When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
•Download as PPTX, PDF•
0 likes•233 views
As data sets and analytics sophistication grow, so do consumer's concerns about their privacy and what is being done with their personal information. Legislatures around the world are beginning to respond to these concerns. We present an overview of the General Data Protection Regulation and the California Consumer Protection Act to help companies comply with the law and engender trust with the consumers whose data they hold.
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Similar to When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
Similar to When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws (20)
Recently uploaded
Recently uploaded (20)
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws
- 1. WHEN BIG DATA IS PERSONAL DATA - DATA ANALYTICS IN THE AGE OF PRIVACY LAWS
- 2. DATA BREACHES IN 2019 • Blur – 2.4 million users • Town of Salem Video Game – 7.6 million users • DiscountMugs.com – credit card skimming • BenefitMall HR Services – number unknown • Capital One – like, everybody • Poshmark - last week • 86 others • It’s September © Aaron | Sanders PLLC Free photo 2069034 © Dejan Savic - Dreamstime.com
- 5. 1970 1980 1990 2000 2010 2020 2001 ‘18 September 11th Safe Harbor Invalidated EU Directive on Data Protection Safe Harbo r ’95 Cambridge Analytica ‘16 GDPR ‘19‘96 ‘98‘99 CCPA ‘15 HIPA A Gramm- Leach- Bliley COPP A First DP Law In the World, Hesse Germany How Did We Get Here? Computer Mainframes PCs Development of Information Technology Concerns About Privacy
- 6. • EUROPEAN UNION • UNITED STATES • JAPAN • SOUTH KOREA • BRAZIL • NIGERIA • AUSTRALIA • THAILAND
- 7. GENERAL DATA PROTECTION REGULATION • Regulation (EU) 2016/679 — protection of natural persons with regard to the processing of personal data and the free movement of such data
- 8. GDPR IN A NUTSHELL DATA PROCESSING must be lawful, limited, accurate, secure and for an explicit purpose DATA SUBECTS have rights DATA CONTROLLERS AND PROCESSORS have obligations of security and accountability RECORD KEEPING IS MANDATORY licensed under CC BY- SA
- 9. • Must be • Lawful • Done for “specified, explicit and legitimate purposes” • Limited to what is necessary • Accurate and kept up to date • Erased after storage is no longer necessary • Secure • Subject to accountability • 6 lawful bases for processing data • Informed consent • Performance of a contract • Compliance with legal obligations • Protection of the interests of a person • Performance of a task in the public interest • “Legitimate Interest of Processor” Data Processing
- 10. RIGHTS OF THE DATA SUBJECT • Right to know who is processing their information • Right to have cost-free access • Right to have information corrected • Limited Right of Erasure (Right to be Forgotten) • If lawful bases was consent or • If purpose is solely marketing • Right of Portability • Machine readable • May mean porting data to a competitor • Limited Right of Objection to Processing • If processing was not lawful © Aaron | Sanders PLLC
- 11. OBLIGATIONS OF CONTROLLERS AND PROCESSORS • Controllers – Responsible for “implementing appropriate technical and organizational measures which are designed to implement data-protection principles” • Security • Pseudonymization • Encryption • Disaster and Breach Response Plans • Regular Testing / Maintenance • Impact Assessments • Processors – those who process data on behalf of Controllers • Vendor (Data Protection) Agreements • Compliance with Controller’s Security Protocols • Rapid Breach Notification
- 12. NOTICE REQUIREMENTS & RECORD KEEPING • Contact information of the organization, and a responsible person inside the organization • Categories of personal data processed • Any processing of children’s data • Categories of recipients of data • Purpose of processing, explained in detail • Existence of any data transfers to other countries • Retention Periods • Recipients of personal data • Security and technical data protection measures
- 13. EXEMPTIONS • Anonymized Data • Public access to official documents • Employee data • Obligations of secrecy • Scientific and historical research purposes or statistical purposes (in the public interest) • Archiving in the public interest • Churches and religious associations
- 14. CALIFORNIA CONSUMER PROTECTION ACT • AB 375 (2018) – “The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right….” © Aaron | Sanders PLLC
- 15. TIMING FOR COMPLIANCE • Effective Date – January 1, 2020 • Look-Back Period – 2019 • Rulemaking – Approximately July 2020 WHO HAS TO COMPLY? • Businesses who: • Collect information on more than 50,000 CA residents, “households” or devices • Have $25 million or more in annual revenue • Derive half or more of revenue from selling Californian’s information
- 16. HEADLINE COMPLIANCE POINTS • Definition of “personal information” is broad • Like GDPR, consumers have rights • If a company is collecting data, notice to consumers is required: • What was collected • For what purpose • To whom it was shared, and for what purpose • To whom it was sold • A CONSUMER MAY OPT-OUT OF HAVING THEIR INFORMATION SOLD, AND CAN’T BE DISCRIMINATED AGAINST
- 17. OTHER STATE LAWS • Vermont – Data Brokers must register and pay a fee • Nevada – Disclose whether third parties can collect information from a consumer- facing website (“cookie notice”) • Florida – In the event of a data breach, data breach policy must be in writing and must be demonstrably followed
- 18. SO WHAT’S A DATA HOLDER TO DO? • Create a Concise Privacy Notice and Robust Internal Policies • Keep Good Records • Comply with Data Subject Requests • Educate your team • Don’t Keep Secrets • Keep your Promises
- 19. HERE TO HELP! • Tara Aaron, CIPP/US, CIPP/E • Aaron | Sanders Law PLLC • tara@aaronsanderslaw.com • www.aaronsanderslaw.com
Editor's Notes
- What it doesn’t allow data subjects to do is opt out of lawful processing completely (except in a couple of circumstances)
- Vendor Agreements Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality (This is the Data Security Principle) Basic Security Protocols are also going to include employee training, user authentication, access controls, firewalls, software updates, virus control. GDPR doesn’t spell it out, but for example, if you’re ISO 27000 compliant, or HIPAA compliant, it’s likely that your security protocols are sufficient.
- There are U.S. state laws that mean you should also have a written data breach policy as well, and we’ll get to those.
- Major difference between the GDPR and the California law – consumers can opt out of all sale of data
- These are collective numbers, so basically if you have the information of more than 16,666 Califorians, and that information includes IP addresses, this applies to you.
- Definition of “sale” is super broad. Any transfer for consideration, except to service providers (those who help with internal business). Determining if information is being sold to a service provider. -- May have to re-do contracts with service providers. Keep California separate? The ‘do not sell’ button is only required for California residents, but Bailey said many companies plan to offer it to all U.S. users. ”Will I selectively display this link? Am I going to show it to everyone who comes to my website?” Bailey said. “Or am I going to somehow try to fence off California citizens and only show them the link? … For this particular use case, it’s a hard thing to do.”Verify users’ identity. If companies do choose to keep California residents separate, they’ll need to identify which consumers are from the state, the privacy professionals said, and that can get complicated. Leipzig advised against collecting data such as uploaded driver’s license photos; it just adds to the data a company needs to protect. At a minimum, Bailey said websites should include CAPTCHA tests and emailed verification to prevent bots from spamming ‘do not sell’ links.
- If you’re in the business of collecting and selling information about data subjects that your company does not have a direct relationship with, and any of those subjects are from Vermont, you need to be registered in Vermont. Nevada’s law is more narrow – only applies to sites that sell goods and services to consumers. So it applies to Amazon, but not Twitter. We didn’t get to a lot about cookie notices today – the EU is pretty soon going to be making a new regulation that will require cookie controls to be available at the browser level. Florida’s fines are up to half a million dollars.