About the Author:
Silvan Jongerius is the CEO and Founder of TechGDPR, a boutique consultancy for Data Protection and Privacy in tech-centric environments such as Blockchain, AI and IoT. He has led Data Protection and security efforts since 2012, after spending 12 years in senior technology leadership, general management and innovation for large technology educators. In recent years he has focused particularly on Blockchain projects. He holds a certification from Columbia Business School in Digital Strategies for Business, is certified by the IAPP as a Certified Information Privacy Professional (Europe/GDPR) and is a TÜV-certified Data Protection Officer (Datenschutzbeauftragter). He is the European Representative for DLT Labs, a Toronto-based blockchain development house. He is also a regular speaker, consultant and educator on GDPR, blockchain, innovation and technology, and a mentor and advisor to a number of innovative tech and blockchain projects.
3. European Convention on Human Rights, Article 8.1: Everyone has the right to respect for his private and family life, his home and his correspondence.
4. (CC) Brian Solis, www.briansolis.com / bub.blicio.us / CC-BY
2010: Privacy is no longer a social norm
6. "Mark Zuckerberg F8 2018 Keynote (https://www.flickr.com/photos/quintanomedia/41118883004/)“ CC BY 2.0: (https://creativecommons.org/licenses/by/2.0/) by Anthony Quintano (https://www.flickr.com/people/quintanomedia/)
2018
7. [Chart: "Perceived privacy %" (* measured by myself), scale 0 to 50, over time: Long time ago, 2010, April 2018, May 2018 ("GDPR introduced"), June 2018 ("Oh. Nothing exploded?"), Now ("GDPR?")]
11. 1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric
@techgdpr
Privacy by Design: PDF of the 7 foundational principles of Privacy by Design (A. Cavoukian), https://bit.ly/2MNjubs
15. "[..] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
Data Protection by Design, Art. 25(1)
16. "The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."
Data Protection by Default, Art. 25(2)
17. "[…] the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features."
Recital 78
18. "[…] When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. […]"
Recital 78
21. Privacy by Design Framework
1. Privacy must be proactive, not reactive, and must anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
For blockchain: put no direct personal data on chain. Keep the actual records off chain and anchor them with hash pointers derived with a key. Understand which behavioural data and pseudonymous data the system generates, since both can still be personal data.
22. Privacy by Design Framework
2. Privacy must be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
For blockchain: the privacy-friendly option should be the default. Use private transactions where possible. Encryption alone is not enough: encrypted personal data is still personal data, and the metadata around it stays visible.
23. Privacy by Design Framework
3. Privacy must be embedded into design. It must be a core function of the product or service, not an add-on.
For blockchain: privacy bolted on afterwards will not work, because what has been written to the chain cannot be changed. Be careful with information leakage and metadata. Consider all layers of the system, not only the ledger itself.
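An added example (not code from the slides or from TechGDPR) of why "encryption is not enough" and what "information leakage and meta-data" looks like in practice. The ledger, the address and contract names, the payload-size table and the secret are all constructed assumptions; the payload itself is left out because only its length matters to an observer.

```python
"""Added example (not from the slides): what an observer still learns from a
chain whose payloads are encrypted. Every value below is constructed."""
import hashlib
from collections import defaultdict

# Constructed ledger. The payload would be ciphertext; only its length is kept.
# The envelope fields (block, from, to, ts) are public on a typical ledger.
LEDGER = [
    {"block": 100, "from": "0xA1", "to": "0xCLINIC", "len": 96, "ts": 1_600_000_000},
    {"block": 101, "from": "0xB7", "to": "0xSHOP", "len": 48, "ts": 1_600_000_015},
    {"block": 105, "from": "0xA1", "to": "0xCLINIC", "len": 96, "ts": 1_600_604_800},
    {"block": 110, "from": "0xA1", "to": "0xCLINIC", "len": 96, "ts": 1_601_209_600},
    {"block": 111, "from": "0xC3", "to": "0xSHOP", "len": 48, "ts": 1_601_209_700},
]

# Assumption for the example: the observer has learned which (recipient contract,
# ciphertext length) pairs correspond to which record type, e.g. by submitting
# known inputs. Length-preserving encryption makes this trivial.
KNOWN_PAYLOAD_SIZES = {("0xCLINIC", 96): "lab-result", ("0xSHOP", 48): "order"}

PAD_TO = 128  # fixed ciphertext size used by harden()
DAY = 86_400


def profile_senders(ledger):
    """Link everything a reused sender address did: count, counterparties, timing."""
    prof = defaultdict(lambda: {"count": 0, "counterparties": set(), "timestamps": []})
    for tx in ledger:
        p = prof[tx["from"]]
        p["count"] += 1
        p["counterparties"].add(tx["to"])
        p["timestamps"].append(tx["ts"])
    return dict(prof)


def infer_record_type(tx):
    """Guess the plaintext type from recipient and ciphertext length alone."""
    return KNOWN_PAYLOAD_SIZES.get((tx["to"], tx["len"]))


def recurring_interval(timestamps):
    """Return the single gap between consecutive timestamps if all gaps match.
    A regular cadence (e.g. every 7 days) is behavioural data about a person."""
    ts = sorted(timestamps)
    gaps = {b - a for a, b in zip(ts, ts[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def harden(ledger, secret):
    """Re-issue the same transactions with two mitigations:
    a fresh one-time sender pseudonym per transaction (derived with a keyed
    hash here; a real system would use a fresh key pair or a private
    transaction scheme) and ciphertext padded to a fixed length.
    Timestamps are left untouched on purpose: timing still leaks."""
    out = []
    for i, tx in enumerate(ledger):
        tag = hashlib.sha256(secret + tx["from"].encode() + i.to_bytes(4, "big")).hexdigest()
        out.append({**tx, "from": "0x" + tag[:8], "len": PAD_TO})
    return out


if __name__ == "__main__":
    prof = profile_senders(LEDGER)
    for sender, p in prof.items():
        print(sender, p["count"], sorted(p["counterparties"]),
              recurring_interval(p["timestamps"]))
    print([infer_record_type(tx) for tx in LEDGER])
    hardened = profile_senders(harden(LEDGER, b"constructed-secret"))
    print(len(hardened), "distinct senders after hardening")
```

Run as-is, the profile ties three weekly "lab-result" submissions to one reused address even though the payloads are encrypted; after `harden()` each transaction has a fresh pseudonym and a fixed size, so neither the address nor the length links anything. The timestamps are deliberately left alone to make the slide's point: every layer (network timing, block ordering, storage) has to be considered, not just the payload.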
24. Privacy by Design Framework
4. Privacy must be positive-sum and should avoid dichotomies. For example, PbD sees an achievable balance between privacy and security, not a zero-sum game of privacy or security.
For blockchain: give users full control over their data. The one real tension is transparency, since a public ledger exposes its contents by design. There is no need to compromise on security.
25. Privacy by Design Framework
5. Privacy must offer end-to-end lifecycle protection of user data. This means engaging in proper data minimization, retention and deletion processes.
For blockchain: consider the full lifecycle of the data, including what happens when it must be deleted. Build in mechanisms for the requirements of GDPR from the start. A hash can also be personal data when it can still be linked back to an individual.
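An added example (not code from the slides or from TechGDPR) that serves two of the points above: slide 21's "no direct personal data on chain, use hash pointers with a key to actual records" and this slide's "a hash can also be personal data". The record contents, the candidate list and the use of HMAC-SHA256 with a per-record secret are my assumptions about how such a keyed pointer would be built; the slides do not specify a construction.

```python
"""Added example (not from the slides): keep the record off chain, put only a
keyed hash on chain, and see why an unkeyed hash of personal data is still
personal data. All records and keys are constructed."""
import hashlib
import hmac
import json
import secrets

# Constructed sample records; not real people.
RECORDS = {
    "rec-1": {"email": "alice@example.org", "consent": True},
    "rec-2": {"email": "bob@example.org", "consent": False},
}


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(record):
    """Unkeyed SHA-256: what is often put on chain as a 'pseudonymous' pointer."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_hash(record, key):
    """HMAC-SHA256 with a per-record secret that stays off chain (assumed construction)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def reidentify(on_chain_digest, candidates):
    """Dictionary attack: recompute the unkeyed hash over guessable inputs.
    If the input space is small (e-mail addresses, names, dates), the digest
    is linkable to a person and is therefore personal data."""
    for cand in candidates:
        if hmac.compare_digest(plain_hash(cand), on_chain_digest):
            return cand
    return None


class OffChainStore:
    """Deletable storage for the actual record and its per-record key.
    The chain holds only {id, commitment}; the id is the pointer."""

    def __init__(self):
        self._records = {}
        self._keys = {}

    def put(self, rec_id, record):
        key = secrets.token_bytes(32)
        self._records[rec_id] = record
        self._keys[rec_id] = key
        return {"id": rec_id, "commitment": keyed_hash(record, key)}  # chain entry

    def verify(self, entry):
        """True only while record and key still exist and match the chain entry."""
        rec_id = entry["id"]
        if rec_id not in self._keys:
            return False
        expected = keyed_hash(self._records[rec_id], self._keys[rec_id])
        return hmac.compare_digest(expected, entry["commitment"])

    def erase(self, rec_id):
        """Delete record and key. The commitment stays on chain but can no
        longer be recomputed or linked to anyone."""
        self._records.pop(rec_id, None)
        self._keys.pop(rec_id, None)


def guessable_records():
    """Constructed candidate list an attacker might enumerate."""
    return [{"email": f"{name}@example.org", "consent": c}
            for name in ("alice", "bob", "carol") for c in (True, False)]


if __name__ == "__main__":
    alice = RECORDS["rec-1"]
    print("unkeyed hash re-identified:", reidentify(plain_hash(alice), guessable_records()))
    store = OffChainStore()
    entry = store.put("rec-1", alice)
    print("keyed commitment re-identified:", reidentify(entry["commitment"], guessable_records()))
    print("verifies:", store.verify(entry))
    store.erase("rec-1")
    print("verifies after erasure:", store.verify(entry))
```

The unkeyed digest of a record built from an e-mail address is recovered by simply hashing a short candidate list, which is why such a hash is still personal data. The keyed commitment cannot be matched that way, and once the off-chain record and its key are erased it can no longer be verified or recomputed; the value itself stays on the chain, which is exactly the lifecycle question the slide asks you to plan for up front.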
26. Privacy by Design Framework
6. Privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny.
For blockchain: transparency is a default feature of the technology. Document your privacy efforts and the considerations behind them. Make it easy to verify facts: the chain itself offers mathematical verification.
27. Privacy by Design Framework
7. Privacy must be user-centric. This means giving users granular privacy options, maximized privacy defaults, detailed privacy information notices, user-friendly options and clear notification of changes.
For blockchain: put users in control of their own data. Self-sovereign identity needs only proofs and their verification, not the underlying personal data itself. Developers: make storing personal data hard.