Can Privacy Thrive in the Digital Economy
• Challenges and Opportunities Associated with Safeguarding Privacy Rights
• Privacy Maturity in the Context of Generally Accepted Privacy Principles
• Privacy Enhancing Technologies and Best Practices – Privacy by Design
How does your organization perceive data privacy?
Consumer Attitudes Toward Privacy
The Challenge with Consent Based Privacy Law
Table 1: The OECD Fair Information Practices
Principle: Description
Collection limitation: The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the
Data quality: Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that
Purpose specification: The purposes for the collection of personal information should be disclosed before collection and upon any change to those purposes, and the use
purposes and compatible purposes.
Use limitation: Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal
Security safeguards: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use,
Openness: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal
Individual participation: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction,
Accountability: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these
Social Utility of the Digital Economy
[AIIM18] GDPR: whose job is it now? - Paul Lanois
De-Identification
Study found that it is possible to re-identify 87% of the US population by simply combining three data points – zip code, gender and date of birth.
Netflix study researchers were able to identify individual Netflix users in an anonymized dataset by knowing when and how users rated as few as six movies.
The New York Times were able to identify a single individual in a list of web search queries released by AOL, using the searches that the individual had made over a three month period.
Source: Carnegie Mellon University
Source: Office of the Canadian Privacy Commission
Data breaches have increased 40% from 2015 to 2016, an all-time high of 1,093 breaches in the US alone. The average cost per breach in 2016 is pegged at $4 million, up 29% from the year prior.
Nearly 60% of organizations surveyed lack sufficient cyber security and privacy staff to handle the increasing demands to address legal compliance and supporting robust information security best practices.
30 percent of business information is stored in the cloud but of this, 35 percent is not visible to IT.
Sources: The Identity Theft Resource Center; The 2016 Telstra Cybersecurity Report; Ponemon Institute
General Data Protection Regulation
Implications
1 Expanded jurisdiction
2 Higher bar for the protection of privacy rights
3 More onerous enforcement mechanisms
4 More rigorous accountability and compliance requirements
Privacy Readiness
Breach Response Readiness Barriers
Stringent Enforcement
1 Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
2 This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
3 There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
Privacy by Design
Privacy by Design Foundational Principles
Privacy: Respect and protect personal information
Security: Enable and protect activities and assets of both people and enterprises
1. Proactive not Reactive; Preventative not Remedial
Privacy: Anticipate and prevent privacy-invasive events before
wait for privacy risks to materialize
Security: Begin with the end in mind. Leverage enterprise
the proactive implementation of security
2. Default Setting
Privacy: Build privacy measures directly into any given ICT system
practice, by default
Security: Implement “Secure by Default” policies, including least
least trust, mandatory access control and separation of
3. Embedded into Design
Privacy: Embed privacy into the design and architecture of ICT
practices. Do not bolt it on after the fact.
Security: Apply Software Security Assurance practices. Use hardware
Trusted Platform Module.
4. Positive-Sum
Privacy: Accommodate all legitimate interests and objectives in a
win” manner, not through a zero-sum approach involving
offs.
Security: Accommodate all stakeholders. Resolve conflicts to seek
5. End-to-End Security
Privacy: Ensure cradle-to-grave, secure life-cycle management of
end.
Security: Ensure confidentiality, integrity and availability of all
stakeholders.
6. Visibility and Transparency
Privacy: Keep component parts of IT systems and operations of
visible and transparent, to users and providers alike.
Security: Strengthen security through open standards, well-known
validation.
7. Respect for the User
Privacy: Respect and protect interests of the individual, above all.
Security: Respect and protect the interests of all information owners.
accommodate both individual and enterprise interests.
Information Governance Reference Model (diagram)
Lifecycle stages: Create/Use; Hold/Discover; Store/Secure; Retain/Archive; Dispose
Stakeholders and their drivers: Privacy & Security (Risk); Legal (Risk); IT (Efficiency); RIM (Risk); Business (Profit)
Connecting concepts: Value, Duty, Asset
GDPR Readiness
Source: AIIM
Survey question: On a scale of 1 to 5 (1 being fully prepared to meet the requirements) how would you rate the readiness of your organization in meeting GDPR requirements now?
Response categories (bar chart, 0% to 35% axis): Not at all; We are thinking about it; We are planning for it; We have a project in place; We are fully prepared
Survey question: Has your organization suffered any of the following in the last 12 months?
Response categories (bar chart, 0% to 60% axis): A data loss or exposure due to staff negligence or bad practice; A data breach involving internal staff or ex-staff; Internal or HR incidents due to unauthorized access; A data breach from external hacking or intrusion; Other; Don't know
Insight Into Privacy Vulnerabilities
De-Identification Best Practices
• The intended target audience
• Classify variables (direct and indirect identifiers)
• Re-identification threshold (sensitivity of the information, the number of individuals, potential harms or injuries to individuals in the event of a breach or inappropriate use)
• Determine probability of re-identification risk
• De-identify the data (mask direct identifiers, modify the size of equivalence classes, generalization, suppression)
• Assess data utility (trade off between the amount of de-identification and utility of resulting information)
Probability of re-identification for a given row = 1 / (size of equivalence class)
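The steps above, worked through in code as an added example (not part of the original deck): the three quasi-identifiers from the Carnegie Mellon finding (zip code, gender, date of birth) define equivalence classes, each row's re-identification probability is 1 / class size, and direct identifiers are masked, quasi-identifiers generalized and residual high-risk rows suppressed until the chosen threshold is met. The records, field names and threshold are constructed assumptions.

```python
"""Re-identification risk check over the three quasi-identifiers the deck
names (zip code, gender, date of birth), applying its rule that the
probability of re-identifying a row is 1 / size of its equivalence class.
Records below are constructed sample data, not from any real dataset."""
from collections import Counter

# Constructed sample: one direct identifier (name), three quasi-identifiers,
# and one sensitive attribute (dx) that the released data must still carry.
RECORDS = [
    {"name": "Alice", "zip": "02139", "gender": "F", "dob": "1985-03-14", "dx": "flu"},
    {"name": "Bella", "zip": "02139", "gender": "F", "dob": "1985-03-14", "dx": "asthma"},
    {"name": "Carl",  "zip": "02142", "gender": "M", "dob": "1990-07-01", "dx": "flu"},
    {"name": "Dana",  "zip": "02143", "gender": "F", "dob": "1985-11-02", "dx": "none"},
    {"name": "Erin",  "zip": "02144", "gender": "F", "dob": "1985-01-20", "dx": "flu"},
    {"name": "Frank", "zip": "90210", "gender": "M", "dob": "1972-05-05", "dx": "none"},
]
QUASI = ("zip", "gender", "dob")  # indirect identifiers: the deck's three data points

def equivalence_classes(rows, quasi=QUASI):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)

def reid_probability(rows, quasi=QUASI):
    """Per-row re-identification probability: 1 / size of the row's class."""
    sizes = equivalence_classes(rows, quasi)
    return [1.0 / sizes[tuple(r[q] for q in quasi)] for r in rows]

def generalize(row):
    """Enlarge equivalence classes: keep a 3-digit zip prefix and birth year only."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["dob"] = row["dob"][:4]
    return g

def deidentify(rows, threshold, quasi=QUASI):
    """Mask direct identifiers, generalize quasi-identifiers, then suppress any
    row whose re-identification probability is still above the threshold.
    Returns the releasable rows and a utility figure (fraction of rows kept)."""
    masked = [{k: v for k, v in r.items() if k != "name"} for r in rows]
    generalized = [generalize(r) for r in masked]
    probs = reid_probability(generalized, quasi)
    kept = [r for r, p in zip(generalized, probs) if p <= threshold]
    return kept, len(kept) / len(rows)

if __name__ == "__main__":
    print("raw per-row risk:", reid_probability(RECORDS))
    released, utility = deidentify(RECORDS, threshold=1 / 3)  # classes of >= 3 rows
    print("max risk after de-identification:", max(reid_probability(released)))
    print("rows retained (utility):", utility)
```

On the raw rows two records are unique on all three fields and four share no class of size three, so generalization alone brings four rows to a 1/4 risk and suppression removes the two that stay unique; the utility figure makes the de-identification/utility trade-off from the last bullet explicit.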
Informed Consent
• Data tagging with embedded instructions as to how PII should be treated
• Privacy policy language based on XACML (eXtensible Access Control Markup Language)
Data Minimization
• Only to process the minimum amount of information in order to mitigate risk of compromising privacy rights
• https://duckduckgo.com/about
• Deleting browser history
• Privacy Eraser: http://download.cnet.com/Privacy-Eraser/3000-2144_4-10078150.html
Key Takeaways
Resources
https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf
https://www.oii.ox.ac.uk/archive/downloads/publications/Data_Protection_Principles_for_the_21st_Century.pdf
https://www.kscpa.org/writable/files/AICPADocuments/10-229_aicpa_cica_privacy_maturity_model_finalebook.pdf
https://info.nymity.com/resources
https://info.nymity.com/gdpr-compliance-toolkit
https://onetrust.com/
https://iapp.org/