Storm on the Horizon: Data Governance & Security vs. Employee Privacy

Data Governance and Security
vs. Employee Privacy
Storm on the Horizon
October 21 2014
SAM Summit London
Aurélie Pols
@aureliepols

Aurélie Pols
Chief Visionary Officer
& co-founder
Mind Your Privacy
@aureliepols
Presented by: Aurélie Pols
@AureliePols
• Grew up in the Netherlands, Dutch passport
• French mother tongue
• Most of my friends are bilingual at least
• Have Polish & Russian origins
• Co-founded 1st start-up in Belgium in 2003
• Sold it to Digitas LBi (Publicis) UK in 2008
• Moved to Spain in 2009
• Created 2 other start-ups in Spain in 2012
Mind Your Group, Putting Your Data to Work
Mind Your Privacy, Data Science Protected
Yes, a “law firm” but we prefer to say
a bunch of Data Scientists working with
a bunch of Lawyers

SUN on Privacy: Get over It!
“You have zero privacy
anyway, get over it”,
Scott McNealy, CEO of
Sun Microsystems,
January 1999
At eMetrics in Boston in 2006, this turned into
“Privacy is Dead Aurélie, get over it!”
@AureliePols

EU fines?
Spain: responsible for 80% of data protection fines in the EU
Source: http://i0.kym-cdn.
com/photos/images/newsfeed/00
0/242/381/63a.jpg
@AureliePols
Source:
http://www.mindyourprivacy.com/downlo
ad/privacy-infographic.pdf

Data: 3 types vs. Privacy
1. Customer data
Visitor, prospect, citizen, voter, …
2. Competitive data
Market share, IP, …
3. Employee data
@AureliePols
Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg

(mere)
Server access control
- $ / € / £
- License
compliance
SERVER
Soft.
Licenc.
Mang.
Corporate
use only COPE BYOD
(multi) device control
user profiling ↵
CLOUD
[SaaS]
A B C

Summary
• How to reconcile Privacy viewpoints on a
Global Level (US, EU, APEC)
• Key Legal concepts to collaborate with Legal
Council
• The current challenge for SAM & employee
data
• 7 Rules to collect employees’ data without
invading their privacy
• Q&A
@AureliePols

US, EU, APEC
RECONCILING GLOBAL PRIVACY
VIEWPOINTS
@AureliePols

National Security vs. Privacy
@AureliePols
Data
Retention
vs.
Data
Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
Eg. DRIP (UK,
passed), SOPA (US:
Stop Online Piracy
Act, similar to
French HADOPI) &
PIPA (US: Protect IP
Act)

Complicated?
Source: https://www.forrestertools.com/heatmap/
@AureliePols

Regulatory Law
“Every country is a little different.
You run into different regulatory regimes and you need
to make sure you have the right tools so that people
can implement the right policies they are required to
by law…
They aren’t that different”
Source: Bloomberg Singapore Sessions
April 23rd 2014
http://www.bloomberg.com/video/big-data-big-results-singapore-
sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html
@AureliePols

A Global Perspective
@AureliePols
US & UK EU APEC
Common Law Continental Law Continental
law
influenced
Class actions Fines
(by DPAs: Data Protection Agencies)
Privacy Personal Data Protection (PDP)
Business focused Citizen focused: data belongs to the
visitor/prospect/consumer/citizen
Patchwork of sector based
legislations: HIPPA, COPPA,
VPPA, …
Over-arching EU Directives &
Regulations
PII: varies per state Risk levels: low, medium, high,
extremely high

If you collect PII… then
@AureliePols
US & UK EU APEC
Common Law Continental Law Continental
law
influenced
Class actions Fines
(by DPAs: Data Protection Agencies)
Privacy Personal Data Protection (PDP)
Business focused Citizen focused
Patchwork of sector
Over-arching EU Directives &
based legislations:
Regulations
HIPPA, COPPA, VPPA,
…
PII: varies per state Risk levels: low, medium, high,
extremely high

PII vs. Risk levels
@AureliePols
Low
Medium
(profiling)
High
(sensitive)
Risk
level
Extremely high
(profiling of sensitive data)
Data type
Information Security Measures
PII

Where to start?
Compliance?
Privacy?
Security?
@AureliePols
Moving targets

The “Magnum” Plan
• Document your data set-up
• Set-up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures
(data protection)
• Risk Management: Adopt global & sustainable
Privacy best practices
@AureliePols

Or in a nutshell: steps 1-2-3
1 2 3
Which
legislation(s)
does your
company need
to respect?
Region/country,
sector,
type/groups of
data
@AureliePols
What are the
risks?
Fines, class
actions, customer
complaints,
security breaches
What is the
trade off?
Compliance vs.
data, business
needs and
technology
Competences:
Legal/Compliance
(matrix)
Competences:
Risk management
Competences:
Business, understanding
risks vs. rewards, for data
and technology

Employee Privacy legislation?
@AureliePols
Source:
http://4.bp.blogspot.com
/_DhwcCqGFPe4/TH46Nx
sIYqI/AAAAAAAAAKY/mU
5osFaYQII/s1600/WWbuf
falobillP.jpg

What an employer should tell an
employee – UK legislation
An employee has the right to be told:
• What records are being kept and how they’re used
• The confidentiality of the records
• How these records can help with their training and
development at work
If an employee asks to find out what data is kept on them, the
employer will have 40 days to provide a copy of the information.
An employer shouldn’t keep data any longer than is necessary
and they must follow the rules on data protection.
Source: https://www.gov.uk/personal-data-my-employer-can-keep-about-me
@AureliePols

Privacy cheat sheet
LEGAL CONCEPTS TO EFFICIENTLY
COLLABORATE WITH LEGAL COUNCIL
@AureliePols

Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
@AureliePols

Fair Information Privacy
Practices (FIPPs)
@AureliePols
Source:
https://security.berkeley.edu/sites/default/files
/uploads/FIPPSimage.jpg

FIPPs: Fair Information Practice Principles
These principles are not laws, they form the backbone of privacy law and provide
guidance in the collection, use and protection of personal information
Transparency ensures no secrete data collection; provides information about the
collection of personal data to allow users to make an informed choice
Choice gives individuals a choice as to how their information will be used
Information review & correction allows individuals the right to review and
correct personal information
Information protection requires organizations to protect the quality and
integrity of personal information
Accountability holds organizations accountable for complying with FIPPs
@AureliePols

Purpose, Consent & Data Uses
From:
@AureliePols
Purpose
Consent
FIPPs
Data for
approved
use
Purpose
Consent
FIPPs
To:
New
business
opportunity
Data analysis
or merging
Big Data is Killing the Privacy Framework

@AureliePols
Entreprise goal
User goals
Privacy Policy
Requirements
Privacy
Mechanisms
Procedures
& Processes
Privacy Awareness
Training
Quality Assurance
Quality
Assurance
Feedback

Privacy by Design (PbD)
7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents
Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of
Privacy by ensuring that personal data are automatically protected in any given IT
system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s
an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false
dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle
management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated
promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults,
appropriate notice, and empowering user-friendly options
@AureliePols

Respect Employee Privacy
THE EVOLUTION OF SAM
@AureliePols

The good old days
Uber simplified
@AureliePols
(mere)
Server access control
$ / € / £
License compliance
SERVER
Soft.
Licenc.
Mang.

Corporate use only, COPE or BYOD?
Corporate Owned, Personally Enabled (COPE)
– IT defines supported devices
– (Remote) Control over devices
@AureliePols
• Wipe clean when theft
• Access management
The company chooses between A, B or C
And follows up with controls and processes
(here out of scope)

Consequences for SAM
Changes to take into consideration:
1. Multi user device control
2. Create & manage user profiles
3. Increased use of SaaS & the cloud
Typical example for (digital) marketing:
Source: http://hbr.org/2014/07/the-rise-of-the-chief-marketing-technologist/ar/1
@AureliePols

It’s about the data exhaust
Changes to take into consideration:
1. Multi user device control
2. Create & manage user profiles
3. Increased use of SaaS & the cloud
Creating a data exhaust your company will want
to leverage
@AureliePols

What does this mean?
Issues to be tackled:
1. Purpose definition
@AureliePols
• Consent? Opt-in, opt-out
2. Data ownership
3. Local compliance
• For your company with respect to your employees
• For the SaaS/cloud provider used with respect to
Privacy right
4. Security
Accountability

[EU Cookie Directive: implicit consent]
Opt-in vs. Opt-out strategies & consequences on data collection
Source: http://chinwag.com/files/images/photos/ico-traffic-post-cookie-graph.gif
@AureliePols

@AureliePols
HQ LOCAL
SUBSIDIARY
1
Employee
Terms &
Conditions
Applicable Security Measures???
LOCAL
SUBSIDIARY
1
LOCAL
SUBSIDIARY
2
LOCAL
SUBSIDIARY
3
LOCAL
SUBSIDIARY
4
Moving to the cloud/SaaS

Security (technical)
@AureliePols
Data Collection
Processes
Resources

Purpose, Consent & Data Uses
From:
@AureliePols
Purpose
Consent
FIPPs
Data for
approved
use
Purpose
Consent
To:
New
business
opportunity
Data analysis FIPPs
or merging

Respect Employee Privacy
7 RULES TO COLLECT EMPLOYEES’
DATA WITHOUT INVADING THEIR
PRIVACY
@AureliePols

1. Find a sponsor, often HR
2. Have an hypothesis
• Purpose
3. Default to anonymity and aggregation
4. If you can’t let employees be anonymous, let
them choose how you use their data
• Consent: opt-out vs. opt-in
5. Screen for confidential information
6. Don’t dig for personal information
7. For additional protection, consider using a
third party
@AureliePols
Source: http://blogs.hbr.org/2014/09/collect-your-employees-data-without-invading-their-privacy/

Legal base lines
Germany:
– Probably the strictest, start here if required
UK:
– Quick guide to the employment practices code,
@AureliePols
chapter 5
http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_app
lication/quick_guide_to_the_employment_practices_code.pdf
US:
– Use California as a reference to start with:
http://oag.ca.gov/privacy/workplace-privacy

Reminder: steps 1-2-3
1 2 3
Which
legislation(s)
does your
company need
to respect?
Region/country,
sector,
type/groups of
data
@AureliePols
What are the
risks?
Fines, class
actions, customer
complaints,
security breaches
What is the
trade off?
Compliance vs.
data, business
needs and
technology
Competences:
Legal/Compliance
(matrix)
Competences:
SAM + manager
who wants to use
the employee data
exhaust?
Competences:
HR, legal, manager, SAM?

Q&A / discussion
@AureliePols

Storm on the Horizon: Data Governance & Security vs. Employee Privacy

Recommended

More Related Content

What's hot

What's hot (13)

Viewers also liked

Viewers also liked (6)

Similar to Storm on the Horizon: Data Governance & Security vs. Employee Privacy

Similar to Storm on the Horizon: Data Governance & Security vs. Employee Privacy (20)

More from Aurélie Pols

More from Aurélie Pols (17)

Recently uploaded

Recently uploaded (17)

Storm on the Horizon: Data Governance & Security vs. Employee Privacy