GDPR FTW! Or, How I Learned to Stop Worrying and Love Privacy By Design

John Eckman
September 16, 2018

At the start, the web was purely stateless – every request was the beginning (and every response the end) of a new conversation. Then we got cookies, so that servers could remember clients, and SSL, so that information exchanged with a server wasn't visible to every intermediary it passed through en route. These two technologies enabled e-commerce and are so foundational now that it is hard to imagine the web without them. The problem is that the way we've evolved the web has led down a path of increasingly aggressive data collection and reduced transparency for users.

We should have always been doing privacy by design, data portability, data transparency, and the right to be forgotten. We should not have become dependent on invasive ad tech and aggregated third-party data; we should not have handed over ownership of our own social graphs and connections so cheaply to private commercial interests.

While many (particularly in the US) may be uncomfortable with the legalistic and regulatory approach, preferring a more laissez-faire, self-governing model for virtually everything, the GDPR can be seen as an opportunity to start doing things right – applying the core principles of privacy by design not just where mandated by regulation but as a standard business practice.

  1. GDPR FTW! OR, HOW I LEARNED TO STOP WORRYING AND LOVE PRIVACY BY DESIGN @jeckman
  2. NOTE: I AM NOT A LAWYER @jeckman
  3. IN THE BEGINNING @jeckman
  4. COOKIES Photo by John Dancy on Unsplash @jeckman
  5. “One day in June 1994, Lou Montulli sat down at his keyboard to fix one of the biggest problems facing the fledgling World Wide Web -- and, as so often happens in the world of technology, he created another one. At 24, Mr. Montulli was the ninth employee [at] Netscape Communications. . . he quickly came up with an ingenious idea to address the problem and hammered out a five-page document describing the technology that he and co-workers would design to give the Web a memory. The solution called for each Web site's computer to place a small file on each visitor's machine that would track what the visitor's computer did at that site. . . . It was a turning point in the history of computing: at a stroke, cookies changed the Web from a place of discontinuous visits into a rich environment in which to shop, to play -- even, for some people, to live. Cookies fundamentally altered the nature of surfing the Web from being a relatively anonymous activity, like wandering the streets of a large city, to the kind of environment where records of one's transactions, movements and even desires could be stored, sorted, mined and sold.” - John Schwartz https://www.nytimes.com/2001/09/04/business/giving-web-a-memory-cost-its-users-privacy.html @jeckman
  6. P3P The Platform for Privacy Preferences Project (P3P) is an obsolete protocol allowing websites to declare their intended use of information they collect about web browser users. Designed to give users more control of their personal information when browsing, P3P was developed by the World Wide Web Consortium (W3C) and officially recommended on April 16, 2002. Development ceased shortly thereafter and there have been very few implementations of P3P. https://en.wikipedia.org/wiki/P3P https://www.w3.org/P3P/brochure.html @jeckman
  7. DO NOT TRACK (DNT) https://www.eff.org/issues/do-not-track @jeckman
  8. DO NOT TRACK (DNT) https://allaboutdnt.com/ @jeckman
  9. John Eckman • @jeckman • #wcpub – https://www.betterads.org/ @jeckman
  10. ENTER THE GDPR @jeckman
  11. REMEMBER: I AM NOT A LAWYER @jeckman
  12. https://twitter.com/RebelEmG/status/988442580902989824 The General Data Protection Regulation (GDPR) is an EU regulation that went into effect on May 25th, 2018. GDPR aims to give individuals (EU citizens) more control over their personal data, by requiring that businesses gain more explicit consent from them to collect and use it. @jeckman
  13. https://twitter.com/lesteph/status/988401663810723840 Understanding: At its core, GDPR is designed to protect user data and empower users to have a better understanding of:
      1. What data is being collected about them.
      2. How and why their data is being used.
      Control: GDPR is also designed to give users better control over their data. Users must be able to:
      1. Tell companies what they can/cannot do with their data.
      2. Request a record of all data stored about them.
      3. Amend any data stored about them if it is not correct.
      4. Request the deletion of any/all data stored about them. @jeckman
  14. https://twitter.com/samnickerson/status/988673113109028864 Reach: GDPR is designed to protect all EU citizens and residents. It doesn’t matter whether the company capturing/processing data is based in the EU; the only thing that matters is that the data you are capturing belongs to an EU citizen.
  15. https://twitter.com/AlbFreeman/status/988678211998449665 Individual Rights: All EU citizens are entitled to a series of individual rights under GDPR.
      1. The right to be informed
      2. The right of access
      3. The right to rectification
      4. The right to erasure
      5. The right to restrict processing
      6. The right to data portability
      7. The right to object
      8. Rights in relation to automated decision making and profiling @jeckman
  16. https://twitter.com/everylilbreeze/status/997381429322571776 5 Areas of Focus: There are 5 areas that the GDPR focuses on. These provide a framework for data capture:
      1. Purpose
      2. Limited
      3. Accurate
      4. Time Limited
      5. Secure @jeckman
  17. https://twitter.com/klillington/status/997063126322434049 Purpose: there are six legally acceptable reasons that a company can process user data. All data processing needs to fit into one of these categories and should be documented.
      1. Consent: a user has given clear consent for you to process their personal data for a specific purpose.
      2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
      3. Legal obligation: the processing is necessary for you to comply with the law.
      4. Vital interests: the processing is necessary to protect someone’s life.
      5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
      6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. @jeckman
  18. https://twitter.com/CamHamTT/status/99994671805256 Limited: No data should be captured or stored unless it is specifically required for an approved data processing activity. Accurate: All data that is captured should be accurate and kept up to date for as long as it is stored. Users should be able to submit amendments to any data, and records should then be updated accordingly. @jeckman
  19. https://twitter.com/evankirstel/status/1000344045221228544 Time Limited: Data should only be stored for as long as required to process the data. Once you are no longer processing the data, it should be deleted. Secure: All data processing and storage needs to be secure by design, and security practices should be well documented. This includes both technical infrastructure as well as access rights/policies. @jeckman
  20. https://open.spotify.com/playlist/5Pe51v0sHLybSEkX0m0JRf Data principles:
      1. Capture/store as little data as possible.
      2. Document what data you are capturing/storing, why, where it is being stored and for how long.
      3. Encrypt data wherever possible.
      4. Use anonymised data wherever possible.
      5. Make sure that any data you are capturing has an explicit opt-in.
      6. Make it easy for users to make requests of their data.
      7. Make sure to keep your data up-to-date and accurate. @jeckman
  21. PRIVACY BY DESIGN Photo by Dayne Topkin on Unsplash @jeckman
  22. STILL NOT A LAWYER @jeckman
  23. WHAT DO I DO? @jeckman Photo by rawpixel on Unsplash
  24. Assess & Document: What data do we collect about visitors and customers? How is that data collected, stored, and used? What is the purpose for which that data is collected and used? How do we inform users of the purpose, intent, retention, and permissions with respect to their data? TAKE OWNERSHIP Plan: What features on our site need to be revisited? Where can we limit our use of data, in scope, in timeline, or in purpose? Where can we limit our data gathering? How long will it take to get us into compliance? @jeckman
  25. DIVERSIFY REVENUE STREAMS Photo by Maria Imelda on Unsplash @jeckman
  26. CULTIVATE TRANSPARENCY & HONESTY Photo by Kelli Dougal on Unsplash @jeckman
  27. Don’t Panic: Enforcement of the GDPR will most likely first impact businesses with significant financial interests and assets in the EU. If you have enough financial presence in the EU, you can afford a GDPR compliance consultant. BUT I JUST PUBLISH A BLOG! Have a Privacy Policy. Be clear about what data you collect, how, and why. Most Likely Impact: Third-party tools:
      • Analytics
      • Comments
      • Newsletters @jeckman
  28. FOCUS ON THE SPIRIT OF THE LAW, NOT JUST THE LETTER Photo by Maria Freyenbacher on Unsplash @jeckman
  29. DID I MENTION I AM NOT A LAWYER? @jeckman