IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves
Upcoming SlideShare
Loading in...5
×
 

IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves

on

  • 275 views

In a data driven economy, analysts must be concerned with how data is collected, processed and subsequently used to improve online customer experiences, during those moments that matter. ...

In a data driven economy, analysts must be concerned with how data is collected, processed and subsequently used to improve online customer experiences, during those moments that matter.

Unlocking Value & Controlling Risk by #MindYourPrivacy


Does your company adequately manage and control the Data Life Cycle? Are you aware of European Privacy fines? Did the Target security breach that emanated through a 3rd party worry you and make you wonder about where to start?

Statistics

Views

Total Views
275
Views on SlideShare
239
Embed Views
36

Actions

Likes
1
Downloads
4
Comments
0

3 Embeds 36

http://mindyourweek.com 24
http://www.slideee.com 6
http://www.mindyourgroup.com 6

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves IBM Smarter Commerce Florida 2014 The Furture of Privacy by Aurélie Pols & Blair Reeves Presentation Transcript

  • The Future of Privacy Blair Reeves Product Manager, IBM Digital Analytics Aurelie Pols Chief Visionary Officer, Mind Your Privacy @BlairReeves @AureliePols
  • @BlairReeves Privacy is Perception … but do another. 66% of Americans say they do not want to receive targeted ads 53% of Americans want websites they visit to offer discounts tailored to their interests 64% of Americans say they are less likely to vote for a political candidate who buys information about their online behavior 92% of U.S. internet users say they worry about privacy online Behaviorally-targeted ads have 240%+ higher conversion rates 80% of internet users do not “always” read privacy policies, and only half bother logging out
  • Privacy is Perception What   informa,on   am  I  giving   away?   Do  I   know?   Do  I  care?   User-supplied: •  Name •  Date of birth •  Sex •  Location (City, State) Inferred: •  Mobile device type •  Login frequency •  Clickstream •  Browsing history •  Purchase history •  Social connections •  Etc. @BlairReeves
  • Consumers rely more and more on free cloud services @BlairReeves 0 200,000,000 400,000,000 600,000,000 800,000,000 1,000,000,000 1,200,000,000 1,400,000,000 Search Gmail Google Plus Drive Google Services MAUs Extrapolated Confirmed by Google
  • What the future looks like @BlairReeves
  • @BlairReeves More and more of our lives will be lived digitally Cloud ● Mobile ● Connected Citizens ● Consumers ● Humans
  • About me Aurélie  Pols   Chief  Visionary  Officer   Mind  Your  Privacy   •  Grew up in the Netherlands, Dutch passport •  French mother tongue •  Most of my friends are bilingual at least •  Have Polish & Russian origins •  Set-up my 1st start-up in Belgium in 2003 •  Sold it to Digitas LBi (Publicis), in 2008 •  Moved to Spain in 2009 •  Created 2 other start-ups in Spain in 2012 Mind Your Group, Putting Your Data to Work Mind Your Privacy, Data Science Protected Yes, a “law firm” but we prefer to say a bunch of Data Scientists working with a bunch of Lawyers @AureliePols
  • Context: Privacy tri-partite Joint effort by: 1.  Governments &/or international Associations => legislation, guidelines, … 2.  Citizens/voters/consumers 3.  Businesses Each party wanting to defend: o  Personal Data Protection & the Rule of Law through respect of Fundamental Rights vs. o  Profits & hopefully Sustainability Governments Citizens/ voters/ consumers OUR GLOBAL SOCIETY Businesses Analytics vendors / Agencies / Data Users @AureliePols
  • About Mind Your Privacy  Boutique consultancy firm providing security consultancy services and legal Privacy advice  Our typical international clients manage sensitive data within an international landscape  Pluricultural and multi-skilled profiles - legal, data scientists and technical  Providing complete solutions to complex data and privacy issues @AureliePols
  • This presentation is for Data Users Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg @AureliePols
  • Privacy, the Word From our Wikipedia friends: From Latin: privatus "separated from the rest, deprived of something, esp. office, participation in the government", from privo "to deprive” The ability of an individual or group to seclude themselves or information about themselves and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes. When something is private to a person, it usually means there is something to them inherently special or sensitive. The domain of privacy partially overlaps security, including for instance the concepts of appropriate use, as well as protection of information. Privacy may also take the form of bodily integrity. Source: https://en.wikipedia.org/wiki/Privacy @AureliePols
  • Privacy, nothing to hide? “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Eric Schmidt, 2009 https://www.youtube.com/watch? v=A6e7wfDHzew Tip: Follow Daniel Solove on LindedIn! @AureliePols
  • An Anglo-Saxon term? Source: http://web.mit.edu/bigdata-priv/ http://www.whitehouse.gov/sites/default/files/docs/ big_data_privacy_report_may_1_2014.pdf @AureliePols
  • Blame? Source: http://mobile.nytimes.com/blogs/bits/2014/05/05/white-house-tech-advisers-online- privacy-is-a-market-failure/ @AureliePols
  • Solution? @AureliePols
  • Is this complicated? Source: https://www.forrestertools.com/heatmap/ @AureliePols
  • Regulatory law “Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different” Source: Bloomberg Singapore Sessions April 23rd 2014 http://www.bloomberg.com/video/big-data- big-results-singapore-sessions-4-23- kHN5zrGbR_Wq6hbmV9~aXQ.html @AureliePols
  • A global perspective US & UK EU APEC Common Law Continental Law Continental law influenced Class actions Fines (by DPAs: Data Protection Agencies) Privacy Personal Data Protection (PDP) Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen Patchwork of sector based legislations: HIPPA, COPPA, VPPA, … Over-arching EU Directives & Regulations PII: varies per state Risk levels: low, medium, high, extremely high @AureliePols
  • Democracy & the rule of law US & UK EU APEC Common Law Continental Law Continental law influenced Class actions Fines (by DPAs: Data Protection Agencies) Privacy Personal Data Protection (PDP) Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen Patchwork of sector based legislations: HIPPA, COPPA, VPPA, … Over-arching EU Directives & Regulations PII: varies per state Risk levels: low, medium, high, extremely high @AureliePols
  • Data Protection In light of fuzzy interpretations of Privacy, could we agree upon • Thinking of it as data protection • Protecting the data we are entrusted with • While respecting the Right to “Privacy” • Taking into consideration information security measures @AureliePols
  • Democracy & the rule of law US & UK EU APEC Common Law Continental Law Continental law influenced Class actions Fines (by DPAs: Data Protection Agencies) Privacy Personal Data Protection (PDP) Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen Patchwork of sector based legislations: HIPPA, COPPA, VPPA, … Over-arching EU Directives & Regulations PII: varies per state Risk levels: low, medium, high, extremely high @AureliePols
  • PII: ah but we don’t collect it! Medical information as PII California Arkansas Missouri New Hampshire North Dakota Texas Virginia Financial information as PII Alaska North Carolina Iowa North Dakota Kansas Oregon Massachusetts South Carolina Missouri Vermont Nevada Wisconsin New York* Wyoming Passwords as PII Georgia Maine Nebraska Biometric information as PII Iowa Nebraska North Carolina Wisconsin Source: information based on current ongoing analysis (partial results) @AureliePols
  • So what is considered PII? Personal Information (based on the definition commonly used by most US states) i Name, such as full name, maiden name, mother‘s maiden name, or alias ii Personal identification number, such as social security number (SSN), passport number, driver‘s license number, account and credit card number iii Address information, such as street address or email address iv Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) v Telephone numbers, including mobile, business, and personal numbers. Information identifying personally owned property, such as vehicle registration number or title number and related information Source: information based on current ongoing analysis (partial results) @AureliePols
  • If you collect PII… then US & UK EU APEC Common Law Continental Law Continental law influenced Class actions Fines (by DPAs: Data Protection Agencies) Privacy Personal Data Protection (PDP) Business focused Citizen focused Patchwork of sector based legislations: HIPPA, COPPA, VPPA, … Over-arching EU Directives & Regulations PII: varies per state Risk levels: low, medium, high, extremely high @AureliePols
  • PII & legislation questions •  Who knows their Chief Privacy Officer? According to the DMA (US), CMOs should abide to an average # of 300 pieces of legislation •  Is PII really PII? Zip code + gender + date of birth can uniquely identify 87% of the US population Source: Microsoft Latanya Sweeney (2000) http://dataprivacylab.org/projects/identifiability/paper1.pdf @AureliePols
  • PII vs. Risk levels Low Medium (profiling) High (sensitive) Risk level Data type Information Security Measures Extremely high (profiling of sensitive data) PII @AureliePols
  • Data lifecycles Analytics => Follow the Money Information Security & Compliance => Follow the Data @AureliePols
  • The Privacy framework 1 User consent Fair & Legal process: FIPPs Information for approved use Data diving analysis / Big Data New business opportunity through data Purpose @AureliePols
  • The Privacy framework 2 User consent Fair & Legal process: FIPPs Information for approved use Data diving analysis / Big Data New business opportunity through data Purpose @AureliePols
  • Fair Information Practice Principles - FIPPs Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg @AureliePols
  • Data collection •  Purpose – Consent o  Reason for data collection: •  Website improvement, better User Experience •  Marketing communication •  Opt-in? Opt-out? Double opt-in? o  Depends upon: •  Type of data: PII, sensitive data •  Type of sector: financial, health, … •  Geography: US vs. EU vs. ??? @AureliePols
  • Examples: US vs. Spain US: no purpose, no consent Spain: consent, purpose, opt-in & opt- out @AureliePols
  • Trust & creepiness Consent is about a reasonable expectation of the use of data o  There’s a fine line between feeling charmed vs. feeling invaded o  Create win-win situations: •  Customers give company information •  Customers get better service/value for money @AureliePols
  • Consent & Trust for Telcos Slide borrowed from Stephen John Deadman fromVodafone Group Services Limited, IAPP congress Brussels, November 2013 @AureliePols
  • Typical personal data misconceptions Very often present in technology companies o  We do not identify the user while using the data, so we have no issues with Privacy law o  We only use the serial # of the users device, so the data is anonymous and we have no issues with Privacy laws o  We encrypt the data so we are no longer using/sending/receiving personal data o  We use hashes to replace all serial #, so the data is now anonymous and we have no issues with Privacy laws o  We anonymize the data, so we are not using personal data o  We can use the user’s data for anything we want, as long as we keep the data to ourselves o  Look: big name companies are doing the same, so we are ok Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013 @AureliePols
  • EU fines? Spain: responsible for 80% of data protection fines in the EU Source: http://i0.kym-cdn.com/photos/ images/newsfeed/000/242/381/63a.jpg Source: http://www.mindyourprivacy.com/ download/privacy-infographic.pdf @AureliePols
  • Security (technical) Data Collection Processes Resources security @AureliePols
  • Who has access? Source: Mind Your Privacy seal, specific audit for analytics tools & data agencies @AureliePols
  • Supplier reviews - Cloud Typical international company set-up Cloud: •  SaaS •  PaaS •  IaaS @AureliePols
  • Data flows = shared responsibility Source: http://cdn2-b.examiner.com/sites/default/files/styles/image_content_width/ hash/6e/54/6e54dfaa644b1fe589e4462b6f2a20b7.jpeg?itok=OIAVYOR1 @AureliePols
  • As secure as the weakest link Source: http://www.lebsontech.com/images/ChainLight.jpg @AureliePols
  • WHERE TO START? @AureliePols
  • Balancing Risks & Benefits Risks   SaaS PIAs: Privacy Impact Assessment   Security evaluation of your own information   Nature of your own data Benefits  Price  Transfer of responsibility?  Availability (BYOD, strike, natural disaster, …) Source: http://www.labeshops.com/image/cache/data/summitcollection/7918l- lady-justice-3-feet-statue-800x800.jpg @AureliePols
  • Compliance vs. Risk Assessments •  Achieving 100% compliance is a chimera o  Compliance is a journey, not a destination o  Level of required compliance linked to •  Sector •  Personal internal management •  Company risk profile •  Risk is a moving target o  Risk of being fined o  Risk of being breached o  Brand perception => subjective @AureliePols
  • A simple example PII viewer for Google Analytics http://davidsimpson.me/pii-viewer-for-google-analytics/ Customer DBData Collection Data Visualization   Privacy Policy   Hosting   Security   Terms of Use   Access   Consent   FIPPs   Data retention period   (Hosting)   Security   Access What data is Chrome sending Is your company accountable @AureliePols
  • Other ex.: BBVA Commerce 360 26M transactions/ day 25% of marketshare for Spain Source: http:// www.slideshare.net/cibbva/ juan-carlos-plaza-explica- los-proyectos-sobre-big- data-de-bbva @AureliePols
  • Data transformations   Consent & purpose   Through which pipes?   Data (transfer) security?   Data access?   … From granular to aggregated @AureliePols
  • What to do? 1.  Know your information structure (cloud) o  Can you exactly draw the Cloud supplier slide? 2.  Cloud inventory (PIA) o  Provider (& sub-contractors) o  Location •  Cloud service HQ •  Servers •  Applicable law: our friend Snowden •  Physical location: earthquakes? •  Any incidents to report? •  In-house control access (risk) •  Terms & Conditions •  Information Security measures •  Related to Privacy @AureliePols
  • What to do? 3.  Know your Data structure: data inventory (cloud) o  (Do you know which data can be found where)? o  Have you reviewed your information security measures? o  What happens in case of a breach? 4.  Authorization required? o  Approval International Data Transfers (IDT) o  Safe Harbor o  Binding Corporate Rules (BCR) o  User consent @AureliePols
  • Moving to the cloud 1.  List your departments 2.  What type of data needs to be moved? 3.  What are your data risk levels? o  Low / Medium / High / Extremely High 4.  What do you need for compliance? Have a list of questions ready to ask your cloud provider except for the price! @AureliePols
  • Note: slides blurred for confidentiality reasons @AureliePols
  • Note: slides blurred for confidentiality reasons @AureliePols
  • MYP Information Security Framework @AureliePols
  • MYP Services For Data Users   Risk Assessment to define maturity model (COBIT) and roadmap   Define processes to establish proper security measures and create policies to structure these process   Audit the level of compliance of security measures that are in place   Train staff to align them with security plan while reducing the risk of suffering a data breach   Define KPIs to adequately deploy a data governance program @AureliePols
  • MYP Services Analytics SaaS Providers   Advice during the procurement process to define the best provider in terms of data security management and privacy compliance   Audit providers´ management of data and privacy For Analytics vendors & agencies  PrivacyGreen Seal
  • THANKS For listening
  • •  Visit the Smarter Commerce demos in the Solutions Center (East/Central Hall of TCC) •  Schedule an Executive One-on-One (Grand Ballroom of Marriott) •  Spend time with a subject matter expert at Meet the Experts (Solution Center) •  Set up your Twitter account at the Social Media Command Center (Rotunda of TCC) •  Sign up to be a reference at our Client Reference Lounge (Rooms 1- 2 of TCC) •  Participate in our Hands-on Labs (Rooms 7-8 of TCC) and Certification Testing (Room 9 of TCC) © 2014 IBM Corporation 59 Find out more… Check Summit Conference Connect from your phone, computer, or on-site kiosks for details on these programs and more.
  • © IBM Corporation 2014. All Rights Reserved. IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. © 2014 IBM Corporation 60 Copyright and Trademarks