Practical privacy - GDPR explained (ConFoo Montreal 2019)

Transcript

1. Practical Privacy -
   GDPR Explained
   Starring: Privacy Spiderman!
   

   View Slide

2. A Common Superpower
   

   View Slide

3. Security Privacy
   Confidentiality
   Availability
   Integrity
   Freedom from being
   Observed or Disturbed
   Appropriate use of data
   

   View Slide

4. Privacy vs
   Security?
   That’s a false
   dichotomy!
   

   View Slide

5. The Girl, Anon (Netflix)
   It’s that I have nothing I want you to see.
   It’s not that I have something to hide;
   

   View Slide

6. Privacy Laws
   CoE Global Data Protection Convention 108 — 1981!
   
   EU Data Protection Directive 95/46/EC 1995
   
   EU e-Privacy Directive 2002/58 — The cookie law
   
   EEA — US Safe Harbour: 2000 — 2015
   
   EEA — US Privacy Shield: 2016
   
   Canada: Privacy act, PIPEDA
   
   US: HIPAA, CIPA — no overall framework
   
   CoE Convention 108+ 2018
   
   EU Article 29 working party ➜ EDPB
   

   View Slide

7. GDPR
   General Data Protection Regulation
   

   View Slide

8. – Tim Walters, Ph.D. (via LinkedIn)
   “Why is the GDPR so disruptive? Because it requires
   firms to follow principles that are in many cases the
   exact opposite of prevailing practices around data
   collection and processing”
   “The heart and soul of data-driven marketing – mass
   data aggregation, algorithmic processing, profile
   building – is fundamentally challenged – and, to be
   frank, largely banned – by the GDPR.”
   

   View Slide

9. Mmmmm…
   Fines!
   

   View Slide

10. Controller
    Processor
    Data owner
    Acts on behalf of controller
    Subject
    Who the data is about
    

    View Slide

11. The scale of the problem
    

    View Slide

12. Processing must be lawful, fair,
    and transparent
    Store identifiable subjects no
    longer than necessary
    Process data so as to protect
    accuracy, integrity, and
    confidentiality
    Collect & process data for specific,
    explicit, and legitimate purposes
    Controller must be able to
    demonstrate compliance

    with all principles
    Data adequate, relevant, and
    limited to the stated purposes
    Data Protection Principles
    

    View Slide

13. Individual Rights
    To be informed
    
    Subject access
    
    Correct inaccuracies
    
    Erase data
    To restrict processing
    
    To be able to move
    data (portability)
    
    To object (e.g. to
    profiling)
    

    View Slide

14. Personal Data
    Data associated with a person
    
    No such thing as personally identifiable information (PII) in GDPR
    Personal Pseudonymous “Special Category”
    Name, address, phone number,

    email address
    Purchases, contacts,

    usage history, preferences
    IP address, location, cookie values,
    mobile IMEI, browser fingerprinting
    Hashed email,
    truncated IP,
    “Anonymised” data,
    proxy data,
    differential privacy
    Beware mosaic effect!
    Health, ethnicity, political
    affiliation, religion, sexual
    orientation, credit cards,
    criminal record, trade
    union membership,
    biometric, genetic
    

    View Slide

15. Basis for Processing
    Contract “We need your address to send you this thing you bought”
    Legal obligation
    Vital interest
    Legitimate interest
    Public interest
    Consent
    “This person has a penicillin allergy”
    “This person has measles”
    “We want your data”
    “Please can we send you our newsletter?”
    “Keep employee insurance data for 40 years”
    

    View Slide

16. Rob Sherman, deputy chief privacy officer for Facebook
    “I think it's a mistake to equate
    invasion of privacy with data use.”
    Upton Sinclair
    “It is difficult to get a man to understand
    something when his salary depends on
    his not understanding it.”
    

    View Slide

17. Data Breaches
    Exposure of data likely to impact data subject(s)
    
    Report to host country’s supervisory authority
    
    Within 72 hours
    
    Unless data was encrypted
    
    Breaches of special category data must notify subjects
    
    Fines for breaches - also for not reporting!
    By Robert Kruk @robertkruk
    

    View Slide

18. By i — happy!! from NY, NY (Flickr) CC BY 2.0
    Your Database
    

    View Slide

19. Privacy By Design
    Build privacy controls into your tools, frameworks,

    processes, and deployments - compliance as code
    Retain records of changes in personal data processing
    
    Data Protection Impact Assessments “DPIA”
    
    Privacy Impact Assessments “PIA”
    
    Possible need for a Data Protection Officer “DPO”
    
    Outside EU? May need a local representative
    

    View Slide

20. GDPR Resources
    Full GDPR text for reference https://gdpr-info.eu
    
    Irish information commissioner: https://www.oic.ie
    
    French information commissioner: https://www.cnil.fr
    
    http://privacylawblog.fieldfisher.com/
    
    http://www.out-law.com/
    
    https://www.privacyshield.gov/list
    
    Twitter: @AnnCavoukian, @PrivacyCDN, @CILCONSULTING,
    @PrivacyMatters, @WebDevLaw, @MissIG_Geek @Tim2040
    

    View Slide

21. Summary
    Know your data principles Personal data
    Be a Privacy Superhero
    Be aware of data rights
    Controllers & processors
    Basis for processing
    Practice privacy by design
    

    View Slide

22. Thank You!
    Marcus Bointon a.k.a. Privacy Spiderman
    
    [email protected]
    
    @SynchroM @PrivacySpider
    
    Synchro on GitHub & Stack Exchange
    
    Feedback please!
    

    View Slide