Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust - Digital Catapult

356 visualizaciones

Publicado el

Presentation about PDRs implementation and lessons learned at the Personal Data and Trust Network - Real Consent and GDPR Readiness Workshop

Publicado en: Tecnología
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

Personal Data Receipts - Michele Nati - Lead Technologist Privacy and Trust - Digital Catapult

  1. 1. Personal Data Receipts Real Consent & GDPR Readiness January 16th, 2017 Michele Nati Lead Technologist Personal Data and Trust Lucie Burgess, Head of Personal Data and Trust David Ponsford, Senior Product Manager Digital Catapult, London @michelenati
  2. 2. Motivation • Personal Data availability is growing • By 2019, total shipments will reach 214.6 million units, a five-year Compound Annual Growth Rate (CAGR) of 28% (IDC) • … and business digital transformation is leveraging that • … with transparency and trust becoming of paramount importance • Only 1 in 5 Consumers read privacy statement; 15% feels to have control over how their data are used (Source: Data Protection Eurobarometer) • And regulatory framework now in place to measure it (GDPR) http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf
  3. 3. Trust and GDPR Trustworthiness ReputationTrust - Transparency (Article 12-14, Information notice) - Accountability (Article 4 and 7, Consent) - Level of Control (Article 17-19, Data erasure and portability)
  4. 4. Background • Summer 2016 intern • Understanding what transparency means for consumers • Data discovery, interviews, user-centric design, prototyping, measuring • Findings: transparent, clear and concise summary of collected data, increase trust https://pdtn.org/designing-consent-receipts-future-personal-data-sharing/
  5. 5. Personal Data Receipts Multi-disciplinary team: - UX Lead - Marketing experts - Lawyer - Lead Tech Lawyer advice: According to DPA, consent is not required for: a) the “legitimate interests” of the data controller so long as they do not override the fundamental rights of the data subject; b) data that it is necessary to collect or process the data to fulfill a contract the data subject asked to enter • PDRs are a super-set of consent receipt • First full transparency, then control
  6. 6. Current Benefits • Individuals: • Simplify understanding of privacy policies • Track and control the use of personal data • Organizations: • Increase transparency, by simplifying privacy policies • For both: • Simplify Subject Access Requests (by providing a link to Data Controller)
  7. 7. Technical integration – Logic view User interfaces: collect, stores and manage PDRs PDR generator: uses secure APIs from different corporate legacy systems (e.g. Salesforce) Audit trail: authenticity, integrity, confidentiality, non-repudiability
  8. 8. Technical integration – Digital Catapult system Preserving privacy: • No new personal information is created; nor passed and stored across different systems • Secure meta-data communication • Pseudonyms to link PDRs and users • PDRs only sent the first time, with random delay, to avoid traceability • Audit trail: including PDR version for maintain consistency (in case of Privacy Policy change)
  9. 9. PDR trial ambitions • Educate consumers (visitors) about their personal data sharing • Measure the value of PDR for consumers • Promote best practices and adoption to increase businesses transparency and trust
  10. 10. PDR trial summary 80% 20% Yes No 51%49% Opened Overall visitor engagement 1504 PDRs sent 20 27 13 16 0 0 0 0 Visitors: Total Page views : Contact via website: Requests to be removed: Website engagement 303 339 128 183 47% 44% 4% 4% Centre Visitors: PDRs sent: Email open rate: Click thru rate: This week Last weekCatapult Centre engagement DCC visitors* 95 Closed Data 191 IoT 94 Licensed Data 157 P D & T Would you like all services you signed up for to send you a PDR? 80% 20% Yes No Would you consider implementing something similar within your company? Yes - 80% Yes - 80% 0 20 40 60 80 100 120 140 14/09/16 17/09/16 20/09/16 23/09/16 26/09/16 29/09/16 02/10/16 05/10/16 08/10/16 11/10/16 14/10/16 17/10/16 20/10/16 23/10/16 26/10/16 29/10/16 01/11/16 04/11/16 07/11/16 10/11/16 13/11/16 16/11/16 19/11/16 22/11/16 25/11/16 28/11/16 01/12/16 04/12/16 07/12/16 10/12/16 13/12/16 16/12/16 Total Visitors 3892 Total visitors 1950 Total fist time visitors 1504 Total receipts sent *figures taken cumulative since 13/09/16 PDRs sent by interest area
  11. 11. GDPR compliance • Article 12-14, Information notice • Use of icons and simple text to explain: what, how and for what purpose • (could be extended to target different demographic groups) • Article 4 and 7, Consent • Provides a record for both individual and organization • Includes data collected under consent • (currently only in human-readable format; could be extended with link to remove consent) • Article 17-19, Data erasure and portability • Provides link to contact Data Controller • (could be extended with link to automatically trigger data erasure or portability; but needs strong identity and identification, Article 29 WP)
  12. 12. Next steps • Report to be released soon • Commercial • Promote adoption • Organizations collecting personal data and needing GDPR compliance • SMEs providing personal data management solutions (e.g., e-wallets) • Technical • Understand requirements, formulate and test assumptions, deliver technology to: • Provide additional functionalities • Simplify adoption (process vs toolkit) • Increase scalability (e.g. PDR as a service) • Foster interoperability (standardized human and machine readable format)
  13. 13. BSI PAS 4891 – Privacy Labels • Recommendation on how organizations communicate how they use customers personal data online • Define the categories of information • Provide an initial icons mockup • Can be used in layered privacy policies (and PDRs)
  14. 14. THANK YOU! #DigiCatapult info@digicatapult.org.uk 0300 1233 101 Digital Catapult digicatapult.org.uk /DigitalCatapult @DigitalCatapult

×