From
Über
Creepy
to
Over
Compliant
Managing
your
(Digital)
Analy:cs
Assets
October
30th
2014
eMetrics
Summit
London
Aurélie
Pols
@aureliepols

Aurélie
Pols
Chief
Visionary
Officer
&
co-­‐founder
Mind
Your
Privacy
@aureliepols
Presented
by:
Aurélie
Pols
@AureliePols
• Grew
up
in
the
Netherlands,
Dutch
passport
• French
mother
tongue
• Most
of
my
friends
are
bilingual
at
least
• Have
Polish
&
Russian
origins
• Co-­‐founded
1st
start-­‐up
in
Belgium
in
2003
• Sold
it
to
Digitas
LBi
(Publicis)
UK
in
2008
• Moved
to
Spain
in
2009
• Created
2
other
start-­‐ups
in
Spain
in
2012
Mind
Your
Group,
Pu#ng
Your
Data
to
Work
Mind
Your
Privacy,
Data
Science
Protected
Yes,
a
“law
firm”
but
we
prefer
to
say
a
bunch
of
Data
Scien/sts
working
with
a
bunch
of
Lawyers

Call
me
a
bore,
I’ve
been
listening
to
the
helicopters
coming,
while
humming
Wagner’s
Ride
of
the
Valkyries

Addi:onal
scare
tac:cs
REMEMBER
TARGET?
Presented
by:
Aurélie
Pols
@AureliePols

Meet
Beth
and
Greg
December
19
Presented
by:
Aurélie
Pols
@AureliePols
2013:
40
million
credit
&
debit
card
accounts
breached
January
10
2014:
personal
data
of
70
million
customers
hacked
March
05
2014:
Beth
Jacobs,
Target
CIO
since
2008,
RESIGNS
May
05
2014:
Gregg
Steinhafel,
Target
CEO,
35-­‐year
company
veteran,
RESIGNS

Target
today
February
2014
May
15
2014
Presented
by:
Aurélie
Pols
@AureliePols

How
many
lawsuits
is
Target
facing?
Presented
by:
Aurélie
Pols
@AureliePols

140
29
from
banks
&
credit
unions
Totaling
$761
million
And
then
I
stopped
coun:ng
Presented
by:
Aurélie
Pols
@AureliePols

Unsinkable?
How
many
lifeboats
will
you
trade
for
lives?
Presented
by:
Aurélie
Pols
@AureliePols

How
about
creepiness
vs.
analyTcs?
Cloud
tools
fines
&
warnings
Oi,
Brazilian
Telco
&
Phorm
France
Telecom
&
email
campaign
tool
Presented
by:
Aurélie
Pols
@AureliePols

A
cat
dies
EVERY
TIME
YOU
USE
THE
ACRONYM
PII
Presented
by:
David
Hollender
@DavidHollender

So
what
is
considered
PII?
Personal
InformaTon
Presented
by:
Aurélie
Pols
@AureliePols
(based
on
the
definiTon
commonly
used
by
most
US
states)
i
Name,
such
as
full
name,
maiden
name,
mother‘s
maiden
name,
or
alias
ii
Personal
iden:fica:on
number,
such
as
social
security
number
(SSN),
passport
number,
driver‘s
license
number,
account
and
credit
card
number
iii
Address
informa:on,
such
as
street
address
or
email
address
iv
Asset
informa:on,
such
as
Internet
Protocol
(IP)
or
Media
Access
Control
(MAC)
v
Telephone
numbers,
including
mobile,
business,
and
personal
numbers.
Informa:on
iden:fying
personally
owned
property,
such
as
vehicle
registra:on
number
or
:tle
number
and
related
informa:on
Source: information based on current
ongoing analysis (partial results)

If
you
collect
PII…
then
Presented
by:
Aurélie
Pols
@AureliePols
US
&
UK
EU
APEC
Common
Law
Con:nental
Law
Con:nental
law
influenced
Class
ac:ons
Fines
(by
DPAs:
Data
Protec:on
Agencies)
Privacy
Personal
Data
Protec:on
(PDP)
Business
focused
Ci:zen
focused
Patchwork
of
sector
Over-­‐arching
EU
Direc:ves
&
based
legislaTons:
Regula:ons
HIPPA,
COPPA,
VPPA,
…
PII:
varies
per
state
Risk
levels:
low,
medium,
high,
extremely
high

Data
has
become
a
valuable
asset
DATA
IS
A
RISK
BECAUSE
IT
EXISTS
Presented
by:
Aurélie
Pols
@AureliePols

Where
to
start?
Compliance?
Privacy?
Security?
Presented
by:
Aurélie
Pols
@AureliePols
Moving
targets

The
“Magnum”
Plan
• Document
Presented
by:
Aurélie
Pols
@AureliePols
your
data
set-­‐up
• Set-­‐up
a
compliance
check-­‐list:
– Applicable
legisla:ons
to
your
sector
– Territorial
scope
• Evaluate
your
risk
• Follow-­‐up
with
informa:on
security
measures
(data
protec:on)
• Adopt
global
&
sustainable
Privacy
best
prac:ces

5
ONLINE
MARKETING
RULES
TO
RESPECT
CONSUMER’S
PRIVACY
Presented
by:
Aurélie
Pols
@AureliePols

5
Online
MarkeTng
rules
to
respect
consumer's
privacy
1. Say
what
you
do
and
do
what
you
say
2. Harness
your
data
liability
3. Foster
data
frugality
&
documenta:on
Agile
is
the
‘mot
du
jour’
4. Cherish
the
human
aspect
of
data
protec:on
5. Dialogue
and
find
common
ground
Presented
by:
Aurélie
Pols
@AureliePols

1.
Say
what
you
Do
&
Do
what
you
Say
Privacy
policies
statements:
• Publicly
Presented
by:
Aurélie
Pols
@AureliePols
available
documents
• Date
stamp:
less
than
1
year
old
• Implies
processes:
– Eg.
“we
don’t
collect
data
of
minors”
=>
COPPA
– Dele:on
&
anonymiza:on
– Bankruptcy
or
M&A
data
transfers
• Apributes
responsibility:
privacy@company.com

Presented
by:
Aurélie
Pols
@AureliePols
Entreprise
goal
User
goals
Privacy
Policy
Requirements
Privacy
Mechanisms
Procedures
&
Processes
Privacy
Awareness
Training
Quality
Assurance
Quality
Assurance
Feedback

Yelp
said
that
only
about
0.02
percent
of
users
who
actually
completed
the
registra:on
process
during
the
:me
period
provided
an
underage
birth
rate,
“and
we
have
good
reason
to
believe
that
many
of
them
were
actually
adults.”
The
company
had
an
average
of
about
138
million
unique
visitors
in
Q2
of
2014.
Cost?
above
16$/monthly
unique
…
Source:
hpp://www.pcworld.com/ar:cle/2684752/yelp-­‐seples-­‐us-­‐uc-­‐charges-­‐of-­‐viola:ng-­‐child-­‐privacy.html
Presented
by:
Aurélie
Pols
@AureliePols

2.
Harness
data
liability
Across
data
plavorms
&
flows
– Understand
Presented
by:
Aurélie
Pols
@AureliePols
Terms
&
Condi:ons
– Sovereign:es/legal
jurisdic:ons:
Safe
Harbor
and
Binding
Corporate
Rules
(BCRs)
– Access!
Ø
Tool
vexng
Ø Agency
vexng

Responsibility
of
analyTcs
agency?
Informa:on
Security
&
Compliance:
Follow
the
Data
ü Define
the
tools
ü Grant
accesses
ü Data
collec:on
&
data
lifecycle
ü Data
sharing
&
data
flows
Ø Ouen
a
Presented
by:
Aurélie
Pols
@AureliePols
weak
link

Who
has
access?
Source:
Privacy
Green
seal,
specific
audit
for
analy:cs
tools
&
data
agencies
Presented
by:
Aurélie
Pols
@AureliePols

3.
Foster
data
frugality
&
documentaTon
Agile
is
the
mot
du
jour,
also
for
data
collecTon
Old
adage:
“let’s
Presented
by:
Aurélie
Pols
@AureliePols
collect
everything,
just
in
case”
New
adage:
cherry
pick
the
data
for
which
the
following
must
be
held
true:
1. Without
X
data
apribute,
I
cannot
do
Y
legi:mate
task
and
need
no
less
than
X
to
do
Y
2. Addi:onally
collec:ng
data
point
Z
will
not
jeopardize
my
ini:al
data
collec:on
purpose

Agile
ways
of
working
with
Purpose
and
Consent
Use
meta-­‐data
to
classify
data
fields
and
groups
to
– Iden:fy
Presented
by:
Aurélie
Pols
@AureliePols
data
fields
containing
PII/personal
data,
(ad)
collec:on
source,
use
and
disclosure/sharing;
– Iden:fy
data
fields/groups
and
their
storage
that
need
consent;
– Iden:fy
data
fields
that
may
need
correc:on
by
individuals;
– Iden:fy
data
fields
that
may
need
de-­‐
iden:fica:on,
anonymiza:on
or
dele:on.

4.
Cherish
HR
in
Data
ProtecTon
Human
error
causes
most
data
breaches
Presented
by:
Aurélie
Pols
@AureliePols

Presented
by:
Aurélie
Pols
@AureliePols
Entreprise
goal
User
goals
Privacy
Policy
Requirements
Privacy
Mechanisms
Procedures
&
Processes
Privacy
Awareness
Training
Quality
Assurance
And
escalaTon
procedures
to
akribute
responsibility
Should
we
do
this
analysis?

Security
(technical)
Presented
by:
Aurélie
Pols
@AureliePols
Data
CollecTon
Processes
Resources
security

Purpose,
Consent
&
Data
Uses
From:
Presented
by:
Aurélie
Pols
@AureliePols
Purpose
Consent
FIPPs
Data
for
approved
use
Purpose
Consent
New
business
opportunity
Data
analysis
FIPPs
or
merging
To:

5.
Dialogue
&
common
ground
Trust
and
Creepiness:
Consent
is
about
a
reasonable
expectaTon
of
the
use
of
data
There’s
a
fine
line
between:
– Feeling
Presented
by:
Aurélie
Pols
@AureliePols
charmed
– Feeling
invaded
Create
win-­‐win
situa:ons:
– Customers
give
company
informa:on
– Customers
get
beper
service/value
for
money

Creepy?
Presented
by:
Aurélie
Pols
@AureliePols
For
some.
Risk
to
the
business?

Interac:ve
discussion
SHOULD
YOU
MEASURE
WHEN
LOGGED
OUT?
Presented
by:
Aurélie
Pols
@AureliePols

Discussion
topics
• The
Presented
by:
Aurélie
Pols
@AureliePols
context:
which
kind
of
applica:on?
sector?
• The
actors:
end
client,
analy:cs
agency/ies,
tools
• The
customer
expecta:on:
mainly
focusing
on
why
a
customer
logs
out
• The
risk
and
poten:al
liability
• Minimum
requirements
to
lower
risk

THANKS
For
coming