Practical privacy - GDPR explained (ConFoo Montreal 2019)

Transcript

1. Practical Privacy - GDPR Explained Starring: Privacy Spiderman!

2. A Common Superpower

3. Security Privacy Confidentiality Availability Integrity Freedom from being Observed or

   Disturbed Appropriate use of data

4. Privacy vs Security? That’s a false dichotomy!

5. The Girl, Anon (Netflix) It’s that I have nothing I

   want you to see. It’s not that I have something to hide;

6. Privacy Laws CoE Global Data Protection Convention 108 — 1981!

   EU Data Protection Directive 95/46/EC 1995 EU e-Privacy Directive 2002/58 — The cookie law EEA — US Safe Harbour: 2000 — 2015 EEA — US Privacy Shield: 2016 Canada: Privacy act, PIPEDA US: HIPAA, CIPA — no overall framework CoE Convention 108+ 2018 EU Article 29 working party ➜ EDPB

7. GDPR General Data Protection Regulation

8. – Tim Walters, Ph.D. (via LinkedIn) “Why is the GDPR

   so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing” “The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR.”

9. Mmmmm… Fines!

10. Controller Processor Data owner Acts on behalf of controller Subject

    Who the data is about

11. The scale of the problem

12. Processing must be lawful, fair, and transparent Store identifiable subjects

    no longer than necessary Process data so as to protect accuracy, integrity, and confidentiality Collect & process data for specific, explicit, and legitimate purposes Controller must be able to demonstrate compliance
 with all principles Data adequate, relevant, and limited to the stated purposes Data Protection Principles

13. Individual Rights To be informed Subject access Correct inaccuracies Erase

    data To restrict processing To be able to move data (portability) To object (e.g. to profiling)

14. Personal Data Data associated with a person No such thing

    as personally identifiable information (PII) in GDPR Personal Pseudonymous “Special Category” Name, address, phone number,
 email address Purchases, contacts,
 usage history, preferences IP address, location, cookie values, mobile IMEI, browser fingerprinting Hashed email, truncated IP, “Anonymised” data, proxy data, differential privacy Beware mosaic effect! Health, ethnicity, political affiliation, religion, sexual orientation, credit cards, criminal record, trade union membership, biometric, genetic

15. Basis for Processing Contract “We need your address to send

    you this thing you bought” Legal obligation Vital interest Legitimate interest Public interest Consent “This person has a penicillin allergy” “This person has measles” “We want your data” “Please can we send you our newsletter?” “Keep employee insurance data for 40 years”

16. Rob Sherman, deputy chief privacy officer for Facebook “I think

    it's a mistake to equate invasion of privacy with data use.” Upton Sinclair “It is difficult to get a man to understand something when his salary depends on his not understanding it.”

17. Data Breaches Exposure of data likely to impact data subject(s)

    Report to host country’s supervisory authority Within 72 hours Unless data was encrypted Breaches of special category data must notify subjects Fines for breaches - also for not reporting! By Robert Kruk @robertkruk

18. By i — happy!! from NY, NY (Flickr) CC BY

    2.0 Your Database

19. Privacy By Design Build privacy controls into your tools, frameworks,


    processes, and deployments - compliance as code Retain records of changes in personal data processing Data Protection Impact Assessments “DPIA” Privacy Impact Assessments “PIA” Possible need for a Data Protection Officer “DPO” Outside EU? May need a local representative

20. GDPR Resources Full GDPR text for reference https://gdpr-info.eu Irish information

    commissioner: https://www.oic.ie French information commissioner: https://www.cnil.fr http://privacylawblog.fieldfisher.com/ http://www.out-law.com/ https://www.privacyshield.gov/list Twitter: @AnnCavoukian, @PrivacyCDN, @CILCONSULTING, @PrivacyMatters, @WebDevLaw, @MissIG_Geek @Tim2040

21. Summary Know your data principles Personal data Be a Privacy

    Superhero Be aware of data rights Controllers & processors Basis for processing Practice privacy by design

22. Thank You! Marcus Bointon a.k.a. Privacy Spiderman [email protected] @SynchroM @PrivacySpider

    Synchro on GitHub & Stack Exchange Feedback please!