This document provides an overview of privacy by design considerations under privacy law, particularly the GDPR. It begins with introductions and an outline of topics to be covered, which include privacy by design fundamentals, key legal considerations, and practical application. Under fundamentals, the document defines privacy by design, its benefits, and the 7 principles of privacy by design. It discusses how privacy by design relates to the information lifecycle. Under legal considerations, it outlines core privacy principles like notice and consent, purpose of use, individual rights, and the approaches of various legal frameworks. For practical application, it discusses privacy and security by design, privacy impact assessments, and provides examples of Google's implementation of notice and consent under the GDPR.
Presentation given on the experience of privacy design labs on the LSEC Belgium GDPR event of 30 November 2017.
Event page: https://www.leadersinsecurity.org/events-old/icalrepeat.detail/2017/11/30/186/-/gdpr-plan-to-be-ready-prepare-to-set-change-to-go-session-3-privacy-impact-assessment-scenario-planning-data-loss-management.html?filter_reset=1
Privacy Design lab page: https://sites.google.com/site/pbd20171106
Example of a privacy design jam by Facebook (Berlin 2017) : https://www.facebook.com/facebookbrussels/videos/1419793831400471/
This document provides an overview of privacy by design principles and considerations under privacy law, particularly the GDPR. It begins with introductions and an outline of topics to be covered. It then discusses the fundamentals of privacy by design, including its definition, benefits, and the 7 core principles. It covers key legal considerations around personal data, notice and consent requirements, purpose limitations, and individual rights. Practical applications are discussed, including privacy impact assessments and implementing privacy and security by design in product and system designs. Examples are provided of Google's privacy notices and consent mechanisms.
Privacy by Design - taking in account the state of the art (James Mulhern)
Establishing transparency and building trust provide an opportunity to develop greater, more meaningful relationships with data subjects, i.e. people, customers, colleagues. In turn this can lead to more effective and valuable services that help transform organisations.
A "Privacy by design" approach can help achieve this, but it doesn't happen by accident and transformation doesn't occur overnight. So a deliberate approach that looks beyond May 2018 and compliance is required.
Presentation to representatives from the technology and Local Government sectors at TechUK, the UK's trade association for the technology industry.
We now have to obey the law and comply with GDPR, ensuring people's data are securely stored, that we track who has access to them, and that if the client requests to review, update or remove their data, we do so in an automated fashion. But are you there yet? Chances are, there's still a long way to go.
In this talk I will address some of the challenges we solved in greenfield projects as well as in old, legacy applications. We introduced "privacy by design" as just another "by design" mantra we already had built into our workflow, and as we worked on the project we applied it everywhere we saw user data (personal or not) being processed. This ensured that all data was handled and treated the same way and allowed the business to reorient themselves again to be creative in approaching their customers.
Privacy by Design as a system design strategy - EIC 2019 (Sagara Gunathunga)
1) Privacy by Design (PbD) is an approach to system design that emphasizes privacy and data protection through the entire lifecycle. The 7 PbD principles include making privacy the default, embedding privacy into design, and keeping systems user-centric and transparent.
2) To apply PbD, personal data should be separated from other business data and stored securely in a separate system. Standard protocols like SAML and OAuth2 should be used to share personal data securely.
3) When designing a personal data repository, transparency, data minimization, and giving users control over their data through a self-care portal are important considerations.
This document provides an overview of key concepts regarding data privacy and security. It discusses the differences between privacy and security, with privacy focusing on data collection and use and security focusing on data protection. Key privacy principles like consent and purpose limitation are explained. The document also summarizes several US privacy laws like the FTC Act, COPPA, and data breach notification laws, as well as some international laws. Best practices around privacy policies, audits, and governance are also covered.
This document discusses privacy by design principles for software development. It outlines key concepts like data subjects, controllers, processors and regulators. The 7 guiding principles of privacy by design are described. Implementation considerations include legal requirements for data transfers, privacy policies, impact assessments and training. Typical privacy issues for mobile/web apps are listed. Examples of implementation include opt-in mechanisms and restricting data access. Working with providers outside the EU poses high risks of non-compliance.
Privacy by Design and by Default + General Data Protection Regulation with Si... (Peter Procházka)
My presentation for SUG Hungary, presented on 26.06.2018, on the topic of Privacy by Design and by Default and the General Data Protection Regulation with Sitecore.
This document summarizes a presentation given on GDPR legislation. The key points are:
- GDPR introduces significant changes to data protection law, including expanded definitions of personal data, new lawful processing categories, increased fines and penalties, and enhanced data subject rights.
- Organizations need to undertake various preparation activities to achieve GDPR compliance, including data discovery, policy reviews, training, and documenting accountability records.
- Specific processes like risk assessments, breach notifications, and respecting data subject rights around access, rectification, objection and erasure must be established. Proper documentation will be critical to demonstrate compliance.
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance (IDERA Software)
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/tLtr50A5b4b
The General Data Protection Regulation (GDPR) is inevitable and goes live in the EU beginning May 25th 2018. It touches all technical and organizational measures as well as the design of internal systems and processes, and affects all companies around the world that have customers in the EU.
Join IDERA and Dr. Sultan Shiffa as he focuses on how data modeling, governance and collaboration help Executives, IT Managers, Architects, DBAs and Developers tackle the key challenges around data protection by design and by default, individual rights to access and erasure, valid consent, data protection roles and accountabilities, data breach notifications, and auditing the records of data processing activities. This session will also explore best practices and examples for how to master those challenges and assess the data protection impact. After this session, you can be prepared to become GDPR compliant ahead of the deadline and beyond.
At the Synopsys Security Event Israel, Ram Levi, Founder & CEO, Konfidas presented on GDPR. For more information, please visit our website at www.synopsys.com/software
25 May 2018, the General Data Protection Regulation (GDPR) deadline, is less than 6 months away.
As attention on the regulation peaks, there is growing concern among organizations affected by it.
We would like to invite you to join our webinar, where we will share our approach and help your organization and your document repository become compliant with GDPR.
During the webinar, our special guests, George Parapadakis (Business Solutions Strategy, Alfresco) and Bart van Bouwel (Managing Partner, CDI-Partners), will provide you with:
- How to implement GDPR in your document repository
- How the Alfresco Digital Business Platform can help your organization to be compliant with GDPR
- Xenit approach: a managed shared drive
- Xenit demonstration
- Top tips to start preparing for the GDPR.
This document summarizes intellectual property (IP) rights and protections for management general agents (MGAs) in the insurance industry. It discusses how MGAs fit within the overall insurance structure and where their key IP resides, including underwriting models, management information, know-how, and customer connections. The document outlines the main IP rights that apply, including rights in confidential information, database rights, copyright, trademarks, and patents. It provides details on ownership and enforcement of these rights, as well as practical precautions MGAs can take to protect their IP.
The document discusses key themes and considerations for organizations regarding employees using personal devices for work. It covers issues around data access, device risks, management risks, and staff awareness. Specific topics examined include corporate and personal liability, digital evidence, monitoring communications, data protection, and implementing appropriate policies to address these issues. The goal is to help businesses balance enabling innovation through new technologies while managing risks.
How cybersecurity changes with the European privacy regulation (Giulio Coraggio)
The European privacy regulation (GDPR) requires adopting a new approach to cyber security because of the risk of sanctions and the applicable regulatory obligations.
Data Property Rights (Rocky Mountain IP and Technology Institute 2013) (May 2... (Jason Haislmaier)
This document discusses data rights and protections in the United States. It notes that while data is increasingly valuable, there is no single comprehensive law protecting it. Instead, protection comes from various areas like copyright, trade secret, contract, and privacy/security laws. The document outlines the limited protections each area provides and how protections are inconsistent based on the type of data. It concludes that as data value increases, understanding these complex and varying protections will be important for transactions and litigation involving data.
The General Data Protection Regulation (GDPR) comes into effect in May 2018 and will apply to all organizations that process personal data. It requires organizations to be accountable, transparent, and protect individuals' rights regarding their personal data. Organizations must have a lawful basis for processing personal data, obtain consent for marketing communications, and provide privacy notices describing how data will be handled. The GDPR also imposes requirements for security policies, data protection officers, impact assessments, and penalties for non-compliance.
This document provides an overview of Polar's approach to complying with the General Data Protection Regulation (GDPR). It discusses Polar's commitment to privacy, what GDPR is, some of the key challenges of implementation, and the processes and reviews Polar has put in place. The director introduces himself and his role at Polar, and then covers key aspects of GDPR including data subject rights, the definitions of controllers and processors, lawful bases for processing, and requirements around consent, documentation, accountability, and security.
Do you know where your sensitive data is? (SPC Adriatics)
This document provides an overview of sensitive data protection in Office 365. It defines sensitive data in terms of the confidentiality, integrity, and availability of information. It notes that sensitive data can exist in many locations, including Office 365 services, and outlines some of the key capabilities for protecting sensitive data, including Data Loss Prevention and eDiscovery. It also presents a business case study of how the Lotus F1 Racing team improved security and mobile collaboration using Office 365's sensitive data protection features.
Using personal devices at work presents risks around data access, device security, and management and policy issues. Key concerns include what corporate data users can access, malware risks, bypassing security protocols, and monitoring employee communications and device use. Organizations should implement clear policies around personal device usage to address legal and regulatory requirements, limit liability, and properly handle electronic evidence, data protection, and information retention.
Mind Your Business: Why Privacy Matters to the Successful Enterprise (Eric Kavanagh)
The Briefing Room with Dr. Robin Bloor and HPE Security
There's no such thing as bad publicity? In the era of data breaches, that's not really true. Time and again in recent years, the mighty have fallen. And as sensitive data reaches the hands of bad guys the world over, so go the fates of customers and companies alike. That's why security is the fastest growing sector of enterprise IT today, with privacy issues front and center.
Register for this episode of The Briefing Room to hear veteran Analyst Dr. Robin Bloor explain why companies need to pay serious attention to the ever-growing importance of privacy, not just security. He'll be briefed by Jay Irwin of Teradata and Carole Murphy of HPE Security, who will demonstrate how their technologies can be combined to create a robust privacy infrastructure that allows organizations to avoid data breaches, or at least keep the data encrypted, thus avoiding the damage of a breach.
The document is a presentation from Winston & Strawn LLP on fundamental intellectual property and privacy issues in M&A transactions. It discusses:
1) Whether intellectual property and privacy should be a concern in deals
2) What to examine during diligence, including patents, trademarks, copyrights, consumer data, and contracts
3) How to negotiate deal terms, such as representations and warranties, definitions, and licensing intellectual property between buyer and seller.
David Burg, Infosecurity.nl, 3 November, Jaarbeurs Utrecht (Infosecurity2010)
This document discusses current cyber threats and challenges. It describes a hypothetical attack scenario carried out by sophisticated attackers over several weeks. The attackers were able to compromise sensitive databases, obtain privileged access, monitor network activity, exfiltrate data, and manipulate financial account values to enable fraudulent transactions. The document calls for organizations to better inventory sensitive data, increase technical monitoring and audits, and ensure cybersecurity has independence and business insight. Public-private partnerships for threat information sharing are also recommended.
The General Data Protection Regulation and the DAMA DMBOK – Tools you can use for Compliance
Abstract: The General Data Protection Regulation will be the law governing data privacy in Europe in 2018. Surveys show that less than 50% of organisations are aware of the changes within the legislation, and even fewer have any plan for achieving compliance. In this session, Daragh O Brien gives a high-level overview of the GDPR and of how the disciplines of the DMBOK can help with compliance.
Notes: DMBOK is an abbreviation for the "Data Management Book of Knowledge" which is published by DAMA International (The Data Management Association)
Peter Kornelisse, Infosecurity.nl, 4 November, Jaarbeurs Utrecht (Infosecurity2010)
The document provides guidance for effectively preparing for and participating in an IT audit. It advises understanding the purpose and phases of the audit. During the audit, be aware of attitudes and perspectives, and understand what maturity levels the auditor expects. Scope is determined based on risks, and compliance is evaluated through fact-finding and issue tracking. Controls are selected based on risks and sensitivity levels. The IT auditor can help improve the IT environment regarding people, processes, and technology.
Privacy experience in Plone and other open source CMS (Interaktiv)
This document discusses privacy experience in open source content management systems (CMS) like Plone. It begins by explaining why privacy matters and providing examples of recent privacy issues. It then discusses different approaches to privacy internationally and how this affects global open source communities. The document proposes universal privacy principles and discusses how privacy can be ensured in open source CMS communities specifically, with suggestions for Plone. It emphasizes a preventative, privacy by design approach.
Presentation on key legal issues regarding use and developments of BOTs, AI - GDPR, Data Protection. Case study BRISbot. Presentation delivered at Epicenter 30 of May 2017 in partnership with BRIS and Microsoft.
EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.
In this Accenture document we explore the implications, challenges and impacts of the General Data Protection Regulation (GDPR) as well as touching on the opportunities this regulation creates for financial services firms. Learn more: https://accntu.re/2uq8ANV
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Qualsys Ltd
This document provides an overview of the EU General Data Protection Regulation (GDPR) which takes effect on May 25, 2018. It discusses the issues with how organizations currently manage data and how GDPR aims to better protect consumer data. Key points include expanded definitions of personal data, increased rights for data subjects, higher fines for non-compliance, and new requirements for consent, transparency, accountability, and breach notification. It outlines four steps businesses need to take, including reviewing policies, establishing a legal basis for processing, demonstrating compliance, and considering appointing a data protection officer.
UX & GDPR - Building Customer Trust with your Digital ExperiencesUser Vision
This briefing was held as part of User Vision's 'Breakfast Briefing' series in Feb 2018. It looks at what GDPR means for businesses and for the UX of digital experiences.
UX & GDPR - Building Customer Trust with your Digital ExperiencesStephen Denning
This briefing was held as part of User Vision's 'Breakfast Briefing' series in Feb 2018. It looks at what GDPR means for businesses and for the UX of digital experiences.
New opportunities and business risks with evolving privacy regulationsUlf Mattsson
In the shadow of the global pandemic and the associated economic downturn, organizations are focused on cost optimization, which often leads to impulsive decisions to deprioritize compliance with all nonrevenue programs.
Regulators have evolved to adapt with the notable increase in data subject complaints and are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine while Equifax agreed to pay a minimum of $575 million for its breach. The US Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories sued over the company’s failure to take “reasonable steps” to secure its sensitive personal data.
Privacy and data protection are enforced by a growing number of regulations around the world and people are actively demanding privacy protection — and legislators are reacting. More than 60 countries have introduced privacy laws in response to citizens’ cry for transparency and control. By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today, according to Gartner. There is a convergence of data privacy principles, standards and regulations on a common set of fundamental principles.
The opportunities to use data are growing exponentially, but so too are the business and financial risks as the number of data protection and privacy regulations grows internationally.
Join this webinar to learn more about:
- Trends in modern privacy regulations
- The impact on organizations to protect and use sensitive data
- Data privacy principles
- The impact of General Data Protection Regulation (GDPR) and data transfer between US and EU
- The evolving CCPA, the new PCI DSS version 4 and new international data privacy laws or regulations
- Data privacy best practices, use cases and how to control sensitive personal data throughout the data life cycle
Data protection & security breakfast briefing master slides 28 june-finalDr. Donald Macfarlane
The document summarizes an IBM breakfast briefing on data protection, security, and regulatory updates. The briefing covered the changing EU General Data Protection Regulations and implications for organizations, including increased fines for noncompliance. It also discussed practical strategies for organizations to build a culture of data protection compliance, including data discovery, classification, retention, and disposal. Speakers included experts from IBM, law firms, and other companies to discuss analytics and best practices to help organizations adhere to new rules and regulations.
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalDr. Donald Macfarlane
The document summarizes an IBM breakfast briefing on data protection, security, and regulatory updates. The briefing covered the changing EU General Data Protection Regulations and implications for organizations, including increased fines for noncompliance. It also discussed privacy rights for individuals, such as the "right to be forgotten" and access to their own data. The briefing addressed how analytics can help adhere to new rules and regulations.
What's Next - General Data Protection Regulation (GDPR) ChangesOgilvy Consulting
The General Data Protection Regulation is the biggest change to the law on data in years. This webinar features Vicky Brown, Deputy General Counsel at WPP, and Paul King, Head of Data at OgilvyOne discussing what it is, why it matters and what companies are doing.
GDPR & the Travel Industry: Practical recommendations for holiday rental ownersSpain-Holiday.com
What is GDPR? As a holiday rental property owner, Airbnb host or holiday rental agent, why does it matter to you?
You don't need to work at a large internet company like Facebook, Google or Amazon to be affected, or responsible for data protection.
As part of the travel & tourism industry, you probably have personal data on your guests such as name and email address at the very least. You may also have highly sensitive data such as financial details, date of birth and passport details.
The introduction of the new privacy regulation called the GENERAL DATA PROTECTION REGULATION, or GDPR, comes into effect from 25th May 2018.
This webinar aims to help you understand what your obligation in how you deal with the data from the customers, the penalties and risks for non-compliance and, most importantly, a step by step roadmap to becoming GDPR compliant as a small business owner in the holiday rental industry.
Alongside tips and practical advice, the webinar will explore the opportunities that the introduction of the new data protection law can have for you in the travel & tourism industry.
The presentation agenda will cover:
Introduction and overview to GDPR
GDPR and the Holiday Rental Industry
GDPR and You - Responsibilities, risks and benefits
Roadmap to GDPR compliance
GDPR applies to all businesses and organisations, big or small, offering products or services to citizens in the EU. Show your customers that you are committed to treating their personal data with respect and consideration by understanding how to become GDPR-ready for 25th May 2018.
This document provides an overview of the General Data Protection Regulation (GDPR) and outlines steps for compliance. It begins with a disclaimer about the information provided. It then lists resources for learning more about the GDPR and its 99 articles and 173 recitals. The rest of the document outlines key aspects of GDPR compliance, including identifying high and critical risk data, privacy notices, individual rights and redress, lawful and fair processing, privacy by design, data security, and data transfers.
General Data Protection Regulations (GDPR): Do you understand it and are you ...Cvent
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
• In mei 2018 wordt de nieuwe Europese privacywetgeving van kracht. De Algemene Verordening Gegevensbescherming is een geheel van regels om de gegevens van Europese burgers beter te beschermen. Deze regelgeving is ook van toepassing op verenigingen. We verwelkomen Karel Holst van het GDPR-experten kantoor IFORI die ons op een toegankelijke wijze wegwijs zal maken in deze complexe materie. Je mag je verwachten aan praktische tips en advies.
I.s.m. de adviesraden en Katrien Dossche.
For more information visit https://www.thesaurus.ie or https://www.brightpay.ie
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 with the aim of protecting all EU citizens from privacy and data breaches in an increasingly data driven world.
Payroll bureaus process large amounts of personal data, not least in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
In this CPD accredited webinar, we will peel back the legislation to outline clearly:
What is GDPR and why is it being implemented?
Why employers need to take it seriously
How it will impact payroll bureaus
How to prepare for GDPR
How we are working to help you
Sangyun Lee, 'Why Korea's Merger Control Occasionally Fails: A Public Choice ...Sangyun Lee
Presentation slides for a session held on June 4, 2024, at Kyoto University. This presentation is based on the presenter’s recent paper, coauthored with Hwang Lee, Professor, Korea University, with the same title, published in the Journal of Business Administration & Law, Volume 34, No. 2 (April 2024). The paper, written in Korean, is available at <https://shorturl.at/GCWcI>.
सुप्रीम कोर्ट ने यह भी माना था कि मजिस्ट्रेट का यह कर्तव्य है कि वह सुनिश्चित करे कि अधिकारी पीएमएलए के तहत निर्धारित प्रक्रिया के साथ-साथ संवैधानिक सुरक्षा उपायों का भी उचित रूप से पालन करें।
Pedal to the Court Understanding Your Rights after a Cycling Collision.pdfSunsetWestLegalGroup
The immediate step is an intelligent choice; don’t procrastinate. In the aftermath of the crash, taking care of yourself and taking quick steps can help you protect yourself from significant injuries. Make sure that you have collected the essential data and information.
Genocide in International Criminal Law.pptxMasoudZamani13
Excited to share insights from my recent presentation on genocide! 💡 In light of ongoing debates, it's crucial to delve into the nuances of this grave crime.
The Future of Criminal Defense Lawyer in India.pdfveteranlegal
https://veteranlegal.in/defense-lawyer-in-india/ | Criminal defense Lawyer in India has always been a vital aspect of the country's legal system. As defenders of justice, criminal Defense Lawyer play a critical role in ensuring that individuals accused of crimes receive a fair trial and that their constitutional rights are protected. As India evolves socially, economically, and technologically, the role and future of criminal Defense Lawyer are also undergoing significant changes. This comprehensive blog explores the current landscape, challenges, technological advancements, and prospects for criminal Defense Lawyer in India.
Business law for the students of undergraduate level. The presentation contains the summary of all the chapters under the syllabus of State University, Contract Act, Sale of Goods Act, Negotiable Instrument Act, Partnership Act, Limited Liability Act, Consumer Protection Act.
Corporate Governance : Scope and Legal Frameworkdevaki57
CORPORATE GOVERNANCE
MEANING
Corporate Governance refers to the way in which companies are governed and to what purpose. It identifies who has power and accountability, and who makes decisions. It is, in essence, a toolkit that enables management and the board to deal more effectively with the challenges of running a company.
Receivership and liquidation Accounts
Being a Paper Presented at Business Recovery and Insolvency Practitioners Association of Nigeria (BRIPAN) on Friday, August 18, 2023.
2. Who are you?
Austin Chambers
Attorney at Lewis, Bess, Williams & Weese
CIPP/US, CIPP/E, CIPP/C
Data Privacy, Security and Intellectual Property
Practice focused on US and international privacy issues and technology transactions:
GDPR and international privacy;
Privacy Shield certification;
EU-US and other cross-border data transfer agreements;
international and intercompany data licensing;
website and mobile app agreements;
marketing, email and advertising compliance;
information security programs;
data breach response;
software licensing and development.
3. What will we cover?
PbD fundamentals
Key legal considerations
Practical application
4. Part I
Privacy by Design Fundamentals
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
5. What is Privacy by Design?
An approach to systems engineering that accounts for privacy at each stage of the product and information lifecycle.
A system that integrates core privacy considerations into existing project management and risk management methodologies and policies.
Engineering that takes human values into account throughout the system design process.
USER CENTRIC
6. Benefits of Privacy by Design
Key goals: build trust, mitigate risk, and comply with the law.
The UK Information Commissioner's Office describes the benefits as follows: designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
Increased awareness of privacy and data protection across an organisation.
Organisations are more likely to meet their legal obligations and less likely to breach the data protection law.
Actions are less likely to be privacy intrusive and have a negative impact on individuals.
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/
7. 7 Principles of Privacy by Design
Proactive, not reactive; preventative, not remedial
Privacy as default setting
Privacy embedded into design
Full functionality (positive sum, not zero sum)
End-to-end security (full lifecycle protection)
Visibility and Transparency (keep it open)
Respect user privacy (keep it user centric)
https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf
8. Privacy by Design and the Information Lifecycle
PbD is key in various essential phases of the information lifecycle. For example, PbD is essential when:
building new IT systems for storing or accessing personal data;
developing policies or strategies that have privacy implications;
embarking on a data sharing initiative; or
using data for new purposes.
9. Part II
Legal and Practical Considerations
LEGAL FRAMEWORKS AND CONSUMER EXPECTATIONS
11. Core Principles: PII & Personal Data
"PII" (US) – a person's first or last name in combination with another piece of identifying information, such as an address, driver's license number, etc.
"personal data" (EU) – any information relating to an identified or identifiable natural person (GDPR Art. 4(1)). This is much broader than PII: an identification number, location data or an online identifier such as a cookie or device ID is enough.
"sensitive information" (US) – Social Security numbers, protected health information, payment card numbers, financial account data.
"sensitive information" (EU, the "special categories" of GDPR Art. 9) – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation.
BUT most laws exclude publicly available information, at least to some degree (the exclusion is narrower under Canadian and EU law).
12. Core Principles: PII & Personal Data
Definitions of covered data, from broadest to narrowest:
Any information relating to an identified or identifiable person
Identifying information relating to a private individual
Unencrypted identifying information relating to a private individual
Sensitive information, OR two or more linked elements of identifying information
13. Core Principles: Overview
Notice + Consent: at primary collection; legitimizes collection and disclosure; establishes the purpose of use; must be non-deceptive.
Purpose of Use: legitimate basis / unanticipated uses; unauthorized disclosures; automated decision-making; contractual limits (price discrimination); statutory limits (discrimination against a protected class).
Individual rights: access; modification; choice; retention/deletion.
Security/Risk Mitigation Measures: administrative; procedural; technical; systems design; use of crypto; anonymization.
14. Core Principles: Notice + Consent
Consent is the cornerstone of privacy law:
US law (FTC Act §5)
PIPEDA (Canada)
GDPR (EU)
Data rights are established with notice by the first party plus user consent.
Notice must describe use, collection, sharing, and choices.
Laws, contracts and standards may require a specific degree of consent.
15. Core Principles: Notice + Consent
What is consent? A spectrum, from weakest to strongest:
Notice + use – consumers must be notified of analytics in the privacy policy, but continued use = agreement.
Implied opt-in – an implied right to collect/use for business reasons.
Notice + opt out – to use email to send a newsletter, you must give an opt-out choice.
Notice + opt in – to collect geolocation, users must actively choose to allow it.
16. Core Principles: Notice + Consent
GDPR Art. 13 – Notice
Must provide notice of (among other items, such as the controller's identity, the retention period and the data subject's rights):
Categories of data collected
The purposes of the processing
The legal basis for processing (and, where that basis is legitimate interests, what those interests are)
The recipients or categories of recipients of the data
International transfers and the basis/safeguards relied on
Any automated decision-making or profiling, plus the logic involved and the significance and consequences for the individual
Additional notice obligations (Art. 14) if the data was obtained from a third party rather than from the individual.
Art. 12 and the Art. 29 Working Party transparency guidance require improvements in how notice is given:
plain language
"layered" notice
"just in time" disclosures
standardized icons
17. Core Principles: Notice + Consent
GDPR Art. 6-7
Consent is one of six lawful bases (Art. 6(1)), not a default with exceptions; the others are:
contractual necessity,
compliance with a legal obligation,
vital interests (emergencies),
public task,
legitimate interests (balanced against the individual's rights).
If you rely on consent, it must be (Art. 4(11) and Art. 7):
informed
freely given
"unambiguous" (a clear affirmative act; "explicit" for special categories under Art. 9)
revocable at any time, and as easy to withdraw as it was to give
PIPEDA – Principle 3
Notice and consent is the "cornerstone" of Canadian privacy law.
Prior express consent is preferred, but the appropriate form varies with the sensitivity of the information and reasonable expectations.
Must set out purposes.
Consent is only valid if it is reasonable to expect the individual would understand the purpose and means.
Consent is not required if the use/disclosure is one a "reasonable person would find appropriate in the circumstances".
Balance! Think about users.
18. Core Principles: Notice + Consent
Section 5 – FTC
Companies are encouraged to take a "privacy by design" approach.
Say what you do, do what you say! (A notice that misdescribes actual practice is a deceptive act under §5.)
The FTC focuses more on a "harm" model, similar to 'reasonable expectations'.
Certain "commonly accepted" practices don't require consent (fulfillment, compliance, fraud prevention, first-party marketing).
For others, the FTC requires "informed, meaningful choices".
Notice and choice should be provided in the context of the decision to agree, and be concise and understandable.
The FTC encourages improving privacy notices. See "Protecting Consumer Privacy in an Era of Rapid Change" (FTC, 2012).
ePrivacy Regulation
Users have rights under the ePrivacy rules for online communications. (At the time of this presentation the ePrivacy Regulation was still a Commission proposal; the rules actually in force are the ePrivacy Directive 2002/58/EC as amended in 2009, implemented in national law.)
Right not to be subject to solely automated decision-making under GDPR Art. 22.
Opt-in consent is required for behavioral advertising and analytics:
cookies
online ads
Facebook pixels
Must be obtained prior to collection!
Must provide a real choice (does the system support it?)
A UX and documentation challenge.
19. Core Principles: Purpose of Use
The purposes for which you may process information are generally limited.
The scope of notice and consent sets limits on the right to share and use.
PIPEDA, for example, requires that use/disclosure be limited to what is "appropriate in the circumstances".
Consent is generally required for uses beyond predictable/transactional use, such as:
augmentation/profiling
marketing
advertising/behavioral analytics
new, undisclosed uses
Consent is required to disclose data if the disclosure is not an obvious part of the initial transaction, e.g. to:
service providers
marketers
partners & co-owners
a buyer on sale of the business
20. Core Principles: Purpose of Use
GDPR Art. 5 – Processing Principles
Personal data must be processed:
lawfully, fairly and transparently
for specific, explicit, and legitimate purposes (purpose limitation)
adequate, relevant, and limited to the purpose ("proportionate"; data minimization is key)
accurately
stored for a limited time (storage limitation)
securely (integrity and confidentiality)
and the controller must be able to demonstrate all of the above (accountability, Art. 5(2)).
PIPEDA
Principles of PIPEDA:
Identification of purpose (Principle 2): identify, document, and notify of changes.
Limiting collection (Principle 4): collect only what is necessary for the purpose.
Limiting use, disclosure and retention (Principle 5): don't disclose/use in ways not expected; don't retain data forever.
21. Core Principles: Individual Rights
Personal data is about people, and they often retain rights in that data.
Access
PIPEDA Principle 9: must provide all personal data held, account for disclosures, and demonstrate compliance with consent. 30 days!
No general access right exists in US law as of this presentation, though it is recommended (sector-specific laws such as HIPAA and FCRA give access to particular records).
Retention
Organization, consumer optics, storage cost
Liability & litigation
Cost of processing and analytics
Destruction
Data must be securely destroyed/wiped.
22. Core Principles: Individual Rights
GDPR Art. 15-22: the individual's rights with respect to processing
Access (right to know all the information required under the notice, plus a copy of the data)
Rectification (correct inaccuracies)
Erasure (RTBF: if the data is no longer needed, consent is withdrawn, the processing is unlawful, or the individual's objection overrides)
Restriction of processing (while accuracy is contested, the processing is unlawful, the data is no longer needed, or an objection is pending)
Portability (NEW! If processing is based on consent or contract AND carried out by automated means, the right to receive the data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.)
Object (to direct marketing at any time; to other processing based on legitimate interests unless compelling overriding grounds are shown)
Not to be subject to "solely automated decision-making with significant legal effects" (Art. 22) unless necessary for a contract, authorised by law, or based on explicit consent
24. Application: Privacy by Design
Article 25: Data Protection by Design and by Default (and Article 32: Security of Processing)
Taking into account the state of the art, the cost of implementation, and the nature, scope, context, purposes and risks of processing, the controller must implement appropriate technical and organisational measures, and by default process only the data each specific purpose needs.
Privacy measures to consider:
Anonymization (truly anonymous data is outside the GDPR, Recital 26; pseudonymized data is not)
Pseudonymization (Art. 4(5): data that can no longer be attributed to a person without additional information that is kept separately and protected)
Data minimization
Security measures to consider:
Confidentiality & encryption (at rest, in transit)
Access (least privilege, need to know)
Update and vulnerability management
Balancing security and usability
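An added example (not code from the presentation) of the pseudonymization and data-minimization measures just listed, in Python. It assumes a hypothetical purpose, per-user engagement counts for product analytics, and constructed sample events using documentation address ranges; the names RAW_EVENTS, pseudonymize, truncate_ip, minimize_event, engagement_counts and guess_attack are chosen here and are not prescribed by the GDPR or any vendor. It shows why a keyed HMAC rather than a bare hash is the right primitive for pseudonymization, why the result is still personal data for whoever holds the key, and how dropping fields at ingestion implements minimization by default.

```python
"""Pseudonymization and data minimization for an analytics pipeline.

Added example, not from the presentation. Assumes a hypothetical purpose
(per-user engagement counts) where analysts must not see raw emails or IPs.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter
from typing import List, Optional, Set

# Constructed sample events (fictional addresses from documentation ranges).
RAW_EVENTS = [
    {"email": "Alice@example.com", "ip": "203.0.113.45", "page": "/pricing",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
    {"email": "alice@example.com", "ip": "203.0.113.45", "page": "/signup",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
    {"email": "bob@example.org", "ip": "2001:db8::1234", "page": "/pricing",
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/605.1"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    A plain SHA-256 of an email is reversible by anyone who can guess the
    input (hash the guess, compare). With a secret key held only by the
    controller, outsiders cannot confirm guesses, yet records for the same
    person still link together. The token is still personal data under
    GDPR Art. 4(5) because the key holder can re-identify it.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Data minimization: keep only the network prefix (/24 IPv4, /48 IPv6).

    Irreversible, so the stored value is coarser than what was collected:
    enough for coarse geography, not for identifying a host.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def minimize_event(event: dict, key: bytes) -> dict:
    """Keep only what the stated purpose needs; drop the rest at ingestion."""
    return {
        "user_token": pseudonymize(event["email"], key),
        "ip_prefix": truncate_ip(event["ip"]),
        "page": event["page"],
        # user_agent is dropped: not needed for engagement counts, and a
        # fingerprinting vector if retained alongside the other fields.
    }


def engagement_counts(events: List[dict], key: bytes) -> Counter:
    """Events per pseudonymous user, computed only on minimized records."""
    return Counter(minimize_event(e, key)["user_token"] for e in events)


def guess_attack(tokens: Set[str], candidates: List[str],
                 key: Optional[bytes] = None) -> Set[str]:
    """Simulate an attacker holding a candidate email list and the tokens.

    With the key (e.g. a compromised insider) every present candidate is
    recovered. Without it the attacker can only try unkeyed hashes, which
    never match HMAC tokens.
    """
    recovered = set()
    for candidate in candidates:
        canonical = candidate.strip().lower().encode("utf-8")
        if key is not None:
            token = hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]
        else:
            token = hashlib.sha256(canonical).hexdigest()[:32]
        if token in tokens:
            recovered.add(candidate)
    return recovered


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # keep in a KMS/HSM, never beside the data
    for event in RAW_EVENTS:
        print(minimize_event(event, key))
    print(engagement_counts(RAW_EVENTS, key))
```

The key is the "additional information kept separately" that Art. 4(5) talks about: if it is stored in the same database as the tokens, the data set is effectively identified for anyone who reads that database. Rotating the key breaks linkage across the rotation boundary, which is a feature when the purpose only needs short-term linkage.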
25. Application: Privacy Impact Assessment
Article 35: DPIA
If processing is likely to result in a high risk to the rights and freedoms of individuals, you must carry out an assessment of its impact on their privacy before the processing starts.
Required if, for example:
systematic and extensive evaluation of personal aspects, e.g. profiling where decisions produce legal or similarly significant effects
large-scale processing of special-category (sensitive) or criminal-offence data
systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV)
Must produce:
a description of the system and processing operations
an assessment of the necessity and proportionality of the processing
an assessment of the risks to individuals
a description of the risk mitigation measures
If a high residual risk remains after mitigation, consult the supervisory authority before processing (Art. 36).
26. Conducting a DPIA
PRODUCT DESIGN
Notice: short form/icons etc.; just-in-time disclosure; unambiguousness/explicitness; third-party notice requirements.
Consent: language and means; business issues.
Data minimization.
SYSTEMS DESIGN
Managing consents: documentation; revocation.
Processing limitation: fair & lawful; restricted to identified purposes.
Ensuring individual rights: portability; access.
Anonymization.
Retention.
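The systems-design items above (managing consents with documentation and revocation, restricting processing to identified purposes, portability and access, retention) as one added Python example, not code from the presentation. The purposes, notice versions, subject identifiers and evidence strings are hypothetical, and the in-memory ConsentLedger class stands in for whatever database a real system would use; the point is the shape of the checks, not the storage.

```python
"""Consent ledger: records consent against the notice the user saw, supports
withdrawal, gates every use on a purpose check, exports a subject's data, and
erases on retention expiry.

Added example, not the presentation's code. Purposes, versions, IDs and
evidence strings are hypothetical.
"""
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical purposes. "service" relies on contractual necessity
# (Art. 6(1)(b)), so no consent is recorded or required for it.
PURPOSES = {"service", "newsletter", "geolocation", "behavioral_ads"}
NON_CONSENT_BASIS = {"service"}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool            # False = withdrawal
    at: datetime
    notice_version: str      # which notice text the user actually saw
    evidence: str            # minimal proof of the act (Art. 7(1))


@dataclass
class SubjectRecord:
    subject_id: str
    consents: List[ConsentEvent] = field(default_factory=list)
    data: Dict[str, str] = field(default_factory=dict)
    last_active: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, retention: timedelta):
        self.subjects: Dict[str, SubjectRecord] = {}
        self.retention = retention
        self.processing_log: List[dict] = []  # audit trail of actual uses

    def _record(self, subject_id: str) -> SubjectRecord:
        return self.subjects.setdefault(subject_id, SubjectRecord(subject_id))

    def grant(self, subject_id, purpose, at, notice_version, evidence):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        rec = self._record(subject_id)
        rec.consents.append(ConsentEvent(purpose, True, at, notice_version, evidence))
        rec.last_active = at

    def revoke(self, subject_id, purpose, at, evidence):
        """Withdrawal must be as easy as giving consent (Art. 7(3))."""
        rec = self._record(subject_id)
        rec.consents.append(ConsentEvent(purpose, False, at, "", evidence))
        rec.last_active = at

    def allowed(self, subject_id, purpose, at) -> bool:
        """Is processing for `purpose` permitted at time `at`?

        The latest consent event at or before `at` decides, so the same
        method answers historical questions ("was that email lawful when
        it was sent?") and live checks.
        """
        if purpose in NON_CONSENT_BASIS:
            return True
        rec = self.subjects.get(subject_id)
        if rec is None:
            return False
        events = sorted((c for c in rec.consents if c.purpose == purpose and c.at <= at),
                        key=lambda c: c.at)
        return bool(events) and events[-1].granted

    def process(self, subject_id, purpose, at) -> dict:
        """Gate every use on the ledger; refuse rather than log-and-continue."""
        if not self.allowed(subject_id, purpose, at):
            raise PermissionError(f"{purpose}: no valid basis for {subject_id}")
        entry = {"subject_id": subject_id, "purpose": purpose, "at": at.isoformat()}
        self.processing_log.append(entry)
        self._record(subject_id).last_active = at
        return entry

    def export(self, subject_id) -> str:
        """Art. 15/20: the subject's data and consent history as JSON."""
        rec = self._record(subject_id)
        payload = {"subject_id": rec.subject_id, "data": rec.data,
                   "consents": [asdict(c) for c in rec.consents]}
        return json.dumps(payload, default=lambda o: o.isoformat(), indent=2)

    def erase(self, subject_id) -> bool:
        """Art. 17: drop the record (keep a minimal tombstone elsewhere if you
        need to prove the erasure happened)."""
        return self.subjects.pop(subject_id, None) is not None

    def purge_expired(self, now: datetime) -> List[str]:
        """Retention: erase subjects inactive longer than the retention period."""
        expired = [sid for sid, rec in self.subjects.items()
                   if rec.last_active is not None and now - rec.last_active > self.retention]
        for sid in expired:
            self.erase(sid)
        return expired


if __name__ == "__main__":
    ledger = ConsentLedger(retention=timedelta(days=365))
    t0 = datetime(2018, 5, 25, 9, 0)
    ledger.grant("u1", "newsletter", t0, "notice-2018-05", "signup checkbox")
    print(ledger.process("u1", "newsletter", t0 + timedelta(days=2)))
    ledger.revoke("u1", "newsletter", t0 + timedelta(days=10), "account settings")
    print(ledger.allowed("u1", "newsletter", t0 + timedelta(days=11)))  # False
    print(ledger.export("u1"))
```

Two design choices matter here. Consent is an append-only history, not a boolean column, so you can show both what the user agreed to and which notice version they saw at the time, which is what a regulator or a DPIA reviewer will ask for. And the purpose check is the only path to processing: an untracked code path that reads subject data for a new purpose is exactly the "new, undisclosed use" the purpose-limitation principle forbids.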
27. 'Classic' Notice and Consent
GOOGLE'S PRIVACY UX DURING ACCOUNT CREATION
ACCOUNTS.GOOGLE.COM/SIGNUP
28. Can't get an account without agreement (href: summary for each item)
36. Notice how you get clarifying examples when you hover over sections with dotted lines... This is a 'layered' notice.
37. 'Supplemental' Notice and Consent
SOLVING THE EXISTING USER DILEMMA (WHEN THINGS CHANGE) – AN EXAMPLE OF GOOGLE'S GDPR EFFORTS
GOOGLE.COM SEARCH QUERY OF THEN-CURRENT IP ADDRESS FROM GERMAN IP
38. GDPR & Google – New Privacy Notice/Consent
An example of implementing GDPR notice to existing users.
Notice & consent typically occurs at registration/service activation/initial configuration etc.
This creates an issue should data practices and/or legal requirements change (especially given how many people already use Google).
The following examples show how Google attempts to address that problem.
Note that this notice:
Appears ONLY in the EU (I accessed Google via VPN using a German IP address)
Is annoyingly placed at the top of search results so that you see it
Persists until you make it go away
Recurs if you log out of your account or tell it to go away temporarily
Is easy to read
Has handy links throughout
Not sure, but I'd venture a guess that if you click OK when logged in, Google logs date/time/IP to prove you agreed.
45. Group Problem: IoT
You're developing a new home wifi speaker. You'd like to integrate voice control, access Spotify, and stream from phone to speaker seamlessly.
To compete in the saturated market, marketing is key, especially online ads.
Botnets are an increasing risk, and have been known to hijack IoT devices in attacks.
Consumers are increasingly wary of IoT decisions breaking devices.
Meet someone, talk, ask questions, and think through a problem & solution to one of the following issues:
Limited UI
Broad range and ages of users (risk profile?)
Diagnostics/QA/QI and the broad definition of personal data
Marketing information vs. device information
Security limitations (e.g. updates)
Access/individual rights requests
Device ownership concerns
Third-party integrations (e.g. AI)
Trust & branding