1. Data privacy & GDPR
Jacques Folon
Partner
Edge Consulting
Maître de conférences
Université de Liège
Professeur
ICHEC
Professeur invité
Université de Lorraine (Metz)
Visiting professor
ESC Rennes School of Business
12. 4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the first place.
Eric Schmidt
26. 1
Privacy statement confusion
• 53% of consumers consider that a privacy statement
means that data will never be sell or give
• 43% only have read a privacy statement
• 45% only use different email addresses
• 33% changed passwords regularly
• 71% decide not to register or purchase due to a
request of unneeded information
• 41% provide fake info
112
Source: TRUSTe survey
28. The person who took the photo
is a real friend
28
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg
59. IN 3 WORDS
!59
• GDPR IS A "REGULATION" ><
"DIRECTIVE"
• WORLDWIDE INFLUENCE
• CONSEQUENCES FOR COMPANIES
AND PUBLIC SECTOR
60. !60
MAY 2018
ENTRY INTO FORCE MAY
25,2018
DISCUSSED SINCE 2014
VOTED IN 2016
RISKS
PENALTIES
4% ANNUAL TO
20 M €
COMPENSATION IN COURT
REPUTATION
IMPACT
CONTRACT
PROCESSES
MARKETING
ORGANISATION
62. PERSONAL DATA
!62
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;
63. PROCESSING
!63
‘processing’ means any operation or set of
operations which is performed on personal data or
on sets of personal data, whether or not by
automated means, such as collection, recording,
organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making
available, alignment or combination, restriction,
erasure or destruction;
64. CONTROLLER
!64
controller’ means the natural or legal person, public
authority, agency or other body which, alone or
jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State
law;
65. processor or sub-contractor
!65
processor means a natural or legal
person, public authority, agency or other
body which processes personal data on
behalf of the controller
66. Sub-contractor
129
The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing
to be carried out, and must ensure compliance with those
measures
67. 67
The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State in
which the processor is established, shall also be incumbent on the
processor
68. data breach
!68
personal data breach’ means a breach of
security leading to the accidental or
unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to,
personal data transmitted, stored or
otherwise processed
69. C : 12 MAIN PRINCIPLES OF GDPR
!69
1. Accountability
2. Consumer / citizen rights
3. Privacy by design
4. Information security
5. Data breach
6. Penalties
7. identity access management
8. lawfulness for processing
9. Register
10.Risk analysis and PIA
11.Training
12.Data privacy officer
75. 2/ Consumer/citizen's right
!75
TRANSPARENCY
SENSITIVE INFORMATIONS
INFORMATION COLLECTED
RIGHT OF ACCESS
RIGHT TO RECTIFICATION
RIGHT TO ERASE
RIGHT OF PROCESSING LIMITATION
PORTABILITY
RIGHT OF OPPOSITION TO PROFILING
78. Right to be forgotten
• On 13.05.2014 the European Union Court of
Justice backed a ruling called “the right to be
forgotten,” which allows individuals to control
their data and ask search engines, such as Google,
to remove inadequate personal results from the
Internet.
• However, the decision cannot be interpreted as a
“victory” for the protection of the personal data
of Europeans, according to privacy experts.
79. • In 2010 a Spanish citizen lodged a complaint against a Spanish
newspaper with the national Data Protection Agency and
against Google Spain and Google Inc.
• The citizen complained that an auction notice of his
repossessed home on Google’s search results infringed his
privacy rights because the proceedings concerning him had
been fully resolved for a number of years and hence the
reference to these was entirely irrelevant.
• He requested, first, that the newspaper be required either to
remove or alter the pages in question so that the personal
data relating to him no longer appeared;
• and second, that Google Spain or Google Inc. be required to
remove the personal data
80. • In its ruling of 13 May 2014 the EU Court said :
• a)On the territoriality of EU rules: Even if the physical server of a
company processing data islocated outside Europe, EU rules apply
to search engine operators if they have a branch or a sub sidiary in
a Member State which promotes the selling of advertising space
offered by the search engine;
• b)On the applicability of EU data protection rules to a search
engine : Search engines are controllers of personal data. Google can
therefore not escape its responsibilities before European lawwhen
handling personal data by saying it is a search engine. EU data
protection law applies and so does the right to be forgotten.
• c) On the “Right to be Forgotten” : Individuals have the right -
under certain conditions - to ask search engines to remove links
with personal information about them.This applies where the
information is inaccurate, inadequate, irrelevant or excessive for the
purposes of the data
81. • At the same time, the Court explicitly clarified
that the right to be forgotten is not absolute but
will always need to be balanced against other
fundamental rights, such as the freedom of
expression and of the media
82. • Right to erasure (future rules?)
• 1.The data subject shall have the right to obtain from the
controller the erasure of personal data relating to them and the
abstention from further dissemination of such data, and to
obtain from third parties the erasure of any links to, or copy or
replication of that data, where one of the following grounds
applies:
• (a) the data are no longer necessary in relation to the purposes
for which they were collected or otherwise processed
• (b) the data subject withdraws consent on which the processing
is based according
• (c) when the storage period consented to has expired and
where there is no other legal ground for the processing of the
data
109. Where do one steal data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars
111. DATA PRIVACY & THE EMPLOYER
45http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg
112. SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
134. 134
'the data subject's consent' shall
mean any freely given specific
and informed indication of his
wishes by which the data subject
signifies his agreement to
personal data relating to him
being processed
137. 137
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. Further
processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States
shall lay down appropriate safeguards for personal data stored for
longer periods for historical, statistical or scientific use.
138. 138
Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation
to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of
the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed
139. 139
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life
140. 125
Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected
with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject
152. METHODOLOGY
!152
1. PRELIMINARY AUDIT
2. RISK ANALYSIS
3. LIST OF SERVICES
4. RECORD OF PROCESSING ACTIVITIES
5. ACTION PLAN
6. SERACH FOR COMPLIANCE
7. SOLUTION FOR NON COMPLIANCE
8. CONTINUOUS PROCESSES
9. TRAINING
Préparation
Implémentation
Pérennisation
156. RISKS
SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html
157. Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
158. The new head of MI6 has been left
exposed by a major personal security
breach after his wife published
intimate photographs and family
details on the Facebook website.
Sir John Sawers is due to take over
as chief of the Secret Intelligence
Service in November, putting him in
charge of all Britain's spying
operations abroad.
But his wife's entries on the social
networking site have exposed
potentially compromising details
about where they live and work, who
their friends are and where they
spend their holidays.
http://www.dailymail.co.uk
159. Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
160. Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
161. Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
165. Take my stuff,
please!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
172. 87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin