GDPR FTW! Or, How I Learned to Stop Worrying and Love Privacy By Design

Transcript

1. G D P R F T W ! O R

   , H OW I L E A R N E D TO STO P WO R RY I N G A N D LOV E P R I VACY BY D E S I G N @jeckman

2. N OT E : I A M N OT A

   L AW Y E R @jeckman

3. I N T H E B E G I N

   N I N G @jeckman

4. C O O K I E S Photo by John

   Dancy on Unsplash @jeckman

5. “One day in June 1994, Lou Montulli sat down at

   his keyboard to fix one of the biggest problems facing the fledgling World Wide Web -- and, as so often happens in the world of technology, he created another one. At 24, Mr. Montulli was the ninth employee [at] Netscape Communications. . . he quickly came up with an ingenious idea to address the problem and hammered out a five-page document describing the technology that he and co-workers would design to give the Web a memory. The solution called for each Web site's computer to place a small file on each visitor's machine that would track what the visitor's computer did at that site. . . . It was a turning point in the history of computing: at a stroke, cookies changed the Web from a place of discontinuous visits into a rich environment in which to shop, to play -- even, for some people, to live. Cookies fundamentally altered the nature of surfing the Web from being a relatively anonymous activity, like wandering the streets of a large city, to the kind of environment where records of one's transactions, movements and even desires could be stored, sorted, mined and sold.” - John Schwartz https://www.nytimes.com/2001/09/04/business/giving-web-a-memory-cost-its-users-privacy.html @jeckman

6. P 3 P https://www.w3.org/P3P/brochure.html @jeckman

7. P 3 P The Platform for Privacy Preferences Project (P3P)

   is an obsolete protocol allowing websites to declare their intended use of information they collect about web browser users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002. Development ceased shortly thereafter and there have been very few implementations of P3P. https://en.wikipedia.org/wiki/P3P https://www.w3.org/P3P/brochure.html @jeckman

8. D O N OT T R AC K ( D

   N T ) https://www.eff.org/issues/do-not-track @jeckman

9. D O N OT T R AC K ( D

   N T ) https://allaboutdnt.com/ @jeckman

10. @jeckman

11. John Eckman • @jeckman • #wcpub – J O H

    N N Y A P P L E S E E D “Type a quote here.” https://www.betterads.org/ @jeckman

12. @jeckman

13. E N T E R T H E G D

    P R @jeckman

14. R E M E M B E R : I

    A M N OT A L AW Y E R @jeckman

15. https://twitter.com/RebelEmG/status/988442580902989824 The General Data Protection Regulation (GDPR) is an EU

    regulation that went into effect on May 25th, 2018. GDPR aims to give individuals (EU citizens) more control over their personal data, by requiring that businesses gain more explicit consent from them to collect and use it. @jeckman

16. https://twitter.com/lesteph/status/988401663810723840 Understanding: At its core, GDPR is designed to protect

    user data and empower users to have a better understanding of: 1. What data is being collected about them. 2. How and why their data is being used. Control: GDPR is also designed to give users better control over their data. Users must be able to: 1. Tell companies what they can/cannot do with their data. 2. Request a record of all data stored about them. 3. Amend any data stored about them if it is not correct. 4. Request the deletion of any/all data stored about them. @jeckman

17. https://twitter.com/samnickerson/status/988673113109028864 Reach: GDPR is designed to protect all EU citizens

    and residents. It doesn’t matter whether the company capturing/ processing data is based in the EU, the only thing that matters is that the data you are capturing belongs to an EU Citizen.
 
 @jeckman

18. https://twitter.com/AlbFreeman/status/988678211998449665 Individual Rights: All EU Citizens are entitled to a

    series of individual rights under GDPR. 1. The right to be informed 2. The right of access 3. The right to rectification 4. The right to erasure 5. The right to restrict processing 6. The right to data portability 7. The right to object 8. Rights in relation to automated decision making and profiling @jeckman

19. https://twitter.com/everylilbreeze/status/997381429322571776 5 Areas of Focus: There are 5 areas that

    the GDPR focuses on. These provide a framework for data capture: 1. Purpose 2. Limited 3. Accurate 4. Time Limited 5. Secure @jeckman

20. https://twitter.com/klillington/status/997063126322434049 Purpose: there are six legally acceptable reasons that a

    company can process user data. All data processing needs to fit into one of these categories and should be documented. 1. Consent: a user has given clear consent for you to process their personal data for a specific purpose. 2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. 3. Legal obligation: the processing is necessary for you to comply with the law. 4. Vital interests: the processing is necessary to protect someone’s life. 5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. @jeckman

21. https://twitter.com/CamHamTT/status/99994671805256 Limited: No data should be captured or stored unless

    it is specifically required for an approved data processing activity. Accurate: All data that is captured should be accurate and kept up to date for as long as it is stored. Users should be able to submit amendments to any data and records should then be updated accordingly. @jeckman

22. https://twitter.com/evankirstel/status/1000344045221228544 Time Limited: Data should only be stored for as

    long as required to process the data. Once you are no longer processing the data, it should be deleted. Secure: All data processing and storage needs to be secure by design and security practices should be well documented. This includes both technical infrastructure as well as access rights/policies. @jeckman

23. https://open.spotify.com/playlist/5Pe51v0sHLybSEkX0m0JRf Data principles: 1. Capture/store as little data as possible.

    2. Document what data you are capturing/ storing, why where it is being stored and for how long. 3. Encrypt data wherever possible. 4. Use anonymised data wherever possible. 5. Make sure that any data you are capturing has an explicit opt-in. 6. Make it easy for users to make requests of their data. 7. Make sure to keep your data up-to-date and accurate. @jeckman

24. P R I VACY BY D E S I G

    N Photo by Dayne Topkin on Unsplash @jeckman

25. https://gdpr-info.eu/art-25-gdpr/ @jeckman

26. ST I L L N OT A L AW Y

    E R @jeckman

27. W H AT D O I D O? @jeckman Photo

    by rawpixel on Unsplash

28. Assess & Document: What data do we collect about visitors

    and customers? How is that data collected, stored, and used? What is the purpose for which that data is collected and used? How do we inform users of the purpose, intent, retention, and permissions with respect to their data? TA K E OW N E R S H I P Plan: What features on our site need to be revisited? Where can we limit our use of data, in scope, in timeline, or in purpose? Where can we limit our data gathering? How long will it take to get us into compliance? @jeckman

29. D I V E R S I F Y R

    E V E N U E ST R E A M S Photo by Maria Imelda on Unsplash @jeckman

30. C U LT I VAT E T R A N

    S PA R E N CY & H O N E ST Y Photo by Kelli Dougal on Unsplash @jeckman

31. Don’t Panic: Enforcement of the GDPR will most likely first

    impact businesses with significant financial interests and assets in the EU. If you have enough financial presence in the EU, you can afford a GDPR compliance consultant. B U T I J U ST P U B L I S H A B LO G ! Have a Privacy Policy Be clear about what data you collect, how, and why Most Likely Impact: Third-party tools: • Analytics • Comments • Newsletters @jeckman

32. F O C U S O N T H E

    S P I R I T O F T H E L AW, N OT J U ST T H E L E T T E R Photo by Maria Freyenbacher on Unsplash @jeckman

33. D I D I M E N T I O

    N I A M N OT A L AW Y E R ? @jeckman

34. https://10up.com/about/ https://10up.com/careers/ @jeckman

35. Thank You! Feedback Welcome: @jeckman or [email protected]