Slide 1

Slide 1 text

Practical Privacy - GDPR Explained
Starring: Privacy Spiderman!

Slide 2

Slide 2 text

A Common Superpower

Slide 3

Slide 3 text

Security: Confidentiality, Availability, Integrity
Privacy: Freedom from being Observed or Disturbed; Appropriate use of data

Slide 4

Slide 4 text

Privacy vs Security? That’s a false dichotomy!

Slide 5

Slide 5 text

“It’s not that I have something to hide; It’s that I have nothing I want you to see.”
– The Girl, Anon (Netflix)

Slide 6

Slide 6 text

Privacy Laws
- CoE Global Data Protection Convention 108 — 1981!
- EU Data Protection Directive 95/46/EC 1995
- EU e-Privacy Directive 2002/58 — The cookie law
- EEA — US Safe Harbour: 2000 — 2015
- EEA — US Privacy Shield: 2016
- Canada: Privacy act, PIPEDA
- US: HIPAA, CIPA — no overall framework
- CoE Convention 108+ 2018
- EU Article 29 working party ➜ EDPB

Slide 7

Slide 7 text

GDPR: General Data Protection Regulation

Slide 8

Slide 8 text

“Why is the GDPR so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing”
“The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR.”
– Tim Walters, Ph.D. (via LinkedIn)

Slide 9

Slide 9 text

Mmmmm… Fines!

Slide 10

Slide 10 text

Controller: Data owner
Processor: Acts on behalf of controller
Subject: Who the data is about

Slide 11

Slide 11 text

The scale of the problem

Slide 12

Slide 12 text

Data Protection Principles
- Processing must be lawful, fair, and transparent
- Store identifiable subjects no longer than necessary
- Process data so as to protect accuracy, integrity, and confidentiality
- Collect & process data for specific, explicit, and legitimate purposes
- Controller must be able to demonstrate compliance with all principles
- Data adequate, relevant, and limited to the stated purposes

Slide 13

Slide 13 text

Individual Rights
- To be informed
- Subject access
- Correct inaccuracies
- Erase data
- To restrict processing
- To be able to move data (portability)
- To object (e.g. to profiling)

Slide 14

Slide 14 text

Personal Data
Data associated with a person
No such thing as personally identifiable information (PII) in GDPR

Personal:
- Name, address, phone number, email address
- Purchases, contacts, usage history, preferences
- IP address, location, cookie values, mobile IMEI, browser fingerprinting

Pseudonymous:
- Hashed email, truncated IP, “Anonymised” data, proxy data, differential privacy
- Beware mosaic effect!

“Special Category”:
- Health, ethnicity, political affiliation, religion, sexual orientation, credit cards, criminal record, trade union membership, biometric, genetic

Slide 15

Slide 15 text

Basis for Processing
- Contract: “We need your address to send you this thing you bought”
- Legal obligation: “Keep employee insurance data for 40 years”
- Vital interest: “This person has a penicillin allergy”
- Legitimate interest: “We want your data”
- Public interest: “This person has measles”
- Consent: “Please can we send you our newsletter?”

Slide 16

Slide 16 text

“I think it's a mistake to equate invasion of privacy with data use.”
– Rob Sherman, deputy chief privacy officer for Facebook

“It is difficult to get a man to understand something when his salary depends on his not understanding it.”
– Upton Sinclair

Slide 17

Slide 17 text

Data Breaches
- Exposure of data likely to impact data subject(s)
- Report to host country’s supervisory authority
- Within 72 hours
- Unless data was encrypted
- Breaches of special category data must notify subjects
- Fines for breaches - also for not reporting!

By Robert Kruk @robertkruk

Slide 18

Slide 18 text

Your Database
By i — happy!! from NY, NY (Flickr) CC BY 2.0

Slide 19

Slide 19 text

Privacy By Design
- Build privacy controls into your tools, frameworks, processes, and deployments - compliance as code
- Retain records of changes in personal data processing
- Data Protection Impact Assessments “DPIA”
- Privacy Impact Assessments “PIA”
- Possible need for a Data Protection Officer “DPO”
- Outside EU? May need a local representative

Slide 20

Slide 20 text

GDPR Resources
- Full GDPR text for reference: https://gdpr-info.eu
- Irish information commissioner: https://www.oic.ie
- French information commissioner: https://www.cnil.fr
- http://privacylawblog.fieldfisher.com/
- http://www.out-law.com/
- https://www.privacyshield.gov/list
- Twitter: @AnnCavoukian, @PrivacyCDN, @CILCONSULTING, @PrivacyMatters, @WebDevLaw, @MissIG_Geek, @Tim2040

Slide 21

Slide 21 text

Summary
- Know your data principles
- Personal data
- Be a Privacy Superhero
- Be aware of data rights
- Controllers & processors
- Basis for processing
- Practice privacy by design

Slide 22

Slide 22 text

Thank You!
Marcus Bointon a.k.a. Privacy Spiderman
[email protected]
@SynchroM @PrivacySpider
Synchro on GitHub & Stack Exchange
Feedback please!