Personal information has become a form of currency to improve the user experience and target the consumer with relevant products. But where's the line between targeting and harassment? In this session you will hear the latest updates regarding privacy policies across Europe.
- Opportunities and Threats: Discuss the latest EU regulations and hear how to become a transparent data-driven business
- Avoid excess data: when to collect data and how to use it to offer relevant products to your customer
- Privacy: The biggest barrier to personalised pricing in hospitality and travel?
Data is the new oil, privacy is the new green - Eye4Travel Amsterdam
1. Data is the New Oil
Privacy is the new Green
November 25th 2014
Eye4Travel Amsterdam
Aurélie Pols
@aureliepols
2. The SUN went down on Privacy
“You have zero privacy anyway, get over it”, Scott McNealy, CEO of Sun Microsystems, January 1999
At eMetrics in Boston in 2006, this turned into
“Privacy is Dead Aurélie, get over it!”
Presented by: Aurélie Pols
@AureliePols
3. Call me a bore,
I’ve been listening to the helicopters coming,
while humming Wagner’s Ride of the Valkyries
4. From the rooftops of Amsterdam
Source: http://www.tripadvisor.nl/LocationPhotoDirectLink-g188590-d1740219-i104248061-Wyndham_Apollo-Amsterdam_North_Holland_Province.html
5. The is one I do not Trust (my data with)
Source: http://www.cnet.com/news/ftc-sues-wyndham-hotels-over-data-breaches/
6. The story?
Reasonably protect the security of consumers’ personal data
Source: http://www.ftc.gov/enforcement/cases-proceedings/1023142/wyndham-worldwide-corporation
8. Courts writing Privacy history?
The Right to be Forgotten (RTBF)
Source: http://www.economist.com/news/leaders/21602219-right-be-forgotten-sounds-attractive-it-creates-more-problems-it-solves-being
ECJ
9. A Global Privacy Perspective
US & UK | EU | ASIA
Common Law | Continental Law | Partially continental law influenced
Class actions | Fines (by DPAs: Data Protection Agencies) | Amended / New
Privacy | Personal Data Protection (PDP) |
Business focused | Citizen focused: data belongs to the visitor/prospect/consumer/citizen |
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations |
PII: varies per US state | “Personal Data” => Risk levels: low, medium, high, extremely high |
10. For now, 0 €, no business
WYNDHAM LOST MY TRUST
11. I care about my data
Source: https://twitter.com/JavZamora/status/479233003710083072/photo/1
12. About my online anonymity
Recent Pew Research: US citizens care about Privacy
Source: http://www.pewinternet.org/2013/09/05/anonymity-privacy-and-security-online/
13. Defining Privacy: do you need to?
Privacy & Business Ethics vs. Data Protection & Responsible Uses of Data
Customer Trust | Legal Compliance
Data
Balancing act = Risk Management Exercise
14. Privacy is Important
BUT WHO IS RESPONSIBLE?
15. Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
16. Purpose, Consent & Data Uses
From: Purpose, Consent, FIPPs, Data for approved use
To: Purpose, Consent, Data analysis or merging, FIPPs, New business opportunity
Big Data is Killing the Privacy Framework
17. Why is this bubbling up now?
D-I-G-I-T-A-L makes Data Global, replicable, …
The World Economic Forum – Personal Data: The Emergence of a New Asset Class (2011)
The EU GDPR – General Data Protection Regulation (2012-2015?)
The OECD – Guidelines on the Protection of Privacy & Transborder Flows of Personal Data (1980, reviewed in 2013)
The UN – The Right to Privacy in the Digital Age (2014)
18. Total Privacy fines worldwide
6 weeks into 2014, the world total in Privacy damages had reached 50% of last year’s record: $74 million
Source: http://www.computerworld.com/s/article/9246393/Jay_Cline_U.S._takes_the_gold_in_doling_out_privacy_fines?taxonomyId=84&pageNumber=3
19. And of course data breaches
Target, JPMorgan, Home Depot, …
But what happens after the breach?
20. How many lawsuits is Target facing?
140, totaling over $750 million
21. THE QUESTION IS NOT IF, IT’S WHEN
22. Privacy ABC
FIPPs: Fair Information Privacy Practices
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
23. If you collect PII… then
US & UK | EU
Common Law | Continental Law
Class actions | Fines (by DPAs: Data Protection Agencies)
Privacy | Personal Data Protection (PDP)
Business focused | Citizen focused
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … | Over-arching EU Directives & Regulations
PII: varies per state | Risk levels: low, medium, high, extremely high
24. So what is considered PII?
Personal Information (based on the definition commonly used by most US states)
i. Name, such as full name, maiden name, mother’s maiden name, or alias
ii. Personal identification number, such as social security number (SSN), passport number, driver’s license number, account and credit card number
iii. Address information, such as street address or email address
iv. Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
v. Telephone numbers, including mobile, business, and personal numbers.
vi. Information identifying personally owned property, such as vehicle registration number or title number and related information
Source: information based on current ongoing analysis (partial results)
25. PII vs. Risk levels: US vs. EU
Risk level, by data type & information security measures:
- Low risk data type (clickstream data)
- Medium (profiling: typically retargeting through cookies)
- High (sensitive data: health, financial, political views, sexual orientation, …)
- Extremely high (profiling of sensitive data: probability of being pregnant => Target?)
PII
26. PERSONAL DATA
EU Directive 95/46/EC, Article 2(a):
Shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
27. A cat dies!
EVERY TIME YOU USE THE ACRONYM PII
29. Controller vs. Processor
Web property: Big corporation, SME
Customer: visitor, voter, citizen, …
Intermediaries: tools, agencies, consultancies, …
Data Flow
Responsibility
Privacy Rights
30. 12 Responsibilities of a Data Controller
1. Inform participants
2. Obtain informed consent
3. Ensure the data held is accurate
4. Delete personal data when it is no longer needed => delete or anonymize
5. Protect against unauthorized destruction, loss, alteration and disclosure => security
6. Contract with Data Processors responsibly
7. Take care transferring data out of Europe
8. If you collect “special” categories of data, get specialist advice
9. Deal with any data subject access requests
10. If the assessment is high stakes, ensure there is review of any automated decision making
11. Appoint a Data Protection Officer (DPO) and train staff
12. Work with supervisory authorities and respond to complaints
Source: http://blog.questionmark.com/responsibilities-of-a-data-controller-when-assessing-knowledge-skills-and-abilities
31. Role playing example
Surveymonkey: https://www.surveymonkey.com/mp/policy/privacy-policy
32. What about security?
Data Collection
Processes
Resources
DPO
33. Implement Information Security Measures
Source: http://www.softbank.jp/en/corp/csr/management/info_security/efforts/
34.
Enterprise goal
User goals
Privacy Policy
Requirements
Privacy Mechanisms
Procedures & Processes
Privacy Awareness Training
Quality Assurance
Feedback
35. Yelp said that only about 0.02 percent of users who actually completed the registration process during the time period provided an underage birth date, “and we have good reason to believe that many of them were actually adults.”
The company had an average of about 138 million unique visitors in Q2 of 2014.
Cost? above 16$/monthly unique …
Source: http://www.pcworld.com/article/2684752/yelp-settles-us-ftc-charges-of-violating-child-privacy.html
36. Data has become a valuable asset
DATA IS A RISK BECAUSE IT EXISTS
37. What about travel?
CUSTOMER ON THE MOVE & AT REST IS NOT EQUAL
38. National Security vs. Privacy
Data Retention vs. Data Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
E.g. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)
39. Data Quality: if this is not me?
40. If this was not me, what to do?
41. Legislation & risk: win-win?
New headache
- COPPA
- ISO 14443
42. Personalised pricing?
Don’t personalize on sensitive data
Source: http://privacytools.seas.harvard.edu/files/privacytools/files/p44-sweeney.pdf
43. Who owns the customer?
• Who owns the data?
– Privacy policies
– Data sharing principles (& options => choice)
• Who is responsible for the relationship?
– Who gets the money?
– How does the customer know who to contact?
• Transparency & communication
• Core business & collaborative procedures with partners
44. Where to start?
Compliance?
Privacy?
Security?
Moving targets
45. The “Magnum” Plan
• Document your data set-up
• Set-up a compliance check-list:
– Applicable legislations to your sector
– Territorial scope
• Evaluate your risk
• Follow-up with information security measures (data protection)
• Adopt global & sustainable Privacy best practices
46.
LOCAL HQ
SUBSIDIARY 1
Customer Terms & Conditions
Applicable Security Measures???
LOCAL SUBSIDIARY 1
LOCAL SUBSIDIARY 2
LOCAL SUBSIDIARY 3
LOCAL SUBSIDIARY 4
Where does it sit? Cloud/SaaS
47. Example of data flow issues
Quantified self movement
Personal “health” data
Direction of flow is essential
Consequences on Privacy Policy
48. 5 ONLINE MARKETING RULES TO RESPECT CONSUMER’S PRIVACY
49. 5 Online Marketing rules to respect consumer's privacy
1. Say what you do and do what you say
2. Harness your data liability
3. Foster data frugality & documentation
Agile is the ‘mot du jour’
4. Cherish the human aspect of data protection
5. Dialogue and find common ground
50. Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
51. Limiting Risk of holding data
Data Minimization Principle
Limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose
Data Retention Policies
Set of guidelines that describes which data will be archived, how long it will be kept. Permanent deletion of the retained data is part of any effective data retention policy.
52. Data Retention Policies
• Delete the data, everywhere!
• Anonymize or De-identify the data
By Ann Cavoukian and Khaled El Emam, June 2011, http://www.ipc.on.ca/images/Resources/anonymization.pdf
53. Privacy by Design (PbD)
7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options
Customer creepiness is the question I get the most today. Depending on who I talk to, everybody agrees Privacy is important but no one is responsible.
The US is also notorious for their views on protecting the Privacy of their citizens compared to other world citizens.
Which is interesting because through Digital, Privacy is becoming a global legislative issue.