
Customers in the cloud pulse final



  1. The Customer and the Cloud: Protecting Customer Privacy With Your SaaS Solution. Blair Reeves – IBM Digital Analytics; Aurélie Pols – Mind Your Privacy. © 2014 IBM Corporation
  2. Today's Speakers: Aurélie Pols, Chief Visionary Officer, Mind Your Privacy (@AureliePols); Blair Reeves, Product Manager, IBM Digital Analytics (@BlairReeves). @IBMEMM
  3. Please note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
  4. Privacy in Context: IBM Customer Experience Suite (content management)
  5. Balancing Measurement Needs with Privacy: Existing Private Sector Privacy Laws; Emerging Private Sector Privacy Laws
  6. Expectations: no legislation, promised! Source:
  7. My kids in the cloud, perfectly load balanced
  8. Confessions of an EU digital analyst (& Privacy geek)
     • Grew up in the Netherlands, Dutch passport
     • French mother tongue
     • Most of my friends are bilingual at least
     • Have Polish & Russian origins
     • Set up my 1st start-up in Belgium in 2003
     • Sold it to Digitas LBi (Publicis) in 2008
     • Moved to Spain in 2009
     • Created 2 other start-ups in Spain in 2012
       – Mind Your Group, Putting Your Data to Work
       – Mind Your Privacy, Data Science Protected
       – Yes, a "law firm", but we prefer to say a bunch of Data Scientists working with a bunch of lawyers
  9. European specificities vs. global Privacy
  10. Privacy, a fundamental right in the EU
     • European Convention of Human Rights (1953)
       – Section I, Rights & Freedoms, Article 8: Right to respect for private and family life
         1. Everyone has the right to respect for his private and family life, his home and his correspondence.
         2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
       Note the national security reference, we'll get back to it!
     • US: Samuel Warren and Louis Brandeis talk "the right to be left alone" in Harvard Law Review in 1890!
  11. Privacy, a Human Right? Global level
     • The Right to Privacy in the Digital Age
     • Draft resolution, crafted by Germany & Brazil
     • Adopted without a vote, December 18th 2013
     • Next steps: UN High Commissioner Navi Pillay to submit a report on the protection & promotion of the right to Privacy in the context of domestic & extraterritorial surveillance and/or interception of digital communications & the collection of personal data, August 25th 2014
     Source:
  12. The Rule of Law is the basis for Democracy
     • US & UK: Common Law
       – Class actions
       – Privacy
       – Business focused
       – Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …
       – PII varies per state
     • EU: Continental Law
       – Fines (by DPAs: Data Protection Agencies)
       – Personal Data Protection
       – Citizen focused: data belongs to the visitor/prospect/consumer/citizen
       – Over-arching EU Directives & Regulations
     • APEC: Continental law influenced
     • Risk levels: low, medium (profiling), high (sensitive data), extremely high (profiling with sensitive data)
  13. PII list of variables & US states I
     I. Personal Information (based on the definition commonly used by most states)
       i. Name, such as full name, maiden name, mother's maiden name, or alias
       ii. Personal identification number, such as social security number (SSN), passport number, driver's license number, account and credit card number
       iii. Address information, such as street address or email address
       iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
       v. Telephone numbers, including mobile, business, and personal numbers
       Information identifying personally owned property, such as vehicle registration number or title number and related information
     Source: information based on current ongoing analysis (partial results)
  14. PII list of variables & US states II Medical information as PII Financial information as PII California Alaska North Carolina Arkansas Iowa North Dakota Missouri Kansas Oregon New Hampshire Massachusetts South Carolina North Dakota Missouri Vermont Texas Nevada Wisconsin Virginia New York* Wyoming Passwords information as PII Biometric information as PII Georgia Iowa Maine Nebraska Nebraska North Carolina Wisconsin Source: information based on current ongoing analysis (partial results)
  15. PII vs. Risk levels [figure: PII risk levels Low, Medium (profiling), High (sensitive), Extremely high (profiling of sensitive data); labels: Data type, Information Security Measures]
  16. Fines?
     • Spain: responsible for 80% of data protection fines in the EU
     Source: http://www.mindyourpriva
  17. Total Privacy fines, penalties & settlements worldwide: just 6 weeks into 2014, the world total in Privacy damages has already reached half the level of last year's record: $74 million. Source: acy_fines?taxonomyId=84&pageNumber=3
  18. Data ownership? Dutch mobile, more B2B
     • KPN is a Dutch Telco
     • Operations are in the Netherlands, Belgium & Germany
     • Brands: Hi, Simyo, Telfort & KPN, XS4ALL, EPlus & Base (sold to Telefonica)
  19. What are we working on in Europe?
     • Exists today
       – EU Data Protection Directive (95/46/EC)
       – ePrivacy Directive 2002/58/EC (as revised by 2009/136/EC)
     • Coming up: #EUDataP
     Source: www.iabeurope.eu/files/8813/7882/1681/IAB_Tuesday_Webinar_Data_Protection_FINAL.pdf
  20. Consolidating: from national DPAs to WP29
     • Each country has its own Data Protection Agency (DPA)
       – The French CNIL, the UK ICO, the Spanish AGPD, the 16 German Länder, the Italians, the Dutch, …
       – And they all work differently, with different budgets and different rules
     • The Article 29 Data Protection Working Party
       – Gives recommendations
       – Has no effective power but everybody listens: "an independent European advisory body on data protection and privacy"
       – Opinion 05/2012 on Cloud Computing, adopted July 1st 2012 (p 20: Guidelines for clients & providers of cloud computing services)
       – Influences the current debate about the upcoming Personal Data Protection Regulation (horizon 2016)
  21. The Cloud
  22. #EUDataP related to Cloud
     • Article 4.3 of the EU Personal Data Protection Regulation distinguishes between:
       – Service in the cloud
       – Storage in the cloud
     • Recurrent question: does it apply to back-ups?
       – Yes, this has been explicitly specified in the Regulation, following the WP29's 2012 recommendation
     • Types of cloud computing:
       – Private, Public, Hybrid, Community
     • Service types: IaaS, PaaS, SaaS
  23. Legal status of participants: controller vs. processor
     • The customer as data controller
       – Determines whether to choose cloud computing (total or partial)
       – Determines the type of cloud computing (especially regarding International Data Transfers)
       – Determines the cloud computing service types
     • Responsible for the processing of personal data
       – This cannot be delegated
     • The Cloud Certified Professional (CCP) as data processor
       – IBM data centers ISO-27001 & SSAE-16 certified + ITCS104 IBM security policy
     • Consequences of the participants' legal status:
       – Applicable law: national law of controller/customer
       – Except national security
  24. Source:
  25. Shared accountability. Source: 54dfaa644b1fe589e4462b6f2a20b7.jpeg?itok=OIAVYOR1
  26. Typical personal data misconceptions, very often present in technology companies
       – We do not identify the user while using the data, so we have no issues with Privacy law
       – We only use the serial # of the user's device, so the data is anonymous and we have no issues with Privacy laws
       – We encrypt the data so we are no longer using/sending/receiving personal data
       – We use hashes to replace all serial #, so the data is now anonymous and we have no issues with Privacy laws
       – We anonymize the data, so we are not using personal data
       – We can use the user's data for anything we want, as long as we keep the data to ourselves
       – Look: big name companies are doing the same, so we are ok
     Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
  27. Connected cars? TomTom profiles roads, not people. Slide borrowed from @simonhania from TomTom, IAPP congress Brussels, November 2013
  28. Consent in Telcos, some go for very granular. Slide borrowed from Stephen John Deadman from Vodafone Group Services Limited, IAPP congress Brussels, November 2013
  29. Cloud: So where to start? Suggested line of thought: WP29's Security & Data Protection Goals: Transparency, Intervenability, Availability, Integrity, Portability, Confidentiality, Isolation. Source:
  30. Data protection requirements in the client-provider relationship(s) – WP29
     1. Compliance with basic principles
       – Transparency
       – Purpose specification & limitation => consent, opt-in, opt-out
       – Erasure of data => anonymization, re-qualification
     2. Contractual safeguards of the "controller-processor" relationship
     3. Technical & organizational measures of data protection & data security
       – Isolation (purpose limitation)
       – Availability
       – Intervenability
       – Integrity
       – Portability
       – Confidentiality
       – Accountability
  31. Compliance with basic principles
     • Transparency
       – Who is controller (data collector) & purpose of data collection (what are you using the data for exactly?)
       – This includes sub-contractors
     • Purpose specification & limitation
       – Data collected for specified, explicit and legitimate purposes & not further processed in a way incompatible with those purposes
       – Prior to data collection
       – Consent: opt-in, opt-out, don't ask
     • Erasure of data
       – Legal data retention periods => customer re-qualification (average 30%)
  32. Trust & creepiness
     • Consent is about a reasonable expectation of the use of data
       – There's a fine line between feeling charmed vs. feeling invaded
       – Create win-win situations:
         • Customers give company information
         • Customers get better service/value for money
  33. Information Security Measures: technical & organizational measures of data protection & security
       – Availability:
         • Timely & reliable access to personal data
         • Cloud provider: reasonable measures to cope with risk of disruption
       – Integrity:
         • No malicious or accidental alteration of the data during processing, storage or transmission
       – Confidentiality:
         • Encryption in transit, always, & secure remote connections
       – Isolation:
         • Data storage, memory & networks are often shared => risk!
       – Intervenability:
         • No obstacles to data subject's right to access, rectification, erasure, …
       – Portability
  34. Techno security is just one piece of the puzzle: Technological security, Processes, Resources, Data Collection
  35. Where to start?
  36. Balancing Risks & Benefits in the Cloud
     • Benefits
       – Price
       – Transfer of responsibility?
       – Availability (BYOD, strike, natural disaster, …)
     • Risks
       – Cloud Provider PIA (Privacy Impact Assessment)
       – Security evaluation of your own information
       – Nature of your own data
     Source:
  37. From Compliance to Risk Assessment
     • Achieving 100% compliance is a chimera
       – Compliance is a journey, not a destination
       – Level of required compliance linked to
         • Sector
         • Personal internal management
         • Company risk profile
     • Risk is a moving target
       – Risk of being fined
       – Risk of being breached
       – Brand perception => subjective
  38. Leading global reinsurer example. Note: slides blurred for confidentiality reasons
  39. Metrics & KPIs to follow evolution. Note: slides blurred for confidentiality reasons
  40. Typical set-up example [diagram: International Co; Local subsidiary 1, Local subsidiary 1, Local subsidiary 2, Local subsidiary 3, Local subsidiary 4; Terms & Conditions; Applicable Security Measures???]
  41. What to do? This is your check-list I
     1. Know your information structure (cloud)
       – Can you exactly draw the previous slide?
     2. Cloud inventory (PIA)
       – Provider (& sub-contractors)
       – Location
         • Cloud service HQ
         • Servers
       – Applicable law: our friend Snowden
       – Physical location: earthquakes?
         • Any incidents to report?
         • In-house control access (risk)
         • Terms & Conditions
       – Information Security measures
       – Related to Privacy
  42. What to do? This is your check-list II
     3. Know your Data structure: data inventory (cloud)
       – Do you know which data can be found where?
       – Have you reviewed your information security measures?
       – What happens in case of a breach?
     4. Authorization required?
       – Approval International Data Transfers (IDT)
       – Safe Harbor
       – Binding Corporate Rules (BCR)
       – User consent
  43. MYP Information Security Framework [diagram labels: Organizational Data Security measures; Risk classification Low/medium/high/extreme; Data Lifecycle; Integrity; Availability; Confidentiality; Security; Authentication; Privacy]
  44. Human errors cause most data breaches. Source: http://www.cooldaily ost/data-andsecurity-breaches
  45. Harmonizing Security & Privacy cultures
     • Effective Privacy management depends upon a Risk driven approach that surpasses compliance needs
       – Prepare for legislative changes
       – Recognize that just because something is legal, it doesn't mean it is a good idea
       – Consider how Privacy drives strategic advantage => USP?
     • Skill requirements & interfaces between professionals
       – Identifying intersection and tackling conflict
       – Finding a common language
       – Developing a Privacy culture
     Source: /presentations/file_upload/grc-w07when-worlds-collide-harmonisinggovernance-between-security-andprivacy.pdf
  46. Even the IAB agrees…
  48. Thank you! Learn more: @BlairReeves, @AureliePols, @IBMEMM
  49. Thank you – Q&A
  50. Acknowledgements and Disclaimers
     Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
     The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
     All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
     © Copyright IBM Corporation 2014. All rights reserved.
     • U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
     • Please update paragraph below for the particular product or family brand trademarks you mention such as WebSphere, DB2, Maximo, Clearcase, Lotus, etc.
     • IBM, the IBM logo, [IBM Brand, if trademarked], and [IBM Product, if trademarked] are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at
     • If you have mentioned trademarks that are not from IBM, please update and add the following lines: [Insert any special 3rd party trademark names/attributions here]
     • Other company, product, or service names may be trademarks or service marks of others.