
Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust - Digital Catapult


Presentation about PDR implementation and lessons learned, given at the Personal Data and Trust Network - Real Consent and GDPR Readiness Workshop

Published in: Technology

  1. Personal Data Receipts
     • Real Consent & GDPR Readiness
     • January 16th, 2017
     • Michele Nati, Lead Technologist, Personal Data and Trust
     • Lucie Burgess, Head of Personal Data and Trust
     • David Ponsford, Senior Product Manager
     • Digital Catapult, London
     • @michelenati
  2. Motivation
     • Personal data availability is growing
     • By 2019, total shipments will reach 214.6 million units, a five-year Compound Annual Growth Rate (CAGR) of 28% (IDC)
     • … and business digital transformation is leveraging that
     • … with transparency and trust becoming of paramount importance
     • Only 1 in 5 consumers read privacy statements; 15% feel they have control over how their data are used (Source: Data Protection Eurobarometer)
     • And a regulatory framework is now in place to measure it (GDPR)
     • http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf
  3. Trust and GDPR
     • Diagram labels: Trustworthiness, Reputation, Trust
     - Transparency (Article 12-14, Information notice)
     - Accountability (Article 4 and 7, Consent)
     - Level of Control (Article 17-19, Data erasure and portability)
  4. Background
     • Summer 2016 intern
     • Understanding what transparency means for consumers
     • Data discovery, interviews, user-centric design, prototyping, measuring
     • Findings: a transparent, clear and concise summary of collected data increases trust
     • https://pdtn.org/designing-consent-receipts-future-personal-data-sharing/
  5. Personal Data Receipts
     Multi-disciplinary team:
     - UX Lead
     - Marketing experts
     - Lawyer
     - Lead Tech
     Lawyer advice: According to DPA, consent is not required for:
     a) the “legitimate interests” of the data controller so long as they do not override the fundamental rights of the data subject;
     b) data that it is necessary to collect or process to fulfill a contract the data subject asked to enter
     • PDRs are a super-set of consent receipts
     • First full transparency, then control
  6. Current Benefits
     • Individuals:
       • Simplify understanding of privacy policies
       • Track and control the use of personal data
     • Organizations:
       • Increase transparency, by simplifying privacy policies
     • For both:
       • Simplify Subject Access Requests (by providing a link to Data Controller)
  7. Technical integration – Logic view
     • User interfaces: collect, store and manage PDRs
     • PDR generator: uses secure APIs from different corporate legacy systems (e.g. Salesforce)
     • Audit trail: authenticity, integrity, confidentiality, non-repudiability
  8. Technical integration – Digital Catapult system
     Preserving privacy:
     • No new personal information is created, nor passed and stored across different systems
     • Secure meta-data communication
     • Pseudonyms to link PDRs and users
     • PDRs only sent the first time, with random delay, to avoid traceability
     • Audit trail: including PDR version to maintain consistency (in case of Privacy Policy change)
  9. PDR trial ambitions
     • Educate consumers (visitors) about their personal data sharing
     • Measure the value of PDR for consumers
     • Promote best practices and adoption to increase business transparency and trust
  10. PDR trial summary
      [Dashboard figure; chart axes and per-week values are not recoverable from the transcript]
      • Panels: Overall visitor engagement; Website engagement (Visitors, Total page views, Contact via website, Requests to be removed); Catapult Centre engagement (Centre visitors, PDRs sent, Email open rate, Click-through rate; this week vs last week); PDRs sent by interest area (Closed Data, IoT, Licensed Data, P D & T); Total Visitors by day, 14/09/16 to 16/12/16
      • 3892 total visitors; 1950 total first-time visitors; 1504 total receipts (PDRs) sent
      • Would you like all services you signed up for to send you a PDR? Yes 80%, No 20%
      • Would you consider implementing something similar within your company? Yes 80%
      • *figures taken cumulative since 13/09/16
  11. GDPR compliance
      • Article 12-14, Information notice
        • Use of icons and simple text to explain: what, how and for what purpose
        • (could be extended to target different demographic groups)
      • Article 4 and 7, Consent
        • Provides a record for both individual and organization
        • Includes data collected under consent
        • (currently only in human-readable format; could be extended with link to remove consent)
      • Article 17-19, Data erasure and portability
        • Provides link to contact Data Controller
        • (could be extended with link to automatically trigger data erasure or portability; but needs strong identity and identification, Article 29 WP)
  12. Next steps
      • Report to be released soon
      • Commercial
        • Promote adoption
          • Organizations collecting personal data and needing GDPR compliance
          • SMEs providing personal data management solutions (e.g., e-wallets)
      • Technical
        • Understand requirements, formulate and test assumptions, deliver technology to:
          • Provide additional functionalities
          • Simplify adoption (process vs toolkit)
          • Increase scalability (e.g. PDR as a service)
          • Foster interoperability (standardized human and machine readable format)
  13. BSI PAS 4891 – Privacy Labels
      • Recommendation on how organizations communicate how they use customers' personal data online
      • Define the categories of information
      • Provide an initial icons mockup
      • Can be used in layered privacy policies (and PDRs)
  14. THANK YOU!
      • #DigiCatapult
      • info@digicatapult.org.uk
      • 0300 1233 101
      • Digital Catapult: digicatapult.org.uk, /DigitalCatapult, @DigitalCatapult
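
Slides 7 and 8 list pseudonyms, a versioned audit trail, first-visit-only sending and a random delay without giving a mechanism. The Python sketch below is an added example, not Digital Catapult's code, showing one way to obtain those properties with keyed HMAC pseudonyms and a hash-chained log. The keys, field names and one-hour delay bound are assumptions; HMAC gives integrity and authenticity to key holders only, so non-repudiation would need asymmetric signatures and confidentiality would need encryption on top.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys (assumption): real keys would live in a key store.
PSEUDONYM_KEY = b"demo-pseudonym-key"
AUDIT_KEY = b"demo-audit-key"
GENESIS = "0" * 64


def pseudonym(user_id: str) -> str:
    """Stable per-user token; cannot be mapped back to user_id without the key."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def _tag(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def record_pdr(trail: list, user_id: str, pdr_version: str, sent_at: str):
    """Log a PDR on the first visit only; return the entry, or None if already sent."""
    p = pseudonym(user_id)
    if any(e["pseudonym"] == p for e in trail):
        return None
    body = {"pseudonym": p, "pdr_version": pdr_version, "sent_at": sent_at,
            "prev": trail[-1]["tag"] if trail else GENESIS}
    entry = dict(body, tag=_tag(body))
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> int:
    """Return the index of the first altered or out-of-place entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if entry["prev"] != prev or not hmac.compare_digest(_tag(body), entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def send_delay_seconds(max_delay: int = 3600) -> int:
    """Random delay before sending, so send time does not track visit time."""
    return secrets.randbelow(max_delay + 1)
```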
