Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Practical privacy - GDPR explained (ConFoo Montreal 2019)

Practical privacy - GDPR explained (ConFoo Montreal 2019)

The EU's General Data Protection Regulation (GDPR) came into force in May 2018, significantly raising privacy & data protection standards. Its effects are being felt around the world, helping users to regain control of their own data outside of Europe too. As part of this, privacy by design provides a primary line of defence between companies and terrible headlines. Learn what developers & project managers need to know about GDPR in this talk.

Marcus Bointon

March 13, 2019

More Decks by Marcus Bointon

Other Decks in Technology


  1. The Girl, Anon (Netflix) It’s that I have nothing I

    want you to see. It’s not that I have something to hide;
  2. Privacy Laws CoE Global Data Protection Convention 108 — 1981!

    EU Data Protection Directive 95/46/EC 1995 EU e-Privacy Directive 2002/58 — The cookie law EEA — US Safe Harbour: 2000 — 2015 EEA — US Privacy Shield: 2016 Canada: Privacy act, PIPEDA US: HIPAA, CIPA — no overall framework CoE Convention 108+ 2018 EU Article 29 working party ➜ EDPB
  3. – Tim Walters, Ph.D. (via LinkedIn) “Why is the GDPR

    so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing” “The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR.”
  4. Processing must be lawful, fair, and transparent Store identifiable subjects

    no longer than necessary Process data so as to protect accuracy, integrity, and confidentiality Collect & process data for specific, explicit, and legitimate purposes Controller must be able to demonstrate compliance
 with all principles Data adequate, relevant, and limited to the stated purposes Data Protection Principles
  5. Individual Rights To be informed Subject access Correct inaccuracies Erase

    data To restrict processing To be able to move data (portability) To object (e.g. to profiling)
  6. Personal Data Data associated with a person No such thing

    as personally identifiable information (PII) in GDPR Personal Pseudonymous “Special Category” Name, address, phone number,
 email address Purchases, contacts,
 usage history, preferences IP address, location, cookie values, mobile IMEI, browser fingerprinting Hashed email, truncated IP, “Anonymised” data, proxy data, differential privacy Beware mosaic effect! Health, ethnicity, political affiliation, religion, sexual orientation, credit cards, criminal record, trade union membership, biometric, genetic
  7. Basis for Processing Contract “We need your address to send

    you this thing you bought” Legal obligation Vital interest Legitimate interest Public interest Consent “This person has a penicillin allergy” “This person has measles” “We want your data” “Please can we send you our newsletter?” “Keep employee insurance data for 40 years”
  8. Rob Sherman, deputy chief privacy officer for Facebook “I think

    it's a mistake to equate invasion of privacy with data use.” Upton Sinclair “It is difficult to get a man to understand something when his salary depends on his not understanding it.”
  9. Data Breaches Exposure of data likely to impact data subject(s)

    Report to host country’s supervisory authority Within 72 hours Unless data was encrypted Breaches of special category data must notify subjects Fines for breaches - also for not reporting! By Robert Kruk @robertkruk
  10. Privacy By Design Build privacy controls into your tools, frameworks,

    processes, and deployments - compliance as code Retain records of changes in personal data processing Data Protection Impact Assessments “DPIA” Privacy Impact Assessments “PIA” Possible need for a Data Protection Officer “DPO” Outside EU? May need a local representative
  11. GDPR Resources Full GDPR text for reference https://gdpr-info.eu Irish information

    commissioner: https://www.oic.ie French information commissioner: https://www.cnil.fr http://privacylawblog.fieldfisher.com/ http://www.out-law.com/ https://www.privacyshield.gov/list Twitter: @AnnCavoukian, @PrivacyCDN, @CILCONSULTING, @PrivacyMatters, @WebDevLaw, @MissIG_Geek @Tim2040
  12. Summary Know your data principles Personal data Be a Privacy

    Superhero Be aware of data rights Controllers & processors Basis for processing Practice privacy by design