freedoms of individuals. What to do now? Undertake a full review of technical security measures that are appropriate for the type of personal data processing being carried out at the data controller and data processor. Seek expert guidance and support. Data Protection Officer (DPO) A data controller, joint data controller and a data processor may be required to appoint a data protection officer (DPO). This depends on what processing of personal data is being carried out. Certain private and most public-sector organisations will be required to appoint a DPO to oversee their data processing operations. A DPO will be required where: the processing is carried out by a public authority or body; the core activities of the data controller or data processor consist of processing which requires regular and systematic monitoring of data subjects on a large scale; the core activities consist of processing special categories of personal data on a large scale and required by Member State law. The DPO must be involved in all data protection issues and can’t be dismissed or penalised for performing their duties and responsibilities. The DPO must also report to the highest level of management authority within the company and organisation. The DPO must be involved in all data protection and security issues and can’t be dismissed or penalised for performing their role. The DPO must report directly to the highest level of management within the company or organisation but doesn’t have to physically report to the CEO. The report they write must be considered by the board. What to do now? Ensure that a suitable senior manager within the company and organisation has been identified and can be trained independently to fulfil the duties and responsibilities of the DPO. They need to be adequately resourced otherwise this in itself is a breach of GDPR. Other alternatives including using a consultant as a DPO or an outsourced DPO service. Data Controller and pan-European data breach notification obligations The data controller is responsible for deciding the purposes and means for the processing of personal data and can be a private company and organisation, a charitable or voluntary body, operate in the public sector or be government department. The responsibility and liability of the data controller for any processing of personal data or that done on its behalf by the data processor needs to be established. The data controller is obliged to implement appropriate and effective organisational and technical measures to mitigate very high risks of processing personal data that could cause harm or damage to data subjects. It’s important that the data controller is able to demonstrate compliance of personal data processing activities with GDPR. Those organisational and technical measures should take account of the nature, scope, context and purposes of the personal data processing and the risks to the rights and freedoms of natural persons. GDPR imposes stricter obligations with respect to data security and a specific data breach notification process. In the event of a personal data breach that’s likely to result in a high risk to the rights and freedoms of data subjects, the data controller must notify the supervisory authority and where appropriate affected data subjects within 72 hours of becoming aware of the breach. Notice needs to be given “without undue delay” and must contain proscribed information. What to do now? Prepare for personal data breaches and practice the way in which the company and organisation will respond to the real thing. 16.
Double check policies, processes and procedures are fit for purpose and ensure how the company and organisation will react and whom to notify including the DPO. Implement staff training as to what to do in such instances, as well as how to reduce the risk of incidents and personal data breaches occurring in the first place. Extra-territorial reach GDPR primarily applies to companies and organisations established in the EU. It will also apply to businesses based outside the EU that offer goods and services to, or monitor the behaviour of individuals in the EU. What to do now? These businesses based outside of the EU will need to appoint a representative in the EU, subject to certain limited exemptions. The representative may have to accept liability for breaches of GDPR and could only act under specific instructions from the data controller. The representative effectively has all of the downsides but no corresponding upsides so it’s a difficult relationship from the start. Cross-border data transfer rules GDPR prohibits the transfer of personal data outside the EU unless certain conditions are met. Those conditions are broadly the same as those under the Data Protection Directive 95/46/EC. but adds new ones such as certification mechanisms and codes of conduct, as well as a new very limited derogation for occasional transfers based on legitimate interest. Country-specific authorization processes will no longer be needed (with some exceptions) and Binding Corporate Rules (BCRs) are formally recognised in GDPR. What to do now? Double check that there’s an up-to-date inventory of cross-border data flows; check the strategy in the light of any decisions from the European Commission, the Court of Justice of the European Union and EU-US Privacy Shield (if appropriate). Data mapping The data controller and data processor must maintain an up-to-date record of processing activities. Under GDPR, detailed information must be kept and could be inspected. What to do now? The DPO must ensure and document what actually the data controller holds now in the way of personal data, the intentions of transferring this personal data, and how such data flows internally through the company and organisation. Data Processor obligations GDPR expands the list of provisions that data controllers must include in their contracts with data processors. Some aspects of GDPR are directly applicable to processors. This will be a major change for some suppliers who have avoided direct regulation under the Data Protection Directive 95/46/EC by setting themselves up as data processors. Processors will be jointly and severally liable with the relevant controller for compensation claims by individuals. What to do now? Ensure that new obligations under GDPR are understood and observed. GDPR imposes compliance obligations directly on the dataprocessor,suchasimplementingsecuritymeasures,notifying the data controller of personal data breaches, appointing a DPO (if applicable), maintaining records of processing activities, etc. the data processor will be directly liable in case of non-compliance and may be subject to direct enforcement action. The data controller and data processor will be required to enter into detailed data processing agreements or renegotiate existing ones. Data Subject’s rights GDPR largely preserves the existing rights of individuals to access their own personal data, rectify inaccurate data and challenge automated decisions about them. The Regulation also retains the right to object to direct marketing. There are also potentially significant new rights for individuals, includingthe“righttobeforgotten”andtherighttodataportability. The new rights are complex and it isn’t clear how they will operate in practice. In addition, the data controller will also be required to provide significantly more information to Data subjects about their personal data processing activitiesd What to do now? The data controller must implement appropriate processes and infrastructure to be able to address data subjects’ rights and requests. It must also ensure that an adequate Data Privacy Notice is provided prior to commencement or within one month where the personal information comes from a third party. Quality of consent Obtaining consent from an individual is just one way to justify processing their personal data. There are other justifications. It will be much harder for the data controller to obtain a valid consent under GDPR. Individuals can also withdraw their consent at any time. As under the Data Protection Directive 95/46/EC, consent to process special (sensitive) personal data must be explicitly given. Consent to transfer personal data outside the Union must now also be explicit. What to do now? Consent is retained as a processing condition but GDPR is more prescriptive than the Directive 95/46/EC when it comes to the conditions for obtaining valid consent, so this needs to be very carefully understood. The key change is that consent will require a statement or clear affirmative action of the data subject. Silence, pre-ticked boxes 17.
and inactivity will not be sufficient. GDPR clarifies cases where consent won’t be freely given (e.g. no genuine choice to refuse, clear imbalance between the data subject and the data controller such as in the workplace). Data subjects must be informed of their right to withdraw consent. One-Stop Shop GDPR applies to the processing of personal data by data controllers and data processors established in the EU, as well as by data controllers and data processors outside the EU where their processing activities relate to the offering of goods or services (even for free) to data subjects within the EU, or to the monitoring of their behaviour. The supervisory authority in the jurisdiction of the main or single establishment of the data controller/data processor will be the lead authority for cross-border processing (subject to derogations). What to do now? Assess whether – as a non-EU data controller and data processor – data processing activities of data subjects is within scope of GDPR. This must determine where the ‘main establishment’ might be located based on data processing activities. Profiling and Profiling-based decision making GDPR includes a wide range of existing and new rights for data subjects. Amongst these are the right to data portability (right to obtain a copy of one’s personal data from the controller and have them transferred to another controller), right to erasure (or ‘right to be forgotten’), right to restriction of processing, right to object to certain processing activities (profiling) and to automated processing decisions. The data controller will also be required to provide significantly more information to data subjects about their processing activities. What to do now? Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Individuals will also have an express right to ‘opt out’ of profiling and automated processing in a wide range of situations. If the data controller is engaging in profiling activities, then it must consider the best way to implement total security measures. Data Protection by Design and by Default These concepts are codified in GDPR and require the data controller to ensure that individuals’ privacy is considered from the outset of each new processing, product, service or application, and that, by default, only minimum amounts of personal data as necessary for specific purposes are collected and processed. What to do now? Implement measures, such as pseudonymisation or data minimisation designed to implement data protection principles from the outset of any project. Data Protection Impact Assessment ‘Lite’ and DPIA The data controller will be required to perform a data protection Impact Assessment (DPIA), where the processing of personal data (particularly when using new technologies) is likely to result in a high risk to the rights and freedoms of the individuals. At Henley Business School we conceived of DPIA ‘Lite’ which is a helicopter view of what is being done that’s compliant, what’s currently being done that isn’t compliant and what the data controller needs to consider starting to do in order to be complaint with GDPR. What to do now? DPIAs will particularly be required in cases of: an evaluation of personal aspects based on automated data processing including profiling processing on a large scale of special categories of personal data; systematic monitoring of a publicly accessible area; make DPIAs part of standard procedures for all personal data processing operations so that they are easier to implement as an everyday task; DPO should ensure that staff have been trained in order to carry out a DPIA and these need to be documented very carefully. Sanctions and fines There is a step change in sanctions and fines where supervisory authorities can impose fines up to 4% of annual worldwide turnover or €20 million, whichever is greater. There are also other powers at their disposal including audit rights, issue warnings and issue a temporary or permanent ban on the processing of personal data (known as a ‘STOP order’). What to do now? Understand and keep under review the type of personal data being processed, whether it is very high or high risk and what mitigation measures are necessary to reduce this to a residual risk that doesn’t cause harm or damage to data subjects and record the organisational and technical measures deployed within the company and organisation. 18.
The EU General Data Protection Regulation (GDPR) comes into force in May 2018, and will impact every organisation that trades with any EU country. The new regulations will disrupt how organisations: store,manageandprocessdata.GDPRisthebiggest shake-up in data protection for a generation. Ourhalf-dayandfull-daycoursesprovideapractical and efficient staff training programme, presenting staff with the knowledge, understanding and practical tools to implement and maintain GDPR compliant processes. Contact Leon for more details: leon@dataprotection.media 0203 515 3015 Half Day : £2,000 Full Day : £3,500
Privacy by design and default Where it began: Dr Ann Cavoukian is passionate about data privacy. Appointed Information and Privacy Commissioner of Ontario, Canada in 1997, today she is the Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University, Canada. And when it comes to privacy by design and default - she is the boss, the governor - the person who brought the concept to the world. Privacy by design and default is a key, maybe the single most vital, part of GDPR - it means privacy is part of the foundation of a new product or service, an integral part - not a bolt-on extra. AndwhenDrCavoukiantalksonthesubject, her passion is palpable - and contagious. Back in 2016, she expanded on the idea at the SAI Computing Conference, London. You can see a video of her talk on the Ryerson website. It’s worth watching. But when you hear her story, you begin to get it. Privacy, and by extension, because it is so essential to it, privacy by design and default, is about freedom - a human right. The good doctor herself has a personal tale which may point to why this concept is so important to her. She is from an Armenian family born in Egypt - her parents fled the country in the 1950s in the dead of night. They had lived charmed lives, but still they left. Why? She asked her parents that very question. “We moved for you, for your freedom” they said. But then maybe a similar story can be applied to the German people as a whole. Today they have a phrase to describe it. Germans call it informationelle Selbstbestimmung - Information self- determination. It was enshrined into the German constitution in 1983 and Dr Cavoukian says “Germany is now the leading privacy and data protection country in the world.” But there is a myth about privacy - it does not mean secrecy. Not zero sum Some people fear that, in a healthcare setting, data privacy could hold back progress, cost safety and lives. Data is helping the fight against disease - it was once estimated that if the data gathered by the British NHS was captured and monetised it would create an organisation worth over a trillion dollars. But privacy does not have to come at the expense of the benefits of data. It’s not a zero-sum game - privacy does not means less of another benefit, rather privacy can enhance, create a positive sum. Dr Cavoukian says “privacy can work with safety, with data analytics, marketing - it’s not an either, you can have both. Privacy does not equal secrecy it’s about personal control, which belongs to you. Privacy does not equal secrecy. By Michael Baxter 20. Privacybydesign It’s about freedom - a human right. PRE-REGISTER FOR DATA PROTECTION WORLD FORUM HERE
Adil Akkus has 24 years’ experience in IT and Business change delivery. He holds a B.Sc. degree in Computer Science as well as PRINCE2, MSP and MoP Practitioner certifications. He has successfully implemented a wide varity of multi-site and multi-million-pound programmes for industry leaders such as Mercer, Sky, IBM, Virgin Media, BT, AT&T Wireless and T-Mobile. With his CIPP/E privacy and data protection certification, he has set up and implemented 3 multi-national GDPR programmes. Here he introduces privacy by design. Equifax In September 2017, Equifax hit the news headlines with reports suggesting that over 140 million people’s personal data was breached. It transpired that Equifax failed to install a security patch tool for building web applications in a timely manner. Some proactive actions and securing data even at the design stage would have saved a lot of money and bad press for Equifax. Facebook, WhatsApp data sharing for ad targeting After Facebook purchased the WhatsApp messaging platform, they set out to change WhatsApp’s terms and conditions to allow the data sharing with Facebook for ad targeting purposes. The news raised a lot of public uproar. Even though most of us use both apps separately, a significant percentage of the users changed their settings to prevent this. In March 2018, the ICO convinced WhatsApp to sign a public commitment not to share personal data with Facebook until data protection concerns are addressed. Setting the users’ privacy to the strictest mode (i.e. privacy by default) would surely have prevented all this hassle. Conclusion With the undeniable influence of GDPR, public and the regulators expect “privacy by design” to prevent such high profile cases and to increase public confidence in the organisations with their data. Until recently, data protection teams had to fight hard to convince the product, service and technology teams to pay attention to privacy concerns, GDPR’s emphasis on “privacy by design” will transform out ways of working and thinking. 1.ProactivenotReactive;Preventative not Remedial The principle encourages the proactive rather than reactive measures. It requires the organisations to anticipate the risks and prevent privacy incidents before they occur. Privacy as the Default Setting (referred to as Privacy by Default) This principle promotes the maximum privacy protection as a baseline. It requires any new service or product to use strictest privacy settings by default, without any manual input from the end user. Some privacy experts argue that GDPR’s push for “explicit” consent can be traced back to this principle. Privacy Embedded into Design This principle demands the privacy measures not to be bolted on as add-ons, after the fact. It drives privacy to become an essential component of the core service, product or functionality that is being delivered. As a result, privacy becomes an integral part of the product or service, instead of a functionality trade-off. Full Functionality – Positive-Sum, Not Zero-Sum This principle encourages creating a privacy-by-design culture where privacy policies drive rather than hinder growth and revenue. End-to-End Security with a full Lifecycle Protection Having embedded privacy by design into the systems in the previous principles, this one requires the data to be protected cradle to grave; wherever it goes, from the time it is created, shared, and finally archived. Visibility and Transparency – Keep it Open This principle is all about building consumer trust. Information about your privacy practices should be out in the open and written in plain language. Respect for User Privacy – Keep it User-Centric This principle puts consumers in charge of their data. It requires users to be given the ability to update and correct any data held about them. It also requires the users to be the only ones who can grant and revoke access to their data. 2. 3. 4. 5. 6. 7. 21. Over the recent few years, we have witnessed some of the highest profile data breaches and incidents from Yahoo to Uber, from Equifax to Talktalk. Some of these breaches remained undetected, unreported or unknown for various reasons. A good proportion of these incidents could have been prevented or handled in a much less costly and much less distressing way by using the privacy by design principles. Background Even though privacy by design has become very popular over the last few years, thanks to GDPR, it is has been around since the 90s. Privacy by design argues the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks. It argues that privacy assurance must become an organisation’s default mode of operation. Dr. Ann Cavoukian, who is hailed as the ‘Godmother of Privacy by Design,’ set out the foundations across seven principles: The 7 Foundational Principles of Privacy by Design By Adil Akkus
From Don’t miss our next issue – subscribe for free here Youcandomorewiththedatabecause people already know; they are not goingtobeshockedorannoyed,they are going to share more, they are goingtosharegoodqualityaccurate databecausetheywillseethatthere isabenefittoit.Andtheytrustyou.” Andthatistheessenceofprivacyby designanddefault.
Grim Reaper to hero How the data protection officer has become an enabler - and is no longer seen as a block to new ideas. Once, the data protection officer was the last port of call. So you had an idea for a product, you researched it, tested it, tweaked it, honed it some more, the PR people were ready, the advertising agency was briefed, the design was just so - and then it was compliance - the only barrier. To some it felt like the kiss of death to their brilliance. Deborah Dillon, a privacy protection officer of considerable experience says that is how it used to feel like to her. Today, she is the Data Privacy Lead at Atos. Before that, she worked for a ‘large bank.’ “Data privacy” she recalls “was like an after- thought. There had been no consideration of data development at all, until they came to me needing the information governance. And I often had to put the dampeners on projects.” It is not like that now, of course, and privacy by design is one of the main reasons, at least for Deborah. There’s a growing realisation that privacy by design is a key part of a product or service. And the data protection officer, by being the person who is integral to that, has been transformed. “I used to feel like I was seen as a grim reaper, now I am seen as an enabler,” says Deborah. Maybe she is being too modest. In the era of digital transformation and big data, the data protection officer is a hero, the one whose insights can help create trust between data subject, and controller or processor. Abigail Dubiniecki, Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer, says that GDPR, and privacy by design in particular, also present an opportunity to do some house keeping. It’s a kind of nudge. It is in our own interests to wear seat belts when driving, but until it became compulsory - the law - many of us ignored it. How many lives were saved when the law was changed? The numbers are probably countless? In fact, the Royal Society for the Prevention of Accidents has estimated that 50,000 lives have been saved in the UK alone since the law making it compulsory to wear seat belts in the front of a car was introduced in the country some 30 years ago. Indeed, behavioral economists have a word for it: ‘nudge’, advanced by Cass Sunstein and the Nobel Prize winning Richard Thaler - that we can change our behavior to act in our own best interests through quite subtle influences. Maybe GDPR and privacy by design are like that. Companies are run by people - and some tasks are seen as more fun. Efficiently managing data, ensuring it’s not kept unnecessarily eating up valuable storage space, may not feel sexy, but it’s still important. Or for that matter, since data is valuable, knowing what you have is vital. As Ms Dubiniecki continued: “People are not leveraging their data because they don’t know what they have. So they are not unlocking the value from 23. So for me, GDPR is the missing link to get to companies before they do digital transformation. “
it, they are just hoarding it, and putting it into lakes because they are hoping that some day they will find something in that closet or lake - so GDPR is forcing you to know exactly what you have, which gives you an opportunity to really harvest it.” But privacy by design and default is about creating trust. Ms Dubiniecki explained: “You can do more with the data because people already know, they are not going to be shocked or annoyed, they are going to share more, they are going to share good quality accurate data because they will see that there is a benefit to it. And they trust you.” And that is the essence of privacy by design and default. When she was working at the ‘large bank’, Deborah Dillon says “I brought in privacy by design, in anticipation of GDPR, working with system developers, products teams, and building it right at the start of a product. And it worked so well, and data was captured so well, that systems developers were talking to each other about the datasets they needed to collect to apply privacy principles.” She says it was so refreshing to hear, “really turning data privacy on its head. I am bringing it in with clients now, it’s great for compliance and transparency.” If you can get privacy right, rather than becoming an after-thought, a necessary hurdle to overcome, it can enhance a product, make it more appealing to the customer, a reason to buy your product or service. She recalls an occasion, at the bank, how she managed to build data protection into a Christmas competition in a way that made it more interesting. It involved a Christmas tree in every branch - the idea wasforcustomerstonominateaneighbourforanaward, as someone who had done a lot for the local community and put their nomination on the tree. But the privacy implications were enormous - and potentially damaging to the bank’s reputation with customers. Deborah explained: “Privacy by design is not just the big systems. In this particular case, by using personal privacy as an advantage, we made the identity of the person nominated anonymous, instead they were described without revealing who they were and the person who nominated them put their own email address into the competition, and in the event their nominee win, the neighbour was to be told and in turn inform the winner.” Digital transformation; the missing link Digital transformation has become a big buzz word of the moment - a lot of companies are looking to transform their businesses - they may have a good budget, but, as Deborah says: “They have to get their house in order first, for me GDPR comes before digital transformation.” She says that if they know data is accurate, and relevant, in the right place at the right time, then when they are looking at digital transformation, the process can become a whole lot more effective. She gives as an example, uploading data onto the cloud: if they have classification of documents, then if there is highly sensitive information and data, it stays in the private cloud, but internal information might go into the public cloud. “So for me, GDPR is the missing link to get to companies before they do digital transformation.” Atos is the European leader in the payment industry. It focuses on big data services, cybersecurity, and digital workplace, cloud services, infrastructure & data management, business & platform solutions, as well as transactional services through Worldline. Given what it does, it may come as no surprise to learn that Deborah says: “At Atos, privacy by design is a must for our customers.” The benefit The headlines focus on the fines associated with GDPR, the potentially heavy cost of not complying. But for many large companies a fine, even one that could be four per cent of turnover, is just another problem - and not necessarily even one of the more serious challenges. Maybe that will change when the first fines are rushed out, but at the moment there is a perception that regulators across the world are thinly stretched, have multiple responsibilities, and that in practice, fines will be rare - a risk to a company for sure, but maybe not a great one. The latest revelations concerning Facebook add another dimension - the damage to the company’s reputation - the falls in the share price that saw over $70 billion knocked off the company’s market capitalisation - shows how data privacy and respecting customer’s data is not just about trying to avoid fines, but protecting reputation too - something that can be worth far more than a few per cent of turnover. So, while the threat of a fine, may be seen as a stick to ensure data protection is taken more seriously, the reputational damage that can arise from a data breach, or allegations that governance is not what it should be, is potentially a much more fearsome stick. But privacy by design and default can provide a carrot too, it can help a company manage costs by making more efficient use of data, but above all can be a superb communication message to the customer. Privacy policies say: “we take your privacy seriously” but do people believe it? Do they just assume the policy is there to provide legal protection? By contrast, if privacy can become a core part of a product, if it screams out at the customer ‘you can trust us, we are on your side, protecting your privacy is fundamental to who we are, a human right’ then all of a sudden your image is transformed - the customer will be more willing to agree to their data being processed, and your reputation is given the kind of boost that can make the difference between success and failure, that can give you a decisive edge over rivals. That is why privacy by design has transformed the data protection and privacy officer - from grim reaper, who was seen as a hurdle that could prove impossible to pass, to hero - someone whose insights can transform the reputation of a company, or public service, creating a bold, empowering and successful relationship with the customer. by michael baxter 24.
SPEAKERS INCLUDE: WWW.DATAPROTECTIONWORLDFORUM.COM 20TH & 21ST November 2018, ExCeL London JAM IE BARTLETT PERN ILLE TRAN BERG RO H IT TALW AR ARD IKO LAH 2018 WILL BE A LANDMARK YEAR FOR DATA PROTECTION AND PRIVACY LEON@DATAPROTECTIONWORLDFORUM.COM 0203 515 3015 Pre-register for the data protection event of the year here
The Canadian experience... By Michael Baxter Don’t miss the data protection event of the year – pre-register here
“We exported privacy by design to the rest of the world” says Sylvia Kingsmill, a Partner at KPMG Canada, and the Canadian Digital Privacy & Compliance Leader, “now we are importing it back.” But the Canadian experience is illuminating - unlike in the EU, where under GDPR, privacy by design and default is a requirement, in Canada it has been voluntary. But companies and other organisations still apply it. The Canadian view and the Dr Ann Cavoukian view is that it is just common sense. “We in Canada,” she says “took Ann’s seven foundational principles which are the lynchpin. It is one thing to have it as a philosophy, another to actually do it and operationally track it.” Ms Kingsmill worked with Dr Ann Cavoukian and her team at Ryerson University in developing privacy by design methodology and framework to assess new technology and services against the principles of privacy by design. What does this mean? “What do controls look like from the perspective of a company or entity? How do we bake in the right controls, so they can demonstrate, whether it is in the EU or Canada, that they are taking the right steps to directionally protect our consumer rights and freedoms?” In Canada, you “can get certified to say look we are doing the right things to your data, we are listening, we are following best practice, we are following guidelines, we are listening to regulators, we don’t want to just appease them.” There is another way of putting it that really does sum it all up: “We satisfied a market need, and that need is to re-assure the public.” She cites as an example CANTATICS, a Canadian organisation that produce an anti-insurance fraud solution. Privacy by design is a core part of the product. The data generated by insurance claims across companies can be used to spot fraud, regular insurance claimants, who, in order to avoid detection, spread their fraudulent claims across multiple companies. But the result of this is higher insurance premiums, so it is very much in the interests of customers to come up with a fix. So CANTATICS applied privacy by design. They showed how processing customer’s data worked to their benefit, promoted how the data would only be used for the specific purpose stated and kept no longer than necessary. In short, privacy by design became a feature, a key part of what CANTATICS is about. There was no need for an enforcement body - it was there because it was important, a key part of creating trust, building and maintaining a reputation. But rules are being introduced. “We had a Parliamentaryreportrecommending19 areas toreformtomaintainouradequacystandards and the main topic is privacy by design.” ButthenSylviaKingsmillreckonsthisishow things are going worldwide. “International regulators are collaborating, there is a global privacy enforcement network,” she says. GDPR then, or at least Privacy by design anddefault,mayhavehaditsrootsinCanada, but now it is being applied worldwide. GDPR is about “transparency, accountability and control.” “It is actually pretty brilliant the way they have put together GDPR, as awful as it looks, I just wish they had used clear concise intelligible language like they say we should. The architecture of that law is really quite impressive, and I say this as someone who has read a lot of laws.” Abigail Dubiniecki, is an Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer. To put it mildly, she knows her GDPR. And, like so many experts on GDPR and advocates of privacy by design and default, she is Canadian. When she talks about GDPR her passion shines through, she tells it like privacy is one of the most important issues of the day - of the digital world, but then given how data and personal data is shaping the economy, business and impacting upon us all, it probably is. “Before I came here, I was already doing privacy by design without calling it that,” she says, referring back to when she was the privacy lead on an in-house counsel team for a Canadian crown corporation. We in Canada took Ann’s seven foundational principles which are the lynchpin. It is one thing to have it as a philosophy, another to actually do it and operationally track it. 27. “
The Canadian take Cardinal rule “Under GDPR, one of the cardinal rules is ‘know the data”. She explains: • what data you have • why you have it • what you are doing with it • do you have a lawful basis for having it • how long you need to keep it • who you are sharing it with • and for what purpose But then, look at the detail, the devil may not emerge, but you must be devilishly careful: • Are there secondary purposes for which you are using it? • if so, are they sufficiently linked? • is this something that requires you to go back to the drawing board? “It’s not a legal obligation in Canada to apply privacy by design, but those basic principles are there.” Says Dubiniecki. “She adds: “what GDPR does and what privacy by design asks you to do is take data cycle life management practices, cyber security best practices and fair information principles and make that a legal obligation.” She turns to the public sector. We had this constant interaction with our regulators, so when something comes up, we are supposed to report that, not just to the regulators and privacy commissioner’s office, but there is also the Treasury Board Secretariat, so accountability has been built in; it’s just a reflex. “And although no one would say it’s a legal obligation to apply privacy by design, much of that is already there, if not articulated.” Shakespeare said it well, “that which we call ‘privacy by design’ by any other phrase smells so sweet.” Not to mention helps confer a human right. In Canada there is no formal right to be forgotten law, but there is the Right to Rectify. “You can correct something that is wrong, and if something is unlawfully processed that’s a problem, but where we differ is that we don’t have the same teeth for enforcement.” Privacy by design may have been invented in Canada, but she says “we only started to take it seriously once the EU adopted it”, but that seems to be the Canadian way. If you are a Canadian rock star, or Canadian hip hop artist or painter, no one is going to care about you in Canada until you go somewhere else and become really popular, then they call you Canadian. “It is being looked at in many other countries, such as in Latin America and in countries that are eager to trade with the EU, such as Japan where there is a lot of interest and now finally Canadians are paying attention to it too. As they seek to reap the benefits of greater trade with Europe under the Canada- EU comprehensive and economic trade agreement (CETA).” Examples of privacy by design and default Dubiniecki cites as an example: Securekey and its product, SecureKey Concierge, technology that enables you to ‘bring your own credentials’ to prove your identity. Abigail explained: “You can access 80 government services using banking credentials” and it’s a service in which privacy by design is an integral part. “The idea is that you don’t have to have loads and loads of different data, in different treasure troves, my company and your company, and government so that you can be attacked from any angle. Now we have this system to verify when you need to be verified This has been a big trend, putting control in the hands of the individual, giving them greater security because there are fewer places where your identity is spread about, creating a richer, more reliable way to confirm someone’s identity, because you have much richer dataset than you would have if you just have passwords, and date of birth and other things that someone could steal.” 1. 2. 3. 28. GDPR is about transparency, accountability and control: Interview with Abigail Dubiniecki, Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer
End-to-end and the seven foundation principles With privacy by design, we talk about end to end protection, rights, and putting the user first, all those things are baked into GDPR. So as a starting point, you have to meet the seven personal data processing principles, in every activity that you do. You have to make sure that your default choice is the most privacy preserving choice. So if it is social media, the default is to share information with the people ‘I want to share with, not share with the public,’ you can’t ‘default to share with the public’ and roll it back, you have to default to something more defensible that makes sense in the light of our exchange, and the reason why ‘I am coming to your platform.’ You have to meet those principles. It must be lawful. You have to choose which lawful basis you are relying on. If you are relying on consent, you have to be able to let someone withdraw consent as easily as they give it, and ensure it is freely given. In an employment situation you cannot rely on consent, because it can’t be freely given. Therefore, you have to look at other lawful bases. Then you have to go through all the principles which must be baked into everything you are doing. People have these seven rights under GDPR and you have to make good on them, which means however you design those systems you have to find that needle in a haystack, so if, say Rob Lowe makes a subject access request, when you are designing your system, you have to make it so that you can find everything that is said about Rob Lowe in everything you have done or shared with his data. Be warned “Lots of companies are doing back flips, ‘oh this does not apply to me because of Brexit’, ‘it does not apply to me because I amjustaprocessorforatelecomscompany and I don’t actually see anything’, ‘I am not even interested in what’s coming in there’, but it absolutely does, if there is personal data in there, if you don’t need it, then don’t have it. Or anonymise it so you reduce your compliance footprint. “If they say, ‘I am not going to do anything with it, so I should be okay,’ They will be in trouble. If not under GDPR, then under ePrivacy regulation and the Cyber Security Act that is being proposed. Or under the ‘Directive on the Security of Networks and Information Systems’. There is something in that digital single market strategy that will hit you. So, pay attention.” 4. 5.
GDPRandthefourthindustrialrevolution by Michael Baxter Subscribe for free here and get the next issue to your inbox
There is a nice analogy with a chess board that illustrates the point. Put a grain of rice on the top left-hand square. Moving to the right, put two on the one next to it, then four, doubling, with each square working your way across and down the square until you reach square 64, at the bottom right hand corner. At the end of the first row, you would have 128 grains of rice. At the end of row two, 32,000 grains of rice, eight million by the end of row three, and by the last square 128 trillion grains of rice. This, goes the idea, serves as a metaphor for the way technology is accelerating. Whether this is accurate or not, one can say, without doubt, that technology is developing at an extraordinary pace. Moore’s Law Moore’s Law, relates to words spoken by Gordon Moore, co- founder of Intel, in 1965, that the number of transistors on an integrated circuit double every two years. Today, Moore’s Law is said to refer to computers doubling in speed every 18 months to two years. It’s the classic example of accelerating technology, the chess board analogy seems to describe this perfectly. The economist Brad de Long estimated that if someone had built a computer with the kind of processing power of the iPhone X in 1957, it would have cost 150 trillion of today’s dollars, the device would have taken up a hundred-storey square building, 300 meters high, and 3 kilometres long and wide and would have drawn 150 terawatts of power—30 times the world’s generating capacity at that time. There is a view that Moore’s Law is now slowing down, because of the physical limits in cramming more transistors on a chip. But newer technologies, such as quantum computers, applying the super material graphene instead of silicon, or photonic chips could give Moore’s Law a new lease of life. Metaphorical Moore’s Law But the idea of Moore’s Law can be applied to other applications - not literally Moore’s Law, but following a similar trajectory. Examples include Butter’s Law, which predicts a doubling of data transmission over a fibre optic cable every nine months, or genome sequencing, which has seen the cost of sequencing the human genome fall from $2.7 billion when it was first sequenced as part of the human genome project, at the start of the century, to less than $1,000 today. Renewable energy also seems to be falling in cost at an exponential pace - although the factor here seems to be the learning rate - a doubling in the user base leads to a proportional fall in cost, or lithium ion batteries which have fallen in cost from $1,000 a kilowatt hour in 2008 to around $200 in 2016. Convergence But it’s when we take into account convergence that things get exciting. Technologies to watch include: • The Internet of Things • Robotics • Artificial Intelligence (AI) • Augmented reality • Virtual reality • Super materials such as graphene • Quantum computing • 3D printing/additive manufacturing • 5G and faster internet speeds • Genome sequencing • CRISPR/cas-9 - DNA editing • Mobile computing/the cloud • Blockchain • Drones • Energy storage • Renewable energies Convergence, combined with Moore’s Law and metaphorical Moore’s Law, are causing things to develop at an extraordinary pace. Faster computers are helping to support advances in AI, developments in screen technology, advances in processing power, and in the components that make up smart phones such as accelerometers - which tell a phone which way it is being held - are supporting advances in virtual reality. The combination of AI, with sensors that make up the Internet of Things inside wearable devices, and genome sequencing is set to create a revolution in health tech. Data But data is a key part of the revolution. Aggregation of data from genomesequencingandsensorsmonitoringthebody,whenanalysed by AI, may create new insights on the treatment of diseases. According to a study by IBM, 90 per cent of the information on the internet has been created since 2016. Eric Schmidt, chair at Alphabet, once said that every two days we create as much information as we did up to 2003. But it seems to be getting quicker. Another way to put it is to say technology has never changed so fast, but it will never again change as slowly as it is now. Fourth Industrial Revolution The ‘Fourth Industrial Revolution’ was so named by Klaus Schwab, founderoftheWorldEconomicForumwhichfamouslymeetsinDavos every January. In 2016, it was the theme of the Davos conference. It follows the first industrial revolution of the 18th century, dominated by steam power and textiles, the period from the mid-19th century to 1914, led by the use of electricity, the rise of the motor car, flight, mass production, and then the more recent IT revolution. Personal data It is clear that personal data will be part of this revolution and the processing of it may create extraordinary insight and make incredible efficiencies. But there is risk. Will it lead to a surveillance state? The end of secrets does not sound so bad, but the end of privacy does. Maybe we are heading for a time when we sell our data? Can AI take our data, even anonymous data, and by comparison with our data streams de-anonymise it? These are among the biggest issues of the day. GDPR takes us the heart of this matter. It has its critics, but the regulation may represent a key moment in the battle to ensure the results of the Fourth Industrial Revolution are benign. Technology,astheysay,isaccelerating. Moretothepoint,itisalsoconverging. 31.
“Our research shows that around two thirds of people are conformable with the data exchange part of a modern economy” says Chris Combemale. The Direct Marketing Association (DMA) recently published research into what the consumer really thinks about data privacy. Data isn’t the only thing that is making the Fourth Industrial Revolution possible, but without it, the Revolution could flitter out and die. And the DMA research finds that more needs to be done to create the trust that is required so that consumers are comfortable with their data being processed. The DMA survey also found that 54 per cent say “trust in an organisation is the single most important reason why they will share data,” but 78 per cent say that “the company gets the best value of the exchange, 86 per cent say they want more control over what companies do with their data, and 88 per cent of companies say they would like more transparency. “Unless there is trust; that data is held securely and trust that companies will only do with it what they say they are going to do, tell you openly and honesty, then we will have a real issue going forward,” suggests Chris. Chris began his working life in TV production before entering the world of advertising and marketing, joining Young and Rubicam in New York. He worked for the famous advertising and marketing agency for 12 years, with a stint in Asia, working in Hong Kong and Singapore. Today, he is CEO of the DMA Group, comprising the DMA, IDM (Institute of Direct and Digital Marketing) and TPS (Telephone Preference Service). He sees a parallel between GDPR and the Advertising Standards Authority. “The ASA, ensures that, on a voluntary self-regulated basis, ads are truthful and meet societal standards. If ads are found to be untruthful they have to be removed. This is really important as it means that the consumer can trust that the ads they see are truthful, and don’t have to worry about deciding which ones are telling lies and which ones are not. The same applies to data, companies have to have open honest and transparent in their communications about what they are doing with their data. GDPR will mandate this.” Referring to the DMA survey, he said “we have some way to go if we are going to create the eco system and environment that is right for the modern future. “GDPR can play an important role, as it mandates that companies, and government for that matter, give people more control and greater transparency. “If companies do a good job, they will articulate the benefits in a better way than they have done, so that people start to see the value exchange as a balance between the great benefit they get, and the benefit the company gets.” Yet, in some respects, he says that this perception that the company achieves the greater benefit from the value exchange is almost inexplicable. “When you think of some of the value we get every day in our lives, so if you think of the number of people who use Google maps for free, several times a day, it is not only free it contains minimal advertising.” “Do we just take it for granted, is that why we won’t see value, why 78 per cent say the company benefits from the value exchange?” “GDPR is going to be helpful, not perfect, but was drafted with the idea of increasing consumer confidence in the future technological and data driven economy. In a similar way to how self-regulated watch dogs such as the ASA have created confidence in the traditional advertising market.” Advertising and the Fourth Industrial Revolution The media is not like it used to be. There was a time when we instinctively knew the difference between the media and, say, a ChrisCombemale,CEOattheDMA:FourthIndustrialRevolution 32. trust in an organisation is the single most important reason why they will sharedata. Anyone who is wholly worried or wholly optimistic, is missing the point. optimismandworrymustbeinbalance. And the benefits cannot accrue if you don’tmitigateagainsttherisks.
retailer or taxi operator. “But,” suggests Chris, “technology has evolved such that new products and services that have become available, that make is easier and more efficient to live their lives, are all essentially media channels that rely on the use of data to deliver them. So that is true; whether it be an Uber, who use data to work out where to collect you from and drop you off somewhere, or websites that sell you products or access to services providing content. “And increasingly, as we move into a world of AI and big data analytics, more and more we will combine technology and data to create new services of the future. But it is really important, that people trust the technologies and how they use the data. “ 33. “GDPRcanplayanimportantrole,asitmandatesthatcompanies, and government for that matter, give people more control and greater transparency. The opportunity and threat from data So, the point is hammered home. Trust is vital, and GDPR can be a key part of creating that trust. “Big data could be the new oil or the new asbestos. There is a huge amount of opportunity for businesses, people and society in the era of big data, but there is an equal amount of risk. That is why it is important we have a set of rules on our playing field which help us mitigate the risk and empower the opportunity. “And that is what GDPR is trying to do. It is important we think about the risk as well as the opportunities. “At the DMA, we say we need to move from responsible marketing and codes of practice, to ethical marketing, where people think about the impact on society of these technologies that are coming forward and understand how your business can use them for positive purposes and mitigate the risk. “Anyone who is wholly worried or wholly optimistic, is missing the point, optimism and worry must be in balance. And the benefits cannot accrue if you don’t mitigate against the risks.” And that is why GDPR may prove to be a vital tool or even weapon in the battle to ensure that the final outcome of the Fourth Industrial Revolution is benign. SUBSCRIBE FOR FREE TODAY HERE
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine
Data Protection Magazine

Empfohlen

Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdprExponential_e
 
In-house counsel Masterclass: Navigating the Social Network
In-house counsel Masterclass: Navigating the Social NetworkIn-house counsel Masterclass: Navigating the Social Network
In-house counsel Masterclass: Navigating the Social NetworkMHCLawyers
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?Hayden McCall
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Top 10 GDPR solution providers 2020
Top 10 GDPR solution providers 2020Top 10 GDPR solution providers 2020
Top 10 GDPR solution providers 2020TheCEOViews
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesOgilvy Consulting
 
What Are The Pitfalls Of People Analytics And Data-Driven HR?
What Are The Pitfalls Of People Analytics And Data-Driven HR? What Are The Pitfalls Of People Analytics And Data-Driven HR?
What Are The Pitfalls Of People Analytics And Data-Driven HR? Bernard Marr
 
GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?Samuel Pouyt
 

Empfohlen

Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdprExponential_e
 
In-house counsel Masterclass: Navigating the Social Network
In-house counsel Masterclass: Navigating the Social NetworkIn-house counsel Masterclass: Navigating the Social Network
In-house counsel Masterclass: Navigating the Social NetworkMHCLawyers
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?Hayden McCall
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Top 10 GDPR solution providers 2020
Top 10 GDPR solution providers 2020Top 10 GDPR solution providers 2020
Top 10 GDPR solution providers 2020TheCEOViews
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesOgilvy Consulting
 
What Are The Pitfalls Of People Analytics And Data-Driven HR?
What Are The Pitfalls Of People Analytics And Data-Driven HR? What Are The Pitfalls Of People Analytics And Data-Driven HR?
What Are The Pitfalls Of People Analytics And Data-Driven HR? Bernard Marr
 
GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?GDPR: Threat or Opportunity?
GDPR: Threat or Opportunity?Samuel Pouyt
 
3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
3 Steps To Tackle The Problem Of Bias In Artificial Intelligence3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
3 Steps To Tackle The Problem Of Bias In Artificial IntelligenceBernard Marr
 
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...Dana Gardner
 
GDPR: Time to Act
GDPR: Time to ActGDPR: Time to Act
GDPR: Time to ActCathy Gilmartin
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...Jessica Pattison
 
DMA Data Protection 2014
DMA Data Protection 2014DMA Data Protection 2014
DMA Data Protection 2014Rachel Aldighieri
 
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...DATUM LLC
 
Actiance whitepaper-social-media-legal-issues-canada
Actiance whitepaper-social-media-legal-issues-canadaActiance whitepaper-social-media-legal-issues-canada
Actiance whitepaper-social-media-legal-issues-canadashibrah76
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPRMissMarvel70
 
Introduction to Ethics of Big Data
Introduction to Ethics of Big DataIntroduction to Ethics of Big Data
Introduction to Ethics of Big Data28 Burnside
 
Privacy and Big Data Overload!
Privacy and Big Data Overload!Privacy and Big Data Overload!
Privacy and Big Data Overload!SparkPost
 
Designing for Privacy in an Increasingly Public World
Designing for Privacy in an Increasingly Public WorldDesigning for Privacy in an Increasingly Public World
Designing for Privacy in an Increasingly Public WorldRobert Stribley
 
Chapter 8 big data and privacy - social media 3533
Chapter 8 big data and privacy - social media 3533Chapter 8 big data and privacy - social media 3533
Chapter 8 big data and privacy - social media 3533Hubbamar
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
Ethics of Big Data
Ethics of Big DataEthics of Big Data
Ethics of Big DataMatti Vesala
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRMatt Stubbs
 
Be aware of the laws in South Africa that apply to email
Be aware of the laws in South Africa that apply to emailBe aware of the laws in South Africa that apply to email
Be aware of the laws in South Africa that apply to emailLance Michalson
 
Cloud security and cloud adoption public
Cloud security and cloud adoption publicCloud security and cloud adoption public
Cloud security and cloud adoption publicJohn Mathon
 
Vint big data research privacy technology and the law
Vint big data research privacy technology and the lawVint big data research privacy technology and the law
Vint big data research privacy technology and the lawKarlos Svoboda
 
INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securitySamo Zavašnik
 
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc
 

Weitere ähnliche Inhalte

Was ist angesagt?

3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
3 Steps To Tackle The Problem Of Bias In Artificial Intelligence3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
3 Steps To Tackle The Problem Of Bias In Artificial IntelligenceBernard Marr
 
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...Dana Gardner
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Ian Beckett
 
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...Jessica Pattison
 
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...DATUM LLC
 
Actiance whitepaper-social-media-legal-issues-canada
Actiance whitepaper-social-media-legal-issues-canadaActiance whitepaper-social-media-legal-issues-canada
Actiance whitepaper-social-media-legal-issues-canadashibrah76
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPRMissMarvel70
 
Introduction to Ethics of Big Data
Introduction to Ethics of Big DataIntroduction to Ethics of Big Data
Introduction to Ethics of Big Data28 Burnside
 
Privacy and Big Data Overload!
Privacy and Big Data Overload!Privacy and Big Data Overload!
Privacy and Big Data Overload!SparkPost
 
Designing for Privacy in an Increasingly Public World
Designing for Privacy in an Increasingly Public WorldDesigning for Privacy in an Increasingly Public World
Designing for Privacy in an Increasingly Public WorldRobert Stribley
 
Chapter 8 big data and privacy - social media 3533
Chapter 8 big data and privacy - social media 3533Chapter 8 big data and privacy - social media 3533
Chapter 8 big data and privacy - social media 3533Hubbamar
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowSymantec
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
Ethics of Big Data
Ethics of Big DataEthics of Big Data
Ethics of Big DataMatti Vesala
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRMatt Stubbs
 
Be aware of the laws in South Africa that apply to email
Be aware of the laws in South Africa that apply to emailBe aware of the laws in South Africa that apply to email
Be aware of the laws in South Africa that apply to emailLance Michalson
 
Cloud security and cloud adoption public
Cloud security and cloud adoption publicCloud security and cloud adoption public
Cloud security and cloud adoption publicJohn Mathon
 
Vint big data research privacy technology and the law
Vint big data research privacy technology and the lawVint big data research privacy technology and the law
Vint big data research privacy technology and the lawKarlos Svoboda
 

Was ist angesagt? (20)

3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
3 Steps To Tackle The Problem Of Bias In Artificial Intelligence3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
3 Steps To Tackle The Problem Of Bias In Artificial Intelligence
 
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
How Enterprises Can Gain Data Privacy, and Build their Bottom Lines, By Compl...
 
GDPR: Time to Act
GDPR: Time to ActGDPR: Time to Act
GDPR: Time to Act
 
Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017 Deloitte the case for disruptive technology in the legal profession 2017
Deloitte the case for disruptive technology in the legal profession 2017
 
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
GDPR: A ticking time bomb is approaching - Another Millennium Bug or is this ...
 
DMA Data Protection 2014
DMA Data Protection 2014DMA Data Protection 2014
DMA Data Protection 2014
 
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
Data Discovery & Search: Making it an Integral Part of Analytics, Compliance ...
 
Actiance whitepaper-social-media-legal-issues-canada
Actiance whitepaper-social-media-legal-issues-canadaActiance whitepaper-social-media-legal-issues-canada
Actiance whitepaper-social-media-legal-issues-canada
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPR
 
Introduction to Ethics of Big Data
Introduction to Ethics of Big DataIntroduction to Ethics of Big Data
Introduction to Ethics of Big Data
 
Privacy and Big Data Overload!
Privacy and Big Data Overload!Privacy and Big Data Overload!
Privacy and Big Data Overload!
 
Designing for Privacy in an Increasingly Public World
Designing for Privacy in an Increasingly Public WorldDesigning for Privacy in an Increasingly Public World
Designing for Privacy in an Increasingly Public World
 
Chapter 8 big data and privacy - social media 3533
Chapter 8 big data and privacy - social media 3533Chapter 8 big data and privacy - social media 3533
Chapter 8 big data and privacy - social media 3533
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
Ethics of Big Data
Ethics of Big DataEthics of Big Data
Ethics of Big Data
 
Big Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPRBig Data LDN 2017: Applied AI for GDPR
Big Data LDN 2017: Applied AI for GDPR
 
Be aware of the laws in South Africa that apply to email
Be aware of the laws in South Africa that apply to emailBe aware of the laws in South Africa that apply to email
Be aware of the laws in South Africa that apply to email
 
Cloud security and cloud adoption public
Cloud security and cloud adoption publicCloud security and cloud adoption public
Cloud security and cloud adoption public
 
Vint big data research privacy technology and the law
Vint big data research privacy technology and the lawVint big data research privacy technology and the law
Vint big data research privacy technology and the law
 

Ähnlich wie Data Protection Magazine

INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securitySamo Zavašnik
 
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationJake DiMare
 
Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...
Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...
Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...Rick Bouter
 
Sogeti big data research privacy technology and the law
Sogeti big data research privacy technology and the lawSogeti big data research privacy technology and the law
Sogeti big data research privacy technology and the lawYann SESE
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
Marketing data management | The new way to think about your data
Marketing data management | The new way to think about your dataMarketing data management | The new way to think about your data
Marketing data management | The new way to think about your dataLaurence
 
Privacy as a Career
Privacy as a CareerPrivacy as a Career
Privacy as a CareerDaviesParker
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesTech Trust
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyMicrosoft Österreich
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slidesNaomi Holmes
 
Spotlight on Technology 2017
Spotlight on Technology 2017Spotlight on Technology 2017
Spotlight on Technology 2017Craig Devlin
 
Mapping the pii market
Mapping the pii marketMapping the pii market
Mapping the pii marketpii2011
 
Gdpr workshop module_1
Gdpr workshop module_1Gdpr workshop module_1
Gdpr workshop module_1S Sid Ahmed
 
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Magento checklist AVG / GDPR - Algemene Verordering GegevensbeschermingMagento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Magento checklist AVG / GDPR - Algemene Verordering GegevensbeschermingErwin Otten
 
Tech For Good Meetup 10.11.14 The Good Data
Tech For Good Meetup 10.11.14 The Good DataTech For Good Meetup 10.11.14 The Good Data
Tech For Good Meetup 10.11.14 The Good DataTech For Good
 

Ähnlich wie Data Protection Magazine (20)

INFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL securityINFOMAGAZINE 8 by REAL security
INFOMAGAZINE 8 by REAL security
 
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
Preparing for GDPR: A Firefly Guide
Preparing for GDPR: A Firefly GuidePreparing for GDPR: A Firefly Guide
Preparing for GDPR: A Firefly Guide
 
Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...
Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...
Big data 3 4- vint-big-data-research-privacy-technology-and-the-law - big dat...
 
Sogeti big data research privacy technology and the law
Sogeti big data research privacy technology and the lawSogeti big data research privacy technology and the law
Sogeti big data research privacy technology and the law
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
Marketing data management | The new way to think about your data
Marketing data management | The new way to think about your dataMarketing data management | The new way to think about your data
Marketing data management | The new way to think about your data
 
Privacy as a Career
Privacy as a CareerPrivacy as a Career
Privacy as a Career
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
 
GDPRforum London
GDPRforum LondonGDPRforum London
GDPRforum London
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
Spotlight on Technology 2017
Spotlight on Technology 2017Spotlight on Technology 2017
Spotlight on Technology 2017
 
GDPRforum Brighton
GDPRforum BrightonGDPRforum Brighton
GDPRforum Brighton
 
Mapping the pii market
Mapping the pii marketMapping the pii market
Mapping the pii market
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
Gdpr workshop module_1
Gdpr workshop module_1Gdpr workshop module_1
Gdpr workshop module_1
 
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Magento checklist AVG / GDPR - Algemene Verordering GegevensbeschermingMagento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
 
Tech For Good Meetup 10.11.14 The Good Data
Tech For Good Meetup 10.11.14 The Good DataTech For Good Meetup 10.11.14 The Good Data
Tech For Good Meetup 10.11.14 The Good Data
 

Kürzlich hochgeladen

Construction Project Management | Coursera 2024
Construction Project Management | Coursera 2024Construction Project Management | Coursera 2024
Construction Project Management | Coursera 2024Alex Marques
 
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Hedda Bird
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, MumbaiPooja Nehwal
 
Day 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampDay 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampPLCLeadershipDevelop
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxalinstan901
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxSaqib Mansoor Ahmed
 
situational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Ssituational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Smisbafathima9940
 
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607dollysharma2066
 
operational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementoperational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementTulsiDhidhi1
 

Kürzlich hochgeladen (20)

Leadership in Crisis - Helio Vogas, Risk & Leadership Keynote Speaker
Leadership in Crisis - Helio Vogas, Risk & Leadership Keynote SpeakerLeadership in Crisis - Helio Vogas, Risk & Leadership Keynote Speaker
Leadership in Crisis - Helio Vogas, Risk & Leadership Keynote Speaker
 
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdfImagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
Imagine - Creating Healthy Workplaces - Anthony Montgomery.pdf
 
LoveLocalGov - Chris Twigg, Inner Circle
LoveLocalGov - Chris Twigg, Inner CircleLoveLocalGov - Chris Twigg, Inner Circle
LoveLocalGov - Chris Twigg, Inner Circle
 
Construction Project Management | Coursera 2024
Construction Project Management | Coursera 2024Construction Project Management | Coursera 2024
Construction Project Management | Coursera 2024
 
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 16 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...Dealing with Poor Performance - get the full picture from 3C Performance Mana...
Dealing with Poor Performance - get the full picture from 3C Performance Mana...
 
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 99 Noida Escorts >༒8448380779 Escort Service
 
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
{ 9892124323 }} Call Girls & Escorts in Hotel JW Marriott juhu, Mumbai
 
Day 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC BootcampDay 0- Bootcamp Roadmap for PLC Bootcamp
Day 0- Bootcamp Roadmap for PLC Bootcamp
 
Peak Performance & Resilience - Dr Dorian Dugmore
Peak Performance & Resilience - Dr Dorian DugmorePeak Performance & Resilience - Dr Dorian Dugmore
Peak Performance & Resilience - Dr Dorian Dugmore
 
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdfImagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
Imagine - HR; are handling the 'bad banter' - Stella Chandler.pdf
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptx
 
Unlocking the Future - Dr Max Blumberg, Founder of Blumberg Partnership
Unlocking the Future - Dr Max Blumberg, Founder of Blumberg PartnershipUnlocking the Future - Dr Max Blumberg, Founder of Blumberg Partnership
Unlocking the Future - Dr Max Blumberg, Founder of Blumberg Partnership
 
Empowering Local Government Frontline Services - Mo Baines.pdf
Empowering Local Government Frontline Services - Mo Baines.pdfEmpowering Local Government Frontline Services - Mo Baines.pdf
Empowering Local Government Frontline Services - Mo Baines.pdf
 
Does Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptxDoes Leadership Possible Without a Vision.pptx
Does Leadership Possible Without a Vision.pptx
 
situational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima Ssituational leadership theory by Misba Fathima S
situational leadership theory by Misba Fathima S
 
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICECall Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Tilak Nagar @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
GENUINE Babe,Call Girls IN Baderpur Delhi | +91-8377087607
 
Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
operational plan ppt.pptx nursing management
operational plan ppt.pptx nursing managementoperational plan ppt.pptx nursing management
operational plan ppt.pptx nursing management
 

Data Protection Magazine

  • 2. Published by Data Protection World Forum Editor: Michael Baxter, michael@dataprotectionworldforum.com Contributions from: Laura Edwards, Ardi Kolah, Adil Akkus, Deborah Dillon, Jenna Banks, Nathan Sykes, Jason Choy Design : Hannah Richards, Amplified Business Content DATA PROTECTION MAGAZINE Lawfulness of processing Before you go any further, take a note of this, it seems to be the most common point of discussion whenever the topic of GDPR comes up. Article 6 GDPR, Lawfulness of processing • Processing shall be lawful only if and to the extent that at least one of the following applies: • The data subject has given consent to the processing of his or her personal data for one or more specific purposes; • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; • Processing is necessary for compliance with a legal obligation to which the controller is subject; • Processing is necessary in order to protect the vital interests of the data subject or of another natural person; • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. • Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. a note from the editor Welcome to Data Protection Magazine. We are all data protection people now. Privacy and data protection has moved from an obscure corporate cubbyhole to the front pages of newspapers and it feels as if everyone has an opinion. The role of the data protection officer, or DPO, has been transformed. In the post GDPR era, DPOs don’t simply take instructions. They report to the highest level of management authority and are experienced in business continuity, risk and technology. Read the media, and you may come away with the impression that the DPO has gone from the person of last redress to rock star. In fact, the change is more nuanced than that. The role of the DPO under the GDPR is radically and legally different. But caring about data protection is not just a job for the DPO. It needs to run deep within a company and become a key consideration for senior management. The c-suite does not merely need to become data protection aware, the ladies and gentlemen who make up the higher echelons of corporate hierarchy need to breathe it. It needs to be embedded into their corporate mindset. As the editor of this publication, I too have been on a data protection and privacy journey. My background is as an economic and disruptive technology writer, but until a year or so ago, thinking deeply, or indeed narrowly, about privacy was barely on my radar. I had this notion that we may be entering an era which will see the end of secrets - that this is the inevitable consequence of creating transparency. But the truth is there is a dividing line. Transparency is good, but we do not want a transparent wall in our bathroom. Teenagers crave privacy from their parents. The mums and dads want transparency from their kids. Creating privacy in the age of transparency is one of the most important challenges of the digital economy. Data Protection Magazine is aimed at the business generalist rather than the data protection or privacy professional and will be released on a quarterly basis. Enjoy!
  • 3. You haven’t seen anything yet! GDPR is good for you Goodbye darkness hello friend GDPR and the United States GDPR and how the millennial generation manage privacy GDPR – a quick summary Privacy by design and default From Grim Reaper to hero The Canadian experience Interview with Abigail Dubiniecki GDPR and the Fourth Industrial Revolution AI, GDPR and the anonymisation of data Selling your data Anatomy of a breach in trust, the Facebook story Blockchain and GDPR The GDPR and small businesses The Data Protection World Forum Breaches, incidences and security Let’s put our head in the clouds Everything you need to know about cybersecurity The cardless society Subject access requests The wallflower of compliance grows thorns spring 2018 issue 1 contents 02. 05. 06. 10. 12. 14. 20. 22. 26. 28. 30. 34. 38. 40. 44. 46. 50. 52. 56. 58. 60. 62. 65.
  • 4. The General Data Protection Regulation is here. We sat down with Nicola McKilligan-Regan, one of the UK’s leading experts on data privacy, a woman who literally wrote the book about the Data Protection Act of 1998, to give us the benefit of her wisdom. Nicola herself has been working in privacy for 20 years, she admits reluctantly. She began working at the Information Commissioner’s Office (ICO) before it was called that. Instead, it went by the name of the Data Protection Registrar. She worked as a Strategic Policy and International Officer. In 2000, after the Data Protection Act 1998 came into force, she left to focus on helping organisations with the new law. In 2004, her book: A Pocket Guide to the Data Protection Act, was published. The ICO once said of the book that it was the sort of guidance it wished it had written. Today, she is the Senior Partner at the Privacy Partnership, as well as the founder and CEO of Smart Privacy, which provides privacy tools for businesses struggling to implement GDPR. And between now and when her book was published, she has been the Vice President Privacy at Thomson Reuters, and has enjoyed a glittering career in data privacy. The latest version of her book: The Pocket Guide to the Data Protection Act, GDPR and DPA 2018, is being published later this year. And we began by talking about whether GDPR is over-hyped, like the millennium bug 18 years earlier, soon to be forgotten, just as May 25th 2018 itself will be relegated to being just another ticked off date on the calendar. isGDPRislikethemillenniumbug,theso-calledY2K? Nicola: “No. We didn’t know what effect the millennium bug would have, but before GDPR is even implemented, regulators have begun flexing their muscles. She poses a question. “If GDPR is just like the millennium bug, why has Facebook moved the accounts of 1.5 billion users from Ireland to the US?” “The new regulations give regulators a lot more scope to take a hard line against businesses that don’t treat our personal data and privacy with the respect it deserves.” And then she sums it all up in one phrase: “You haven’t seen anything yet!” Why does GDPR matter? We can all get lost in detail: GDPR is such a vast topic that it can be devilishly difficult to sum it up in a way that captures the imagination. We asked Nicola to do just that.SUBSCRIBE FOR FREE TODAY HERE Thescaleofthepenaltiesindicatesthatgovernmentsnow seeprotectingprivacyasanimportantanissueasbeing abletostoppeoplefromlendingmoneytocriminals orsellingarmstoroguestates. • Whyit’snotlikethemillenniumbug • WhydoesGDPRmatter? • Isitgoodorbad? • MessagefortheCEO • MessagefortheDPO • Firststeps • GDPRandtheleanstart-up • “
  • 5. Nicola: “It’s the biggest change in data legislation in 18 years, as it brings data protection legislation up to speed with the internet age. “The scale of the penalties indicate that governments now see protecting privacy as an important an issue as being able to stop people from lending money to criminals or selling arms to rogue states. “For the first time, privacy regulators have really strong powers. The law now applies more directly to the latest technology and is supported by a compliance regime which is the equivalent of major compliance regimes such as AML – anti-money laundering. “If privacy was like a poor second cousin to AML compliance, it’s not like that now. “It’s about public interest. What governments think is important has changed from 18 years ago.” And is GDPR good or bad? So, given this, we asked whether the regulation is good or bad. Nicola: “It’s both. It was needed and I am a supporter of the general provisions. I am not so keen on the bureaucracy. It means a lot of record keeping, a lot of work for lawyers and consultants. But the trouble is, there is a danger that you end up paying less attention to the real risks to individuals - bureaucracy may act as a distraction from real issues.” Nicola cites as an example, Facebook: “It has a compliant privacy policy, but whether it is fair in the way it processes its users’ data is another matter.” A message for CEOs What advice does Nicola have for the CEO? “It is no longer possible, as Mark Zuckerberg found out, to hide behind saying ‘I didn’t know.’ Make sure you understand how privacy affects the business. CEOs are always busy, but they must find the time. If their organisation is large, they may have a General Counsel and a data protection officer. Pay attention to them. CEOs who are not aware of the key issues will be hung out to dry.” A message for the Data Protection Officer Andwhataboutthedataprotectionofficer, or an external advisor, how do you convince the board to take GDPR seriously? “Make sure your advice is very specific to the business model. Make sure your leadership fully understand how GDPR affects the business. “Remember, if you can stand out as an organisation that can solve GDPR problems or provide data privacy safeguards for customers and clients, that can be a commercial advantage. CEOs like to hear about that. “If instead, you focus on the fines, you risk the CEO saying ‘but, that’s what we pay you to avoid.’” InshortNicolasays,“engagetheboardontheir levelbyfocusingonthebusinessadvantage”. The DPO As you read this magazine you will find our article ‘Grim Reaper to Hero’. The role of the data protection officer has changed. But Nicola sees a challenge ahead, there is a shortage of people with the necessary skills. “To be a DPO you need to have experience to deal with practical issues - just sending someone on a course won’t cut it.” She also foresees a conflict of interest problem. “You can’t be the problem solver and advisor like you used to be. You are more like a policeman now. That means you are going to have to say ‘no’ a lot more. The first steps It’s a bit late to be worrying about the first steps now. But Nicola does have some specific advice on your general approach to GDPR. “If you do nothing else, train your staff. If you have an informed work- force it will reduce your risk.” The lean-start-up Nicola also has some advice for the start- up, maybe a company applying the ideas of a lean start-up. “Elizabeth Denham, the (UK’s Information Commissioner) has said that one of her big focuses is supporting small businesses. “I would say to a small business, talk to the regulator, either on a no name basis or get written advice. “The ICO has specialist teams in different sectors. And going to the ICO is cheaper than going to a lawyer. “My advice to a lean-start up, talking to the ICO, is to provide it with as much information as possible. If you get written advice keep it, if you get advice from an ICO help-line, take accurate notes, the name of the person you spoke to and the date and time of the call. “But you need to know enough about GDPR to recognise you have a problem.” Three take-homes Finally, we asked her to sum it all up and tell us the three most important things about GDPR. First off, she talked about consent. “I have always had a problem with consent being used as grounds for processing information, because people were not really given a choice. Now companies can no longer say ‘yes we have consent’ if they make it a condition of providing a service. And that is a big change. Now consent has to be totally free and informed.” Second off, she turned to legitimate interests. Consent and legitimate interests are two of the legal bases for processing data under GDPR. “Organisations can no longer tick a box, they have to document their argument for why their legitimate interests are not a threat to individuals’ privacy. So, they have to conduct a balancing test. You can’t just process information because it is a good commercial idea, you have to make sure it is balanced against the rights of individuals. And you have to document it, prove it and have a response if you are challenged.” Thirdly, “what you now see is a confident regulator, who has the power to take on large companies and is not afraid to act. Regulators now feel that they have the tools to act against Big Tech. “GDPRislikeagunaimedatthetempleof the big technology companies. Other smaller businesses are caught in the crossfire.” The rest is history The build-up to GDPR is over. That is now history. Now the hard work is on-going. In producing this magazine, we have spoken to experts on GDPR and data privacy, many of whom have been speakers at our GDPR Summits. We have more in the diary. And don’t forget, the Data Protection World Forum this November, where many of the experts we have been talking to for this publication, including Nicola herself, will be speaking. By MICHAEL BAXTER 03.
  • 6.
  • 7. GDPR IS GOOD FOR YOU The world’s largest company boasts a privacy policy that is a joy to read. What’s good for the customer is good for the business that serves that customer and GDPR is good for both. Let’s face it, privacy policies are not always fun to peruse. If someone wrote a book: “The world’s riveting privacy policies” it may be thick enough to act as a door stop, but only in a dolls’ house. Yet Apple, the company whose iTunes terms and conditions make GDPR read like romantic fiction, takes a pretty impressive stab at it. Maybe it is a coincidence that the company with such a privacy policy is also valued at $845 billion. But then there is no doubt that many millions of users choose its phones for the perception of privacy and data security. Maybe it is unfair to describe the company thus, Samsung will undoubtedly claim its own policies are just as robust, and maybe it would be right to do so. But perception is everything, and Apple is perceived in a certain way, this is at least one of the reasons why it is so successful and valuable. But to get to the nub of the matter, cast your mind back to 1949, when a book was published whose first sentence should be etched onto the minds of data professionals: “It was a bright cold day in April and the clocks were striking thirteen.” So began George Orwell’s 1984, a dystopian vision which gave the world such memes as Big Brother, Room 101 and Doublespeak. In the vision, privacy is no more. Not even our thoughts belong to us. Thirty nine years later, Apple announced its new computer to the world with a now famous ad featuring an Orwellian world: “On January 24th, Apple Computer will introduce Macintosh and you will see why 1984 won’t be like ‘1984.’” Fifteen years after that, Scott McNealy, the then chief executive of Sun Microsystems said: “Privacy is dead, get over it”, and famously in 2011, Mark Zuckerberg himself said: “People have gotten really comfortable, not only sharing more information and different kinds, but more openly and with more people.” He suggested that such lack of privacy has become a “social norm”. Zuckerberg is often quoted as saying privacy is dead. But there is no evidence he actually said that. Soon after he uttered those words about lack of privacy becoming a social norm, a spokesperson for Facebook said: “His remarks were mischaracterised and added: “A core part of Facebook’s mission has always been to deliver the tools that empower people with control over their information.” She continued: “If the assertion is that anything Mark chooses to make private is inconsistent with his remarks last week, here are a few other hypocritical elements of his life: he hides his credit card numbers in his wallet, he does not post the passwords to his online accounts, and he closes the door behind him when he goes to the toilet.” Yet,lookathowtheFacebooksharepriceslidaftertherevelations of its deal with Cambridge Analytica were outed by The Guardian and New York Times, look at the value of Apple. That is why there are big bucks in data protection, and it is why GDPR is not merely a good thing, it’s good news for the world. If, as The Economist suggested last year, big data is really the new oil, and not the new asbestos, as cynics might suggest, then that counts for nothing if people don’t trust companies with their data. A recent survey by ForgeRock found that 57 per cent of UK consumers are worried that they have shared too much personal dataonline.Fiftythree percentsaidtheywouldnotbecomfortable if their personal data was shared without their permission and a further 58 per cent said they would stop using a company’s services completely if it shared data without permission. If data is the means by which the digital economy can create wealth and give the so called Fourth Industrial Revolution the impetus it needs, then without trust, without the public’s confidence that their privacy is respected, the data revolution will stutter and then collapse. That is why we need GDPR - not as a piece of regulation to scare companies, not through some sense of anti-Orwellian sentiment, nor do we want regulators strutting the privacy stage like thought police, punishing the slightest transgression with fines to bankrupt well-meaning companies, but without trust, the data revolution may not happen - and that would be a disaster. PS: This article was written before Apple announced a new upgrade to its iOS operating system and OS for the Mac, designed to offer improved privacy. It seems that Apple sees data privacy as core strength, a feature that can give its products an edge. GDPR IS GOOD FOR YOU 05. PRE-REGISTER FOR DATA PROTECTION WORLD FORUM HERE
  • 8. GDPR is the general regulation, but contrary to many media reports, other rules and directives such as MiFID II, Open Banking, ePrivacy Regulation and The Directive on Security of Network and Information Systems, do not muddy the water, in fact they fit together. People too easily forget the financial crisis in 2008 was so severe that at one point it seemed as if capitalism itself was tottering. The truth is, that in the build up to that crisis, if you listened to the noise coming out of regulators and august bodies such as the IMF, then to borrow words from Simon and Garfunkel, you heard the sound of silence. The famous singing duo also said: “Hello darkness my old friend”, but the new digital single market and other regulations slowly being unveiled by the EU do not create a new barrier to business, as some might say, rather they are designed to bring “down barriers to online opportunity,” or, so says the European Commission. New regulations are also about transparency, and especially in the case of GDPR, responsibility and accountability. Above all, they are also about creating trust. Take MiFID II - Markets in Financial Instruments Directive version 2 - the media, always keen to spot a scandal, say that the new financial instruments directive is not compatible with GDPR - that the transparency required by MiFID II is at odds with the privacy that GDPR is designed to support. But this is simply not true. The detail does not reveal the devil, it reveals light. MiFID II is designed to force financial organisations to act in the best interests of their clients, and do not, as happened prior Goodbye darkness, hello friend to 2008, occasionally bet against clients, or recommend products simply because they pay a higher commission. So, for example, out goes the practice of giving away free research as an inducement to trade via an organisation - instead research must either be charged for or given away to all who want it, regardless of whether they are customers. High frequency trades must be time stamped in an effort to put an end to the practice of ordering a trade in an attempt to manipulate the market, and then cancelling the order before it is executed. But perhaps most significantly of all, MiFID II requires the holding of data concerning staff’s trading activities. It does this by saying that for every trade that your bank or broker makes on your behalf, there must be a detailed record. It must be possible to pull up all the data and information that goes with the trade, regardless of the medium, for example, a recorded phone call with someone giving instructions. Or it could be a text, an email, anything that relates to that trade - creating a paper trail, so there is a clear record showing what went into that decision to make that trade and whether it was in the best of interests of the customer. So MiFID II is all about empowering the consumer to make the right choices. ButsomearguethattheyhavespottedacontradictionwithGDPR. MiFID II requires the processing of data related to individuals, GDPR imposes rules on the processing of personal data. But as Abigail Dubiniecki, Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer, says: “There may seem to be a contradiction between MiFID II and GDPR but that’s not the case. Indeed, the FCA (Financial Conduct Authority) and ICO (Information Commission Office) have gone on record saying they are not incompatible, because under article six of GDPR, By Michael Baxter 06. Subscribe for free here and get the next issue to your inbox
  • 9. GDPR means you can only use the data for the purpose for which it was given. So if they share it with someone else, or try and sell another service, that is a no no, unless they find a legitimate interest or they get my consent or make use of one of the other bases of lawful consent. one of the lawful bases for processing personal data is legal obligation – you have a legal obligation, under MiFID II, to suck up all that data related to that trade.” Of course, it is nuanced. As Ms Dubiniecki added: “Could you suck up all that data and keep it forever, or not use it for the purpose for which you gathered it? Absolutely not. Under GDPR you have limited retention periods, you are not allowed to hold onto it for longer than is necessary for the purpose for which you got it, under the legal bases you used.” Returning to the Digital Single Market another new area is Open Banking, or PSD2. The idea here is simple enough, and at least in part the regulation has been created from one of the lessons of the 2008 crash, the risk of ‘too big to fail’ banks. It’s about data portability for the financial services sector, it is saying: ‘I should be able to take my personal data related to the banking that I have been doing with a particular bank, in a machine readable format that is common to everyone else, and plug it in somewhere else to see if I can get better rates, or a better device.’ Some fintechs may provide more information to you. Under Open Banking, it will be possible to take your banking data and via an app, provide you with a detailed online tool on your spending, updated in real time, projecting how much money you have at the end of the month, and search for better deals for you on financial products. But will the consumer have sufficient trust in how her or his data is processed? If the consumer is reluctant to let a third party take control of their data, then PSD2 will not achieve its desired outcome. There are lots of safeguards built into PSD2, rules about how data is used, but perception matters - the barriers to online opportunities will not be overcome unless this trust can be earned. That is why GDPR is so vital - the General Data Protection Regulation is what its name suggests: general. And as Abigail Dubiniecki said: “PSD2 does provide protections, but GDPR means you can only use the data for the purpose for which it was given. So if they share it with someone else, or try and sell another service, that is a no no, unless they find a legitimate interest or they get my consent or make use of one of the other lawful bases.” Open banking is a fundamental part of creating a digital market that serves the best interests of customers, but without trust it won’t get the take-up. GDPR is vital for creating that trust. Another area to watch is the new ePrivacy Regulation. At the moment, GDPR and the Privacy and Electronic Communications Directive or PECR, work hand in hand. A marketer, for example, seeking a legal basis for emailing customers may feel that the requirements for consent, under GDPR, are too onerous, but instead choose legitimate interest as their legal bases for processing personal data. GDPR is clear, Recital 47 states it in black and white: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” It is just that PECR imposes additional considerations. For one thing, it requires that in most cases, people have to give consent to receive emails, but, as John Mitchison at the Direct Marketing Association pointed out in a discussion with us: “There is a line that refers to soft opt-in. So if you have collected someone’s email in the course of doing business, and there is an opt-out option, you can send them emails.” PECR is soon to be replaced by the new e-Privacy Regulation. We are not sure what the final regulation will say yet, but there is one thing we can say for sure: it will dovetail with GDPR, the regulations will support each other and provide more light. Finally, there is The Directive on Security of Network and 07. “ The media, always keen to spot a scandal, say that the new financial instruments directive is not compatible with GDPR – that the transparency required by MiFID II is at odds with the privacy that GDPR is designed to support. But, one of the lawful bases for processing personal data is legal obligation – you have a legal obligation, under MiFID II, to suck up all that data related to that trade. Open banking is a fundamental part of creating a digital market that serves the best interests of customers, but without trust it won’t get the take-up. PECR is soon to be replaced by the new e-Privacy Regulation. We are not sure what the final regulation will say yet, but there is one thing we can say for sure: it will dovetail with GDPR; the regulations will support each other and provide more light.
  • 10. Information Systems (NIS Directive). EU countries have until 25 May 2018 to transpose this into national law. GDPR is unambiguous on the subject of security, and what to do in the event of a data breach: Article 33 states: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” GDPR then goes into further detail on cybersecurity. The NIS directive objective is to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers.” While GDPR focuses on cybersecurity in the context of data privacy, the NIS focuses on the sharing of information on cybersecurity threats, and improving security safeguards. The two regulations are once again designed to dovetail - and if there is any superficial indication that the sharing of information required by NIS is at odds with GDPR’s requirement for privacy, such a contradiction breaks down when you consider that one of the lawful bases for processing of personal data under GDPR is legal obligations. However, in NISD it is specifically stated that any information sharing that happens reincidence must be consistent with GDPR regulations when personal data is involved. The digital single market, big data, and the opportunity it all brings can create wealth and prosperity - but only if it can illuminate where currently there is darkness, bring transparency where where there is lack of visibility and trust where there is suspicion. GDPR, together with a raft of other measures, is designed to bring lightness and make digital technology and data the customers’ friend. The NIS directive objective is to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers.” Goodbye darkness, hello friend 08.
  • 11. GDPR IS A JOURNEY, NOT A DESTINATION £50 OFF BOOK NOW PROMO CODE: DPMAG GDPRSUMMIT.LONDON THE U K’ S L E ADING GDPR EVENT SERIES UNDERSTAND WHAT GDPR MEANS FOR THEIR BUSINESS HEAR FROM THE LEADING GDPR EXPERTS BENEFIT FROM INTERACTIVE IN-DEPTH SESSIONS GET ANSWERS TO THEIR BURNING QUESTIONS GAIN AN ACTIONABLE ROADMAP TO COMPLIANCE AND BEYOND SUPPORTED BY ATTENDEES WILL:
  • 12. GDPR is an EU measure, but the principles that lie behind the regulation are gaining traction around the world. George Soros, the billionaire investor and speculator, who famously bet against the Bank of England in 1992 and won, is an arch critic of the way big tech companies such as Alphabet and Facebook use data. Maybe it has something to do with Soros’ roots - growing up in Hungary under Nazi occupation. “Social-media companies are inducingpeopletogiveuptheirautonomy,” he said, “the power to shape people’s attention is increasingly concentrated in the hands of a few companies threatening the concept of ‘the freedom of mind.’” For that reason, he is a big supporter of GDPR. “Europe has much stronger privacy and data-protection laws than America,” he said when speaking at the World Economic Forum in Davos, earlier this year. He continued, “Commissioner Vestager (European Commissioner for Competition) is the champion of the European approach. It took the EU seven years to build a case against Google, but as a result of her success, the process has been greatly accelerated. Due to her proselytizing, the European approach has begun to affect attitudes in the United States as well.” Yet there is a perception that the US is too far behind. Commenting on the ongoing issues with Facebook, Vera Jouriuva, EU Commissioner for Justice, Consumers and Gender Equality, recently told the BBC: “I can tell you that now we have much stronger arguments to say that we did the right thing to adopt the General Data GDPR and the United Statesby Michael Baxter Don’t miss the data protection event of the year – pre-register here
  • 13. 11. Protection Regulation. . . So there will be a much stricter regulatiory framework in the EU. . . But I have just come back from Washington and when I look at the American legislation, I don’t see such a robust legislative framework so it will be interesting to look at the United States to see whether they will come up, in the future, with stricter rules.” Could this be changing? “The Americans have famously over time been the people who will give away data all day long,” says Eve Maler, the VP of Innovation & Emerging Technology at ForgeRock. But this could be changing: speaking to us from Seattle, she said “but Americans have become sensitised and more cynical.” A recent survey from The Economist Intelligence Unit (EIU) and sponsored by ForgeRock, which describes itself as a digital identity management company, found that Americans are the most concerned about misuse of data, with the survey including people from Europe and Asia Pacific as well as the US. Eve Maler speculates that, in what she calls ‘the post, post-Snowdon era’, people are beginning to have strategies around their privacy rights. She suggests that following various breaches, United Healthcare and Equifax, for example, American attitudes have shifted. Vera Jouriuva said: “I have a very strong feeling that the tiger got out of the cage.” Referring to the recent furore over Facebook, she continued: “Something that is serious happened. That will have opened all of our eyes. I see that American people are more relaxed about their privacy and they are not looking to impose such strong pressure as the Europeans. This strong pressure from Europeans resulted in the stricter rules, coming into force in May (GDPR). And I expect something like that in the United States.” What happens in the US regarding data privacy is relevant to companies trying to comply with GDPR, not least because under GDPR, a data controller is responsible for the personal data it has collected, even when it is processed by third parties including third parties not based in the EU. See this in the context of uploading data onto the cloud: as far as GDPR is concerned, when data gathered by a country that falls under the jurisdiction of GDPR uploads data into the cloud, and that data is held on servers in the US, maybe owned by Amazon, Microsoft or Alphabet, then that data is regarded as imported. Or so Anthony Lee, a privacy lawyer and Partner at DMH Stallard told us. Mr Lee explained: “There is a general prohibition of personal data exported out of the European Economic Area, unless it is going to a country which has been designated by the EU commission as having suitably robust privacy laws in place. And for example, the US is not one of those countries.” The data privacy story in the US weaves. There used to be Safe Harbour, until the Austrian lawyer and privacy activist, Max Schrems, with half a mind on the Edward Snowdon revelations, took on Facebook. Safe Harbour was a voluntary scheme that had been set up by the US government in conjunction with the EU Commission, it meant that if a company was a member you could tick the adequacy box, as required under GDPR for the export of data. Schrems objected to the way, US state agencies could, as Anthony Lee put it, “essentially help themselves to data under the Patriots Act - creating the impression of mass surveillance.” Mr Schrems took the matter up with the Irish Data Protection Agency, who dismissed his case, saying it was “frivolous and vexatious.” Schrems was not finished, however, takingthecasetotheIrishHighCourt,who referred the matter to the European Court of Justice to the European Commission, who sided with Schrems saying that Safe Harbour was unlawful and henceforth ‘you can’t use it’. The eventual result was The Privacy Shield, the voluntary system currently in place. According to Anthony Lee, under Obama there was an understanding that there would be restraints on the extent to which state agencies could help themselves to data. The Trump administration, however, has made it clear that US rules are there to protect US residents and not European citizens .” Sylvia Kingsmill is a Partner at KPMG, heading up digital privacy and compliance nationally for the firm. Canada, and in particular, Ontario, is the home of privacy by design and default, a fundamental part of GDPR, and Ms Kingsmill worked with the Ontario privacy commissioner in the early days of privacy by design. Shesays:“TheproblemwiththeUSisthat they do not have a national omnibus data protection law that regulates data privacy, but they do have a very heavy handed regulator, The Federal Trade Commission, which exercises its powers under section five of the Federal Trade Act, for any practices that are misleading and deceptive. Privacy falls under that umbrella. That’s where The FTC flexes its muscles, against the tech giants like Facebook and Google, but they do need a national standard, so there is a uniform approach.” However, Ms Kingsmill says that sectors like healthcare and banking have been regulated for some time, and “I know that the US gets a lot of flack because the tech giants aren’t regulated enough, but in certain sectors take privacy very seriously.” Another important element in US data privacy relates to class action law suits, which are far more prevalent in the US. “Facebook could be the game changer, though,” suggests Ms Kingsmill. And that takes us to how the US, with its own particular priorities and the EU, via GDPR, view data privacy. The differences are clear. Maybe in the EU, the experiences from the World War II period, strikes a stronger resonance. It may be no coincidence that within the EU, the most vociferous of defenders of data privacy, and how it relates to human rights, is Germany. But if attitudes in the US, as the ForgeRock sponsored EIU survey suggests, are changing, then the mood may be ripe for a GDPR type framework to be applied there too. Maybe the eruption of media attention relating to Facebook and data privacy will be the catalyst. There is a general prohibition of personal data exported out of the European Economic Area, unless it is going to a country which has been designated by the EU commission as having suitably robust privacy laws in place. And, for example, the US is not one of those countries. A recent survey from The Economist Intelligence Unit (EIU), sponsored by ForgeRock, found that Americans are the most concernedaboutmisuseofdata.
  • 14. Expand your knowledge – pre-register to Data Protection World Forum today
  • 15. Millennials are different, or so they say. The generation born in the decade or two before the end of the last century, or so we keep hearing, have a different way of thinking. Take their attitude towards personal data. A study by the USC Annenberg Center for Digital Future and Bovitz Inc found that 56 per cent of the millennial generation would be willing to share their location with a nearby company in return for a relevant coupon or promotional deal. By contrast, only 42 per cent of users of 35 years and older agreed they would share their location. Jeffrey I. Cole, the director of the USC Annenberg Center for the Digital Future said: “Millennials recognise that giving up some of their privacy online can provide benefits to them. This demonstrates a major shift in online behaviour.” But is it really like that? The millennial generation and their youngers, generation Z, are what they call digital natives - they are digitally savvy. But how many kids do you know who share only minimal information on Facebook with parents? Don’t they know precisely how to change privacy settings, determining who can see certain posts. Abigail Dubiniecki, data privacy specialist lawyer, recalls “being at a conference where people were talking about 14-year-olds using Instagram, setting up multiple user profiles, deleting stuff when it no longer supports the narrative they put forward to friends. Whether it is cheetah photos or skate boarding, they are actively developing their brands on social media.” She says: “I think this is far more natural to them than to us; I did not grow up being seen by the whole world. If something embarrassing at high school happened, maybe most of the people at the school would know about it, but not someone a couple of blocks away, or half an hour away. But they have found very creative ways to control their own narrative.” It’s what’s Dr Ann Cavoukian calls informational self-determination. It’s about ‘when I want to share, I do, when I don’t want to, I don’t. If I share it’s for this purpose not that’. Abigail says: “That’s what privacy is.” Valerie Steeves, Professor of Criminology at the University of Ottawa, conducted a study into this very area. It seems that privacy consideration come as almost second nature to this generation. In the study, she found that participants engaged in a number of different strategies to manage their privacy. For example, a small number of photos were kept entirely private, while priority was given to efforts aimed at controlling who sees particular photos and preventing them from being spread to unintended audiences.Some topics were seen as private and not appropriate to share. Snapchat and Instagram were used to ensure audiences saw particular photos. Snapchat was seen as platform for sharing with friends, Instagram was seen as a platform for building a persona and thus required more careful curation. Some created multiple accounts to limit which audiences saw which content, for example, ‘spamming friends using one Instagram with less formal images,’ but these accounts only have a very small number of followers, such as close friends. Snapchat has a feature that tells users if a screen shot is taken of one of their photos, and this was cited by some as an important feature. More than half expected friends to ask permission before posting an image with them in it. There was a lot of emphasis on retrospective consent, asking peers to delete photos they didn’t want shared. Data privacy seems to be something that is implicitly understood by this generation. GDPR and how the millennial generation manage privacy By Michael Baxter 13. Dr Ann Cavoukian refers to informational self- determination. It’s about ‘when I want to share, I do, when I don’t want to, I don’t. If I share it’s for this purpose not that’.
  • 16. GDPR: A QUICK SUMMARY BY ARDI KOLAH, Executive Fellow and Director of the GDPR Transition Programme at Henley Business School
  • 17. Introduction GDPR requires a re-boot in our thinking about data protection, privacy and security for the digital age. It represents the biggest shake up in European data protection and privacy laws for over two decades. The genesis of GDPR is the 2012 proposal by the European Commission for a modern legal framework for the world’s largest digital single market of 500 million consumers. This was more about lowering the barriers to market entry for new entrants, increasing competition and choice of products and services for consumers and stimulating economic activity and employment across the European Economic Area (EEA). Since that time, the pendulum has swung in the other direction and there’s now an obsessive focus on data protection, privacy and security in the wake of an exponential increase in cyber- crime and the misuse of personal data on a global scale. Although this is extremely important it has clouded judgment on seeing GDPR as a significant opportunity, not a regulatory threat for companies and organisations. The open competition aspects of GDPR remain in place, and the European Commission is actively leading the effort to encourage companies and organisations to create a deeper level of digital trust in order to do more, not less, with personal data. Fully enforceable across all 28 EU Member States from 25 May 2018, GDPR aims to deliver a high degree of consistency, certainty and harmonisation in the application of data protection, privacy and security laws across the EU, replacing the Data Protection Directive 95/46/EC and other Member State legislation like the Data Protection Act 1998 in the UK, in its wake. Within this new landscape, there’s limited ‘wriggle room’ for Member States to pass laws that impact the processing of personal data seen only through the lens of national self-interest. Many commentators have pointed to this as evidence of a lack of harmonisation of data protection, privacy and security laws applying across the EU, given the differences in the way some aspects of GDPR will work on a country-by-country basis. However, the reality is that such differences are largely confined to a relatively small number of operational areas for companies and organisations within the EU. Many countries, including the UK, have passed their own data protection laws in alignment with GDPR and globally, this trend is gaining momentum. In the case of the UK, certain standards under GDPR are being raised under Member State laws. From a commercial perspective, companies and organisations that conduct cross-border personal data processing will be primarily regulated by the local supervisory authority in the jurisdiction in which it has its main establishment. Data protection principles GDPR retains the core principles of the Data Protection Directive 95/46/EC,buthasbeefedthemup.Thecorerulesmaylookfamiliar to experienced privacy practitioners and senior managers, but this is a trap for the unwary as there are many important new obligations as well as a tougher regime of sanctions and fines for getting this wrong. There are seven data protection principles and the data controller and data processor must ensure that it complies with all of them: 1. Lawfulness, fairness and transparency Personal data must be processed lawfully, fairly and in a transparent manner. 2. Purpose limitation Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that’s incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes). 15. GDPR is complex, right? Even if you feel you know the basics the Regulation can be confusing. Here, GDPR is summarisedbyArdiKolah,DirectoroftheGDPRTransition Programme at Henley Business School, and Editor-in- Chief at the Journal of Data Protection and Privacy. This summary comes from Ardi’s book, The GDPR Handbook, whichisavailableonAmazonfrom3June2018. Make sure you don’t miss issue 2 – subscribe here for free
  • 18. 3. Data minimisation Personal data must be adequate, relevant and limited to what’s necessary in relation to purposes for which they are processed. 4.Accuracy Personal data must be accurate and where necessary, kept up- to-date. Inaccurate personal data should be corrected or deleted. 5. Retention Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes). 6. Integrityandconfidentiality Personal data should be kept secure. 7. Accountability The data controller should be able to demonstrate and in some cases, verify compliance, with GDPR. What to do now? Double check that all policies, processes and procedures are in place and that this delivers the seven data protection principles. Ensure that the board support company and organisation-wide awareness and training programmes that should be short, informative (not boring!) and that all of this is recordable and logged. Security of processing GDPR requires the data controller and the data processor to keep personal data secure. This obligation is expressed in general terms but does indicate that some enhanced measures, such as encryption and pseudonymizing may be required. The data controller must report data breaches to their supervisory authority within 72 hours of discovering this has happened, unless the personal data breach doesn’t cause high or very risk to the rights and freedoms of individuals. What to do now? Undertake a full review of technical security measures that are appropriate for the type of personal data processing being carried out at the data controller and data processor. Seek expert guidance and support. Data Protection Officer (DPO) A data controller, joint data controller and a data processor may be required to appoint a data protection officer (DPO). This depends on what processing of personal data is being carried out. Certain private and most public-sector organisations will be required to appoint a DPO to oversee their data processing operations. A DPO will be required where: the processing is carried out by a public authority or body; the core activities of the data controller or data processor consist of processing which requires regular and systematic monitoring of data subjects on a large scale; the core activities consist of processing special categories of personal data on a large scale and required by Member State law. The DPO must be involved in all data protection issues and can’t be dismissed or penalised for performing their duties and responsibilities. The DPO must also report to the highest level of management authority within the company and organisation. The DPO must be involved in all data protection and security issues and can’t be dismissed or penalised for performing their role. The DPO must report directly to the highest level of management within the company or organisation but doesn’t have to physically report to the CEO. The report they write must be considered by the board. What to do now? Ensure that a suitable senior manager within the company and organisation has been identified and can be trained independently to fulfil the duties and responsibilities of the DPO. They need to be adequately resourced otherwise this in itself is a breach of GDPR. Other alternatives including using a consultant as a DPO or an outsourced DPO service. Data Controller and pan-European data breach notification obligations The data controller is responsible for deciding the purposes and means for the processing of personal data and can be a private company and organisation, a charitable or voluntary body, operate in the public sector or be government department. The responsibility and liability of the data controller for any processing of personal data or that done on its behalf by the data processor needs to be established. The data controller is obliged to implement appropriate and effective organisational and technical measures to mitigate very high risks of processing personal data that could cause harm or damage to data subjects. It’s important that the data controller is able to demonstrate compliance of personal data processing activities with GDPR. Those organisational and technical measures should take account of the nature, scope, context and purposes of the personal data processing and the risks to the rights and freedoms of natural persons. GDPR imposes stricter obligations with respect to data security and a specific data breach notification process. In the event of a personal data breach that’s likely to result in a high risk to the rights and freedoms of data subjects, the data controller must notify the supervisory authority and where appropriate affected data subjects within 72 hours of becoming aware of the breach. Notice needs to be given “without undue delay” and must contain proscribed information. What to do now? Prepare for personal data breaches and practice the way in which the company and organisation will respond to the real thing. 16.
  • 19. Double check policies, processes and procedures are fit for purpose and ensure how the company and organisation will react and whom to notify including the DPO. Implement staff training as to what to do in such instances, as well as how to reduce the risk of incidents and personal data breaches occurring in the first place. Extra-territorial reach GDPR primarily applies to companies and organisations established in the EU. It will also apply to businesses based outside the EU that offer goods and services to, or monitor the behaviour of individuals in the EU. What to do now? These businesses based outside of the EU will need to appoint a representative in the EU, subject to certain limited exemptions. The representative may have to accept liability for breaches of GDPR and could only act under specific instructions from the data controller. The representative effectively has all of the downsides but no corresponding upsides so it’s a difficult relationship from the start. Cross-border data transfer rules GDPR prohibits the transfer of personal data outside the EU unless certain conditions are met. Those conditions are broadly the same as those under the Data Protection Directive 95/46/EC. but adds new ones such as certification mechanisms and codes of conduct, as well as a new very limited derogation for occasional transfers based on legitimate interest. Country-specific authorization processes will no longer be needed (with some exceptions) and Binding Corporate Rules (BCRs) are formally recognised in GDPR. What to do now? Double check that there’s an up-to-date inventory of cross-border data flows; check the strategy in the light of any decisions from the European Commission, the Court of Justice of the European Union and EU-US Privacy Shield (if appropriate). Data mapping The data controller and data processor must maintain an up-to-date record of processing activities. Under GDPR, detailed information must be kept and could be inspected. What to do now? The DPO must ensure and document what actually the data controller holds now in the way of personal data, the intentions of transferring this personal data, and how such data flows internally through the company and organisation. Data Processor obligations GDPR expands the list of provisions that data controllers must include in their contracts with data processors. Some aspects of GDPR are directly applicable to processors. This will be a major change for some suppliers who have avoided direct regulation under the Data Protection Directive 95/46/EC by setting themselves up as data processors. Processors will be jointly and severally liable with the relevant controller for compensation claims by individuals. What to do now? Ensure that new obligations under GDPR are understood and observed. GDPR imposes compliance obligations directly on the dataprocessor,suchasimplementingsecuritymeasures,notifying the data controller of personal data breaches, appointing a DPO (if applicable), maintaining records of processing activities, etc. the data processor will be directly liable in case of non-compliance and may be subject to direct enforcement action. The data controller and data processor will be required to enter into detailed data processing agreements or renegotiate existing ones. Data Subject’s rights GDPR largely preserves the existing rights of individuals to access their own personal data, rectify inaccurate data and challenge automated decisions about them. The Regulation also retains the right to object to direct marketing. There are also potentially significant new rights for individuals, includingthe“righttobeforgotten”andtherighttodataportability. The new rights are complex and it isn’t clear how they will operate in practice. In addition, the data controller will also be required to provide significantly more information to Data subjects about their personal data processing activitiesd What to do now? The data controller must implement appropriate processes and infrastructure to be able to address data subjects’ rights and requests. It must also ensure that an adequate Data Privacy Notice is provided prior to commencement or within one month where the personal information comes from a third party. Quality of consent Obtaining consent from an individual is just one way to justify processing their personal data. There are other justifications. It will be much harder for the data controller to obtain a valid consent under GDPR. Individuals can also withdraw their consent at any time. As under the Data Protection Directive 95/46/EC, consent to process special (sensitive) personal data must be explicitly given. Consent to transfer personal data outside the Union must now also be explicit. What to do now? Consent is retained as a processing condition but GDPR is more prescriptive than the Directive 95/46/EC when it comes to the conditions for obtaining valid consent, so this needs to be very carefully understood. The key change is that consent will require a statement or clear affirmative action of the data subject. Silence, pre-ticked boxes 17.
  • 20. and inactivity will not be sufficient. GDPR clarifies cases where consent won’t be freely given (e.g. no genuine choice to refuse, clear imbalance between the data subject and the data controller such as in the workplace). Data subjects must be informed of their right to withdraw consent. One-Stop Shop GDPR applies to the processing of personal data by data controllers and data processors established in the EU, as well as by data controllers and data processors outside the EU where their processing activities relate to the offering of goods or services (even for free) to data subjects within the EU, or to the monitoring of their behaviour. The supervisory authority in the jurisdiction of the main or single establishment of the data controller/data processor will be the lead authority for cross-border processing (subject to derogations). What to do now? Assess whether – as a non-EU data controller and data processor – data processing activities of data subjects is within scope of GDPR. This must determine where the ‘main establishment’ might be located based on data processing activities. Profiling and Profiling-based decision making GDPR includes a wide range of existing and new rights for data subjects. Amongst these are the right to data portability (right to obtain a copy of one’s personal data from the controller and have them transferred to another controller), right to erasure (or ‘right to be forgotten’), right to restriction of processing, right to object to certain processing activities (profiling) and to automated processing decisions. The data controller will also be required to provide significantly more information to data subjects about their processing activities. What to do now? Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Individuals will also have an express right to ‘opt out’ of profiling and automated processing in a wide range of situations. If the data controller is engaging in profiling activities, then it must consider the best way to implement total security measures. Data Protection by Design and by Default These concepts are codified in GDPR and require the data controller to ensure that individuals’ privacy is considered from the outset of each new processing, product, service or application, and that, by default, only minimum amounts of personal data as necessary for specific purposes are collected and processed. What to do now? Implement measures, such as pseudonymisation or data minimisation designed to implement data protection principles from the outset of any project. Data Protection Impact Assessment ‘Lite’ and DPIA The data controller will be required to perform a data protection Impact Assessment (DPIA), where the processing of personal data (particularly when using new technologies) is likely to result in a high risk to the rights and freedoms of the individuals. At Henley Business School we conceived of DPIA ‘Lite’ which is a helicopter view of what is being done that’s compliant, what’s currently being done that isn’t compliant and what the data controller needs to consider starting to do in order to be complaint with GDPR. What to do now? DPIAs will particularly be required in cases of: an evaluation of personal aspects based on automated data processing including profiling processing on a large scale of special categories of personal data; systematic monitoring of a publicly accessible area; make DPIAs part of standard procedures for all personal data processing operations so that they are easier to implement as an everyday task; DPO should ensure that staff have been trained in order to carry out a DPIA and these need to be documented very carefully. Sanctions and fines There is a step change in sanctions and fines where supervisory authorities can impose fines up to 4% of annual worldwide turnover or €20 million, whichever is greater. There are also other powers at their disposal including audit rights, issue warnings and issue a temporary or permanent ban on the processing of personal data (known as a ‘STOP order’). What to do now? Understand and keep under review the type of personal data being processed, whether it is very high or high risk and what mitigation measures are necessary to reduce this to a residual risk that doesn’t cause harm or damage to data subjects and record the organisational and technical measures deployed within the company and organisation. 18.
  • 21. The EU General Data Protection Regulation (GDPR) comes into force in May 2018, and will impact every organisation that trades with any EU country. The new regulations will disrupt how organisations: store,manageandprocessdata.GDPRisthebiggest shake-up in data protection for a generation. Ourhalf-dayandfull-daycoursesprovideapractical and efficient staff training programme, presenting staff with the knowledge, understanding and practical tools to implement and maintain GDPR compliant processes. Contact Leon for more details: leon@dataprotection.media 0203 515 3015 Half Day : £2,000 Full Day : £3,500
  • 22. Privacy by design and default Where it began: Dr Ann Cavoukian is passionate about data privacy. Appointed Information and Privacy Commissioner of Ontario, Canada in 1997, today she is the Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University, Canada. And when it comes to privacy by design and default - she is the boss, the governor - the person who brought the concept to the world. Privacy by design and default is a key, maybe the single most vital, part of GDPR - it means privacy is part of the foundation of a new product or service, an integral part - not a bolt-on extra. AndwhenDrCavoukiantalksonthesubject, her passion is palpable - and contagious. Back in 2016, she expanded on the idea at the SAI Computing Conference, London. You can see a video of her talk on the Ryerson website. It’s worth watching. But when you hear her story, you begin to get it. Privacy, and by extension, because it is so essential to it, privacy by design and default, is about freedom - a human right. The good doctor herself has a personal tale which may point to why this concept is so important to her. She is from an Armenian family born in Egypt - her parents fled the country in the 1950s in the dead of night. They had lived charmed lives, but still they left. Why? She asked her parents that very question. “We moved for you, for your freedom” they said. But then maybe a similar story can be applied to the German people as a whole. Today they have a phrase to describe it. Germans call it informationelle Selbstbestimmung - Information self- determination. It was enshrined into the German constitution in 1983 and Dr Cavoukian says “Germany is now the leading privacy and data protection country in the world.” But there is a myth about privacy - it does not mean secrecy. Not zero sum Some people fear that, in a healthcare setting, data privacy could hold back progress, cost safety and lives. Data is helping the fight against disease - it was once estimated that if the data gathered by the British NHS was captured and monetised it would create an organisation worth over a trillion dollars. But privacy does not have to come at the expense of the benefits of data. It’s not a zero-sum game - privacy does not means less of another benefit, rather privacy can enhance, create a positive sum. Dr Cavoukian says “privacy can work with safety, with data analytics, marketing - it’s not an either, you can have both. Privacy does not equal secrecy it’s about personal control, which belongs to you. Privacy does not equal secrecy. By Michael Baxter 20. Privacybydesign It’s about freedom - a human right. PRE-REGISTER FOR DATA PROTECTION WORLD FORUM HERE
  • 23. Adil Akkus has 24 years’ experience in IT and Business change delivery. He holds a B.Sc. degree in Computer Science as well as PRINCE2, MSP and MoP Practitioner certifications. He has successfully implemented a wide varity of multi-site and multi-million-pound programmes for industry leaders such as Mercer, Sky, IBM, Virgin Media, BT, AT&T Wireless and T-Mobile. With his CIPP/E privacy and data protection certification, he has set up and implemented 3 multi-national GDPR programmes. Here he introduces privacy by design. Equifax In September 2017, Equifax hit the news headlines with reports suggesting that over 140 million people’s personal data was breached. It transpired that Equifax failed to install a security patch tool for building web applications in a timely manner. Some proactive actions and securing data even at the design stage would have saved a lot of money and bad press for Equifax. Facebook, WhatsApp data sharing for ad targeting After Facebook purchased the WhatsApp messaging platform, they set out to change WhatsApp’s terms and conditions to allow the data sharing with Facebook for ad targeting purposes. The news raised a lot of public uproar. Even though most of us use both apps separately, a significant percentage of the users changed their settings to prevent this. In March 2018, the ICO convinced WhatsApp to sign a public commitment not to share personal data with Facebook until data protection concerns are addressed. Setting the users’ privacy to the strictest mode (i.e. privacy by default) would surely have prevented all this hassle. Conclusion With the undeniable influence of GDPR, public and the regulators expect “privacy by design” to prevent such high profile cases and to increase public confidence in the organisations with their data. Until recently, data protection teams had to fight hard to convince the product, service and technology teams to pay attention to privacy concerns, GDPR’s emphasis on “privacy by design” will transform out ways of working and thinking. 1.ProactivenotReactive;Preventative not Remedial The principle encourages the proactive rather than reactive measures. It requires the organisations to anticipate the risks and prevent privacy incidents before they occur. Privacy as the Default Setting (referred to as Privacy by Default) This principle promotes the maximum privacy protection as a baseline. It requires any new service or product to use strictest privacy settings by default, without any manual input from the end user. Some privacy experts argue that GDPR’s push for “explicit” consent can be traced back to this principle. Privacy Embedded into Design This principle demands the privacy measures not to be bolted on as add-ons, after the fact. It drives privacy to become an essential component of the core service, product or functionality that is being delivered. As a result, privacy becomes an integral part of the product or service, instead of a functionality trade-off. Full Functionality – Positive-Sum, Not Zero-Sum This principle encourages creating a privacy-by-design culture where privacy policies drive rather than hinder growth and revenue. End-to-End Security with a full Lifecycle Protection Having embedded privacy by design into the systems in the previous principles, this one requires the data to be protected cradle to grave; wherever it goes, from the time it is created, shared, and finally archived. Visibility and Transparency – Keep it Open This principle is all about building consumer trust. Information about your privacy practices should be out in the open and written in plain language. Respect for User Privacy – Keep it User-Centric This principle puts consumers in charge of their data. It requires users to be given the ability to update and correct any data held about them. It also requires the users to be the only ones who can grant and revoke access to their data. 2. 3. 4. 5. 6. 7. 21. Over the recent few years, we have witnessed some of the highest profile data breaches and incidents from Yahoo to Uber, from Equifax to Talktalk. Some of these breaches remained undetected, unreported or unknown for various reasons. A good proportion of these incidents could have been prevented or handled in a much less costly and much less distressing way by using the privacy by design principles. Background Even though privacy by design has become very popular over the last few years, thanks to GDPR, it is has been around since the 90s. Privacy by design argues the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks. It argues that privacy assurance must become an organisation’s default mode of operation. Dr. Ann Cavoukian, who is hailed as the ‘Godmother of Privacy by Design,’ set out the foundations across seven principles: The 7 Foundational Principles of Privacy by Design By Adil Akkus
  • 24. From Don’t miss our next issue – subscribe for free here Youcandomorewiththedatabecause people already know; they are not goingtobeshockedorannoyed,they are going to share more, they are goingtosharegoodqualityaccurate databecausetheywillseethatthere isabenefittoit.Andtheytrustyou.” Andthatistheessenceofprivacyby designanddefault.
  • 25. Grim Reaper to hero How the data protection officer has become an enabler - and is no longer seen as a block to new ideas. Once, the data protection officer was the last port of call. So you had an idea for a product, you researched it, tested it, tweaked it, honed it some more, the PR people were ready, the advertising agency was briefed, the design was just so - and then it was compliance - the only barrier. To some it felt like the kiss of death to their brilliance. Deborah Dillon, a privacy protection officer of considerable experience says that is how it used to feel like to her. Today, she is the Data Privacy Lead at Atos. Before that, she worked for a ‘large bank.’ “Data privacy” she recalls “was like an after- thought. There had been no consideration of data development at all, until they came to me needing the information governance. And I often had to put the dampeners on projects.” It is not like that now, of course, and privacy by design is one of the main reasons, at least for Deborah. There’s a growing realisation that privacy by design is a key part of a product or service. And the data protection officer, by being the person who is integral to that, has been transformed. “I used to feel like I was seen as a grim reaper, now I am seen as an enabler,” says Deborah. Maybe she is being too modest. In the era of digital transformation and big data, the data protection officer is a hero, the one whose insights can help create trust between data subject, and controller or processor. Abigail Dubiniecki, Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer, says that GDPR, and privacy by design in particular, also present an opportunity to do some house keeping. It’s a kind of nudge. It is in our own interests to wear seat belts when driving, but until it became compulsory - the law - many of us ignored it. How many lives were saved when the law was changed? The numbers are probably countless? In fact, the Royal Society for the Prevention of Accidents has estimated that 50,000 lives have been saved in the UK alone since the law making it compulsory to wear seat belts in the front of a car was introduced in the country some 30 years ago. Indeed, behavioral economists have a word for it: ‘nudge’, advanced by Cass Sunstein and the Nobel Prize winning Richard Thaler - that we can change our behavior to act in our own best interests through quite subtle influences. Maybe GDPR and privacy by design are like that. Companies are run by people - and some tasks are seen as more fun. Efficiently managing data, ensuring it’s not kept unnecessarily eating up valuable storage space, may not feel sexy, but it’s still important. Or for that matter, since data is valuable, knowing what you have is vital. As Ms Dubiniecki continued: “People are not leveraging their data because they don’t know what they have. So they are not unlocking the value from 23. So for me, GDPR is the missing link to get to companies before they do digital transformation. “
  • 26. it, they are just hoarding it, and putting it into lakes because they are hoping that some day they will find something in that closet or lake - so GDPR is forcing you to know exactly what you have, which gives you an opportunity to really harvest it.” But privacy by design and default is about creating trust. Ms Dubiniecki explained: “You can do more with the data because people already know, they are not going to be shocked or annoyed, they are going to share more, they are going to share good quality accurate data because they will see that there is a benefit to it. And they trust you.” And that is the essence of privacy by design and default. When she was working at the ‘large bank’, Deborah Dillon says “I brought in privacy by design, in anticipation of GDPR, working with system developers, products teams, and building it right at the start of a product. And it worked so well, and data was captured so well, that systems developers were talking to each other about the datasets they needed to collect to apply privacy principles.” She says it was so refreshing to hear, “really turning data privacy on its head. I am bringing it in with clients now, it’s great for compliance and transparency.” If you can get privacy right, rather than becoming an after-thought, a necessary hurdle to overcome, it can enhance a product, make it more appealing to the customer, a reason to buy your product or service. She recalls an occasion, at the bank, how she managed to build data protection into a Christmas competition in a way that made it more interesting. It involved a Christmas tree in every branch - the idea wasforcustomerstonominateaneighbourforanaward, as someone who had done a lot for the local community and put their nomination on the tree. But the privacy implications were enormous - and potentially damaging to the bank’s reputation with customers. Deborah explained: “Privacy by design is not just the big systems. In this particular case, by using personal privacy as an advantage, we made the identity of the person nominated anonymous, instead they were described without revealing who they were and the person who nominated them put their own email address into the competition, and in the event their nominee win, the neighbour was to be told and in turn inform the winner.” Digital transformation; the missing link Digital transformation has become a big buzz word of the moment - a lot of companies are looking to transform their businesses - they may have a good budget, but, as Deborah says: “They have to get their house in order first, for me GDPR comes before digital transformation.” She says that if they know data is accurate, and relevant, in the right place at the right time, then when they are looking at digital transformation, the process can become a whole lot more effective. She gives as an example, uploading data onto the cloud: if they have classification of documents, then if there is highly sensitive information and data, it stays in the private cloud, but internal information might go into the public cloud. “So for me, GDPR is the missing link to get to companies before they do digital transformation.” Atos is the European leader in the payment industry. It focuses on big data services, cybersecurity, and digital workplace, cloud services, infrastructure & data management, business & platform solutions, as well as transactional services through Worldline. Given what it does, it may come as no surprise to learn that Deborah says: “At Atos, privacy by design is a must for our customers.” The benefit The headlines focus on the fines associated with GDPR, the potentially heavy cost of not complying. But for many large companies a fine, even one that could be four per cent of turnover, is just another problem - and not necessarily even one of the more serious challenges. Maybe that will change when the first fines are rushed out, but at the moment there is a perception that regulators across the world are thinly stretched, have multiple responsibilities, and that in practice, fines will be rare - a risk to a company for sure, but maybe not a great one. The latest revelations concerning Facebook add another dimension - the damage to the company’s reputation - the falls in the share price that saw over $70 billion knocked off the company’s market capitalisation - shows how data privacy and respecting customer’s data is not just about trying to avoid fines, but protecting reputation too - something that can be worth far more than a few per cent of turnover. So, while the threat of a fine, may be seen as a stick to ensure data protection is taken more seriously, the reputational damage that can arise from a data breach, or allegations that governance is not what it should be, is potentially a much more fearsome stick. But privacy by design and default can provide a carrot too, it can help a company manage costs by making more efficient use of data, but above all can be a superb communication message to the customer. Privacy policies say: “we take your privacy seriously” but do people believe it? Do they just assume the policy is there to provide legal protection? By contrast, if privacy can become a core part of a product, if it screams out at the customer ‘you can trust us, we are on your side, protecting your privacy is fundamental to who we are, a human right’ then all of a sudden your image is transformed - the customer will be more willing to agree to their data being processed, and your reputation is given the kind of boost that can make the difference between success and failure, that can give you a decisive edge over rivals. That is why privacy by design has transformed the data protection and privacy officer - from grim reaper, who was seen as a hurdle that could prove impossible to pass, to hero - someone whose insights can transform the reputation of a company, or public service, creating a bold, empowering and successful relationship with the customer. by michael baxter 24.
  • 27. SPEAKERS INCLUDE: WWW.DATAPROTECTIONWORLDFORUM.COM 20TH & 21ST November 2018, ExCeL London JAM IE BARTLETT PERN ILLE TRAN BERG RO H IT TALW AR ARD IKO LAH 2018 WILL BE A LANDMARK YEAR FOR DATA PROTECTION AND PRIVACY LEON@DATAPROTECTIONWORLDFORUM.COM 0203 515 3015 Pre-register for the data protection event of the year here
  • 28. The Canadian experience... By Michael Baxter Don’t miss the data protection event of the year – pre-register here
  • 29. “We exported privacy by design to the rest of the world” says Sylvia Kingsmill, a Partner at KPMG Canada, and the Canadian Digital Privacy & Compliance Leader, “now we are importing it back.” But the Canadian experience is illuminating - unlike in the EU, where under GDPR, privacy by design and default is a requirement, in Canada it has been voluntary. But companies and other organisations still apply it. The Canadian view and the Dr Ann Cavoukian view is that it is just common sense. “We in Canada,” she says “took Ann’s seven foundational principles which are the lynchpin. It is one thing to have it as a philosophy, another to actually do it and operationally track it.” Ms Kingsmill worked with Dr Ann Cavoukian and her team at Ryerson University in developing privacy by design methodology and framework to assess new technology and services against the principles of privacy by design. What does this mean? “What do controls look like from the perspective of a company or entity? How do we bake in the right controls, so they can demonstrate, whether it is in the EU or Canada, that they are taking the right steps to directionally protect our consumer rights and freedoms?” In Canada, you “can get certified to say look we are doing the right things to your data, we are listening, we are following best practice, we are following guidelines, we are listening to regulators, we don’t want to just appease them.” There is another way of putting it that really does sum it all up: “We satisfied a market need, and that need is to re-assure the public.” She cites as an example CANTATICS, a Canadian organisation that produce an anti-insurance fraud solution. Privacy by design is a core part of the product. The data generated by insurance claims across companies can be used to spot fraud, regular insurance claimants, who, in order to avoid detection, spread their fraudulent claims across multiple companies. But the result of this is higher insurance premiums, so it is very much in the interests of customers to come up with a fix. So CANTATICS applied privacy by design. They showed how processing customer’s data worked to their benefit, promoted how the data would only be used for the specific purpose stated and kept no longer than necessary. In short, privacy by design became a feature, a key part of what CANTATICS is about. There was no need for an enforcement body - it was there because it was important, a key part of creating trust, building and maintaining a reputation. But rules are being introduced. “We had a Parliamentaryreportrecommending19 areas toreformtomaintainouradequacystandards and the main topic is privacy by design.” ButthenSylviaKingsmillreckonsthisishow things are going worldwide. “International regulators are collaborating, there is a global privacy enforcement network,” she says. GDPR then, or at least Privacy by design anddefault,mayhavehaditsrootsinCanada, but now it is being applied worldwide. GDPR is about “transparency, accountability and control.” “It is actually pretty brilliant the way they have put together GDPR, as awful as it looks, I just wish they had used clear concise intelligible language like they say we should. The architecture of that law is really quite impressive, and I say this as someone who has read a lot of laws.” Abigail Dubiniecki, is an Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer. To put it mildly, she knows her GDPR. And, like so many experts on GDPR and advocates of privacy by design and default, she is Canadian. When she talks about GDPR her passion shines through, she tells it like privacy is one of the most important issues of the day - of the digital world, but then given how data and personal data is shaping the economy, business and impacting upon us all, it probably is. “Before I came here, I was already doing privacy by design without calling it that,” she says, referring back to when she was the privacy lead on an in-house counsel team for a Canadian crown corporation. We in Canada took Ann’s seven foundational principles which are the lynchpin. It is one thing to have it as a philosophy, another to actually do it and operationally track it. 27. “
  • 30. The Canadian take Cardinal rule “Under GDPR, one of the cardinal rules is ‘know the data”. She explains: • what data you have • why you have it • what you are doing with it • do you have a lawful basis for having it • how long you need to keep it • who you are sharing it with • and for what purpose But then, look at the detail, the devil may not emerge, but you must be devilishly careful: • Are there secondary purposes for which you are using it? • if so, are they sufficiently linked? • is this something that requires you to go back to the drawing board? “It’s not a legal obligation in Canada to apply privacy by design, but those basic principles are there.” Says Dubiniecki. “She adds: “what GDPR does and what privacy by design asks you to do is take data cycle life management practices, cyber security best practices and fair information principles and make that a legal obligation.” She turns to the public sector. We had this constant interaction with our regulators, so when something comes up, we are supposed to report that, not just to the regulators and privacy commissioner’s office, but there is also the Treasury Board Secretariat, so accountability has been built in; it’s just a reflex. “And although no one would say it’s a legal obligation to apply privacy by design, much of that is already there, if not articulated.” Shakespeare said it well, “that which we call ‘privacy by design’ by any other phrase smells so sweet.” Not to mention helps confer a human right. In Canada there is no formal right to be forgotten law, but there is the Right to Rectify. “You can correct something that is wrong, and if something is unlawfully processed that’s a problem, but where we differ is that we don’t have the same teeth for enforcement.” Privacy by design may have been invented in Canada, but she says “we only started to take it seriously once the EU adopted it”, but that seems to be the Canadian way. If you are a Canadian rock star, or Canadian hip hop artist or painter, no one is going to care about you in Canada until you go somewhere else and become really popular, then they call you Canadian. “It is being looked at in many other countries, such as in Latin America and in countries that are eager to trade with the EU, such as Japan where there is a lot of interest and now finally Canadians are paying attention to it too. As they seek to reap the benefits of greater trade with Europe under the Canada- EU comprehensive and economic trade agreement (CETA).” Examples of privacy by design and default Dubiniecki cites as an example: Securekey and its product, SecureKey Concierge, technology that enables you to ‘bring your own credentials’ to prove your identity. Abigail explained: “You can access 80 government services using banking credentials” and it’s a service in which privacy by design is an integral part. “The idea is that you don’t have to have loads and loads of different data, in different treasure troves, my company and your company, and government so that you can be attacked from any angle. Now we have this system to verify when you need to be verified This has been a big trend, putting control in the hands of the individual, giving them greater security because there are fewer places where your identity is spread about, creating a richer, more reliable way to confirm someone’s identity, because you have much richer dataset than you would have if you just have passwords, and date of birth and other things that someone could steal.” 1. 2. 3. 28. GDPR is about transparency, accountability and control: Interview with Abigail Dubiniecki, Associate at Henley Business School’s GDPR Transition Programme and Specialist in data privacy at My Inhouse Lawyer
  • 31. End-to-end and the seven foundation principles With privacy by design, we talk about end to end protection, rights, and putting the user first, all those things are baked into GDPR. So as a starting point, you have to meet the seven personal data processing principles, in every activity that you do. You have to make sure that your default choice is the most privacy preserving choice. So if it is social media, the default is to share information with the people ‘I want to share with, not share with the public,’ you can’t ‘default to share with the public’ and roll it back, you have to default to something more defensible that makes sense in the light of our exchange, and the reason why ‘I am coming to your platform.’ You have to meet those principles. It must be lawful. You have to choose which lawful basis you are relying on. If you are relying on consent, you have to be able to let someone withdraw consent as easily as they give it, and ensure it is freely given. In an employment situation you cannot rely on consent, because it can’t be freely given. Therefore, you have to look at other lawful bases. Then you have to go through all the principles which must be baked into everything you are doing. People have these seven rights under GDPR and you have to make good on them, which means however you design those systems you have to find that needle in a haystack, so if, say Rob Lowe makes a subject access request, when you are designing your system, you have to make it so that you can find everything that is said about Rob Lowe in everything you have done or shared with his data. Be warned “Lots of companies are doing back flips, ‘oh this does not apply to me because of Brexit’, ‘it does not apply to me because I amjustaprocessorforatelecomscompany and I don’t actually see anything’, ‘I am not even interested in what’s coming in there’, but it absolutely does, if there is personal data in there, if you don’t need it, then don’t have it. Or anonymise it so you reduce your compliance footprint. “If they say, ‘I am not going to do anything with it, so I should be okay,’ They will be in trouble. If not under GDPR, then under ePrivacy regulation and the Cyber Security Act that is being proposed. Or under the ‘Directive on the Security of Networks and Information Systems’. There is something in that digital single market strategy that will hit you. So, pay attention.” 4. 5.
  • 32. GDPRandthefourthindustrialrevolution by Michael Baxter Subscribe for free here and get the next issue to your inbox
  • 33. There is a nice analogy with a chess board that illustrates the point. Put a grain of rice on the top left-hand square. Moving to the right, put two on the one next to it, then four, doubling, with each square working your way across and down the square until you reach square 64, at the bottom right hand corner. At the end of the first row, you would have 128 grains of rice. At the end of row two, 32,000 grains of rice, eight million by the end of row three, and by the last square 128 trillion grains of rice. This, goes the idea, serves as a metaphor for the way technology is accelerating. Whether this is accurate or not, one can say, without doubt, that technology is developing at an extraordinary pace. Moore’s Law Moore’s Law, relates to words spoken by Gordon Moore, co- founder of Intel, in 1965, that the number of transistors on an integrated circuit double every two years. Today, Moore’s Law is said to refer to computers doubling in speed every 18 months to two years. It’s the classic example of accelerating technology, the chess board analogy seems to describe this perfectly. The economist Brad de Long estimated that if someone had built a computer with the kind of processing power of the iPhone X in 1957, it would have cost 150 trillion of today’s dollars, the device would have taken up a hundred-storey square building, 300 meters high, and 3 kilometres long and wide and would have drawn 150 terawatts of power—30 times the world’s generating capacity at that time. There is a view that Moore’s Law is now slowing down, because of the physical limits in cramming more transistors on a chip. But newer technologies, such as quantum computers, applying the super material graphene instead of silicon, or photonic chips could give Moore’s Law a new lease of life. Metaphorical Moore’s Law But the idea of Moore’s Law can be applied to other applications - not literally Moore’s Law, but following a similar trajectory. Examples include Butter’s Law, which predicts a doubling of data transmission over a fibre optic cable every nine months, or genome sequencing, which has seen the cost of sequencing the human genome fall from $2.7 billion when it was first sequenced as part of the human genome project, at the start of the century, to less than $1,000 today. Renewable energy also seems to be falling in cost at an exponential pace - although the factor here seems to be the learning rate - a doubling in the user base leads to a proportional fall in cost, or lithium ion batteries which have fallen in cost from $1,000 a kilowatt hour in 2008 to around $200 in 2016. Convergence But it’s when we take into account convergence that things get exciting. Technologies to watch include: • The Internet of Things • Robotics • Artificial Intelligence (AI) • Augmented reality • Virtual reality • Super materials such as graphene • Quantum computing • 3D printing/additive manufacturing • 5G and faster internet speeds • Genome sequencing • CRISPR/cas-9 - DNA editing • Mobile computing/the cloud • Blockchain • Drones • Energy storage • Renewable energies Convergence, combined with Moore’s Law and metaphorical Moore’s Law, are causing things to develop at an extraordinary pace. Faster computers are helping to support advances in AI, developments in screen technology, advances in processing power, and in the components that make up smart phones such as accelerometers - which tell a phone which way it is being held - are supporting advances in virtual reality. The combination of AI, with sensors that make up the Internet of Things inside wearable devices, and genome sequencing is set to create a revolution in health tech. Data But data is a key part of the revolution. Aggregation of data from genomesequencingandsensorsmonitoringthebody,whenanalysed by AI, may create new insights on the treatment of diseases. According to a study by IBM, 90 per cent of the information on the internet has been created since 2016. Eric Schmidt, chair at Alphabet, once said that every two days we create as much information as we did up to 2003. But it seems to be getting quicker. Another way to put it is to say technology has never changed so fast, but it will never again change as slowly as it is now. Fourth Industrial Revolution The ‘Fourth Industrial Revolution’ was so named by Klaus Schwab, founderoftheWorldEconomicForumwhichfamouslymeetsinDavos every January. In 2016, it was the theme of the Davos conference. It follows the first industrial revolution of the 18th century, dominated by steam power and textiles, the period from the mid-19th century to 1914, led by the use of electricity, the rise of the motor car, flight, mass production, and then the more recent IT revolution. Personal data It is clear that personal data will be part of this revolution and the processing of it may create extraordinary insight and make incredible efficiencies. But there is risk. Will it lead to a surveillance state? The end of secrets does not sound so bad, but the end of privacy does. Maybe we are heading for a time when we sell our data? Can AI take our data, even anonymous data, and by comparison with our data streams de-anonymise it? These are among the biggest issues of the day. GDPR takes us the heart of this matter. It has its critics, but the regulation may represent a key moment in the battle to ensure the results of the Fourth Industrial Revolution are benign. Technology,astheysay,isaccelerating. Moretothepoint,itisalsoconverging. 31.
  • 34. “Our research shows that around two thirds of people are conformable with the data exchange part of a modern economy” says Chris Combemale. The Direct Marketing Association (DMA) recently published research into what the consumer really thinks about data privacy. Data isn’t the only thing that is making the Fourth Industrial Revolution possible, but without it, the Revolution could flitter out and die. And the DMA research finds that more needs to be done to create the trust that is required so that consumers are comfortable with their data being processed. The DMA survey also found that 54 per cent say “trust in an organisation is the single most important reason why they will share data,” but 78 per cent say that “the company gets the best value of the exchange, 86 per cent say they want more control over what companies do with their data, and 88 per cent of companies say they would like more transparency. “Unless there is trust; that data is held securely and trust that companies will only do with it what they say they are going to do, tell you openly and honesty, then we will have a real issue going forward,” suggests Chris. Chris began his working life in TV production before entering the world of advertising and marketing, joining Young and Rubicam in New York. He worked for the famous advertising and marketing agency for 12 years, with a stint in Asia, working in Hong Kong and Singapore. Today, he is CEO of the DMA Group, comprising the DMA, IDM (Institute of Direct and Digital Marketing) and TPS (Telephone Preference Service). He sees a parallel between GDPR and the Advertising Standards Authority. “The ASA, ensures that, on a voluntary self-regulated basis, ads are truthful and meet societal standards. If ads are found to be untruthful they have to be removed. This is really important as it means that the consumer can trust that the ads they see are truthful, and don’t have to worry about deciding which ones are telling lies and which ones are not. The same applies to data, companies have to have open honest and transparent in their communications about what they are doing with their data. GDPR will mandate this.” Referring to the DMA survey, he said “we have some way to go if we are going to create the eco system and environment that is right for the modern future. “GDPR can play an important role, as it mandates that companies, and government for that matter, give people more control and greater transparency. “If companies do a good job, they will articulate the benefits in a better way than they have done, so that people start to see the value exchange as a balance between the great benefit they get, and the benefit the company gets.” Yet, in some respects, he says that this perception that the company achieves the greater benefit from the value exchange is almost inexplicable. “When you think of some of the value we get every day in our lives, so if you think of the number of people who use Google maps for free, several times a day, it is not only free it contains minimal advertising.” “Do we just take it for granted, is that why we won’t see value, why 78 per cent say the company benefits from the value exchange?” “GDPR is going to be helpful, not perfect, but was drafted with the idea of increasing consumer confidence in the future technological and data driven economy. In a similar way to how self-regulated watch dogs such as the ASA have created confidence in the traditional advertising market.” Advertising and the Fourth Industrial Revolution The media is not like it used to be. There was a time when we instinctively knew the difference between the media and, say, a ChrisCombemale,CEOattheDMA:FourthIndustrialRevolution 32. trust in an organisation is the single most important reason why they will sharedata. Anyone who is wholly worried or wholly optimistic, is missing the point. optimismandworrymustbeinbalance. And the benefits cannot accrue if you don’tmitigateagainsttherisks.
  • 35. retailer or taxi operator. “But,” suggests Chris, “technology has evolved such that new products and services that have become available, that make is easier and more efficient to live their lives, are all essentially media channels that rely on the use of data to deliver them. So that is true; whether it be an Uber, who use data to work out where to collect you from and drop you off somewhere, or websites that sell you products or access to services providing content. “And increasingly, as we move into a world of AI and big data analytics, more and more we will combine technology and data to create new services of the future. But it is really important, that people trust the technologies and how they use the data. “ 33. “GDPRcanplayanimportantrole,asitmandatesthatcompanies, and government for that matter, give people more control and greater transparency. The opportunity and threat from data So, the point is hammered home. Trust is vital, and GDPR can be a key part of creating that trust. “Big data could be the new oil or the new asbestos. There is a huge amount of opportunity for businesses, people and society in the era of big data, but there is an equal amount of risk. That is why it is important we have a set of rules on our playing field which help us mitigate the risk and empower the opportunity. “And that is what GDPR is trying to do. It is important we think about the risk as well as the opportunities. “At the DMA, we say we need to move from responsible marketing and codes of practice, to ethical marketing, where people think about the impact on society of these technologies that are coming forward and understand how your business can use them for positive purposes and mitigate the risk. “Anyone who is wholly worried or wholly optimistic, is missing the point, optimism and worry must be in balance. And the benefits cannot accrue if you don’t mitigate against the risks.” And that is why GDPR may prove to be a vital tool or even weapon in the battle to ensure that the final outcome of the Fourth Industrial Revolution is benign. SUBSCRIBE FOR FREE TODAY HERE