The document discusses several key topics related to data privacy in the digital economy:
- Challenges of safeguarding privacy rights with the rise of technology and data collection.
- Assessing privacy maturity based on generally accepted privacy principles.
- Implementing privacy enhancing technologies and practices like privacy by design.
- Understanding consumer concerns about privacy and gaining their consent for data use.
2. • Challenges and Opportunities Associated with Safeguarding Privacy Rights
• Privacy Maturity in the Context of Generally Accepted Privacy Principles
• Privacy Enhancing Technologies and Best Practices – Privacy by Design
6. Table 1: The OECD Fair Information Practices
Principle: Description
Collection limitation: The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the
Data quality: Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that
Purpose specification: The purposes for the collection of personal information should be disclosed before collection and upon any change to those purposes, and the use
purposes and compatible purposes.
Use limitation: Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal
Security safeguards: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use,
Openness: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal
Individual participation: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction,
Accountability: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these
10. A study found that it is possible to re-identify 87% of the US population by simply combining three data points: zip code, gender and date of birth.
In the Netflix study, researchers were able to identify individual Netflix users in an anonymized dataset by knowing when and how those users had rated as few as six movies.
The New York Times was able to identify a single individual in a list of web search queries released by AOL, using the searches that the individual had made over a three-month period.
Sources: Carnegie Mellon University; Office of the Canadian Privacy Commission
11. Data breaches have increased 40% from 2015 to 2016, to an all-time high of 1,093 breaches in the US alone. The average cost per breach in 2016 is pegged at $4 million, up 29% from the year prior.
Nearly 60% of organizations surveyed lack sufficient cyber security and privacy staff to handle the increasing demands of legal compliance and of supporting robust information security best practices.
30 percent of business information is stored in the cloud, but of this, 35 percent is not visible to IT.
Sources: The Identity Theft Resource Center; The 2016 Telstra Cybersecurity Report; Ponemon Institute
13. Implications
1 Expanded jurisdiction
2 Higher bar for the protection of privacy rights
3 More onerous enforcement mechanisms
4 More rigorous accountability and compliance requirements
19. Stringent Enforcement
1 Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
2 This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
3 There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records of processing in order (Article 30), not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment.
21. Privacy by Design Foundational Principles
Each principle is stated from the Privacy perspective (respect and protect personal information) and from the Security perspective (enable and protect activities and assets of both people and enterprises).

1. Proactive not Reactive; Preventative not Remedial
Privacy: Anticipate and prevent privacy-invasive events before
wait for privacy risks to materialize
Security: Begin with the end in mind. Leverage enterprise
the proactive implementation of security

2. Default Setting
Privacy: Build privacy measures directly into any given ICT system
practice, by default
Security: Implement "Secure by Default" policies, including least
least trust, mandatory access control and separation of

3. Embedded into Design
Privacy: Embed privacy into the design and architecture of ICT
practices. Do not bolt it on after the fact.
Security: Apply Software Security Assurance practices. Use hardware
Trusted Platform Module.

4. Positive-Sum
Privacy: Accommodate all legitimate interests and objectives in a
win" manner, not through a zero-sum approach involving
offs.
Security: Accommodate all stakeholders. Resolve conflicts to seek

5. End-to-End Security
Privacy: Ensure cradle-to-grave, secure life-cycle management of
end.
Security: Ensure confidentiality, integrity and availability of all
stakeholders.

6. Visibility and Transparency
Privacy: Keep component parts of IT systems and operations of
visible and transparent, to users and providers alike.
Security: Strengthen security through open standards, well-known
validation.

7. Respect for the User
Privacy: Respect and protect interests of the individual, above all.
Security: Respect and protect the interests of all information owners.
accommodate both individual and enterprise interests.
23. GDPR Readiness (Source: AIIM)
Figure: bar chart of survey responses (vertical axis 0% to 35%). Question: "On a scale of 1 to 5 (1 being fully prepared to meet the requirements) how would you rate the readiness of your organization in meeting GDPR requirements now?" Response categories: Not at all; We are thinking about it; We are planning for it; We have a project in place; We are fully prepared.
24. Figure: bar chart of survey responses (horizontal axis 0% to 60%). Question: "Has your organization suffered any of the following in the last 12 months?" Response categories: A data loss or exposure due to staff negligence or bad practice; A data breach involving internal staff or ex-staff; Internal or HR incidents due to unauthorized access; A data breach from external hacking or intrusion; Other; Don't know.
Insight Into Privacy Vulnerabilities
27. De-Identification Best Practices
• Determine the intended target audience
• Classify variables (direct and indirect identifiers)
• Set the re-identification threshold (sensitivity of the information, the number of individuals, potential harms or injuries to individuals in the event of a breach or inappropriate use)
• Determine the probability of re-identification risk
• De-identify the data (mask direct identifiers, modify the size of equivalence classes, generalization, suppression)
• Assess data utility (trade-off between the amount of de-identification and the utility of the resulting information)
Probability of re-identification for a given row = 1 / (size of equivalence class)
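The steps above, worked through in code. This is an added example, not code from the original slides: it masks the direct identifiers, generalizes the three quasi-identifiers cited earlier (zip code, gender, date of birth) step by step until every row's re-identification probability, 1 / (size of its equivalence class), is at or below the chosen threshold, suppresses rows that still exceed it, and reports a crude utility score so the trade-off is visible. The records, the generalization ladder, the threshold values and the utility weights are assumptions made for this example.

```python
"""Added example (not from the original slides): de-identification with
masking, generalization and suppression, driven by the slide's formula
per-row risk = 1 / |equivalence class|. Sample data and the generalization
ladder are constructed for illustration."""
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample data (not real people).
RECORDS: List[Record] = [
    {"name": "Alice Ng",  "email": "alice@example.org", "zip": "02139", "gender": "F", "dob": "1984-03-12", "diagnosis": "asthma"},
    {"name": "Bob Ray",   "email": "bob@example.org",   "zip": "02138", "gender": "M", "dob": "1979-07-30", "diagnosis": "diabetes"},
    {"name": "Cara Lim",  "email": "cara@example.org",  "zip": "02142", "gender": "F", "dob": "1986-11-02", "diagnosis": "asthma"},
    {"name": "Dan Oduya", "email": "dan@example.org",   "zip": "02134", "gender": "M", "dob": "1975-01-19", "diagnosis": "hypertension"},
    {"name": "Eve Kraus", "email": "eve@example.org",   "zip": "02140", "gender": "F", "dob": "1981-09-09", "diagnosis": "migraine"},
    {"name": "Fay Moss",  "email": "fay@example.org",   "zip": "02143", "gender": "M", "dob": "1977-05-25", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "email")        # identify a person on their own
QUASI_IDENTIFIERS = ("zip", "gender", "dob")  # identify a person in combination

# Assumed generalization ladder: (zip digits kept, date-of-birth precision), finest first.
LADDER: List[Tuple[int, str]] = [(5, "full"), (3, "year"), (3, "decade"), (0, "decade")]
DOB_SCORE = {"full": 1.0, "year": 0.5, "decade": 0.25}  # assumed precision weights for utility


def mask_direct_identifiers(record: Record) -> Record:
    """Replace direct identifiers with a mask (dropping the columns also works)."""
    out = dict(record)
    for col in DIRECT_IDENTIFIERS:
        out[col] = "*"
    return out


def generalize(record: Record, zip_digits: int, dob_precision: str) -> Record:
    """Coarsen the quasi-identifiers: truncate the zip code, round the date of birth."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (5 - zip_digits)
    year = record["dob"][:4]
    if dob_precision == "year":
        out["dob"] = year
    elif dob_precision == "decade":
        out["dob"] = year[:3] + "0s"
    return out


def equivalence_classes(records: List[Record]) -> Counter:
    """Count rows that share the same quasi-identifier values."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)


def reidentification_risk(records: List[Record]) -> List[float]:
    """The slide's formula: per-row probability = 1 / size of its equivalence class."""
    classes = equivalence_classes(records)
    return [1.0 / classes[tuple(r[q] for q in QUASI_IDENTIFIERS)] for r in records]


def utility(kept: List[Record], level: Tuple[int, str], total: int) -> float:
    """Crude utility in [0, 1]: quasi-identifier precision retained, scaled by the
    fraction of rows that survived suppression."""
    if total == 0:
        return 0.0
    zip_digits, dob_precision = level
    precision = (zip_digits / 5 + DOB_SCORE[dob_precision]) / 2
    return precision * len(kept) / total


def deidentify(records: List[Record], threshold: float) -> Tuple[List[Record], Tuple[int, str], float]:
    """Mask, then climb the ladder until max per-row risk <= threshold.
    If the coarsest level still leaves small classes, suppress the offending rows.
    Returns (released rows, level used, utility score)."""
    if not records:
        return [], LADDER[0], 0.0
    masked = [mask_direct_identifiers(r) for r in records]
    for level in LADDER:
        candidate = [generalize(r, *level) for r in masked]
        if max(reidentification_risk(candidate)) <= threshold:
            return candidate, level, utility(candidate, level, len(records))
    level = LADDER[-1]
    candidate = [generalize(r, *level) for r in masked]
    kept = [r for r, p in zip(candidate, reidentification_risk(candidate)) if p <= threshold]
    return kept, level, utility(kept, level, len(records))


if __name__ == "__main__":
    print("raw max risk:", max(reidentification_risk(RECORDS)))   # 1.0: every row is unique
    rows, level, score = deidentify(RECORDS, threshold=1 / 3)    # i.e. classes of at least 3
    print("level:", level, "utility:", round(score, 3), "rows released:", len(rows))
    for row in rows:
        print(row)
```

With the sample rows, full zip codes and dates of birth leave every row in a class of size 1 (risk 1.0), which is the point of the 87% statistic quoted earlier; three zip digits plus decade of birth brings every class to size 3 (risk 1/3). Asking for a threshold of 0.2 (classes of at least 5) exhausts the ladder and suppresses every row, so utility drops to 0: the threshold has to be chosen together with the size of the population, as the slide's bullet on the re-identification threshold says.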
28. Informed Consent
• Data tagging with embedded instructions as to how PII should be treated
• Privacy policy language based on XACML (eXtensible Access Control Markup Language)
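The two bullets above describe a mechanism, shown here as an added example that is not part of the original slides: each PII field carries embedded handling tags (consented purposes, consent date, retention limit, permitted roles), and every use passes through a policy decision point that evaluates subject, action and resource attributes in the XACML style, with deny-overrides combining. XACML itself is an XML policy language; this Python code is a stand-in for the same attribute-based decision, not an XACML implementation. The record, the tag fields, the roles and the purposes are assumptions made for this example.

```python
"""Added example (not from the original slides): PII fields with embedded
handling tags ('sticky policy') enforced by an attribute-based policy
decision point in the XACML style. Record, roles and purposes are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class HandlingTags:
    """Instructions that travel with the field."""
    consented_purposes: frozenset   # purposes the data subject consented to
    consent_given: date             # when consent was recorded
    retain_days: int                # retention limit counted from consent_given
    allowed_roles: frozenset        # roles permitted to read the field at all


@dataclass
class TaggedField:
    value: str
    tags: HandlingTags


# Constructed sample record: each field carries its own handling tags.
RECORD: Dict[str, TaggedField] = {
    "email": TaggedField(
        "alice@example.org",
        HandlingTags(frozenset({"service", "billing"}), date(2024, 1, 10), 365,
                     frozenset({"support", "billing"})),
    ),
    "dob": TaggedField(
        "1984-03-12",
        HandlingTags(frozenset({"age-verification"}), date(2024, 1, 10), 30,
                     frozenset({"compliance"})),
    ),
}

AUDIT: List[Tuple[str, str, str, str]] = []   # (field, role, purpose, decision)


def decide(field: TaggedField, role: str, purpose: str, today: date) -> Tuple[str, str]:
    """Policy decision point. Deny-overrides: the first failing rule decides.
    Returns ("Permit" | "Deny", reason)."""
    t = field.tags
    if role not in t.allowed_roles:
        return "Deny", "role not permitted for this field"
    if purpose not in t.consented_purposes:
        return "Deny", "purpose not covered by the subject's consent"
    if (today - t.consent_given).days > t.retain_days:
        return "Deny", "retention period expired"
    return "Permit", "role, purpose and retention rules satisfied"


def access(record: Dict[str, TaggedField], name: str, role: str, purpose: str,
           today: date) -> Optional[str]:
    """Policy enforcement point: releases the value only on Permit and logs
    every decision so use of PII can be audited against the tags."""
    field = record[name]
    decision, _reason = decide(field, role, purpose, today)
    AUDIT.append((name, role, purpose, decision))
    return field.value if decision == "Permit" else None


def withdraw_consent(record: Dict[str, TaggedField], purpose: str) -> None:
    """Consent withdrawal: strip the purpose from every field's tags, so later
    requests for that purpose are denied without changing any caller."""
    for field in record.values():
        field.tags.consented_purposes = field.tags.consented_purposes - {purpose}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(access(RECORD, "email", "support", "service", today))    # alice@example.org
    print(access(RECORD, "email", "support", "marketing", today))  # None: no consent for marketing
    withdraw_consent(RECORD, "service")
    print(access(RECORD, "email", "support", "service", today))    # None: consent withdrawn
    for entry in AUDIT:
        print(entry)
```

The purpose check is the OECD use-limitation principle from Table 1 made executable: a caller who holds a valid role still gets "Deny" when the stated purpose is not one the subject consented to, and withdrawing consent changes only the tags, not the calling code.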
29. Data Minimization
• Process only the minimum amount of information needed, in order to mitigate the risk of compromising privacy rights
• https://duckduckgo.com/about
• Deleting browser history
• Privacy Eraser: http://download.cnet.com/Privacy-Eraser/3000-2144_4-10078150.html