Ichec dig strat gdpr

Digital Business & GDPR
Jacques Folon
Partner
Edge Consulting
Maître de conférences
Université de Liège
Professeur
ICHEC
Professeur invité
Université de Lorraine (Metz)
Visiting professor
ESC Rennes School of Business

https://gdprfolder.eu
© 2018 GDPRFOLDER.EU SPRL All Rights Reserved.
Every company & self employed is concerned
SM
E
Self employed
Non profit
Private sector
Public
sector

https://gdprfolder.eu
© 2018 GDPRFOLDER.EU SPRL All Rights Reserved.
employees Prospects
ContactsUsers & clients
Which Data ?

http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg

privacy ?????
6
http://www.fieldhousemedia.net/wp-content/uploads/2013/03/fb-privacy.jpg

Average number of Facebook
« friends » in France: 177 in 2018
30

PRIVACYVS SOCIAL
NETWORKS
https://encrypted-tbn2.gstatic.com/images?q=tbn:ANd9GcQgeY4ij8U4o1eCuVJ8Hh3NlI3RAgL9LjongyCJFshI5nLRZQZ5Bg

4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the ﬁrst place.
Eric Schmidt

14SOURCE: http://mattmckeon.com/facebook-privacy/

1
Privacy statement confusion
• 53% of consumers consider that a privacy statement
means that data will never be sell or give
• 43% only have read a privacy statement
• 45% only use different email addresses
• 33% changed passwords regularly
• 71% decide not to register or purchase due to a
request of unneeded information
• 41% provide fake info
112
Source: TRUSTe survey

24
http://1.bp.blogspot.com/-NqwjuQRm3Co/UCauELKozrI/AAAAAAAACuQ/MoBpRZVrZj4/s1600/Party-Raccoon-Get-Friends-Drunk-Upload-Facebook.jpg

The person who took the photo
is a real friend
25
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg

http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def
Antonio Casili
• Importance of T&C
• Everybody speaks
• mutual surveillance
• Lateral surveillance

geolocalisation
http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png

Interactions controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

Interactions NOT controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

Codes of conducts and certifications
!44

!54
A.CONTEXT
B.SOME DEFINITIONS
C.THE PRINCIPLES
D.GDPR CONSEQUENCES
E.METHODOLOGY

IN 3 WORDS
!56
• GDPR IS A "REGULATION" ><
"DIRECTIVE"
• WORLDWIDE INFLUENCE
• CONSEQUENCES FOR COMPANIES
AND PUBLIC SECTOR

!57
MAY 2018
ENTRY INTO FORCE MAY
25,2018
DISCUSSED SINCE 2014
VOTED IN 2016
RISKS
PENALTIES
4% ANNUAL TO
20 M €
COMPENSATION IN COURT
REPUTATION
IMPACT
CONTRACT
PROCESSES
MARKETING
ORGANISATION

PERSONAL DATA
!59
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can
be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;

PROCESSING
!60
‘processing’ means any operation or set of
operations which is performed on personal data or
on sets of personal data, whether or not by
automated means, such as collection, recording,
organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making
available, alignment or combination, restriction,
erasure or destruction;

CONTROLLER
!61
controller’ means the natural or legal person, public
authority, agency or other body which, alone or
jointly with others, determines the purposes and
means of the processing of personal data; where the
purposes and means of such processing are
determined by Union or Member State law, the
controller or the specific criteria for its nomination
may be provided for by Union or Member State
law;

processor or sub-contractor
!62
processor means a natural or legal
person, public authority, agency or other
body which processes personal data on
behalf of the controller

Sub-contractor
129
The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing
to be carried out, and must ensure compliance with those
measures

64
The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State in
which the processor is established, shall also be incumbent on the
processor

data breach
!65
personal data breach’ means a breach of
security leading to the accidental or
unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to,
personal data transmitted, stored or
otherwise processed

C : 12 MAIN PRINCIPLES OF GDPR
!66
1. Accountability
2. Consumer / citizen rights
3. Privacy by design
4. Information security
5. Data breach
6. Penalties
7. identity access management
8. lawfulness for processing
9. Register
10.Risk analysis and PIA
11.Training
12.Data privacy officer

PRIVACY POLICY OR REGULATION OR …

2/ Consumer/citizen's right
!72
TRANSPARENCY
SENSITIVE INFORMATIONS
INFORMATION COLLECTED
RIGHT OF ACCESS
RIGHT TO RECTIFICATION
RIGHT TO ERASE
RIGHT OF PROCESSING LIMITATION
PORTABILITY
RIGHT OF OPPOSITION TO PROFILING

Right to be forgotten
• On 13.05.2014 the European Union Court of
Justice backed a ruling called “the right to be
forgotten,” which allows individuals to control
their data and ask search engines, such as Google,
to remove inadequate personal results from the
Internet.
• However, the decision cannot be interpreted as a
“victory” for the protection of the personal data
of Europeans, according to privacy experts.

• In 2010 a Spanish citizen lodged a complaint against a Spanish
newspaper with the national Data Protection Agency and
against Google Spain and Google Inc.
• The citizen complained that an auction notice of his
repossessed home on Google’s search results infringed his
privacy rights because the proceedings concerning him had
been fully resolved for a number of years and hence the
reference to these was entirely irrelevant.
• He requested, ﬁrst, that the newspaper be required either to
remove or alter the pages in question so that the personal
data relating to him no longer appeared;
• and second, that Google Spain or Google Inc. be required to
remove the personal data

• In its ruling of 13 May 2014 the EU Court said :
• a)On the territoriality of EU rules: Even if the physical server of a
company processing data islocated outside Europe, EU rules apply
to search engine operators if they have a branch or a sub sidiary in
a Member State which promotes the selling of advertising space
offered by the search engine;
• b)On the applicability of EU data protection rules to a search
engine : Search engines are controllers of personal data. Google can
therefore not escape its responsibilities before European lawwhen
handling personal data by saying it is a search engine. EU data
protection law applies and so does the right to be forgotten.
• c) On the “Right to be Forgotten” : Individuals have the right -
under certain conditions - to ask search engines to remove links
with personal information about them.This applies where the
information is inaccurate, inadequate, irrelevant or excessive for the
purposes of the data

• At the same time, the Court explicitly clariﬁed
that the right to be forgotten is not absolute but
will always need to be balanced against other
fundamental rights, such as the freedom of
expression and of the media

• Right to erasure (future rules?)
• 1.The data subject shall have the right to obtain from the
controller the erasure of personal data relating to them and the
abstention from further dissemination of such data, and to
obtain from third parties the erasure of any links to, or copy or
replication of that data, where one of the following grounds
applies:
• (a) the data are no longer necessary in relation to the purposes
for which they were collected or otherwise processed
• (b) the data subject withdraws consent on which the processing
is based according
• (c) when the storage period consented to has expired and
where there is no other legal ground for the processing of the
data

Look at the entire data lifecycle

2.STORE
• SECURITY
• ENCRYPTION
• AUTHENTICATION
• AVAILABILITY
• CONFIDENTIALITY
• IAM

SECURITY
SOURCE DE L’IMAGE: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-
security-2/

Source : https://www.britestream.com/difference.html.

Control by the employer
161SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/

Employees share (too) many
information and also with third parties

Where do one steal data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars

DATA PRIVACY & THE EMPLOYER
45http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg

SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/

May the employer control everything?

Could my employer
open my emails?
169

Employer’s control
177
http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux

86
SECURITY IS A LEGAL OBLIGATION

7/ IDENTITY ACCESS MANAGEMENT
!129

8/ LAWFULNESS OF PROCESSING
!130
CONSENT MUST BE EXPLICIT

131
'the data subject's consent' shall
mean any freely given specific
and informed indication of his
wishes by which the data subject
signifies his agreement to
personal data relating to him
being processed

134
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. Further
processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States
shall lay down appropriate safeguards for personal data stored for
longer periods for historical, statistical or scientific use.

135
Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation
to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of
the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed

136
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life

125
Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected
with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject

9/ RECORD OF PROCESSING ACTIVITIES
!142
RECORD

10/ RISK ANALYSIS AND PIA
!143

METHODOLOGY
!149
1. PRELIMINARY AUDIT
2. RISK ANALYSIS
3. LIST OF SERVICES
4. RECORD OF PROCESSING ACTIVITIES
5. ACTION PLAN
6. SERACH FOR COMPLIANCE
7. SOLUTION FOR NON COMPLIANCE
8. CONTINUOUS PROCESSES
9. TRAINING
Préparation
Implémentation
Pérennisation

154
Source de l’image : http://ediscoverytimes.com/?p=46

RISKS
SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html

Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend 
Chief Information Security Officer Kansas State University

The new head of MI6 has been left
exposed by a major personal security
breach after his wife published
intimate photographs and family
details on the Facebook website.
Sir John Sawers is due to take over
as chief of the Secret Intelligence
Service in November, putting him in
charge of all Britain's spying
operations abroad.
But his wife's entries on the social
networking site have exposed
potentially compromising details
about where they live and work, who
their friends are and where they
spend their holidays.
http://www.dailymail.co.uk

Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password

Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware

Phishing
Sources/ Luc Pooters, Triforensic, 2011

Social engineering
Sources/ Luc Pooters, Triforensic, 2011

Take my stuff,
please!

3rd Party
Applications
•Games, quizzes, cutesie stuﬀ
•Untested by Facebook – anyone
can write one
•No Terms and CondiVons – you
either allow or you don’t
•InstallaVon gives the developers
rights to look at your proﬁle and
overrides your privacy seYngs!

RFID & internet of things
188
http://www.ibmbigdatahub.com/sites/default/files/public_images/IoT.jpg

87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin

Ichec dig strat gdpr

More Related Content

What's hot

Similar to Ichec dig strat gdpr

More from Prof. Jacques Folon (Ph.D)

Recently uploaded

Ichec dig strat gdpr