#agilitytour
Risk Averse for My Children
• My most precious assets
• We share common goals
• And speak the same language
Could you say the same of your Legal Counsel?
Consider Before Crucifying the Rule of Law
1. The specifics of data as an economic asset: data is infinitely transferable without decay
2. Open, forgotten legislative challenges: defining and recognising data harms
3. Related to evolving privacy legislation: compliance is a risk exercise
4. Minimizing privacy-related risks: YOUR liability within the data ecosystem
Fact Remains: RACI Matrices
• Legal counsel will be held accountable
• Legal counsel should be consulted
RACI roles:
• R = Responsible: Who is/will be doing this task? Who is assigned to work on this task?
• A = Accountable: Whose head will roll if this goes wrong? Who has the authority to take the decision?
• C = Consulted: Anyone who can tell me more about this task? Any stakeholders already identified?
• I = Informed: Anyone whose work depends on this task? Who has to be kept updated about the progress?
In a World of Dynamic Regulation
Two fundamental data privacy questions:
1. How far is too far (for data use & transparency)?
2. Who will decide (what is acceptable)?
If I Had 1 £ for Every Time I Heard…
1. "Yes, but we don't collect PII"
2. "International data transfers? Safe Harbour!"
So What to Do? 1 Rules Them All
FIPPs: Fair Information Practice Principles
1. Transparency
• Notice/awareness & purpose => how transparent?
2. Choice
• Consent => opt-in or opt-out, explicit or implicit?
3. Information review & correction
• Access & participation in (data) accuracy
4. Information protection
• Data integrity & security
5. Accountability
• Enforcement and redress: I. self-regulation, II. private remedies through civil actions (Germany), III. government enforcement (FTC, European Data Protection Agencies, …)
PII vs. Risk Levels
[Figure: data type plotted against risk level; the required information security measures grow as the data gets closer to uniquely identifying an individual]
• Digital exhaust: low risk
• OBA: medium risk (profiling)
• HIPAA health data: high risk (sensitive)
• FCRA credit scoring: extremely high risk (profiling of sensitive data)
US: deciding what counts as PII is an if/then exercise
Where to Start?
1. Define yourself
• Who are you in the data ecosystem?
• What are your obligations?
• What is expected of you?
• (Who can find out?)
Where to Start?
2. Document your Digital Entanglement
[Figure: high-level mock-up of an existing client's data flows]
Next steps:
• Terms & sovereignties
• Data points & access/sharing
• Purpose & consent
• Data retention periods
Where to Start?
3. Align your liabilities:
• What do the terms allow?
• Which data points are you collecting?
• Which clauses are being used (international data transfer mechanisms: Safe Harbour)?
• Who has access? Data sharing
• …
Where to Start?
4. Don't drop the ball on Purpose and Consent!
• What happens on opt-out from an email list? See https://support.google.com/adwords/answer/6276125?hl=en
• UK: Optical Express bought "consented" data from Thomas Cook. See ICO PECR: https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/
Where to Start?
5. Understand your risk
• Of legal issues: fines, class actions. The Schleswig-Holstein DPA considers Safe Harbour clauses unacceptable today, and says they cannot be replaced by model clauses either => is this a risk for your company?
• Of customer backlash: unexpected/creepy data uses. Target: using shopping behaviour to infer pregnancy (sensitive data) => consent!
Where to Start?
6. Document, train & communicate
• If asked, be able to show you've done your homework
• Define accountability (data stewards) & escalation procedures
• Explain & ask for help: your company is the patient!
We All Hated the "Cookie Directive", Right?
Thank you for listening!
Thank you for your attention!