Privacy and Security by Design: Regulatory Compliance Will Not … · 2021. 3. 2. · General Data...
Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy
Ann Cavoukian, Ph.D., Distinguished Expert-in-Residence
Privacy by Design Centre of Excellence, Ryerson University
Ryerson CSR Institute / PPOCIR Privacy Protection in 2018
December 7th, 2018
Let’s Dispel The Myths
Privacy ≠ Secrecy
Privacy is not about having something to hide
Privacy = Control
Privacy = Personal Control
• User control is critical
• Freedom of choice
• Informational self-determination
Context is key!
Privacy is Essential to Freedom: A Necessary Condition for Societal Prosperity and Well-Being
• Innovation, creativity, and the resultant prosperity of a society require freedom;
• Privacy is the essence of freedom: Without privacy, individual human rights, property rights and civil liberties – the conceptual engines of innovation and creativity – could not exist in a meaningful manner;
• Surveillance is the antithesis of privacy: A negative consequence of surveillance is the usurpation of a person’s limited cognitive bandwidth, away from innovation and creativity.
The Decade of Privacy by Design
Landmark Resolution Passed to Preserve the Future of Privacy By Anna Ohlden – October 29th 2010 - http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
JERUSALEM, October 29, 2010 – A landmark Resolution by Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, was approved by international Data Protection and Privacy Commissioners in Jerusalem today at their annual conference. The resolution recognizes Commissioner Cavoukian's concept of Privacy by Design - which ensures that privacy is embedded into new technologies and business practices, right from the outset - as an essential component of fundamental privacy protection.
Full Article: http://www.science20.com/newswire/landmark_resolution_passed_preserve_future_privacy
Adoption of “Privacy by Design” as an International Standard
Why We Need Privacy by Design
Most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg
The majority of privacy breaches remain unchallenged, unregulated ... unknown
Regulatory compliance alone is unsustainable as the sole model for ensuring the future of privacy
Privacy by Design: Proactive in 40 Languages!
1. English 2. French 3. German 4. Spanish 5. Italian 6. Czech 7. Dutch 8. Estonian 9. Hebrew 10. Hindi 11. Chinese 12. Japanese 13. Arabic 14. Armenian
15. Ukrainian 16. Korean 17. Russian 18. Romanian 19. Portuguese 20. Maltese 21. Greek 22. Macedonian 23. Bulgarian 24. Croatian 25. Polish 26. Turkish 27. Malaysian 28. Indonesian
29. Danish 30. Hungarian 31. Norwegian 32. Serbian 33. Lithuanian 34. Farsi 35. Finnish 36. Albanian 37. Catalan 38. Georgian 39. Urdu 40. Tamil 41. Afrikaans (pending)
Get Rid of the Dated Win/Lose, Zero-Sum Models!
Positive-Sum Model: The Power of “And”
Change the paradigm from a zero-sum to a “positive-sum” model: Create a win-win scenario, not an either/or (vs.) involving unnecessary trade-offs and false dichotomies … replace “vs.” with “and”
Privacy by Design: The 7 Foundational Principles
1. Proactive not Reactive: Preventative, not Remedial;
2. Privacy as the Default setting;
3. Privacy Embedded into Design;
4. Full Functionality: Positive-Sum, not Zero-Sum;
5. End-to-End Security: Full Lifecycle Protection;
6. Visibility and Transparency: Keep it Open;
7. Respect for User Privacy: Keep it User-Centric.
http://www.ryerson.ca/pbdce/papers/
http://www.ontla.on.ca/library/repository/mon/24005/301946.pdf
Operationalizing Privacy by Design: 11 PbD Application Areas
• CCTV/Surveillance cameras in mass transit systems;
• Biometrics used in casinos and gaming facilities;
• Smart Meters and the Smart Grid;
• Mobile Communications;
• Near Field Communications;
• RFIDs and sensor technologies;
• Redesigning IP Geolocation;
• Remote Home Health Care;
• Big Data and Data Analytics;
• Privacy Protective Surveillance;
• Smart Data.
http://www.ryerson.ca/pbdce/papers/
http://www.ontla.on.ca/library/repository/mon/26012/320221.pdf
“Privacy by Design is considered one of the most important concepts by members of the Japanese Information Processing Development Center …
We have heard from Japan’s private sector companies that we need to insist on the principle of Positive-Sum, not Zero-Sum and become enlightened with Privacy by Design.”
— Tamotsu Nomura, Japan Information Processing Development Center,
May 28, 2014
Letter from JIPDEC – May 28, 2014
GDPR: General Data Protection Regulation
– Strengthens and unifies data protection for individuals within the European Union
– Gives citizens control over their personal data and simplifies regulations across the EU by unifying regulations
• Proposed – January 25th 2012
• Passed – December 17, 2015
• Adoption – Spring 2016
• Enforcement – Spring 2018
E.U. General Data Protection Regulation
• The language of “Privacy/Data Protection by Design” and “Privacy as the Default” will now be appearing for the first time in a privacy statute, that was recently passed in the E.U.
– Privacy by Design
– Data Protection by Design
– Privacy as the Default
The Similarities Between PbD and the GDPR
“Developed by former Ont. Information & Privacy Commissioner, Ann Cavoukian, Privacy by Design has had a large influence on security experts, policy makers, and regulators … The EU likes PbD … it’s referenced heavily in Article 25, and in many other places in the new regulation. It’s not too much of a stretch to say that if you implement PbD, you’ve mastered the GDPR.”
Information Age
September 24, 2015
Privacy Commissioner of Canada: Annual Report
“Organizations must also be more transparent and accountable for their privacy practices. Because they know their business best, it is only right that we expect them to find effective ways, within their own specific context, to protect the privacy of their clients, notably by integrating approaches such as Privacy by Design.”
https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201617/ar_201617/#heading-0-0-3-1
September 21, 2017
42nd Parliament, First Session February, 2018
https://www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP9690701/ethirp12/ethirp12-e.pdf
Privacy by Design as an ISO Standard
- New ISO Project Committee on Privacy by Design for Consumer Goods and Services (ISO PC 317);
- The Standards Council of Canada (SCC) is the mirror committee for the International PC 317 committee.
Privacy by Design Certification
We have now re-launched Privacy by Design Certification, led by Dr. Ann Cavoukian, partnering with KPMG
www.ryerson.ca/pbdce/certification
Privacy by Design Certification
- We chose to partner with Sylvia Kingsmill, Senior Partner at KPMG, for our re-launch of Privacy by Design Certification, to ensure that our upgraded Certification seal provides proof of compliance with the GDPR;
- We have also aligned with ISO, a leading accredited certification body, in our international re-launch of Privacy by Design Certification.
Canadian Companies Have Taken the Lead with PbD Certification
- Leading companies have taken a proactive risk management approach to protecting their customers’ privacy by getting certified, as opposed to doing the least required via regulatory compliance;
- At a time when trust is at an all-time low, and data breaches are proliferating, companies realize that in getting certified, it’s a reputational exercise to enhance one’s brand, not a “tick-the-box” compliance exercise.
Privacy by Design: The Global Privacy Framework
Dr. Cavoukian is offering the definitive Privacy by Design Online Course at Ryerson University
Should you wish to sign up for the Fall 2018 registration list, visit: https://www.ryerson.ca/pbdce/privacy-by-design-chang-school-course/
Privacy: The Business Case
Privacy is Good for Business!
The Bottom Line
Privacy should be viewed as a business issue, not a compliance issue
Think strategically and transform privacy into a competitive business advantage
Cost of Taking the Reactive Approach to Privacy Breaches
Proactive
Reactive
Class-Action Lawsuits
Damage to One’s Brand
Loss of Consumer Confidence and Trust
First “Privacy Marketplace” at the International Consumer Electronics Show in Vegas
“Privacy is a hot issue right now. It’s on everyone’s radar … Consumers asking about privacy – that was the big takeaway. These companies in the privacy marketplace, in large part aren’t advocates. They’re entrepreneurs looking to capitalize on market opportunity. They expect a larger privacy marketplace next year and for brands to incorporate “privacy” into their marketing … Anyone, everyone, can understand the need for privacy.”
Victor Cocchia, CEO, Vysk
Speaking at CES: Jan, 2015
“Trust takes years to build, seconds to destroy, and forever to repair.”
… And trust among the public is at an all-time low today
Guard Your Reputation
Pew Research Internet Project
• Public Perceptions of Privacy and Security in the Post-Snowden Era: November 2014
– There is widespread concern about surveillance by both government and business:
• 91% of adults agree that consumers have lost control over their personal information;
• 80% of social network users are concerned about third parties accessing their data;
• 80% of adults agree that Americans should be concerned about government surveillance;
The Online “Privacy Lie” Is Unraveling
“A large majority of web users are not at all happy … they feel powerless to stop their data being harvested and used by marketers.” 91% disagree that “If companies give me a discount, it is a fair exchange for them to collect information about me without my knowing.”
TechCrunch http://techcrunch.com/2015/06/06/the-online-privacy-lie-is-unraveling/
Joseph Turow and Michael Hennessy, University of Pennsylvania; Nora Draper, University of New Hampshire
June 6, 2015
2014 Survey of Canadians on Privacy – Office of the Privacy Commissioner of Canada
• 90% of Canadians expressed concern about the protection of their privacy;
• 78% feel at least somewhat likely that their privacy may be breached by someone using their Credit/Debit Card or stealing their identity;
• 70% of Canadians are concerned about the use of genetic testing for non-medical purposes;
• 73% feel they have less protection of their personal information than ten years ago;
• 60% have little expectation of privacy because there are so many ways it can be compromised.
Trends and Challenges: Consumer Confidence
• People choose to give their business to firms with good “data hygiene” – new evidence suggests that consumers are seeking out companies that will protect their privacy.
— Forrester Research
Privacy and Marketing
“Privacy by Design Is a Starting Point That Leads to Long-Term Benefits”
Jessica Kernan, Advertising Age
Oct 28, 2014
“By adopting a privacy-by-design mentality, we can begin to transform ideas like these into best practices that have long-term benefits for both consumers and brands. Let's lead the way.”
Jessica Kernan, Advertising Age
Oct 28, 2014
Three Key Points to Help Marketers:
1. Integrate data planning as an upstream design discipline;
2. Evolve from fine print to more transparent disclosure strategies;
3. Make Privacy a positive part of the brand experience.
Jessica Kernan, Advertising Age
Oct 28, 2014
10 Take-Aways from Dr. Cavoukian’s Talk
• Privacy is not about secrecy, it's about control.
• Many believe you can either have privacy or security, but security and privacy can co-exist.
• Six out of 10 Americans are distrustful of their government.
• Zero-sum thinking will only hold you back. Embrace doubly-enabling systems: marketing and privacy.
• Focus on integrating data planning as an upstream design discipline.
• Evolve from fine print to more transparent disclosure strategies.
• Make privacy a positive part of the brand experience.
• Increase consumer trust right out of the gates. Privacy can be your competitive advantage.
• Be deliberate and proactive: lead with Privacy by Design rather than privacy by chance.
• Privacy is good for business!
Canadian Marketing Association
The Unintended Consequences of Data
“The increasing availability of ‘data fumes’ – data produced as a by-product of people’s use of technological devices and services – has both political and practical implications for the way people are seen and treated by the state and by the private sector.”
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2918779
Linnet Taylor, TILT, Tilburg University
February 16, 2017
IoT Attacks: “When” not “IF”
“The question companies should be asking is no longer whether there will be an attack involving Internet of Things (IoT) devices and infrastructure, but when.”
Hogan Lovells, HL Chronicle of Data Protection, May 8, 2017
http://www.hldataprotection.com/2017/05/articles/news-events/upcoming-webinar-on-cybersecurity-and-the-internet-of-things/?utm_source=dlvr.it&utm_medium=twitter
Security Deserves Far Greater Attention
- Cyber Security threats are mounting on a daily basis;
- And they are also leading to massive lawsuits – class action lawsuits.
IAPP, April 26, 2017
1.1 Billion Identities Stolen in 2016
Data Breach Statistics
Data records lost or stolen since 2013:
9,053,156,308
http://breachlevelindex.com/
Breach Level Index, 2017
Data Breach Statistics (cont’d)
Only 4% of breaches were “Secure Breaches” where encryption was used and the stolen data was rendered useless.
http://breachlevelindex.com/
Breach Level Index, 2017
The Vital Need for Encryption!
Data Minimization and De-Identification
Data Minimization
• Data minimization is the most important safeguard in protecting personally identifiable information, including for a variety of research purposes and data analysis;
• The use of strong de-identification techniques, data aggregation and encryption techniques is absolutely critical.
Dispelling the Myths about De-Identification …
• The claim that de-identification has no value in protecting privacy due to the ease of re-identification is a myth;
• If proper de-identification techniques and re-identification risk management procedures are used, re-identification becomes a very difficult task;
• While there may be a residual risk of re-identification, in the vast majority of cases, de-identification will strongly protect the privacy of individuals when additional safeguards are in place.
www.ipc.on.ca/English/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=1084
Essential Need for strong De-Identification
• Personally identifiable data must be rendered non-identifiable, thereby enabling use of data for research purposes;
• Strong de-identification protocols must be used in conjunction with a risk of re-identification framework.
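The two de-identification slides above make a measurable claim: proper generalization of quasi-identifiers plus a re-identification risk framework makes re-identification difficult, while a residual risk always remains. The Python script below is an added example and is not code from this presentation or from any of the standards it cites. It strips a direct identifier, generalizes two quasi-identifiers (age into bands, postal code to its first characters) over a constructed set of records, and then reports the metrics a risk framework would log: k-anonymity (the smallest group of indistinguishable records), the worst-case singling-out risk 1/k, and l-diversity of the sensitive attribute. The record values, field names, generalization parameters and the release threshold k_min = 3 are all constructed assumptions.

```python
"""Added example: measuring residual re-identification risk after de-identification.

Not code from the presentation or from any standard it cites. The records,
field names, generalization parameters and the k threshold are constructed
assumptions for illustration only.
"""

# Constructed sample: a direct identifier (name), two quasi-identifiers
# (age, postal_code) and one sensitive attribute (diagnosis).
RAW_RECORDS = [
    {"name": "Person 1", "age": 31, "postal_code": "M5V 2T6", "diagnosis": "flu"},
    {"name": "Person 2", "age": 34, "postal_code": "M5V 1A1", "diagnosis": "cold"},
    {"name": "Person 3", "age": 38, "postal_code": "M5V 3K9", "diagnosis": "flu"},
    {"name": "Person 4", "age": 42, "postal_code": "K1A 0B1", "diagnosis": "asthma"},
    {"name": "Person 5", "age": 45, "postal_code": "K1A 0A2", "diagnosis": "flu"},
    {"name": "Person 6", "age": 47, "postal_code": "K1A 1B3", "diagnosis": "cold"},
    {"name": "Person 7", "age": 52, "postal_code": "V6B 1A1", "diagnosis": "flu"},
    {"name": "Person 8", "age": 55, "postal_code": "V6B 2B2", "diagnosis": "flu"},
    {"name": "Person 9", "age": 58, "postal_code": "V6B 3C3", "diagnosis": "flu"},
]

QUASI_IDENTIFIERS = ("age_band", "postal_prefix")


def generalize(record, age_band=10, postal_prefix_len=3):
    """Drop the direct identifier and coarsen the quasi-identifiers."""
    low = (record["age"] // age_band) * age_band
    return {
        "age_band": f"{low}-{low + age_band - 1}",
        "postal_prefix": record["postal_code"].replace(" ", "")[:postal_prefix_len],
        "diagnosis": record["diagnosis"],
    }


def de_identify(records, age_band=10, postal_prefix_len=3):
    """Apply the same generalization to every record; 'name' never survives."""
    return [generalize(r, age_band, postal_prefix_len) for r in records]


def equivalence_classes(records):
    """Group records that share identical generalized quasi-identifiers."""
    classes = {}
    for r in records:
        key = tuple(r[q] for q in QUASI_IDENTIFIERS)
        classes.setdefault(key, []).append(r)
    return classes


def k_anonymity(records):
    """Size of the smallest equivalence class: each record hides among at least k."""
    classes = equivalence_classes(records)
    return min(len(v) for v in classes.values()) if classes else 0


def l_diversity(records, sensitive="diagnosis"):
    """Fewest distinct sensitive values in any class (1 = a homogeneous class)."""
    classes = equivalence_classes(records)
    return min(len({r[sensitive] for r in v}) for v in classes.values()) if classes else 0


def max_reidentification_risk(records):
    """Worst-case probability of singling out one record: 1/k (1.0 if k is 0)."""
    k = k_anonymity(records)
    return 1.0 / k if k else 1.0


def risk_report(records, k_min=3):
    """Metrics a re-identification risk framework would record before release.

    k_min=3 is an assumed release threshold, not a value from any standard."""
    k = k_anonymity(records)
    return {
        "k": k,
        "l": l_diversity(records),
        "max_risk": max_reidentification_risk(records),
        "releasable": k >= k_min,
    }


if __name__ == "__main__":
    print("strong generalization:", risk_report(de_identify(RAW_RECORDS)))
    print("weak generalization:  ", risk_report(de_identify(RAW_RECORDS, 5, 6)))
```

With ten-year age bands and a three-character postal prefix every record sits in a group of three, so k = 3 and the worst-case singling-out risk is 1/3; with five-year bands and the full postal code every record is unique (k = 1) and the release check fails. The report also shows why zero risk is a myth even at k = 3: the V6B group has l = 1 because every member shares the same diagnosis, so someone who already knows a person is in that group learns their diagnosis without singling out a row. That residual risk is what the additional safeguards mentioned on the slide (contractual, access and audit controls) are meant to cover.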
The Myth of Zero-Risk
5 Standards on De-Identification, Taking a Risk-Based Approach, Cont’d.
1. Institute of Medicine: Sharing Clinical Trial Data: Maximizing Benefits, Minimizing Risk – Committee on Strategies for Responsible Sharing of Clinical Trial Data
2. HITrust: Health Information Trust Alliance: De-Identification Framework: A Consistent, Managed Methodology for the De-Identification of Personal Data and the Sharing of Compliance and Risk Information
5 Standards on De-Identification, Taking a Risk-Based Approach, Cont’d.
3. Council of Canadian Academies: Accessing Health and Health-Related Data in Canada – The Expert Panel on Timely Access to Health and Social Data for Health Research and Health System Innovation
4. PhUSE Pharmaceutical Users Software Exchange: De-Identification Standard for CDISC SDTM 3.2 – PhUSE De-Identification Working Group
5. NISTIR 8053 De-Identification of Personal Information – National Institute of Standards and Technology
Risk Mitigation Strategies
“Boards really want to understand the operational risk to their company, along with the plans for how one wants to handle risk and reduce the impact.”
- Jim Anderson, BAE Systems Applied Intelligence
Do you have a Data Map?
• Do you know how personally identifiable data flows throughout your organization?
• Do you know if the necessary permissions have been obtained?
• Do you know if the data flows outside your organization to third parties? (authorized or not)
• Do you have a risk mitigation strategy?
Privacy Impact Assessments (Intended to be an Analytical Process)
“The goal of a PIA is to identify and address privacy risks when planning, designing, acquiring and implementing new programs, systems, processes, practices, services, technology, applications that involve personal information.”
Eric Lawton, Privacy and Access Council of Canada
Data Breach Response
• Do you have a Data Breach Protocol in place that kicks in the minute you get a data breach?
• Have all your staff been trained to follow the protocol?
• Do they know exactly what to do as soon as they are alerted of a data breach?
“Privacy by Design – Ready for Takeoff”
“The passage of the EU’s GDPR… is bringing PbD to top of mind as personal operations are adjusted to comply with new GDPR rules… In short, the GDPR has already given PbD new visibility and vigor. Positive-sum change is on its way – not just to Europe, but across the world.”
“Dr. Cavoukian is keeping up with change as well, having recently founded GPS by Design, a follow-up to PbD, now expanded to a global privacy and security focus. PrivacyCheq supports GPS by Design, and works to promote its acceptance.”
http://privacyelephant.blogspot.ca/2016/11/privacy-by-design-ready-for-takeoff.html
Privacy Elephant, November 4, 2016
Global Privacy and Security Experts Launch the International Council on Global Privacy and Security, by Design
New organization created to educate governments and businesses on how to develop policies and technologies where privacy, public safety and Big Data work together for positive-sum, win-win outcomes
Founding Members include:
- Darren Entwistle, CEO of TELUS Inc.
- Michael Chertoff, 2nd Secretary of U.S. Homeland Security
- Gilles de Kerchove, Director of E.U. Counter Terrorism
- Greg Wolfond, CEO of SecureKey
- Joseph Simitian, Supervisor of Santa Clara County, CA and Former Chair of the California State Senate Select Committee on Privacy
Press Release: http://m.marketwired.com/press-release/-2167023.htm
International Council on Global Privacy and Security, by Design
• Newly created extension of Privacy by Design, focusing on both privacy and security!
• Essential need to abandon zero-sum, either/or propositions involving one interest vs. another: privacy vs. public safety;
• Change this to a doubly-enabling positive-sum approach, with both privacy AND public safety gaining in positive increments.
gpsbydesign.org
My Resignation from Sidewalk Labs
Concluding Thoughts
• Privacy and security risks are best managed by proactively embedding the principles of Privacy by Design – prevent the harm from arising – avoid the data breach;
• Focus on prevention: It is much easier and far more cost-effective to build in privacy and security up-front, rather than after-the-fact, reflecting the most ethical treatment of personal data;
• Abandon zero-sum thinking – embrace doubly-enabling systems: Privacy and Security; Privacy and Data Utility;
• Get smart – lead with Privacy by Design Certification, not privacy by chance or, worse, Privacy by Disaster!
Contact Information
Ann Cavoukian, Ph.D., LL.D (Hon.), M.S.M.
Distinguished Expert-in-Residence
Privacy by Design Centre of Excellence
Ryerson University
1 Dundas St. West, 25th Floor
Toronto, Ontario M5G 1Z3
Phone: (416)
[email protected]
twitter.com/AnnCavoukian