#smartercommerce

Aurélie PolsCo-founder & Chief Visionary Officer

Mind Your Privacy & Mind Your Groupaurelie@mindyourprivacy.com

@aureliepols

The Future of PrivacyData is the New Oil, Privacy is the New GreenUnlocking Value & Controlling Risk

@AureliePols

About me

Aurélie PolsChief Visionary OfficerMind Your Privacy

• Grew up in the Netherlands, Dutch passport• French mother tongue• Most of my friends are bilingual at least• Have Polish & Russian origins• Set-up my 1st start-up in Belgium in 2003• Sold it to Digitas LBi (Publicis), in 2008• Moved to Spain in 2009• Created 2 other start-ups in Spain in 2012

Mind Your Group, Putting Your Data to WorkMind Your Privacy, Data Science Protected

Yes, a “law firm” but we prefer to say a bunch of Data Scientists working with a bunch of Lawyers

@AureliePols

Context: Privacy tri-partiteJoint effort by:

1. Governments &/or international Associations => legislation, guidelines, …

2. Citizens/voters/consumers3. Businesses

Each party wanting to defend: – Personal Data Protection & the Rule of

Law through respect of Fundamental Rights vs.

– Profits & hopefully Sustainability

Governments

Citizens/voters/

consumers

OUR GLOBAL SOCIETY

Businesses

Analytics vendors / Agencies / Data Users

@AureliePols

About Mind Your Privacy

Boutique consultancy firm providing security consultancy services and legal Privacy advice

Our typical international clients manage sensitive data within an international landscape

Pluricultural and multi-skilled profiles - legal, data scientists and technical

Providing complete solutions to complex data and privacy issues

@AureliePols

This presentation is for Data Users

Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg

@AureliePols

Privacy, the Word

From our Wikipedia friends:From Latin: privatus "separated from the rest, deprived of something, esp. office, participation in the government", from privo "to deprive”

The ability of an individual or group to seclude themselves or information about themselves and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes. When something is private to a person, it usually means there is something to them inherently special or sensitive. The domain of privacy partially overlaps security, including for instance the concepts of appropriate use, as well as protection of information. Privacy may also take the form of bodily integrity.

Source: https://en.wikipedia.org/wiki/Privacy

@AureliePols

Privacy, nothing to hide?

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”Eric Schmidt, 2009 https://www.youtube.com/watch?v=A6e7wfDHzew

If you've got nothing to hide,

you've got nothing to fear!

Tip: Follow Daniel Solove on LindedIn!

@AureliePols

An Anglo-Saxon term?

Source: http://web.mit.edu/bigdata-priv/

http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf

@AureliePols

Blame?

Source: http://mobile.nytimes.com/blogs/bits/2014/05/05/white-house-tech-advisers-online-privacy-is-a-market-failure/

@AureliePols

Solution?

@AureliePols

Is this complicated?

Source: https://www.forrestertools.com/heatmap/

@AureliePols

Regulatory law

“Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different”

Source: Bloomberg Singapore Sessions April 23rd 2014http://www.bloomberg.com/video/big-data-big-results-singapore-sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html

@AureliePols

A global perspectiveUS & UK EU APEC

Common Law Continental Law Continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Privacy Personal Data Protection (PDP)Business focused Citizen focused: data belongs to the

visitor/prospect/consumer/citizenPatchwork of sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per state Risk levels: low, medium, high, extremely high

@AureliePols

Democracy & the rule of lawUS & UK EU APEC

Common Law Continental Law Continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Privacy Personal Data Protection (PDP)Business focused Citizen focused: data belongs to the

visitor/prospect/consumer/citizenPatchwork of sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per state Risk levels: low, medium, high, extremely high

@AureliePols

Data Protection

In light of fuzzy interpretations of Privacy, could we agree upon• Thinking of it as data protection• Protecting the data we are entrusted with• While respecting the Right to “Privacy”• Taking into consideration information security

measures

@AureliePols

Democracy & the rule of lawUS & UK EU APEC

Common Law Continental Law Continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Privacy Personal Data Protection (PDP)Business focused Citizen focused: data belongs to the

visitor/prospect/consumer/citizenPatchwork of sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per state Risk levels: low, medium, high, extremely high

@AureliePols

PII: ah but we don’t collect it!

Medical information as PII

California

Arkansas

Missouri

New Hampshire

North Dakota

Texas

Virginia

Financial information as PII

Alaska North Carolina

Iowa North Dakota

Kansas Oregon

Massachusetts South Carolina

Missouri Vermont

Nevada Wisconsin

New York* Wyoming

Passwords as PII

Georgia

Maine

Nebraska

Biometric information as PII

Iowa

Nebraska

North Carolina

Wisconsin

Source: information based on current ongoing analysis

(partial results)

@AureliePols

So what is considered PII?Personal Information (based on the definition commonly used by most US states)

i Name, such as full name, maiden name, mother‘s maiden name, or alias

ii Personal identification number, such as social security number (SSN), passport number, driver‘s license number, account and credit card number

iii Address information, such as street address or email address

iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)

v Telephone numbers, including mobile, business, and personal numbers.Information identifying personally owned property, such as vehicle registration number or title number and related information

Source: information based on current ongoing analysis

(partial results)

@AureliePols

If you collect PII… thenUS & UK EU APEC

Common Law Continental Law Continental law influenced

Class actions Fines (by DPAs: Data Protection Agencies)

Privacy Personal Data Protection (PDP)Business focused Citizen focused

Patchwork of sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII: varies per state Risk levels: low, medium, high, extremely high

@AureliePols

PII & legislation questions

• Who knows their Chief Privacy Officer?According to the DMA (US), CMOs should abide to an average # of 300 pieces of legislation

• Is PII really PII?Zip code + gender + date of birth can uniquely identify 87% of the US populationSource: Microsoft Latanya Sweeney (2000) http://dataprivacylab.org/projects/identifiability/paper1.pdf

@AureliePols

PII vs. Risk levels

Low

Medium(profiling)

High(sensitive)

Risk level

Data typeInformation Security Measures

Extremely high(profiling of sensitive data)

PII

@AureliePols

Data lifecycles

Analytics => Follow the Money

Information Security & Compliance => Follow the Data

@AureliePols

The Privacy framework 1

User consent

Fair & Legal process: FIPPs

Information for approved use

Data diving analysis / Big Data

New business opportunity through data

Purpose

@AureliePols

The Privacy framework 2

User consent

Fair & Legal process: FIPPs

Information for approved use

Data diving analysis / Big Data

New business opportunity through data

Purpose

@AureliePols

Fair Information Practice Principles - FIPPs

Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg

@AureliePols

Data collection

• Purpose – Consent– Reason for data collection: • Website improvement, better User Experience• Marketing communication

• Opt-in? Opt-out? Double opt-in?– Depends upon:• Type of data: PII, sensitive data• Type of sector: financial, health, …• Geography: US vs. EU vs. ???

@AureliePols

Examples: US vs. Spain

US: no purpose, no consent

Spain: consent, purpose, opt-in & opt-out

@AureliePols

Trust & creepiness

Consent is about a reasonable expectation of the use of data– There’s a fine line

between feeling charmed vs. feeling invaded

– Create win-win situations: • Customers give company information• Customers get better service/value for money

@AureliePols

Consent & Trust for Telcos

Slide borrowed from Stephen John Deadman from Vodafone Group Services Limited, IAPP congress Brussels, November 2013

@AureliePols

Typical personal data misconceptions

Very often present in technology companies– We do not identify the user while using the data, so we have no

issues with Privacy law– We only use the serial # of the users device, so the data is

anonymous and we have no issues with Privacy laws– We encrypt the data so we are no longer using/sending/receiving

personal data– We use hashes to replace all serial #, so the data is now

anonymous and we have no issues with Privacy laws– We anonymize the data, so we are not using personal data– We can use the user’s data for anything we want, as long as we

keep the data to ourselves– Look: big name companies are doing the same, so we are ok

Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013

@AureliePols

EU fines?Spain: responsible for 80% of data protection fines in the EU

Source: http://i0.kym-cdn.com/photos/images/newsfeed/000/242/381/63a

.jpg

Source: http://www.mindyourprivacy.com/download/privacy-infographic.pdf

@AureliePols

Security (technical)

Data Collection

TechnologicalPr

oces

ses Resources

security

@AureliePols

Who has access?

Source: Mind Your Privacy seal, specific audit for analytics tools & data agencies

@AureliePols

Supplier reviews - CloudTypical international company set-up

Cloud:• SaaS• PaaS• IaaS

@AureliePols

Data flows = shared responsibility

Source: http://cdn2-b.examiner.com/sites/default/files/styles/image_content_width/hash/6e/54/6e54dfaa644b1fe589e4462b6f2a20b7.jpeg?itok=OIAVYOR1

@AureliePols

As secure as the weakest link

Source: http://www.lebsontech.com/images/ChainLight.jpg

@AureliePols

WHERE TO START?

@AureliePols

Balancing Risks & Benefits

Risks SaaS PIAs: Privacy

Impact Assessment Security evaluation of

your own information Nature of your own

data

BenefitsPriceTransfer of

responsibility?Availability (BYOD,

strike, natural disaster, …)

Source: http://www.labeshops.com/image/cache/data/summitcollection/7918l-lady-justice-3-feet-statue-800x800.jpg

@AureliePols

Compliance vs. Risk Assessments• Achieving 100% compliance is a chimera– Compliance is a journey, not a destination– Level of required compliance linked to

• Sector• Personal internal management• Company risk profile

• Risk is a moving target– Risk of being fined– Risk of being breached– Brand perception => subjective

@AureliePols

A simple examplePII viewer for Google Analyticshttp://davidsimpson.me/pii-viewer-for-google-analytics/

Customer DBData Collection

Data Visualization

Privacy Policy Hosting Security Terms of Use Access

Consent FIPPs Data

retention period

(Hosting) Security Access

What data is Chrome sending?Is your company accountable?

@AureliePols

Other ex.: BBVA Commerce 360

26M transactions/day

25% of marketshare for Spain

Source: http://www.slideshare.net/cibbva/juan-carlos-plaza-explica-los-proyectos-sobre-big-data-de-bbva

@AureliePols

Data transformations

Consent & purpose Through which pipes? Data (transfer) security? Data access? …

From granular to aggregated

@AureliePols

What to do?

1. Know your information structure (cloud)– Can you exactly draw the Cloud supplier slide?

2. Cloud inventory (PIA)– Provider (& sub-contractors)– Location

• Cloud service HQ• Servers

– Applicable law: our friend Snowden– Physical location: earthquakes?

• Any incidents to report?• In-house control access (risk)• Terms & Conditions

– Information Security measures– Related to Privacy

@AureliePols

What to do?

3. Know your Data structure: data inventory (cloud)– (Do you know which data can be found where)?– Have you reviewed your information security

measures?– What happens in case of a breach?

4. Authorization required?– Approval International Data Transfers (IDT)– Safe Harbor– Binding Corporate Rules (BCR)– User consent

@AureliePols

Moving to the cloud1. List your departments2. What type of data needs to be moved?3. What are your data risk levels?– Low / Medium / High / Extremely High

4. What do you need for compliance?

Have a list of questions ready to ask your cloud provider except for the price!

@AureliePols

Note: slides blurred for confidentiality reasons

@AureliePols

Note: slides blurred for confidentiality reasons

@AureliePols

MYP Information Security Framework

@AureliePols

MYP ServicesFor Data Users

Risk Assessment to define maturity model (COBIT) and roadmap Define processes to establish proper security measures and create policies to

structure these process Audit the level of compliance of security measures that are in place Train staff to align them with security plan while reducing the risk of suffering

a data breach Define KPIs to adequately deploy a data governance program

@AureliePols

MYP ServicesAnalytics SaaS Providers

Advice during the procurement process to define the best provider in terms of data security management and privacy compliance

Audit providers´ management of data and privacy

For Analytics vendors & agenciesWEMindYourPrivacy Seal

THANKSFor listening

Aurélie PolsCo-founder & Chief Visionary Officer

Mind Your Privacy & Mind Your Groupaurelie@mindyourprivacy.com@aureliepols

Privacy in Digital Marketing:Regulatory Threats vs. Data OpportunitiesBerlin - June 2nd 2014 http://digitalanalyticshub.com/berlin2014/workshops/#ND68

Next full day workshop