GDPR: threat or opportunity? In May 2018, the European Union’s General Data Protection Regulation (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) (GDPR) will take effect. Companies that do not comply might be fined 20M, or 4% of their annual global turnover, whichever is greater. Despite the evident threat, GDPR is also a huge opportunity to rethink how your business works, and turn that threat into an opportunity. In this talk, we will show how GRAKN.AI (http://grakn.ai/) – a knowledge base – provides everything you need to turn your centralised record of users, as required by GDPR, and use it to provide value to your users. Adding them to a knowledge base, as well as your content or product, can open many new perspectives. =================================== About Samuel Pouyt (https://www.linkedin.com/in/samuel-pouyt/), Web Specialist, European Respiratory Society (https://www.ersnet.org/) Samuel Pouyt (https://www.linkedin.com/in/samuel-pouyt/) is a software architect and full stack developer at the European Respiratory Society (https://www.ersnet.org/) (ERS). His curriculum reflects his interests and curiosity. He started in mechanical automation, then obtained a Master of Arts in English Linguistics, American Literature, Russian and Musicology, while working as a developer. He is currently working on Natural Language Processing solutions and recommendation engines for the ERS while taking care of numerous websites and applications.

1. GDPR: THREAT OR
OPPORTUNITY?
POUYT SAMUEL

2. WHAT ARE WE
SPEAKING
ABOUT?
What is GDPR - some theory
One way of solving it and
turning it into an opportunity
Demo

3. WHAT IS GDPR?
Context
Privacy
Threat
Opportunity

4. CONTEXT
Who I am?
• Not a lawyer...
• Full Stack Dev -
Software Architect
• ERS
01

5. CONTEXT – EUROPEAN RESPIRATORY SOCIETY
127
C o u n t r i e s
25 000
D e l e g a t e s
70
S c i e n t i f i c S e s s i o n s
4000
O r i g i n a l a b s t r a c t s
50
E d u c a t i o n a l s e e s i o n s
180
I n t e r n a t i o n a l e x h i b i t o r s
40 000
M e m b e r s
120 000
N e w s l e t t e r

6. CONTEXT
Who I am?
• Not a lawyer...
• Full Stack Dev -
Software Architect
• ERS
01
General
Data
Protection
Regulation
02
European Law
• But...
03
May 2018
But we are
supposed to know
about it since 2016
04

7. PRIVACY
Not optional
anymore.
By design
By default
01
Demonstrable
• Conception
• Certification
02
Older software
• Documented process
03

8. PRIVACY – DATA SUBJECT
Anything and
everything
Right to access
01

9. ”
“Any information related to a natural person or ‘Data
Subject’, that can be used to directly or indirectly identify
the person. It can be anything from a name, a photo, an
email address, bank details, posts on social networking
websites, medical information, or a computer IP address.
http://www.eugdpr.org/gdpr-faqs.html

10. PRIVACY – DATA SUBJECT
Anything and
everything
Right to access
01
Consent
• Easy to give
• Easy to withdraw
02

11. ”
“ The conditions for consent have been strengthened, and
companies will no longer be able to use long illegible terms and
conditions full of legalese, as the request for consent must be
given in an intelligible and easily accessible form, with the
purpose for data processing attached to that consent. Consent
must be clear and distinguishable from other matters and
provided in an intelligible and easily accessible form, using
clear and plain language. It must be as easy to withdraw
consent as it is to give it
http://www.eugdpr.org/key-changes.html

12. PRIVACY – DATA SUBJECT
Anything and
everything
Right to access
01
Consent
• Easy to give
• Easy to withdraw
02
Right to be
forgotten
03

13. PRIVACY – DATA SUBJECT
Anything and
everything
Right to access
01
Consent
• Easy to give
• Easy to withdraw
02
Right to be
forgotten
03
Data
Portability
• exactitude of data
04

14. PRIVACY – DATA SUBJECT
Anything and
everything
Right to access
01
Consent
• Easy to give
• Easy to withdraw
02
Right to be
forgotten
03
Data
Portability
• exactitude of data
04
Re-
identification
• Read indirect :(
05

15. ”
“
De Montjoye and colleagues examined three months of credit
card transactions for 1.1 million people, all of which had been
scrubbed of any [personally identifiable information]. Still, 90%
of the time he managed to identify individuals in the dataset
using the date and location of just four of their transactions. By
adding knowledge of the price of the transactions, he
increased “reidentification” (the academic term for spotting an
individual in anonymized data) to 94%. Additionally, women
were easier to reidentify than men, and reidentification ability
increased with income of the consumer.
https://hbr.org/2015/02/theres-no-such-thing-as-anonymous-data

16. ”
“ Latanya Sweeney found that 87 percent of the
population in the United States, 216 million of 248
million, could likely be uniquely identified by their five-
digit ZIP code, combined with their gender and date of
birth.
https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/

17. ”
“ ‘pseudonymisation’ means the processing of personal
data in such a manner that the personal data can no
longer be attributed to a specific data subject without
the use of additional information, provided that such
additional information is kept separately and is subject to
technical and organisational measures to ensure that the
personal data are not attributed to an identified or
identifiable natural person; (Art 4.5)
https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-primer-on-anonymization-and-
pseudonymization/

18. ”
“ the controller shall, in order to ascertain whether
processing for another purpose is compatible with the
purpose for which the personal data are initially
collected, take into account, inter alia:
[...]
e) the existence of appropriate safeguards, which may
include encryption or pseudonymisation.(Art 6)
https://iapp.org/news/a/looking-to-comply-with-gdpr-heres-a-primer-on-anonymization-and-
pseudonymization/

19. THREAT
What we know
01

20. ”
“
Under GDPR organizations in breach of GDPR can be fined up
to 4% of annual global turnover or €20 Million (whichever is
greater). This is the maximum fine that can be imposed for the
most serious infringements e.g. not having sufficient customer
consent to process data or violating the core of Privacy by
Design concepts. There is a tiered approach to fines e.g. a
company can be fined 2% for not having their records in order
(article 28), not notifying the supervising authority and data
subject about a breach or not conducting impact assessment.
It is important to note that these rules apply to both controllers
and processors -- meaning 'clouds' will not be exempt from
GDPR enforcement.
http://www.eugdpr.org/key-changes.html

21. THREAT
What we know
• Fines
• When
• The clock is ticking…
01
What we don’t know
• How it will be applied
• How far
• Good will/Due diligence
02

22. THREAT - SUMMARY
Not (only) an IT
problem
01
Expensive
02
Direct and Indirect
03

23. OPPORTUNITY (ONE AMONG MANY)
Data opportunity
• We need to know everything about the
data we hold about a user or data
subject
• Tracking system
01
Mix everything
• Expand the tracking system
• Mix content into it
• Find a way to be GDPR compliant
02

24. GDPR + =

25. GRAKN.AI TO
SOLVE GDPR
What is GRAKN.AI
Architecture
Schema
API and Dashboard
Demo

26. ”
“ THE DATABASE FOR AI
Grakn is a hyper-relational database for knowledge
engineering. Rooted in Knowledge Representation and
Automated Reasoning, Grakn provides the knowledge
base foundation for intelligent/cognitive systems.

27. ARCHITECTURE

28. SCHEMA

29. SCHEMA
property sub entity is-abstract
has value
plays owned
plays demand
plays authorizer
plays exported
plays imported
plays revoker
plays withdrawer;
last-name sub property;
first-name sub property;
email sub property;
match
$a isa property;
$p isa person, has identifier 123456;
(exporter:$x, exported:$a, exported-to:$z);
(owned:$a, owner:$p); get;
address sub property
has value;
city sub address;
zip sub address;
street1 sub address;
street2 sub address;
street3 sub address;

30. SCHEMA
person sub entity
has timestamp
has type
has identifier
plays identified
plays imported
plays importer
plays exported
plays exporter
plays owner;
match
$p isa person;
$e isa email, has value "member@test.com";
($e, $p) isa belongs;
get $p;
match $p isa person has identifier 1;get;

31. SCHEMA – HOW TO EXTEND IT AND BE GDPR COMPLIANT?
anonymous sub entity
has timestamp
plays incognito;

32. SCHEMA – HOW TO EXTEND IT AND BE GDPR COMPLIANT?
anonymous:
V123456
anonymous:
V123457
article: V1 article: V2 article: V3 article: V4 article: V5
topic: V14
topic: V11
topic: V15
topic: V12
topic: V16
topic: V13
topic: V17

33. SCHEMA – AUTHORIZATION
authorization sub entity
has name
has description
has timestamp
has expiration-date
plays needed
plays requisite
plays revoked
plays withdrawn;

34. ONTOLOGY – AUTHORIZATION

35. INFERENCE
define
is-authorized sub rule,
when {
(demand: $a, needed: $b) isa needs;
(requisite: $b, requester: $c ) isa requires;
} then {
(authorizer: $a, authorized: $c) isa authorizes;
};
is-revoked sub rule,
when {
(revoker:$a, revoked:$b) isa revoke;
(requisite:$b, requester: $c) isa requires;
} then {
(withdrawer:$a, withdrawn:$c) isa withdraws;
};

36. API
Return all data from a user
Revoke authorizations for a user
All authorization should be returned for a given system
Are all authorizations available for a given system?
Log what systems (or…) are doing with the user data
It should be documented
Tested and Scalable
Secure / protected
Recommendations/activity/etc.

37. DASHBOARD

38. DEMO TIME
GIT HUB REPO: HTTPS://GITHUB.COM/IDEALLEY/GRAKN-GDPR