Practical Privacy - GDPR Explained

Transcript

1. Practical Privacy – GDPR Explained By Marcus Bointon Technical director,

   Synchromedia Limited & Smartmessages.net Maintainer of PHPMailer

2. Data protection history EU Directive 95/46/EC 1995 Implemented by each

   EU member UK Data Protection Act 1998 French CNIL Data Processing Act 78-18, amended by 2004-801 Safe Harbour: 2000 - October 2015 RIP Privacy Shield: July 2016

3. General Data Protection Regulation – GDPR New EU Regulation 2016/679;

   Replaces old Directive Adopted April 2016, enforced from 25th May 2018 UK government has said they will support it, Brexit or not Largely about protecting individual rights Massively increased fines up to 4% of global turnover Under GDPR, Tesco bank’s fine would be around £1.9Bn!

4. – Tim Walters, Ph.D. (via LinkedIn) “Why is the GDPR

   so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing” “The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR.”

5. By i — happy!! from NY, NY (Flickr) CC BY

   2.0

6. Data protection principles Processing must be lawful, fair, and transparent

   Data collected & processed for specific, explicit, and legitimate purposes Adequate, relevant, and limited to the stated purposes Stores identifiable subjects no longer than necessary Data processed in a way that protects accuracy, integrity, and access

7. Access Confidentiality Notice Choice Use Availability Integrity IT concerns Privacy

   concerns

8. GDPR transition Rights are largely the same, but better defined

   Biggest change: Accountability - must be able to demonstrate compliance Tries to address information asymmetry Requires ISO-style defined procedures - e.g. data breach plan

9. Privacy by design Put yourself in the user’s position Retain

   records of changes in personal data processing - facilitates accountability Privacy Impact Assessments “PIA” Data Protection Impact Assessments “DPIA” Possible need for a Data Protection Officer “DPO”

10. Data flavours Pseudonymous Personal Sensitive Hashed email Truncated IP “Anonymised”

    data Name, address, phone number, email address Any unique identifiers - includes IP address, location, cookie values, mobile IMEI, browser fingerprinting Ethnicity, political affiliation, religion, sexual orientation, credit cards, criminal record, trade union membership, biometric, genetic

11. e-Privacy Regulation Not just GDPR… The end of the cookie

    law! Third party cookies blocked by default (as Safari has always done) “Do Not Track” becomes enforceable

12. Personal Privacy Rights Consent not always required Subject access Correct

    inaccuracies Erase data Object to marketing use To restrict processing – how, where, for what purpose To be able to move data (portability)

13. Reporting Data Breaches Report to your country’s data protection commissioner

    Within 72 hours Unless data was encrypted Breaches of sensitive data must also notify the subjects Fines for breaches - also for not reporting!

14. Examples with implications Create an account, also post to a

    CRM Facebook “Like” buttons Google analytics OAuth / social logins Buying a mailing list (don’t!)

15. Ironic counter example Requiring unnecessary data Requiring personal data Handling

    data inappropriately Requiring pointless data! From a law firm specialising in privacy?

16. GDPR Resources Full GDPR text for reference https://gdpr-info.eu UK Information

    Commissioner: https://ico.org.uk http://www.eudataprotectionlaw.com/ http://privacylawblog.fieldfisher.com/ http://www.out-law.com/ https://www.privacyshield.gov/list Twitter: @1DavidClarke, @CILCONSULTING, @PrivacyMatters, @WebDevLaw, @MissIG_Geek

17. Thank you! Marcus Bointon [email protected] @SynchroM Synchro on GitHub &

    StackExchange Feedback please! joind.in/talk/8cf69