Practical privacy - GDPR explained (ConFoo Montreal 2019)

The EU's General Data Protection Regulation (GDPR) came into force in May 2018, significantly raising privacy & data protection standards. Its effects are being felt around the world, helping users to regain control of their own data outside of Europe too. As part of this, privacy by design provides a primary line of defence between companies and terrible headlines. Learn what developers & project managers need to know about GDPR in this talk.

Marcus Bointon

March 13, 2019


  1. Practical Privacy - GDPR Explained
    Starring: Privacy Spiderman!

  2. A Common Superpower

  3. Security / Privacy
    Freedom from being observed or disturbed
    Appropriate use of data

  4. Privacy vs
    That’s a false

  5. The Girl, Anon (Netflix)
    It’s not that I have something to hide;
    it’s that I have nothing I want you to see.

  6. Privacy Laws
    CoE Global Data Protection Convention 108 — 1981!

    EU Data Protection Directive 95/46/EC 1995

    EU e-Privacy Directive 2002/58 — The cookie law

    EEA — US Safe Harbour: 2000 — 2015

    EEA — US Privacy Shield: 2016

    Canada: Privacy Act, PIPEDA

    US: HIPAA, CIPA — no overall framework

    CoE Convention 108+ 2018

    EU Article 29 working party ➜ EDPB

  7. GDPR
    General Data Protection Regulation

  8. “Why is the GDPR so disruptive? Because it requires firms to follow
    principles that are in many cases the exact opposite of prevailing
    practices around data collection and processing”

    “The heart and soul of data-driven marketing – mass data aggregation,
    algorithmic processing, profile building – is fundamentally challenged –
    and, to be frank, largely banned – by the GDPR.”

    – Tim Walters, Ph.D. (via LinkedIn)

  9. Mmmmm…

  10. Controller, processor, data subject
    Controller: Data owner
    Processor: Acts on behalf of controller
    Data subject: Who the data is about

  11. The scale of the problem

  12. Data Protection Principles
    Processing must be lawful, fair, and transparent
    Collect & process data for specific, explicit, and legitimate purposes
    Data adequate, relevant, and limited to the stated purposes
    Process data so as to protect accuracy, integrity, and …
    Store identifiable subjects no longer than necessary
    Controller must be able to demonstrate compliance with all principles

  13. Individual Rights
    To be informed
    Subject access
    Correct inaccuracies
    Erase data
    To restrict processing
    To be able to move data (portability)
    To object (e.g. to …

  14. Personal Data
    Data associated with a person

    No such thing as personally identifiable information (PII) in GDPR

    Personal: Name, address, phone number, email address; purchases, contacts,
    usage history, preferences; IP address, location, cookie values, mobile
    IMEI, browser fingerprinting

    Pseudonymous: Hashed email, truncated IP, “Anonymised” data, proxy data,
    differential privacy. Beware mosaic effect!

    “Special Category”: Health, ethnicity, political affiliation, religion,
    sexual orientation, credit cards, criminal record, trade union membership,
    biometric, genetic
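    The pseudonymous column above (hashed email, truncated IP) stays personal data whenever the controller can re-link it to other data it already holds. The added Python example below (not from the talk; the customer list, export rows and function names are constructed for illustration) shows that mosaic effect: hashing and truncation alone, joined with the controller's own e-mail list, resolve straight back to named subjects.

```python
import hashlib
import ipaddress


def _hash_email(email: str) -> str:
    """Normalise then SHA-256 the address, as 'hashed email' exports usually do."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(email: str, ip: str) -> dict:
    """The two pseudonymisation steps named on the slide: hash the email and
    truncate the IP to its /24 network. The row still points at one subject
    indirectly, so under GDPR it remains personal data."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return {"email_sha256": _hash_email(email), "ip_prefix": str(net)}


def relink(records: list, crm_emails: list) -> list:
    """Mosaic effect: join the 'pseudonymous' export with a second data set the
    controller already holds (its customer e-mail list). Hashing the known
    addresses and matching hashes undoes the pseudonymisation."""
    lookup = {_hash_email(e): e.strip().lower() for e in crm_emails}
    return [dict(rec, email=lookup.get(rec["email_sha256"])) for rec in records]


# Constructed sample data for the example (not from the talk).
CRM_EMAILS = ["alice@example.com", "bob@example.org"]
EXPORT = [
    dict(pseudonymise("Alice@Example.com", "203.0.113.42"), item="running shoes"),
    dict(pseudonymise("bob@example.org", "198.51.100.7"), item="headphones"),
    dict(pseudonymise("carol@example.net", "203.0.113.99"), item="kettle"),
]


def reidentified(records=EXPORT, crm=CRM_EMAILS) -> list:
    """Returns the subjects the CRM join resolves back to a named person."""
    return [r["email"] for r in relink(records, crm) if r["email"] is not None]


if __name__ == "__main__":
    # Two of three rows re-identify; the third escapes only because that
    # address is not (yet) in the CRM, not because hashing protected it.
    print(reidentified())
```

    The practical consequence is that a hashed or truncated export does not take a data set out of scope for the rights and breach duties listed on the other slides; only the controller's inability to link it back would.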

  15. Basis for Processing
    Contract: “We need your address to send you this thing you bought”
    Legal obligation: “Keep employee insurance data for 40 years”
    Vital interest: “This person has a penicillin allergy”
    Public interest: “This person has measles”
    Legitimate interest: “We want your data”
    Consent: “Please can we send you our newsletter?”

  16. “I think it's a mistake to equate invasion of privacy with data use.”
    – Rob Sherman, deputy chief privacy officer for Facebook

    “It is difficult to get a man to understand something when his salary
    depends on his not understanding it.”
    – Upton Sinclair

  17. Data Breaches
    Exposure of data likely to impact data subject(s)
    Report to host country’s supervisory authority
    Within 72 hours
    Unless data was encrypted
    Breaches of special category data must notify subjects
    Fines for breaches - also for not reporting!
    (Image: Robert Kruk @robertkruk)

  18. Your Database
    (Image: i — happy!! from NY, NY (Flickr), CC BY 2.0)

  19. Privacy By Design
    Build privacy controls into your tools, frameworks, processes, and
    deployments - compliance as code
    Retain records of changes in personal data processing
    Data Protection Impact Assessments “DPIA”
    Privacy Impact Assessments “PIA”
    Possible need for a Data Protection Officer “DPO”
    Outside EU? May need a local representative

  20. GDPR Resources
    Full GDPR text for reference: https://gdpr-info.eu
    Irish information commissioner: https://www.oic.ie
    French information commissioner: https://www.cnil.fr
    Twitter: @AnnCavoukian, @PrivacyCDN, @CILCONSULTING, @PrivacyMatters,
    @WebDevLaw, @MissIG_Geek, @Tim2040

  21. Summary
    Know your data principles
    Personal data
    Controllers & processors
    Basis for processing
    Be aware of data rights
    Practice privacy by design
    Be a Privacy Superhero

  22. Thank You!
    Marcus Bointon a.k.a. Privacy Spiderman
    [email protected]
    @SynchroM @PrivacySpider
    Synchro on GitHub & Stack Exchange
    Feedback please!