-
1.
Daniel Ayala (@buddhake)
Managing Partner & Founder,
Secratic
How to Build a
Privacy Program
-
2.
© 2019 Secratic LLC.
-
3.
Secratic was built on the premise that a strong bridge between
information security and privacy and the broader company can
help a business not just succeed, but flourish.
Secratic provides strategic security and privacy advisory to
growing companies through the benefit of decades of its global
enterprise experience and helps its clients find the right balance
in concert with the business at hand by acting as their outside
CISO/CPO. By spending ample time getting to know these
companies, Secratic uses that insight to give contextual,
informed guidance on topics such as risk, compliance and
incident response, and ensures that a company's security and
privacy programs properly align with what the business needs
and does.
-
4.
https://maven.secratic.com
-
5.
What is Privacy
The state or condition of being free from being observed or disturbed by other people.
-
6.
Privacy in the News
https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market
https://www.billboard.com/articles/business/legal-and-management/8545568/tiktok-class-action-lawsuit-child-privacy
-
7.
Blockchain + Privacy = Conundrum
-
8.
Blockchain (hand-drawn diagram)
-
9.
Interconnected
-
10.
Blockchain + Privacy = Compliance =
-
11.
Step 1: Look At Yourself in the Mirror
• What are your regulatory requirements?
-
12.
Inside Look: Regulatory Requirements
General Data Protection Regulation (GDPR)
• Increased territorial scope
• Consent
• Breach notification
• Right to Access
• Right to be Forgotten
• Data Portability
• Privacy by Design
• Data Protection Officers
-
14.
https://iapp.org/resources/article/state-comparison-table/
-
15.
Step 1: Look At Yourself in the Mirror
• What are your regulatory requirements?
• What jurisdictions are you operating in?
-
16.
Step 1: Look At Yourself in the Mirror
• What are your regulatory requirements?
• What jurisdictions are you operating in?
• What is your customer culture?
-
17.
The Creepy Line
http://creepyline.com
-
18.
Security & Privacy Utility Balance
-
19.
[Diagram: utility balance between Fully Private / Fully Secure and Fully Open / Fully Collecting; balance point: ???]
Uninformed: What do I pick?
Huge utility, huge data disclosure
-
20.
[Diagram: utility balance between Fully Private / Fully Secure and Fully Open / Fully Collecting]
Now add in transparency
Better informed; still want utility; might make better choices
• It’s clear what is collected
• It’s clear what it is used for
• It’s clear who they share it with
• It’s clear how long they keep it
• It’s presented so that average beings can read it quickly and clearly
-
21.
[Diagram: utility balance between Fully Private / Fully Secure and Fully Open / Fully Collecting]
Now add in transparency and choice!
OMG! I can use w/o sharing everything? I can decide what to share?
• It’s clear what is collected
• It’s clear what it is used for
• It’s clear who they share it with
• It’s clear how long they keep it
• It’s presented so that average beings can read it quickly and clearly
-
22.
[Diagram: utility balance between Fully Private / Fully Secure and Fully Open / Fully Collecting]
Finally, add trust (but verify) and accountability
I can trust because I’ve verified; they do what they say they do; more value, more control
• Data security practices
• Depersonalisation (and even better, aggregation)
• Retention (GET RID OF IT FAST!)
• Use an identity that users care about and protect
-
23.
Trust
-
24.
Step 1: Look At Yourself in the Mirror
• What are your regulatory requirements?
• What jurisdictions are you operating in?
• What is your customer culture?
• What is your company culture?
-
25.
Look Inside: Company Culture
• Which type of company are you?
• Data Slurper?
• Risk Averse?
• Bleeding Edge?
• Fast Follower?
• Data Economy Mandate?
-
26.
Step 1: Look At Yourself in the Mirror
• What are your regulatory requirements?
• What jurisdictions are you operating in?
• What is your customer culture?
• What is your company culture?
• How can you build support for a privacy program?
-
27.
Look Inside: Build Support
• Organisational change management mindset
• Find ways to tie to business value
• Competitive Advantage
• Customer Sentiment/Trust
• Enable Later (Ethical) Data Use
-
28.
Step 2: What Data Do You Have?
• Inventory
• Data Flow
• What is Sensitive?
• How is it Protected?
-
29.
Coexistence
Security / Privacy
-
30.
Step 3: What Do You Do With Your Data?
• How Does Data Move From System to System?
• Who Do You Share It With? Why?
• Who Has Access to It?
• Who Processes It For You?
• Have You Reviewed Their Security & Privacy Controls & Policies?
-
31.
Step 4: Data Governance & Ethics
• Data Use Institutional Review Board (IRB)
• Ethical Boundaries Exercise
• Who Is Responsible - The DPO
• Annual Review (Frequency)
-
32.
Data Use IRB
• Is it ethical?
• How will data use interact with customers?
• How will we use the data?
• What do we really need?
• What are the risks?
• Is the data protected?
• Is it lawful?
• Are we protected?
• What are the unintended consequences?
Legal / Security-Privacy / Marketing / Business Leaders
-
34.
Step 5: Privacy By Design
• Integrate Reviews into Development Lifecycle
• Integrate Reviews into Product Lifecycle
• Tie Into Data Use IRB
-
35.
Remediation Done by Business/Technology
• Privacy by Design (rolls into existing product management planning processes)
• Data Pseudonymisation of individuals in storage, separation of people data
• Data Retention (Define the length of keeping data, and purge accordingly)
[Diagram: Personal data w/ Token ID → Token ID → Usage Records; Demographic Aggregated Data; Purge Data Regularly]
-
36.
Remediation Done by Business/Technology
• Clear, concise disclosure of data collected, processed, used, shared, and consent kept w/ recall
• Cookie acceptance before cookie is dropped and consent w/ recall
-
37.
Remediation Done by Business/Technology
• Request & process for what we know, right to be forgotten, data correction
• Store personal data securely (access control, encryption, deletion)
• Add link to privacy notice to all pages and applications
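The remediation items on slides 35 and 37 fit together as one data model, shown here as an added example (not code from the Secratic deck): personal data is stored once under a random token ID and kept apart from usage records, demographics are released only as aggregates, usage rows are purged on a retention clock, and the data-subject request handlers (what do you know about me, correction, right to be forgotten) operate on that same store. The class and function names, the 90-day retention period and every record are constructed assumptions.

```python
# Added example (not from the Secratic deck): pseudonymised storage keyed by a
# random token ID, personal data separated from usage records, demographic
# aggregation, retention purging, and data-subject request handlers.
# Names, the retention period and all records are constructed assumptions.
import secrets
from collections import Counter
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed retention policy: usage older than this is purged


class PrivacyStore:
    def __init__(self):
        self.identity = {}      # token_id -> {"name", "email"}: the only table with direct identifiers
        self.demographics = {}  # token_id -> age band, used only for aggregate reporting
        self.usage = []         # (token_id, day, event): no names or e-mails in here

    def register(self, name, email, age_band):
        """Create the person's record and return the random token that links the tables."""
        token_id = secrets.token_hex(8)  # unguessable and not derived from the e-mail
        self.identity[token_id] = {"name": name, "email": email}
        self.demographics[token_id] = age_band
        return token_id

    def record_usage(self, token_id, day, event):
        self.usage.append((token_id, day, event))

    def aggregate_demographics(self):
        """Counts per age band; individual rows are never handed out."""
        return dict(Counter(self.demographics.values()))

    def purge_expired(self, today):
        """Retention: drop usage rows older than RETENTION_DAYS and return how many went."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        before = len(self.usage)
        self.usage = [row for row in self.usage if row[1] >= cutoff]
        return before - len(self.usage)

    # --- data-subject request handlers ---
    def access_request(self, token_id):
        """'What do you know about me?': personal data plus the linked usage rows."""
        return {
            "personal": dict(self.identity[token_id]),
            "age_band": self.demographics[token_id],
            "usage": [(day.isoformat(), event) for tok, day, event in self.usage if tok == token_id],
        }

    def correct(self, token_id, field, value):
        """Data correction request for one personal-data field."""
        if field not in self.identity[token_id]:
            raise KeyError(f"no such field: {field}")
        self.identity[token_id][field] = value
        return dict(self.identity[token_id])

    def forget(self, token_id):
        """Right to be forgotten: remove the identity link, the demographic row and the
        usage rows. Dropping only the identity row would leave unlinked but still
        per-person usage behind, which the deck warns is not the same as privacy."""
        self.identity.pop(token_id, None)
        self.demographics.pop(token_id, None)
        self.usage = [row for row in self.usage if row[0] != token_id]
        return token_id not in self.identity

    def usage_mentions(self, value):
        """Check that a direct identifier never leaked into the usage table."""
        return any(value in str(row) for row in self.usage)


def demo():
    """Constructed walkthrough; returns the values worth checking."""
    store = PrivacyStore()
    tok = store.register("Ada", "ada@example.com", "30-39")
    store.register("Bob", "bob@example.com", "30-39")
    store.record_usage(tok, date(2019, 1, 5), "login")
    store.record_usage(tok, date(2019, 6, 1), "export")
    purged = store.purge_expired(date(2019, 6, 15))  # the January row is past 90 days
    report = store.access_request(tok)
    store.correct(tok, "name", "Ada L.")
    forgotten = store.forget(tok)
    return {
        "purged": purged,
        "usage_events": [event for _, event in report["usage"]],
        "bands": store.aggregate_demographics(),
        "email_in_usage": store.usage_mentions("ada@example.com"),
        "forgotten": forgotten,
        "rows_left": len(store.usage),
    }


if __name__ == "__main__":
    print(demo())
```

The token is random rather than a hash of the e-mail, so the usage table cannot be re-identified by anyone who knows the e-mail and the hashing scheme; the only way back to a person is the identity table, which is exactly what access control and encryption on slide 37 are meant to protect.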
-
38.
Step 6: Educate Colleagues
Data Collection
Data Use
-
39.
Step 7: Communicate with Transparency
• Privacy Policy
• Descriptive Privacy Site
• Build Trust & Customer Confidence
• Privacy as a Business Differentiator
• Data Subject Access Requests & Don’t Sell My Info
-
40.
Step 8: Documentation & Such
• Register with Privacy Shield
• Register with DPA in Europe
• Declare Compliance with Any Others?
• Document Data Flows & IRB Outcomes
• Third Party Assessments (Both Security & Privacy)
-
41.
Step 9: Stay Informed
• Privacy Laws & Changes
• Bloomberg Law
• News & Business Impacts
• Privacy Maven (https://maven.secratic.com)
• Lawfare
• Lexology
• Connect with your GC or Outside Counsel
-
42.
The Steps
Look in the mirror
What data do you have?
What do you do with the data?
Data governance and ethics
Privacy by design
Educate colleagues
Communicate to customers
Documentation
Stay Informed
-
43.
In Summary
• Security, privacy and compliance are closer than ever and growing closer
• Privacy is a topic that customers are taking seriously, and it is part of business
• Not only that, robust and transparent privacy can be a business enabler
• The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings around the states
• You don’t have to boil the ocean to get a privacy programme going. Start with your most important data
• Think about the ways that data use can be used for bad, along with how it can be used for good, as those uses are developed.
• Push back on the idea that if some data is good, then more data is better. Use governance to agree on the ethics, legal and security approach. Balance!
• Depersonalization of data alone doesn’t actually keep it private
• Location and biometrics will see increased challenge both in courts of law and courts of public opinion.
• On privacy, be Gretzky: skate to where the puck is going, not where it is now.
• Transparency and leaning into security, privacy and compliance in tech builds trust and reputation.
-
44.
Privacy is dead
It’s still not great,
but getting better
NOT YET
-
45.
The Future of Privacy
Is Interesting
-
46.
Have a moment? Please review this session in the event app.
Thank you for coming!
Nope!
@buddhake
/danielaayala
Clear the myth: Privacy is dead
Good news: It’s not dead yet. EU is driving a new way of thinking
Bad news: Still not great in the USA
Refer to Apple billboard at CES in 2019, apple card marketing
Public & Private – different but same
Plan ahead on the way you architect blockchain solutions.
If personal info is included in the blockchain, you can’t undo it
Integrity and Availability are pretty well taken care of in Blockchain, but what about Confidentiality?
The biggest issues, as in many technology efforts, come down to how the technology is architected and established from the beginning. As Blockchain has permanent (immutable) and perpetual life, if the information stored on the blockchain or the crypto used to protect it is not futureproofed.
GDPR/CCPA also have some very significant conflicts with blockchain: entries can NOT be deleted or amended. No DSAR request can change that. So that means using blockchain for storing personal info is a GDPR nonstarter.
There are some approaches when looking at private blockchains, but the tradeoffs are pretty significant, including lack of transparency, forced control of the copies of the blockchain, and a lot more complex infrastructure subject to error/attack vectors.
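Why a DSAR cannot delete or amend a blockchain entry comes down to the hash linkage, shown here with a minimal hash chain as an added example (not code from the deck): each block commits to the previous block's hash, so removing the blocks that mention a person, or editing one in place, breaks verification of everything after it. The function names and the sample payloads are constructed assumptions; real chains layer consensus, signatures and Merkle trees on top of this same linkage.

```python
# Added example (not from the Secratic deck): a minimal hash chain that shows
# why entries cannot be erased or amended once written. Function names and
# payloads are constructed assumptions.
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" of the first block


def block_hash(prev_hash, payload):
    body = json.dumps(payload, sort_keys=True)  # canonical encoding so hashes are stable
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_block(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})
    return chain


def verify_chain(chain):
    """True only if every block links to its predecessor and hashes correctly."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["payload"]):
            return False
        prev = block["hash"]
    return True


def build_sample_chain():
    """Constructed chain with personal data written directly on-chain (the anti-pattern)."""
    chain = []
    append_block(chain, {"user": "ada@example.com", "action": "signup"})
    append_block(chain, {"user": "bob@example.com", "action": "signup"})
    append_block(chain, {"user": "ada@example.com", "action": "purchase"})
    return chain


def attempt_erasure(chain, email):
    """Simulate a right-to-be-forgotten request by dropping every block that
    mentions the e-mail; returns (remaining blocks, whether the chain still verifies)."""
    pruned = [copy.deepcopy(b) for b in chain if b["payload"].get("user") != email]
    return pruned, verify_chain(pruned)


def attempt_amendment(chain, index, new_payload):
    """Simulate a correction request by editing one block in place."""
    edited = copy.deepcopy(chain)
    edited[index]["payload"] = new_payload
    return edited, verify_chain(edited)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("original verifies:", verify_chain(chain))
    print("after erasure verifies:", attempt_erasure(chain, "ada@example.com")[1])
    print("after amendment verifies:", attempt_amendment(chain, 1, {"user": "redacted"})[1])
```

The only way to make the pruned or edited copy verify again is to recompute every later hash, i.e. rewrite the chain; on a public chain the other copies reject that, and on a private chain it requires exactly the "forced control of the copies" the notes list as a tradeoff.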
So I'll leave you with two concepts that are also part of securing and managing and protecting the privacy of data.