
Privacy by design for peerlyst meetup


Slides on Privacy by Design, connecting legal and regulatory requirements with practical implementation

Published in: Software


  1. Privacy by Design (PbD)
     Connecting the dots between legal and technology, by Advocate Alon Saposhnik and Initech Software Services Ltd, January 2017
  2. Main players
     ● “Data Subject” - an individual who is the subject of personal data.
     ● “Personal data” - any information relating to an identified or identifiable natural person.
     ● “Sensitive data” (according to the Israeli Privacy Laws) - includes “details concerning an individual’s personality, intimate relations, health condition, financial condition, opinions and religious belief”.
     ● “Controller” - the party responsible for compliance with the data protection regulations.
     ● “Processor” - the party that is only responsible for processing personal data, acting on behalf of the controller and according to its instructions.
     ● “Regulator” - Data Protection Authority (e.g., ILITA, Information Commissioner's Office, etc.)
  3. Guiding principles of PbD (Privacy by Design)
     1. Proactive not reactive; preventative not remedial
     2. Privacy as the default
     3. Privacy embedded into design
     4. Full functionality; positive-sum, not zero-sum
     5. End-to-end lifecycle protection
     6. Visibility and transparency
     7. Respect for user privacy
  4. Who’s affected?
     ● Developers
     ● Companies using third-party apps / software / hosting as a part of their product / service
     ● Data Controllers
     ● Data Processors
     ● Others?
  5. Implementation - legal considerations
     1. Infrastructure providers located outside of the EU territory - do they comply with privacy regulations, or do they offer to sign a Model Clause (or Data Processing Addendum)?
     2. Service providers located outside of the EU (marketing, R&D) - sign a Model Clause when transferring data abroad
     3. NDA agreements with workers and service providers to assure privacy compliance
     4. Information security - get an ISO certificate for working with global companies
  6. Case studies of privacy lawsuits - in Israel
     ● Local Israeli app (Sync.Me): was ordered by the regulator to erase all personal data that was illegally collected on users. Activity in Israel has been stopped.
     ● Data Rings (seller of databases): was ordered by the court to erase all personal data that was collected on individuals. Clients of the company who gained access to the data were ordered to do the same.
     ● Israeli company (undisclosed) was fined 177,000 NIS for illegal commercial use of personal data that was collected on individuals.
  7. Case studies of privacy lawsuits - abroad
     ● The Hamburg regulator has ordered Facebook to halt its unlawful collection and storage of data belonging to 35 million German WhatsApp users. The Commissioner has also ordered that Facebook delete any data it has already collected from WhatsApp.
     ● £40,000 fine for a healthcare organization that failed to protect a patient's personal data: a general practitioner clinic that revealed confidential details about a woman and her family to her estranged ex-partner was fined £40,000 by the Information Commissioner.
     ● An EU lawmaker is calling for the European Commission to investigate the dating app Tinder for potential breaches of European data protection rules, because it uses personal data without explicit consent.
     ● The CNIL has issued an order giving Microsoft three months to make changes to its operating system in line with French data protection law. According to the CNIL, the Windows Store collects user data on all downloaded applications without user consent or even awareness, monitoring the time spent on each app. Windows 10 also automatically installs an advertising identifier, enabling Microsoft to monitor users' browsing to offer targeted ads. The CNIL will only consider fining the company if it fails to make changes.
     ● Intelligent Lending, trading as Ocean Finance, was fined by the UK regulator after it sent seven million texts offering a new credit card powered by a major lender.
  8. Implementation - applicative considerations
     1. Privacy policies - organizational practices and procedures
     2. Israeli Privacy Law requires registration of certain databases with the Database Registrar
     3. Data protection certification - for demonstrating compliance with the Data Protection Regulation by controllers and processors
     4. Conduct a Privacy Impact Assessment
     5. Internal training programs
     6. Presence of a privacy specialist in early stages of product development
  9. Typical privacy issues in mobile / web applications
     ● Collecting unnecessary sensitive data during sign-up
     ● Failure to get approval for the TOS / for receiving emails during sign-up (Privacy and Anti-Spam Laws)
     ● Blind selection of a data center in the USA
     ● Unintentional exposure of sensitive data when using 3rd-party integrations (e.g., using Messenger to collect personal data exposes it to Facebook)
  10. Typical privacy issues in mobile / web applications
      ● Unintentional exposure of sensitive data belonging to other users due to bugs in code
      ● Development / testing environments are replicated from production data without obfuscating personal data
      ● Access of personnel to the sensitive data through direct access to the database
      ● Production data compromised through unrestricted access to backups
  11. Implementation - examples
      ● Privacy policy + confirmation for designated actions (account creation, etc.)
      ● Newsletters / promotional correspondence establish an opt-in mechanism according to the Privacy Law and Anti-Spam Law requirements
      ● Infrastructure for personal data retrieval and erasure (blacklisting erased data so it is filtered out during recovery from backups)
      ● Back office with multiple levels of access to personal data of users (each role has
  12. Implementation - examples
      ● Hosting location selection - EU, or a location approved by the EU (Israel is approved)
      ● Managing the list of 3rd parties that receive access to users’ personal data (including an appropriate permissions model)
      ● Implement contractual mechanisms with 3rd parties (e.g., a Data Processing Agreement)
      ● Data Access Layer middleware should restrict selection of data to the session / user context
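The three engineering points on slides 10 to 12 (other users' data leaking through bugs in code, an erasure blacklist consulted when recovering from backups, and a Data Access Layer that restricts selection to the session/user context) can be shown in one small data access layer. The following is an added example written for this page, not code from the presenters or from Initech; the table layout, the "subject" and "support" roles, the `health_note` column treated as sensitive data, and the sample rows are all constructed for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional

# Constructed for this example: columns treated as "sensitive data" (slide 2).
SENSITIVE_COLUMNS = ("health_note",)


@dataclass(frozen=True)
class Session:
    """The authenticated caller's context; every data access is bounded by it."""
    user_id: int
    role: str  # "subject" (ordinary user) or "support" (back-office role), hypothetical roles


class AccessDenied(Exception):
    pass


class UserDataLayer:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.row_factory = sqlite3.Row
        self.db.execute(
            "CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, email TEXT, health_note TEXT)"
        )
        # Erasure blacklist (slide 11): ids whose data was erased; consulted on every restore.
        self.db.execute("CREATE TABLE erased (user_id INTEGER PRIMARY KEY)")

    def insert_profile(self, user_id: int, email: str, health_note: str) -> None:
        self.db.execute("INSERT INTO profiles VALUES (?, ?, ?)", (user_id, email, health_note))

    # The bug from slide 10: a lookup keyed only on a client-supplied id, so any caller
    # can read any user's row.
    def get_profile_unscoped(self, profile_id: int) -> Optional[dict]:
        row = self.db.execute("SELECT * FROM profiles WHERE user_id = ?", (profile_id,)).fetchone()
        return dict(row) if row else None

    # The fix from slide 12: the session, not the request, decides what may be selected.
    def get_profile(self, session: Session, profile_id: int) -> Optional[dict]:
        if session.role == "subject":
            # An ordinary user can only select their own row; the requested id is
            # checked against the session instead of being trusted.
            if profile_id != session.user_id:
                raise AccessDenied("profile does not belong to the session user")
            row = self.db.execute(
                "SELECT * FROM profiles WHERE user_id = ?", (session.user_id,)
            ).fetchone()
            return dict(row) if row else None
        if session.role == "support":
            # Back-office role (slide 11): may look up any record, but sensitive
            # columns are stripped before the row leaves the data layer.
            row = self.db.execute("SELECT * FROM profiles WHERE user_id = ?", (profile_id,)).fetchone()
            if row is None:
                return None
            return {k: v for k, v in dict(row).items() if k not in SENSITIVE_COLUMNS}
        raise AccessDenied(f"unknown role {session.role!r}")

    # Erasure records a tombstone so a later backup restore cannot resurrect the data.
    def erase_profile(self, session: Session, user_id: int) -> bool:
        if session.role != "support" and session.user_id != user_id:
            raise AccessDenied("only the data subject or support may erase")
        cur = self.db.execute("DELETE FROM profiles WHERE user_id = ?", (user_id,))
        self.db.execute("INSERT OR IGNORE INTO erased VALUES (?)", (user_id,))
        return cur.rowcount > 0

    def restore_from_backup(self, backup_rows: List[dict]) -> int:
        """Restore rows from a backup snapshot, skipping every user on the erased list."""
        erased = {r["user_id"] for r in self.db.execute("SELECT user_id FROM erased")}
        restored = 0
        for rec in backup_rows:
            if rec["user_id"] in erased:
                continue
            self.db.execute(
                "INSERT OR REPLACE INTO profiles VALUES (?, ?, ?)",
                (rec["user_id"], rec["email"], rec["health_note"]),
            )
            restored += 1
        return restored


def demo() -> dict:
    """Runs the scenario on constructed sample data and returns the observable outcomes."""
    dal = UserDataLayer()
    dal.insert_profile(1, "alice@example.com", "allergy: penicillin")  # constructed
    dal.insert_profile(2, "bob@example.com", "none")                    # constructed
    backup = [dal.get_profile_unscoped(1), dal.get_profile_unscoped(2)]  # snapshot taken before erasure

    alice = Session(user_id=1, role="subject")
    support = Session(user_id=99, role="support")
    out = {}
    out["unscoped_leak"] = dal.get_profile_unscoped(2)["email"]  # Alice's code path reads Bob's row
    try:
        dal.get_profile(alice, 2)
        out["scoped_blocked"] = False
    except AccessDenied:
        out["scoped_blocked"] = True
    out["support_sees_health"] = "health_note" in dal.get_profile(support, 1)
    out["erased"] = dal.erase_profile(alice, 1)
    out["restored"] = dal.restore_from_backup(backup)   # Bob comes back, Alice stays erased
    out["alice_after_restore"] = dal.get_profile(support, 1)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of putting the session check inside the data layer rather than in each request handler is that a forgotten check in one handler (the slide 10 bug) no longer exposes another user's row, and the erased-id table makes the backup recovery path honour an erasure request without anyone having to remember it at restore time.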
  13. Implementation - takeouts and challenges for PbD
      ● Big advantage for EU / Israel-based providers
      ● High risk of working with providers based outside of the EU, in places such as Eastern Europe / Asia (Belarus, Ukraine, India, China, Russia) where EU privacy regulations do not apply and are therefore impossible to enforce
      Questions to answer when starting a project:
      ● Which criteria should we implement as a minimum default for privacy by design?
      ● At what stage should we involve a privacy specialist?
  14. Thank you for listening!
      For technical questions:
      For legal questions: