The session will address GDPR compliance challenges in the context of Industry 4.0 and will offer a deeper look into the convergence of data privacy with the digitalisation movement, where Big Data, IoT, AI and Cloud services all depend on one thing: DATA.
ITCamp 2018 - Cristiana Fernbach - GDPR compliance in the industry 4.0
@ITCAMPRO #ITCAMP18 Community Conference for IT Professionals

GDPR Compliance in the Industry 4.0
Cristiana Fernbach, LL.M., MBA, CIPP/E
Stratulat Albulescu – Attorneys at Law
Agenda
1. GDPR – Cloud Killer?
2. Big Data VS “Big” GDPR
3. New Challenges For AI – GDPR
4. Blockchain from GDPR Perspective
5. Conclusion
1. GDPR – Cloud Killer? (1)
Roles in a cloud deployment: the Cloud Service Provider acts as data processor; the enterprise that uses the cloud service acts as data controller.
• Both the processor and the controller must implement technical and organisational measures to ensure a level of security appropriate to the inherent risks to the data being processed
• The DPO requirement may also fall to processors (depending on the nature of their core activities and/or the type of data processed)
• The data processor shall have in place procedures for the exercise of data subject rights
1. GDPR – Cloud Killer? (2)
GDPR Specific Challenges for Controller
• Implementing retention policies effectively in the cloud and having a clear overview of cloud service providers’ backups
• Inclusion of breach notification obligations and protocols
• Appropriate safeguards required for the storage of data in NON-EU countries
• Facilitate the right of data portability for data subjects
• Maintain control and ownership of personal data
• Performing a Data Protection Impact Assessment (“DPIA”) and a Security Assessment to determine any risk of the cloud’s usage
2. Big Data VS “Big” GDPR (1)
• Obtaining meaningful consent can be difficult, but novel and innovative approaches can help
• Legitimate interest is not a “soft option”
• Big data analytics – strictly necessary for the performance of a contract?
• Big data analytics may lead to excessive collection of data
• Data retention longer than necessary, since big data apps are capable of analysing large volumes of data
• Right of access to personal data? Difficult to comply with due to the vast quantity of personal data used in big data analytics
2. Big Data VS “Big” GDPR (2)
In a growing number of high-profile corporate cybersecurity breaches, hackers have stolen some of the most sensitive data that consumers have, including identification numbers, passwords and financial information.
Key topics: Data minimization; Fairness of processing; Data breach procedures; Security incidents
2. Big Data VS “Big” GDPR (3)
Facebook’s Security Incident: Cambridge Analytica, beginning in 2014, obtained data on 50 million Facebook users.
Uber’s Security Incident: The breach exposed names, email addresses and phone numbers of 50 million people worldwide, plus personal details of 7 million drivers.
Greenwich University’s Security Incident: The breach exposed the personal data of 19,500 students, including information on some students' mental health problems.
2. Big Data VS “Big” GDPR (4)
Why?
• Big Data sets often include personal data
• In many cases, it is not possible to separate the personal data from the non-personal data
• Sensitive personal data may only be automatically processed based on explicit consent
How?
• Identify where personal data is involved
• “Clean” the data sets, including pseudonymisation
• Ensure a valid legal basis for profiling
• Ensure that a process is in place to obtain human intervention, when necessary
SOLUTIONS: TRANSPARENCY, PRIVACY BY DESIGN
Source: GDPR Report, 2017, https://gdpr.report/news/2017/07/24/gdpr-big-data-friends-foes
3. New Challenges For AI – GDPR (1)
SECURITY ISSUES
The International Data Corporation predicts that there will be 200 billion connected devices by 2020, and if standards stay the same that could mean billions of security vulnerabilities.
Source: https://www.scmagazineuk.com/will-we-get-a-gdpr-for-the-iot/article/758037/
3. New Challenges For AI – GDPR (2)
Artificial intelligence needs a vast amount of data to learn: data in the realm of big data considerations. Big data, in turn, uses artificial intelligence techniques to extract value from big datasets.
Privacy by design principles:
• Integrated privacy in the full lifecycle of systems, operations and products
• Proactive, not reactive; preventive, not remedial
• End-to-end security – full lifecycle protection
• Privacy assurance – the default mode of operation
3. New Challenges for AI – GDPR (3)
AI and GDPR’s principles
Fairness Principle: Use relevant and correct data. Do not emphasise information relating to racial or ethnic origin, political opinion, religion or belief, trade union membership, genetic status, health status or sexual orientation if this would lead to arbitrary discriminatory treatment.
Purpose Limitation Principle: In cases where previously collected personal data is to be re-used, the controller must consider whether the new purpose is compatible with the original one.
Data Minimisation Principle: Examine the intended area of application of the model to facilitate selection of the relevant data necessary for the purpose.
Transparency Principle: The use of artificial intelligence is a form of automated processing, and, moreover, in some cases the decision is taken by the robot (automated decision based on profiling).
4. Blockchain from GDPR Perspective (1)
Blockchain databases are particularly interesting because they allow - at least in theory - transactions between parties without having to disclose their identity directly to the contracting party or the public.
However, studies have shown that the address of a service user can be traced back to its IP address, which in turn can be traced back to a specific internet connection or connection owner.
4. Blockchain from GDPR perspective (2)
When designing a business model based on Blockchain technology, and you don’t want to ask the participants to provide their prior consent, include in the services to be rendered the perpetually given function of authenticating the transaction and its validity. Then each participant can make use either of:
• Art. 6 para. (1) lit. f) GDPR – legitimate interest of the controller
• Art. 6 para. (1) lit. b) GDPR – performance of a contract or in order to take steps to enter into a contract
5. Conclusion
• Data minimization
• Consent needed?
• Profiling and automatic decision
• Data subject’s rights
TIME TO ACT!