The document discusses privacy and data protection considerations for organizations. It begins by acknowledging that many people lie to their doctors about sensitive personal matters. It then provides three key points:
1. Organizations should treat customer data as their most precious asset and ensure they share common goals and language with legal counsel regarding privacy and data protection.
2. When considering privacy regulations, organizations should understand data as an economic asset, recognize challenges in defining data harms, and minimize privacy-related risks and liability within the data ecosystem.
3. Organizations should start by defining themselves in the data ecosystem, documenting their data flows and obligations, aligning their activities with terms and consent mechanisms, understanding their risks, and documenting/communic
3. #agilitytour
Risk Averse for My Children
• My most precious assets
• We share common goals
• And speak the same language
Could you say the same of your Legal Counsel?
4. #agilitytour
Consider Before Crucifying the Rule of Law
1. The specifics of data as an Economic Asset:
   • Data is infinitely transferable without decay
2. Often forgotten Legislative Challenges:
   • Defining and recognising Data Harms
3. Related to evolving Privacy Legislation:
   • Compliance is a Risk Exercise
4. Minimizing Privacy-related Risks:
   • YOUR liability within the Data Ecosystem
6. #agilitytour
Fact Remains: RACI Matrices
• Legal counsel will be held accountable
• Legal counsel should be consulted
R (Responsible)
   • Who is/will be doing this task?
   • Who is assigned to work on this task?
A (Accountable)
   • Whose head will roll if this goes wrong?
   • Who has the authority to take the decision?
C (Consulted)
   • Anyone who can tell me more about this task?
   • Any stakeholders already identified?
I (Informed)
   • Anyone whose work depends on this task?
   • Who has to be kept updated about the progress?
7. #agilitytour
In a World of Dynamic Regulation
Two fundamental Data Privacy questions:
1. How far is too far (for data use & transparency)?
2. Who will decide (what is acceptable)?
8. #agilitytour
If I Had 1 £ for Every Time I Heard…
1. Yes, but we don't collect PII
2. International data transfers? Safe Harbour!
9. #agilitytour
So What to Do? 1 Rules Them All
FIPPs: Fair Information Practice Principles
1. Transparency
   • Notice/awareness & Purpose => how transparent?
2. Choice
   • Consent => opt-in or opt-out, explicit or implicit?
3. Information Review & Correction
   • Access & participation in (data) accuracy
4. Information Protection
   • Data integrity & security
5. Accountability
   • Enforcement and redress:
     I. Self-regulation,
     II. Private remedies through civil actions (Germany),
     III. Government enforcement (FTC, European Data Protection Agencies, …)
[Diagram: Transparency, Choice, Information review & correction, Information protection, Accountability]
11. #agilitytour
PII vs. Risk Levels
[Chart: axes are Risk Level, Data type and Information Security Measures; arrow labelled "Getting closer to uniquely identifying an individual"; annotations "PII" and "US: if/then exercises"]
Data type            | Risk level
Digital exhaust      | Low risk
OBA                  | Medium risk (profiling)
HIPAA health data    | High risk (sensitive)
FCRA credit scoring  | Extremely high risk (profiling of sensitive data)
12. #agilitytour
Where to Start?
1. Define yourself
   • Who are you in the data ecosystem?
   • What are your obligations?
   • What is expected of you?
   • (Who can find out?)
13. #agilitytour
Where to Start?
2. Document your Digital Entanglement
High-level mock-up of existing client. Next steps:
   ✓ Terms & sovereignties
   ✓ Data points & access/sharing
   ✓ Purpose & Consent
   ✓ Data retention periods
14. #agilitytour
Where to Start?
3. Align your liabilities:
   • What do the terms allow?
   • Which data points are you collecting?
   • Which clauses are being used (International data transfer mechanisms: Safe Harbour)?
   • Who has access? Data sharing
   • …
15. #agilitytour
Where to Start?
[Diagram: Purpose, Consent]
4. Don't drop the ball on Purpose and Consent!
What happens on opt-out of the email list?
https://support.google.com/adwords/answer/6276125?hl=en
UK: Optical Express bought "consented" data from Thomas Cook
See ICO PECR: https://ico.org.uk/for-organisations/guide-to-pecr/introduction/what-are-pecr/
16. #agilitytour
Where to Start?
5. Understand your risk
   • Of legal issues: fines, class actions
     Schleswig-Holstein DPA considers Safe Harbour clauses today unacceptable + can't be replaced by model clauses either => is this a risk for your company?
   • Of customer backlashes: unexpected/creepy data uses
     Target: using shopping behavior to define pregnancy state (sensitive data) => consent!
17. #agilitytour
Where to Start?
6. Document, train & communicate
   • If asked, be able to show you've done your homework
   • Define accountability (data stewards) & escalation procedures
   • Explain & ask for help: your company is the patient!
18. #agilitytour
We All Hated the "Cookie Directive", Right?
Thank you for listening!
Thank you for your attention!
aurelie@mindyourprivacy.com