"The Future of Privacy". Aurélie Pols at IBM Smarter Commerce Global Summit 2014

In a data driven economy, analysts must be concerned with how data is collected, processed and subsequently used to improve online customer experiences, during those moments that matter.

Unlocking Value & Controlling Risk by #MindYourPrivacy


  1. #smartercommerce. Aurélie Pols, Co-founder & Chief Visionary Officer, Mind Your Privacy & Mind Your Group. aurelie@mindyourprivacy.com, @aureliepols. The Future of Privacy: Data is the New Oil, Privacy is the New Green. Unlocking Value & Controlling Risk
  2. About me: Aurélie Pols, Chief Visionary Officer, Mind Your Privacy • Grew up in the Netherlands, Dutch passport • French mother tongue • Most of my friends are bilingual at least • Have Polish & Russian origins • Set up my 1st start-up in Belgium in 2003 • Sold it to Digitas LBi (Publicis) in 2008 • Moved to Spain in 2009 • Created 2 other start-ups in Spain in 2012: Mind Your Group, Putting Your Data to Work; Mind Your Privacy, Data Science Protected. Yes, a “law firm”, but we prefer to say a bunch of Data Scientists working with a bunch of Lawyers
  3. Context: Privacy tri-partite. Joint effort by: 1. Governments &/or international Associations => legislation, guidelines, … 2. Citizens/voters/consumers 3. Businesses. Each party wanting to defend: – Personal Data Protection & the Rule of Law through respect of Fundamental Rights vs. – Profits & hopefully Sustainability. Diagram labels: Governments; Citizens/voters/consumers; OUR GLOBAL SOCIETY; Businesses; Analytics vendors / Agencies / Data Users
  4. About Mind Your Privacy: Boutique consultancy firm providing security consultancy services and legal Privacy advice. Our typical international clients manage sensitive data within an international landscape. Pluricultural and multi-skilled profiles: legal, data scientists and technical. Providing complete solutions to complex data and privacy issues
  5. This presentation is for Data Users. Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg
  6. Privacy, the Word. From our Wikipedia friends: From Latin: privatus "separated from the rest, deprived of something, esp. office, participation in the government", from privo "to deprive". The ability of an individual or group to seclude themselves or information about themselves and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes. When something is private to a person, it usually means there is something to them inherently special or sensitive. The domain of privacy partially overlaps security, including for instance the concepts of appropriate use, as well as protection of information. Privacy may also take the form of bodily integrity. Source: https://en.wikipedia.org/wiki/Privacy
  7. Privacy, nothing to hide? “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Eric Schmidt, 2009. https://www.youtube.com/watch?v=A6e7wfDHzew Tip: Follow Daniel Solove on LinkedIn!
  8. An Anglo-Saxon term? Source: http://web.mit.edu/bigdata-priv/ http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf
  9. Blame? Source: http://mobile.nytimes.com/blogs/bits/2014/05/05/white-house-tech-advisers-online-privacy-is-a-market-failure/
  10. Solution?
  11. Is this complicated? Source: https://www.forrestertools.com/heatmap/
  12. Regulatory law: “Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different” Source: Bloomberg Singapore Sessions, April 23rd 2014, http://www.bloomberg.com/video/big-data-big-results-singapore-sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html
  13. A global perspective. US & UK: Common Law; Class actions; Privacy; Business focused; Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …; PII: varies per state. EU: Continental Law; Fines (by DPAs: Data Protection Agencies); Personal Data Protection (PDP); Citizen focused: data belongs to the visitor/prospect/consumer/citizen; Over-arching EU Directives & Regulations; Risk levels: low, medium, high, extremely high. APEC: Continental law influenced
  14. Democracy & the rule of law. US & UK: Common Law; Class actions; Privacy; Business focused; Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …; PII: varies per state. EU: Continental Law; Fines (by DPAs: Data Protection Agencies); Personal Data Protection (PDP); Citizen focused: data belongs to the visitor/prospect/consumer/citizen; Over-arching EU Directives & Regulations; Risk levels: low, medium, high, extremely high. APEC: Continental law influenced
  15. Data Protection. In light of fuzzy interpretations of Privacy, could we agree upon • Thinking of it as data protection • Protecting the data we are entrusted with • While respecting the Right to “Privacy” • Taking into consideration information security measures
  16. Democracy & the rule of law. US & UK: Common Law; Class actions; Privacy; Business focused; Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …; PII: varies per state. EU: Continental Law; Fines (by DPAs: Data Protection Agencies); Personal Data Protection (PDP); Citizen focused: data belongs to the visitor/prospect/consumer/citizen; Over-arching EU Directives & Regulations; Risk levels: low, medium, high, extremely high. APEC: Continental law influenced
  17. PII: ah but we don’t collect it! Medical information as PII: California, Arkansas, Missouri, New Hampshire, North Dakota, Texas, Virginia. Financial information as PII: Alaska, North Carolina, Iowa, North Dakota, Kansas, Oregon, Massachusetts, South Carolina, Missouri, Vermont, Nevada, Wisconsin, New York*, Wyoming. Passwords as PII: Georgia, Maine, Nebraska. Biometric information as PII: Iowa, Nebraska, North Carolina, Wisconsin. Source: information based on current ongoing analysis (partial results)
  18. So what is considered PII? Personal Information (based on the definition commonly used by most US states): (i) Name, such as full name, maiden name, mother's maiden name, or alias; (ii) Personal identification number, such as social security number (SSN), passport number, driver's license number, account and credit card number; (iii) Address information, such as street address or email address; (iv) Asset information, such as Internet Protocol (IP) or Media Access Control (MAC); (v) Telephone numbers, including mobile, business, and personal numbers. Information identifying personally owned property, such as vehicle registration number or title number and related information. Source: information based on current ongoing analysis (partial results)
  19. If you collect PII… then. US & UK: Common Law; Class actions; Privacy; Business focused; Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …; PII: varies per state. EU: Continental Law; Fines (by DPAs: Data Protection Agencies); Personal Data Protection (PDP); Citizen focused; Over-arching EU Directives & Regulations; Risk levels: low, medium, high, extremely high. APEC: Continental law influenced
  20. PII & legislation questions • Who knows their Chief Privacy Officer? According to the DMA (US), CMOs should abide by an average of 300 pieces of legislation • Is PII really PII? Zip code + gender + date of birth can uniquely identify 87% of the US population. Source: Microsoft Latanya Sweeney (2000) http://dataprivacylab.org/projects/identifiability/paper1.pdf
  21. PII vs. Risk levels. Risk level: Low; Medium (profiling); High (sensitive); Extremely high (profiling of sensitive data). Other diagram labels: Data type; Information Security Measures; PII
  22. Data lifecycles. Analytics => Follow the Money. Information Security & Compliance => Follow the Data
  23. The Privacy framework 1. Diagram labels: User consent; Fair & Legal process: FIPPs; Information for approved use; Data diving analysis / Big Data; New business opportunity through data; Purpose
  24. The Privacy framework 2. Diagram labels: User consent; Fair & Legal process: FIPPs; Information for approved use; Data diving analysis / Big Data; New business opportunity through data; Purpose
  25. Fair Information Practice Principles - FIPPs. Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
  26. Data collection • Purpose – Consent – Reason for data collection: • Website improvement, better User Experience • Marketing communication • Opt-in? Opt-out? Double opt-in? – Depends upon: • Type of data: PII, sensitive data • Type of sector: financial, health, … • Geography: US vs. EU vs. ???
  27. Examples: US vs. Spain. US: no purpose, no consent. Spain: consent, purpose, opt-in & opt-out
  28. Trust & creepiness. Consent is about a reasonable expectation of the use of data – There’s a fine line between feeling charmed vs. feeling invaded – Create win-win situations: • Customers give company information • Customers get better service/value for money
  29. Consent & Trust for Telcos. Slide borrowed from Stephen John Deadman from Vodafone Group Services Limited, IAPP congress Brussels, November 2013
  30. Typical personal data misconceptions. Very often present in technology companies – We do not identify the user while using the data, so we have no issues with Privacy law – We only use the serial # of the user's device, so the data is anonymous and we have no issues with Privacy laws – We encrypt the data so we are no longer using/sending/receiving personal data – We use hashes to replace all serial #, so the data is now anonymous and we have no issues with Privacy laws – We anonymize the data, so we are not using personal data – We can use the user’s data for anything we want, as long as we keep the data to ourselves – Look: big name companies are doing the same, so we are ok. Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
  31. EU fines? Spain: responsible for 80% of data protection fines in the EU. Source: http://i0.kym-cdn.com/photos/images/newsfeed/000/242/381/63a.jpg Source: http://www.mindyourprivacy.com/download/privacy-infographic.pdf
  32. Security (technical). Diagram labels: Data Collection; Processes; Resources
  33. Who has access? Source: Mind Your Privacy seal, specific audit for analytics tools & data agencies
  34. Supplier reviews - Cloud. Typical international company set-up. Cloud: • SaaS • PaaS • IaaS
  35. Data flows = shared responsibility. Source: http://cdn2-b.examiner.com/sites/default/files/styles/image_content_width/hash/6e/54/6e54dfaa644b1fe589e4462b6f2a20b7.jpeg?itok=OIAVYOR1
  36. As secure as the weakest link. Source: http://www.lebsontech.com/images/ChainLight.jpg
  37. WHERE TO START?
  38. Balancing Risks & Benefits. Risks: • SaaS PIAs: Privacy Impact Assessment • Security evaluation of your own information • Nature of your own data. Benefits: • Price • Transfer of responsibility? • Availability (BYOD, strike, natural disaster, …) Source: http://www.labeshops.com/image/cache/data/summitcollection/7918l-lady-justice-3-feet-statue-800x800.jpg
  39. Compliance vs. Risk Assessments • Achieving 100% compliance is a chimera – Compliance is a journey, not a destination – Level of required compliance linked to • Sector • Personal internal management • Company risk profile • Risk is a moving target – Risk of being fined – Risk of being breached – Brand perception => subjective
  40. A simple example: PII viewer for Google Analytics, http://davidsimpson.me/pii-viewer-for-google-analytics/ Diagram labels: Customer DB; Data Collection; Data Visualization • Privacy Policy • Hosting • Security • Terms of Use • Access • Consent • FIPPs • Data retention period • (Hosting) • Security • Access. What data is Chrome sending? Is your company accountable?
  41. Other ex.: BBVA Commerce 360. 26M transactions/day. 25% of market share for Spain. Source: http://www.slideshare.net/cibbva/juan-carlos-plaza-explica-los-proyectos-sobre-big-data-de-bbva
  42. Data transformations • Consent & purpose • Through which pipes? • Data (transfer) security? • Data access? • … From granular to aggregated
  43. What to do? 1. Know your information structure (cloud) – Can you exactly draw the Cloud supplier slide? 2. Cloud inventory (PIA) – Provider (& sub-contractors) – Location • Cloud service HQ • Servers – Applicable law: our friend Snowden – Physical location: earthquakes? • Any incidents to report? • In-house control access (risk) • Terms & Conditions – Information Security measures – Related to Privacy
  44. What to do? 3. Know your Data structure: data inventory (cloud) – Do you know which data can be found where? – Have you reviewed your information security measures? – What happens in case of a breach? 4. Authorization required? – Approval International Data Transfers (IDT) – Safe Harbor – Binding Corporate Rules (BCR) – User consent
  45. Moving to the cloud. 1. List your departments 2. What type of data needs to be moved? 3. What are your data risk levels? – Low / Medium / High / Extremely High 4. What do you need for compliance? Have a list of questions ready to ask your cloud provider except for the price!
  46. Note: slides blurred for confidentiality reasons
  47. Note: slides blurred for confidentiality reasons
  48. MYP Information Security Framework
  49. MYP Services. For Data Users: • Risk Assessment to define maturity model (COBIT) and roadmap • Define processes to establish proper security measures and create policies to structure these processes • Audit the level of compliance of security measures that are in place • Train staff to align them with security plan while reducing the risk of suffering a data breach • Define KPIs to adequately deploy a data governance program
  50. MYP Services. Analytics SaaS Providers: • Advice during the procurement process to define the best provider in terms of data security management and privacy compliance • Audit providers' management of data and privacy. For Analytics vendors & agencies: WEMindYourPrivacy Seal
  51. THANKS For listening
  52. Aurélie Pols, Co-founder & Chief Visionary Officer, Mind Your Privacy & Mind Your Group. aurelie@mindyourprivacy.com, @aureliepols. Next full day workshop: Privacy in Digital Marketing: Regulatory Threats vs. Data Opportunities, Berlin - June 2nd 2014, http://digitalanalyticshub.com/berlin2014/workshops/#ND68
