Here are some key points about privacy and ethics by design for big data and AI systems:
- Privacy and data protection should be built into systems from the initial design stage, not bolted on as an afterthought. This is known as "privacy by design".
- Systems should be designed to collect and retain only the personal data that is actually necessary for the specific purpose, with no excessive data collection.
- Default settings should be set to the most privacy-friendly levels; for example, collecting the minimum amount of personal data by default.
- Systems should have transparency and explainability baked in; for example, individuals should be able to easily understand the logic and criteria behind algorithmic decisions or profiles about them.
The conference will contextualise the changing regulatory landscape, considering the business impact of the GDPR and DPA (2018) and how it is changing policy and process in practice.
When GDPR came into force in May it significantly raised the bar of obligation and accountability, ensuring that all organisations who handle personal data adhere to strict regulations around privacy, security and consent. 6 months on from implementation, the conference will consider how data protection procedure has moved on, with insight from frontline practitioners reflecting on how practices within their organisation have changed.
The event will also provide an update from the regulator; exploring regulatory action policy, decision making for fines and penalties, and clarifying some of the most prominent areas of misconception and non-compliance.
Core conference topics include:
• Key legal issues and obligations
• Data security and encryption
• Privacy Impact Assessments
• Databases, data mapping and classification
• Privacy by design
• Practical strategy implementation
9. How do we regulate?
• Sets out the ICO’s powers for clarity
and consistency about when and
how we use them;
• Ensures fair, proportionate and
timely regulatory action to protect
individuals’ information rights;
• Ensures regulatory action is
targeted, proportionate and
effective; and
• Assists in the delivery of Information
Rights Strategic Plan.
10. Our Regulatory Activity
• conducting assessments of compliance;
• issuing information notices;
• issuing assessment notices;
• producing codes of practice;
• issuing a warning;
• issuing a reprimand;
• issuing enforcement notices;
• administering fines;
• administering fixed penalties; and
• prosecuting criminal offences before the courts (not in Scotland!)
11. Our Regulatory Objectives
1. To respond swiftly and effectively to breaches;
2. To be effective, proportionate, dissuasive and consistent in our application of
sanctions;
3. In line with legislative provisions, promote compliance with the law;
4. To be proactive in identifying and mitigating new or emerging risks; and
5. To work with other regulators and interested parties constructively.
12. We will consider…
• the nature and seriousness of the breach;
• the categories of personal data;
• the number of individuals affected;
• whether the issue raises new or repeated issues;
• the gravity and duration of a breach;
• whether the organisation or individual involved is representative of a sector or
group;
• the cost of measures to mitigate any risk;
• the public interest in regulatory action being taken;
• any other regulator’s action; and
• any expressed opinions of the EDPB.
13. Aggravating factors:
• the attitude and conduct of the individual or organisation;
• whether relevant advice or warnings have not been followed;
• whether the DC failed to follow an approved or statutory code of conduct;
• the prior regulatory history;
• the vulnerability of the individuals affected;
• any protective or preventative measures and technology available, including by
design;
• the manner in which the breach or issue became known to the ICO; and
• any financial (including budgetary) benefits gained or financial losses avoided.
14. When is a CMP likely?
• a number of individuals have been affected;
• there has been a degree of damage or harm;
• sensitive personal data has been involved;
• there has been a failure to comply with an information notice, an assessment
notice or an enforcement notice;
• there has been a repeated breach of obligations or a failure to rectify a
previously identified problem or follow previous recommendations;
• wilful action is a feature of the case;
• there has been a failure to apply reasonable measures to mitigate any breach;
and
• there has been a failure to implement the accountability provisions of the GDPR.
15. Determining the amount:
1. An ‘initial element’ removing any financial gain from the breach.
2. Adding in an element to censure the breach based on its scale and severity.
3. Adding in an element to reflect any aggravating factors.
4. Adding in an amount for deterrent effect to others.
5. Reducing the amount to reflect any mitigating factors, including ability to pay.
16. Fixed Penalties:
Tier 1: £400;
Tier 2: £600;
Tier 3: £4,000;
up to a statutory maximum of £4,350.
DPA 2018 s155
20. The investigation has become the largest investigation of its type by any Data Protection Authority - involving online social media platforms, data brokers, analytics firms, academic institutions, political parties and campaign groups.
27. Framework
1. Our GDPR Readiness state
2. Identified our Business Strategy
3. Reviewed, Improved & Shaped Data Protection
and Privacy Compliance Programme
4. Programme Implementation
5. Review & Transition to BAU
28. People
• Buy in - we started at the top and had our highest
level of management behind us all the way
• Reward and promote the right behaviour
• Understand what your employees need to know
and how you can help guide them through the
changes
• Awareness - Drive the culture change and
mind-set around Data privacy & Data
protection
• Data Protection Ambassadors
29. People - Training
• Global layered training principle
• Different levels for different roles
• Entire business base layer data privacy and data
protection training 2017 & 2018
• Took a central role in Woods new Code of
Conduct
• Targeted training for teams that have access and
manage high volumes of personal data – Contract
teams, HR, Occupational Health, IT,
Communications & Marketing, Business Dev
• Make your people your strongest asset not the
weakest
30. Policies and procedures – the new challenges
• We have reviewed and updated our
policies/procedures and in particular focused
on Subject Access Requests and our Breach
Response procedure
• To help ensure that we meet the new
timeframes we developed templates/tracking
tools that helped respond to SARs and
Breaches
• Training and awareness was key
• The OODA loop - Observe, Orientate, Decide
and Act
31. 2019 & GDPR
• Wood has one SAR and one data procedure
globally
• 6 months in and Wood is continually reviewing
our programme, which is aided with the
guidance from the ICO, other sources and open
source external experiences
• We have kept our Sponsors and our Steering
Group in place for our programme – we are
ensuring that senior management are
continually involved
• We are now formulating our objectives for 2019
with our DPO
33. Privacy and Ethics in the era of Big Data and AI
Ivana Bartoletti – Head of Privacy & Data Protection
34. Structure
The increasing importance of Big Data.
Decisions by Autonomous Systems (AI): definitions, law and challenges.
Privacy and ethics by design.
Design for values: where are we with AI?
Deploying algorithms: practical steps for machine – human cooperation.
Gemserv 34
35. The importance of Big Data
Organisations are increasingly looking
towards data analytics to make more
informed and efficient decisions.
Data analytics allows companies to make
sense of data and develop patterns and
predictions.
Examples
A children’s doll, My Friend Cayla, uses a
microphone, location data and information
collected via an App to personalise messages
and interactions with children.
Online Advertising Systems characterise
individuals into social and demographic
categories on the basis of tracking their online
behavioural interests.
Smart Homes monitor residents’ and
homeowners’ use of appliances at home and
behavioural habits, in order to reduce water
and energy use.
This allows such organisations to reduce
costs, improve efficiencies and produce
more tailored customer experiences and
service offers.
36. Decisions by Autonomous Systems (AI): Background
Artificial Intelligence (AI) can also play a role where such
systems are self-learning, allowing for evolving analysis,
predictive functions and even decisions.
Autonomous Systems are increasingly involved in taking
decisions that replicate, or even replace, human decision-
making. Within this process, an AI System analyses.
AI systems or programs can be particularly concerning from a
data security and data protection perspective due to the lack of
transparency of their effects on individuals.
However….
37. Big Data and Artificial Intelligence
Do we need regulation?
38. Decisions by Autonomous Systems (AI): Concepts
Definition
Article 13 of the GDPR requires meaningful information about the logic, significance and the
envisaged consequences of automated decision-making for the data subject.
Article 22 of the GDPR limits “decision[s] based solely on automated processing” that
similarly significantly affect data subjects.
Regulation
Several regulatory authorities, including the Information Commissioner’s Office and
Norwegian Data Protection Authority (Datatilsynet), have issued opinions around using
algorithms.
Industries bodies such as the Alan Turing Institute, AI Now Institute and Institute of Electrical
and Electronics Engineers (IEEE) have also issued guidance about assessing AI and Big Data
systems for their technological and legal compliance, and many organisations are focusing
on the ethics of AI.
39. Decisions by Autonomous Systems (AI): Challenges
The key challenges for data processing and autonomous systems centre around compliance with three
principles:
Responsibility involves imbuing systems
and processes with ethical values and
considerations and ensuring that
algorithms complement, rather than
replace, human decisions.
Fairness involves protecting individuals
from the adverse effects of automation,
and ensuring profiling is carried out
in a fair and non-biased way.
Transparency involves giving data
subjects and, where possible, the
public, an explanation of processes
and procedures involved in
algorithmic decisions or profiling.
41. Privacy and Ethics by Design
Organisations should consider privacy and ethical principles throughout the design of systems:
• Are procedures for testing data accuracy in place?
• Are the uses of data/profiling made clear to data subjects?
• Are mechanisms for collecting consent in place?
• Have you carried out a DPIA and/or Algorithmic Impact Assessment on automated decisions?
• Have you apportioned liability between third parties?
• Have decision-makers for the system been selected?
• Are appropriate access controls in place?
• Have APIs and user-facing features been designed with privacy and transparency in mind?
• Do you keep track of requests or complaints received?
• Do you have a procedure for ascertaining the effects of automated decisions?
42. Design for Values: Where are we with AI?
• Systems need to be embedded with values chosen by the organisation.
• Training and testing of autonomous systems needs to identify if any biased results emerge.
• Algorithmic functions need to be constrained to avoid weighting characteristics that could lead to bias.
• Developers and deployers need to agree an apportionment of liability if automated decisions go wrong.
Example
Self-driving vehicles are an example of how values need to be embedded into automated systems. Different values may present a ‘trolley problem’ where, faced with a potential accident, the car must decide whose life to prioritise.
43. Deploying Algorithms: Practical Steps
Human intervention may be necessary for GDPR compliance if decisions have legal or similarly significant effects.
Human intervention also may be necessary to allow decisions to be explained to individuals.
Other steps can include:
At the design stage, humans should set the values for AI systems.
Humans should have control over system outputs.
Strict roles and responsibilities should constrain which humans can access AI systems.
47. www.rgdp.co.uk
Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP
Mark Chynoweth: General Manager, RGDP LLP
5th December 2018
GDPR Scotland Summit 2018
GDPR – after the hype, how is the Data
Protection Officer’s role working in practice?
49. Agenda
Data Protection Principles
Audit of personal data
Reasons and Legal bases for processing personal data
Privacy policies and Cookies notices
Data protection policies
Controller / processor / data sharing relationships
Record of Processing
Security of the personal data
Direct marketing
Cross border transfers
Training
DPO or Data Protection lead
50. Principles
Under the overarching principle of Accountability, you are required to
demonstrate compliance with the following data protection principles:
Lawfulness, Fairness and Transparency
Purpose Limitation
Data Minimisation
Accuracy
Storage Limitation
Integrity and Confidentiality
51. Audit of Personal Data
Conduct this audit as the first step – it will inform much of what is to come
Identify:
Where personal data is collected
what personal data is collected
what you use the data for
who it may be shared with
how long you need to keep the data
Document all this information in an asset register
Establish a process for keeping the audit or asset register up to date
52. Reasons and Legal Bases
Know why you need to hold / process personal data – be sure that you
have a valid reason
Identify the legal basis for processing each type of data you hold:
Consent
Contract
Legal Obligation
Vital Interests
Public Interest
Legitimate Interest
If you hold special category data you will also need to identify additional
reasons for processing
53. Privacy Notices
Also known as Fair Processing Notices.
GDPR specifies that information such as the purpose and legal basis for
processing must be given to data subjects when you are collecting their
personal data.
This information must be provided in a concise, transparent, intelligible
and easily accessible form, using clear and plain language, especially if
you are processing the data of a child or vulnerable person.
Separate and individually bespoke privacy or fair processing notices are
required for different categories of data subjects.
Cookies policies on websites.
54. Policies and Procedures
In addition to Privacy Notices, you should have an overarching data
protection policy and policies covering:
Data Protection Impact Assessments
Breach Management procedures (including breach register)
Data Subject Rights (Subject Access Requests)
Retention
Security of Processing
Cross border data transfers
Training
Other policies, e.g. HR, Social Media, Remote Working etc should be
checked to ensure that they are GDPR compliant – this can be done in
slower time during routine policy updates.
55. Data Sharing
You should establish whether you are a Data Controller or Processor for
each category of personal data being processed:
Data Controller
Data Processor
Joint Controller
A Data Controller must carry out due diligence in relation to any Data
Processor it employs and monitor compliance.
Contracts between Data Controllers and Processors should be updated
with GDPR compliant Data Protection clauses.
It is good practice to maintain a register of all contracts with the date
when data sharing agreements or data protection clauses are agreed.
56. Record of Processing
Organisations with over 250 employees.
Organisations with less than 250 employees
The Record of Processing must contain the following information:
name and contact details of the controller, joint controller, controller’s representative and the DPO
the purposes of the processing
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data has been or will be disclosed including recipients
in third countries or international organisations;
transfers of personal data to a third country or international organisation
time limits for erasure of the different categories of data;
a description of the security measures in place to protect the personal data.
57. Security of Personal Data
GDPR insists on integrity and confidentiality of personal data.
Organisations must have technical and organisational measures in place
to prevent unauthorised or unlawful processing and to guard against
accidental loss, destruction or damage. Measures include:
Pseudonymisation
Anonymisation
Encryption
Security Standards
Back-ups
Vulnerability Scans and Penetration Testing
Access Controls
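Pseudonymisation is the first measure in the list above, and the practical point that matters under Article 4(5) is that the "additional information" needed to re-identify someone is kept separately from the data. The following is an added example, not code from the summit slides or from RGDP: it pseudonymises direct identifiers with HMAC-SHA256 under a secret key that is assumed to live in a separate key store, keeps the re-identification table apart from the analytics copy, and shows why an unkeyed hash of an identifier does not give the same protection. The field names and sample records are constructed.

```python
"""Pseudonymising direct identifiers with a keyed hash (HMAC-SHA256).

Added example; this is not code from the summit slides. It assumes a
secret key that is stored separately from the pseudonymised data set
(a KMS entry or an access-controlled secrets file, for instance), so
that re-identification needs both the data and the key.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Fields treated as direct identifiers; everything else is passed through.
DIRECT_IDENTIFIERS = ("name", "email", "ni_number")

# Constructed sample records (fictional people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.com",
     "ni_number": "QQ123456C", "postcode_area": "EH1", "plan": "gold"},
    {"name": "Bob Sample", "email": "bob@example.com",
     "ni_number": "QQ654321A", "postcode_area": "G2", "plan": "silver"},
]


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Deterministic token for one identifier.

    The value is normalised first so 'Alice@Example.com ' and
    'alice@example.com' map to the same token (joins still work).
    The field name is mixed into the MAC input so the same string
    in two different fields yields two different tokens.
    """
    normalised = value.strip().lower()
    message = f"{field}\x00{normalised}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymise_record(key: bytes, record: Dict[str, str]) -> Dict[str, str]:
    """Replace direct identifiers in a record; leave other fields as they are."""
    return {
        field: pseudonymise_value(key, field, value) if field in DIRECT_IDENTIFIERS else value
        for field, value in record.items()
    }


def build_reidentification_table(key: bytes, records: Iterable[Dict[str, str]],
                                 field: str) -> Dict[str, str]:
    """Token -> original value for one field. This is the 'additional
    information' the controller keeps apart from the pseudonymised data."""
    return {pseudonymise_value(key, field, r[field]): r[field] for r in records}


def unkeyed_hash_is_guessable(digest_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Why a plain SHA-256 of an identifier is not pseudonymisation: anyone
    who can enumerate plausible inputs (email addresses, NI numbers) can
    recompute the hash and match it without any secret."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: loaded from a separate key store
    analytics_copy = [pseudonymise_record(key, r) for r in SAMPLE_RECORDS]
    lookup = build_reidentification_table(key, SAMPLE_RECORDS, "email")
    for row in analytics_copy:
        print(row["email"][:16], "->", lookup[row["email"]], row["plan"])
    plain = hashlib.sha256(b"alice@example.com").hexdigest()
    print("unkeyed hash matched:",
          unkeyed_hash_is_guessable(plain, ["bob@example.com", "alice@example.com"]))
```

The analytics copy can be handed to a processor without the key; anyone holding only that copy cannot reverse the tokens, and rotating the key produces an unlinkable new set of tokens. Anonymisation, the next item in the list, is the case where no such key or table is retained at all.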
58. Direct Marketing
Direct marketing includes sending out campaign messages and information as well as
selling. Rules in relation to direct marketing are contained in the Privacy and Electronic
Communication Regulations (PECR):
Post
Phone Calls
Emails and Text Message
Business to Business (B2B) Marketing
Soft Opt-In
You must always offer an opt-out option.
59. Cross Border Transfers
Under GDPR, you cannot transfer personal data to a country outside the EU unless:
The country provides adequate protection confirmed by an EU Commission “adequacy
decision”
An appropriate safeguard has been put in place between the data exporter and importer
The data transfer is exempt from the requirements of the GDPR.
Appropriate safeguards
If no “adequacy decision” has been issued and it is not possible to use one of the
appropriate safeguards then as a last resort you may be able to rely on an exemption,
e.g. consent, conclusion of a contract, if it is in the data subject’s interest, in the public
interest, for legal claims, for vital interest or for legitimate interest.
60. Other Requirements
Embed a culture of data protection throughout your organisation
Train your staff - induction and annual refresher training
Staff should know:
Who to go to for help and advice - DPO or DP Lead
What and where the policies are held
What to do if they become aware of a breach
What to do if they get a data subject request
62. Top Tips for GDPR Compliance
Bearing in mind the data protection principles:
Conduct an audit of personal data – know what personal data you hold and where
Understand the reasons why you need to hold / process it
Establish the appropriate legal basis for each of type of personal data you process
Get your privacy notices and cookie notices right
Get appropriate data protection policies and procedures in place – ensure staff know about them
Understand your controller / processor / data sharing relationships and actively monitor third
parties
Produce a Record of Processing
Ensure the security of the personal data you store / process – electronic and paper
Understand the rules for direct marketing (if relevant)
Understand the rules for cross border transfers of personal data (if relevant)
Embed the culture – embrace the data protection principles and train your staff
Appoint a DPO or Data Protection lead (consider outsourcing!)
63. QUESTIONS?
Paul Motion: Accredited Specialist in Data Protection and FoI Law, BTO Solicitors LLP
Mark Chynoweth: General Manager, RGDP LLP
5th December 2018
64. GDPR: Staff awareness & education
Creating a human intrusion detection system
Technology: Human & Augmented intelligence
Individual training plans
Gamified training
Passwords and the dark web
65. GDPR: Human Intrusion Detection
What do we mean?
An individual who is able to identify malicious activity and/or policy violations.
Collectively, a group of individuals who are able to identify malicious activity and/or policy violations.
67. GDPR: Individual training plans
Use machine learning at mailbox level
Assess each employee's ability to recognise threats
Each user automatically graded
Personalised training based on this ability
Users progress as knowledge increases
68. GDPR: Gamified training
Categorise users into different groups
Deliver interactive, micro learning methods
Training delivered individually, supported by over 50 gamified videos and 1,000 HTML scenarios
Memorable and fun
69. GDPR: Passwords & the dark web
Database of over 500 million breached passwords
Adding circa 10,000 each day
How do you know that your credentials are secure?
70. Summary
Compliance is a journey. There is no silver bullet and everyone is compliant… until they aren’t.
Education and awareness takes many forms, but again, is a journey.
Technology aids awareness, builds knowledge and mitigates risk.
To find out more about how CyberWhite, IronScales and Authlogics can assist, please visit our stand.
74. Data Protection Law in 2018 – Quick Reminder
General Data Protection Regulation (“GDPR”)
Provides the general framework for handling personal data in Europe.
Data Protection Act 2018
Applies the GDPR in the UK and provides exemptions from certain rules e.g. subject access requests.
Should be read in conjunction with the GDPR.
Note that the Data Protection (Charges and Information) Regulation 2018
requires certain organisations to register with the ICO in the UK (in addition to Article 30 Register)
Privacy & Electronic Communications Regulations
Specific legislation for electronic marketing including email, cookies and online behavioural advertising.
This is undergoing review currently by the European authorities.
75. What will we cover?
▶ The DSAR landscape post GDPR
▶ Managing Requests
▶ What needs to be disclosed?
77. DSARS – the landscape post GDPR
▶Disproportionately high volume of complaints to the ICO are about DSARs
▶Most organisations are experiencing some increase in rights requests
▶Easier now that requests can be made verbally but identification is an
issue
▶Increase in requests for erasure
▶Some requests for rectification
…increase in awareness of rights – customers and employees
78. Identifying a DSAR
Can be made in any format and even verbally (consider identification issues.)
Keep an eye on social media accounts.
Valid if received by ANYONE in your organisation – think about training.
80. Personal data checklist…
• Individual must be directly identifiable from the data
• But can also be data identifiable from other data held
• Can include opinions made about an individual by another
• Decisions & decision making process may also be caught
• Must “concern” the individual.
• Electronic records and relevant filing systems.
81. Some Examples
► Common Examples: Name, address, date of birth, national insurance number,
passport number, salary information, performance information
► Correspondence (emails, IMs)
► Opinions expressed about an individual
► Information from monitoring: Phone calls; CCTV footage
Remember: right is to information, not documents: it is acceptable to extract
information provided context is retained
82. What needs to be provided?
A copy of the personal data requested AND individuals also ‘have the right to obtain’:
▶confirmation as to whether personal data are processed
▶a copy of the personal data
▶purposes of processing
▶categories of personal data
▶to whom data has been disclosed (in particular if overseas)
▶how long data will be stored for
▶the right to lodge a complaint with the ICO
▶where the personal data was obtained from
▶whether any automated decision making has taken place
84. DSAR Response Steps
Step 1: Recognise / Verify DSAR
▶ Identify the request as a DSAR
▶ Identify the individual
▶ Check what Personal Data is covered ; is there enough information to locate
the personal data?
Step 2: Locate the relevant data
Use the search parameters given – can include:
▶ all e-mails and documents that relate to that individual;
▶ all hard-copy files that are structured by reference to the individual;
▶ voice recordings, photographs or CCTV images
▶ information processed by data processors
85. DSAR Response Steps (cont.)
Step 3: Assess what should be disclosed
▶ is it personal data?
▶ does it meet the parameters of the request (remove anything outside timescale or scope)
▶ consider exemptions
Step 4: Respond
▶ Securely provide the information requested, within 1 calendar month of request
Step 5: Record
▶ Keep a record of searches done, information returned and redactions and exemptions applied: you will be asked
for these if the ICO investigates
89. Excessive Requests?
▶If request is “manifestly unfounded or excessive”:
▶A ‘reasonable fee’ to cover administrative costs can be charged OR
▶The request can be refused
▶What is “manifestly unfounded or excessive” will be a high bar....disproportionate
effort cases under old DPA 1998 may be relevant
90. Is it actually personal data?
▶Information must ‘relate to’ the identifiable individual to be personal data.
▶This means that it does more than simply identifying them – it must
concern the individual in some way.
▶To decide whether or not data relates to an individual, you may need to
consider:
▶the content of the data – is it directly about the individual or their
activities?;
▶the purpose you will process the data for; and
▶the results of or effects on the individual from processing the data
91. Some recent developments…
▶Lonsdale v NatWest Bank (Sep 2018)
▶Suspicious activity report – individual had accounts closed, made a claim
and a DSAR
▶On application to High Court to strike out DPA claim, held that personal
data included:
▶Business decisions made by the bank;
▶Information relating to suspicious activity reports and reasons for closing
accounts;
▶Data used to inform actions / decisions
92. The Main Exemptions
• Third party information
• Management planning / forecasting
• Legal professional privilege
• Negotiations with requestor
• References (given and received)
93. Third Party Information Checklist
Has the individual consented?
Is it reasonable to comply without that consent? Remember you
are not obliged to ask for consent.
Factors to consider include:
type of information
duty of confidentiality owed
steps taken to seek consent
capability of giving consent
express refusal of consent
102. Vendor-Related Data Breaches on the Rise in 2018
Regulatory Liability Has Shifted
“Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.”
5 million credit & debit card details exposed
150 million health data records exposed
92 million DNA site customer details exposed
Breaches and Regulations Make Vendor Risk a Priority
110. Disjointed Processes | 3rd, 4th, 5th Party Risks | Contract Agreements | Global Compliance
• No automation = time-intensive & costly work
• Outdated spreadsheets, data in multiple tools
• Limited visibility, limited mitigation
• Frequent subprocessor changes
• Complex cross-team effort
• Many vendor variations, lack of accountability
• Difficult documents to sift through
• Diverse laws create complexity
• Cross-border data transfers, breach notification, etc.
• No central platform = outdated information & lack of risk tracking
111. Are You Able to Ask the Right Questions?
• Are you assessing vendors on an ongoing basis?
• Are your vendor data flows keeping your central data map & ROPA evergreen?
• Are you assessing 4th party vendors?
• Can you search all vendor contracts to know what data processing agreements are in place?
• Are you dependent on manual questionnaires or can you pre-populate or scan data?
• Do you need to manually review the results of questionnaires?
• When risks are identified, do you have a central way of assigning ownership and tracking remediation?
• Can you easily demonstrate compliance and accountability if audited?
• When a vendor is offboarded do you have evidence of data destruction and honored confidentiality?
• Do you have a central way of detecting, tracking, approving sub-processor changes?
116. Step 2: Triage & Assess
Build checklists relevant and specific to your business/type of vendors
1. Get basic information
2. What data is processed?
3. How is data processed?
4. Prioritise by risk
5. Send questionnaires
118. Step 3: Document & Demonstrate
1. RISKS: What do you do with the risks identified?
2. AGREEMENTS: Do you centrally store contract/data processor agreements?
3. ARTICLE 30: How do you keep records up to date?
119. Step 4: Monitor Vendors
Sub-Processor List RSS Feed
Website or Knowledgebase Article
Contract or Data Processor Agreement (DPA)
Auto-Send Risk Assessments to Sub-Processor
121. Step 5: Offboarding
Management
• Monitor expiration dates
• Ensure vendors are following proper confidentiality agreements
Roles & Responsibilities
• Whose job is it to manage offboarding? Privacy team? Vendors?
• Make sure this is clear in contracts
Backups
• Ensure backups are properly handled
• Vendor backups
• Internal business backups
123. The #1 Most Widely Used Privacy Management Platform
PIA | DPIA | PbD | InfoSec Assessment Automation
Privacy Program Management
Vendor Risk Management
Incident and Breach Response
Marketing Consent, Preferences, & Subject Rights
• Data Protection by Design and Default (PbD)
• Data Inventory, Mapping, Records of Processing
• Global Readiness and Accountability Tracker
• Privacy and Security Incident Intake
• Incident Risk Assessment Automation
• Global Data Breach Law Engine
• Notification and Reporting Obligations
• 3rd Party Privacy & Security Risk Assessments
• 4th Party Sub-Processor Auto-Detection
• Vendor Compliance Scanning
• Contract & DPA Management
• Cookie Consent and Website Scanning
• Enterprise Preference Center
• Universal Consent Management
• Data Subject Rights Portal
124. Free GDPR Workshops
4.5 IAPP CPE Credit Hours
OneTrust Certification Program in Select Cities
Monthly GDPR Webinar Series
Hosted by Top Tier Law Firms & Consultancies
RSVP TODAY
PrivacyConnect.com
2018 WORKSHOP SCHEDULE
Amsterdam
Dublin
Düsseldorf
Warsaw
Vienna
Manchester
Geneva
London
Zürich
Paris
Lisbon
Helsinki
Madrid
Tallinn
Bucharest
Copenhagen
Seattle
Portland
Chicago
Vancouver
Toronto
New York
Atlanta
Houston
Denver
San Francisco
Los Angeles
Rome
Stockholm
Brussels
Berlin
Munich
Oslo
Prague
Barcelona
Budapest
Hamburg
Belfast
Milan
Athens
Boston
Washington
Austin
Charlotte
Phoenix
Sydney
Singapore
Melbourne
Hong Kong
Auckland
Tel Aviv
Dubai
Abu Dhabi
Doha
“This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.”
125. Visit Our Booth
Product Demos
Full Text GDPR Books
Free Tools & Templates
GDPR Workshops
Let’s connect @OneTrust!
126. Authentication mechanisms
and the GDPR
Jon Langley
Senior Technology Officer (Technology Policy)
GDPR Scotland Summit
Dynamic Earth, Edinburgh
5 December 2018
131. Policies and procedures?
“The password used was the individual’s username with 01 after it. So it met the purely technical standard [that the organisation had in place], but was easily guessable and very definitely not in line with best practice or the advice we give to staff.”
135. Article 32 - security
‘Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’
139. Some specifics
• Password managers – let people use them
• Blacklisting – how to stop your users having bad passwords
• Credential stuffing – can you defend against it?
• Regular changes – should we still do this?
• Admin accounts – consider higher levels of protection
• Reset process – make sure it’s secure
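As an added example that is not part of Jon Langley's talk or any ICO tool, the following Python shows what the "blacklisting" point and the "username with 01 after it" finding look like as a screening check at the point a user chooses a password: the candidate is normalised, compared against a denylist, and rejected if it is derived from the username. The denylist here is a constructed handful of entries standing in for a real breached-password corpus, and the function and constant names are this example's own assumptions.

```python
# Added example (not from the ICO presentation): screening a new password
# against a denylist and the user's own username, in the spirit of the
# "Blacklisting" and "username with 01 after it" points above.
import re
import unicodedata

# Constructed denylist. A real deployment would load a large corpus of
# breached / commonly used passwords instead of this handful of entries.
DENYLIST = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "winter", "summer",
}

# Common leetspeak substitutions, undone before the denylist lookup so that
# "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text: str) -> str:
    """Lower-case, drop leading/trailing digits and punctuation, undo leetspeak.

    "Winter2018!" -> "winter", "jlangley01" -> "jlangley", "P@ssw0rd" -> "password".
    """
    s = unicodedata.normalize("NFKC", text).lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def screen_password(password: str, username: str,
                    denylist: set = DENYLIST, min_len: int = 8) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")

    core = normalise(password)
    user = normalise(username)

    # Denylist: check both the raw lower-cased password and its normalised core,
    # so appending a year or swapping in '@' does not evade the list.
    if password.lower() in denylist or core in denylist:
        reasons.append("on denylist")

    # Username-derived passwords such as "<username>01" from the slide's example.
    if user and core and (user in core or core in user):
        reasons.append("derived from username")

    # A single repeated character ("aaaaaaaa") passes length checks but is trivial.
    if re.fullmatch(r"(.)\1*", password):
        reasons.append("repeated character")

    # Purely numeric passwords (dates, phone numbers) are a common weak pattern.
    if password.isdigit():
        reasons.append("digits only")

    return reasons
```

Returning the list of reasons rather than a bare boolean lets the registration or reset form tell the user why the choice was refused, which is what keeps the check from simply pushing people toward the next predictable variant.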
144. Summary
• Authentication is potentially difficult
− People will always take the route of least resistance, we have to allow for this
• The GDPR requires you to take account of all the circumstances
− Your authentication mechanisms must be tailored to specific circumstances
145. Keep in touch
Subscribe to our e-newsletter at ico.org.uk, or find us on @iconews, /iconews, /icocomms, /company/information-commissioner’s-office
Jonathan.langley@ico.org.uk
146. Best GDPR practice from the
Marketing frontline
Dr Simone Kurtzke, Programme Leader, MSc Digital Marketing, Robert Gordon University
Jason Stewart, E-Commerce and Digital Manager, Aberdeen International Airport
147. What we’ll cover today
• Brief history of permission-based marketing
• Research: Consumer trust in data security
• Compliant and fun: GDPR as opportunity
• Case study: AGS Airports - Marketing after GDPR
• Priority checklist for SME GDPR marketing
148. Permission-based marketing
“Permission marketing is an approach to selling goods and services in which a prospect explicitly agrees in advance to receive marketing information.”
Seth Godin, 1999
149. Consumer consent in UK law
• 1998 Data Protection Act covers data stored on computers but doesn’t define ‘consent’
• 2003 Privacy & Electronic Communications Regulations require opt-in consent for marketing messages – illegal to send unsolicited email
• 2012 EU ‘Cookie Law’ – consent required to serve non-essential website cookies (e.g. for advertising and tracking)
150. Permission as Privilege – Consumer research
• Data security is the first driver of trust in brands – but 50% of consumers do not want personal data used at all (Kantar TNS 2018)
• 72% of consumers think businesses, not government, are best equipped to protect them (PwC Protect Me 2017)
• 60% of 16-18 year olds trust a machine over humans (40%) to protect their data / privacy (Edelman Trust Barometer 2018)
151. Implications for Brands
• Provide data security reassurance – be explicit and comply (to reduce worry)
• Be transparent – clearly communicate what data is used for (to generate trust)
• Use consumer data to provide value / add utility (convenience / customer experience)
152. GDPR: Opportunity to build trust & be useful
• Traditional lead gen activities – prize draws, ‘free’ Wi-Fi with pre-ticked e-newsletter sign-ups – no longer possible
• Data trust = competitive advantage
• ‘Transparency in the intent’ – sceptical, informed consumers trust truthful brands offering tangible benefits
• What is the VALUE of my CHOOSING to share my data with you?
161. About AGS Airports
• We’re the second biggest airport group in the UK, comprising Aberdeen, Glasgow and Southampton Airports
• Combined we look after 15 million passengers every year
• The AGS Digital team is a stand-alone team working across the group
• Pre-GDPR, we undertook a 2 year project to get ready for the legislation changes
164. A big brand, with a big audience
1.92m
10.01m
251k Collective number of social media followers for AGS.
Emails sent to AGS customers YTD 2018.
The number of customer records held on the
collective AGS customer CRM database.
165. Using big data to personalise communications
• Richer data = more targeted and contextual communications to our customers
• The more we know about our customers, the more we can tailor their online experience
166. GDPR – what’s changed for AGS?
• Very little! At AGS we aim to exceed legislative requirements for data security
• Appointment of full time DPO
• Data security by design – procurement, IT, DPIAs, data audits, policy reviews etc.
• Automated, encrypted and anonymized marketing data/transfers
• No sharing of marketing data
• More explicit and defined opt-in procedures
• Redefined data retention policy
• Higher degree of segmentation for marketing communications
• “Hard” unsubscribes – opt-out from one, opt-out from all.
167. GDPR – what’s changed for AGS?
• Established, loyal customer database
• Average <0.5% unsubscribes
• Open rates exceed 20%
• Opt-out opportunities sent pre-GDPR
• Links to unsubscribe and refreshed privacy policy
• Unsubscribe rate just 1.2%
• Key to establish already-engaged customer lists, and only communicate to engaged customers
168. Marketing data – what’s next for AGS?
• Utilising consensually-provided data to personalise and improve the AGS passenger journey
• API-driven data collection to CRM database
• Real-time user segmentation and omnichannel, personalised communications
• Examples:
– Ability to provide ancillary products and services based on travel plans
– Live real-time communications based on tracked flights
– Send communications to people in the airport at this moment
– Exclude customer segments from communications they are unlikely to be interested in
using real-time data segmentation
169. Mobile app – launching Q2 2019
• Utilising real-time API customer data
• Push notifications based on tracked flight
• Ability to easily book and manage airport products such as lounge passes
• Geo-fencing within the terminal environs to enable in-terminal push notifications
Marketing data – what’s next for AGS?
170. Post purchase journey
Using customer data to serve products and services that are relevant to their destination. Providing a service that is useful and easy to use for passengers.
Marketing data – what’s next for AGS?
171. Making things easier… Signed-in user experience
• Creating a “single-sign-in” across the website and booking systems
• Allowing users to save and manage all of their flights, as well as their products booked.
• Using PCI DSS compliant services to store and use customer data
• Data powers “one click ordering”, a world-first for airports.
Marketing data – what’s next for AGS?
174. GDPR Marketing Priorities for SMEs
1. Review & audit opt-in status of existing database contacts
2. Create process & workflow for current & new data collection activity (incl. website and all marcomms collateral)
3. Gather opt-in consent from valuable existing contacts
4. Train sales team on compliant leads management
175. GDPR Marketing Priorities for SMEs
5. Create process to handle data information requests
6. Create process for GDPR breaches (incl. crisis comms)
7. Review external partners / third party suppliers for compliance (incl. digital tools e.g. WordPress plug-ins, scheduling tools)
8. Update your privacy page
9. Create process for ongoing ‘best practice’ database management (for clean, compliant data)
176. GDPR Marketing for SMEs – Key resources
• Download and review marketing specific checklists (e.g. BusinessBrew, DMA)
• ICO direct marketing checklist & Code of Practice (to be updated, currently in consultation)
• ICO data protection self-assessment toolkit (includes direct marketing, data sharing & records management checklists)
177. Final words – The Benefits of GDPR
• Higher quality leads
• More accurate data
• Better customer experience
• Stronger relationships with customers
• More effective Marketing
181. GDPR BAU – GDPR Challenges
• GDPR Programme post 25/05 … The work starts NOW!!!
• Change Attitudes & Behaviours: first-line ownership for PII… it’s not an “IT” Problem!!
• Maintain a culture of Data Protection by Design and Default?
• How can we manage the PII data lifecycle (structured & unstructured)?
• How do we accurately maintain the Records of Processing Activities?
• Where is the guidance and support within 1st line, i.e. accessible SME knowledge?
• Stay abreast of privacy law as the business evolves!!
• Are GDPR controls stifling business growth, resulting in lost opportunities?
Public
182.
GDPR MISSION STATEMENT
“Successful implementation of GDPR is not just
about new processes, but equally about
empowering the business to take a
proactive approach to encourage the right
behaviours in order to maintain a culture where
privacy is a default position”
183. Why Data Stewardship?
• Need for a conduit between Legal, DPO and shop floor!! “Speak the language with local knowledge”
• 1st line DP SMEs “Human Interaction”: first point of call for data protection
• Accountable: embed and develop BAU compliance processes: SAR, Breach Notification Process, DPIA & LIA (HEALTHCHECKS)
• Evidencing and documentation: “maintenance” of Records of Processing Activities (RPA), Privacy Notices, DPIAs, LIAs
• Escalation: 1st line compliance coordination and escalation path to 2nd line DPOM
• Management Information: “process efficiency” monitoring MI: daily / weekly / monthly MI reports to 2nd Line
• Issue management: undertaking investigations and taking remediation actions
• 1st line attestation with risk management framework evidencing
• Communication and awareness: reinforcing key educational and training messages, promoting a proactive culture of data protection and information management
185. Data Steward Accountabilities
• SME: Understand local business processing and systems
• Day 2 Day: Application of the Data Protection framework
• Communication: Policy compliance: local business leadership vs 2nd Line – facilitate two-way communication
• Security: Liaison with IT Security when appropriate (TOM) and data governance activity
• Evidencing & Accountability: Record of Processing Activities (Art 30); Data Privacy Impact Assessment (DPIA); SARs / Rights process MI and coordination; Data Breach Escalation Process / investigation
• Data Governance: Provide local support and oversight in the delivery of the Data Protection Framework; support for Data Classification, Data Retention & Deletion
• Management Information (KPIs): Data Governance Framework performance reporting; support of DPOM through the provision of needed management information; production and reporting of data-breach-related management information
• Training & Awareness: Provision of training in support of the Data Governance Framework; Data Classification training of updates and new entrants; GDPR training of updates and new entrants, in line with dedicated Training Resource; support local business leadership and the DPOM in GDPR capability development
187. Data Steward Awareness Campaigns
CLAP Campaign: Classify, Label And Print
• Posters & large banners (communications / awareness)
• Introduction of Data Stewards to BU
• Posters on notice boards, in printing areas and communal areas
• Animations “Tina the Trainer”, brand, and characters from GDPR programme
• Newsletters from internal comms
• Data Stewards conduct training, presentations, emails
189. Professional development of Data Stewards?
• Data Steward Handbook
• Training (professional certificate)
• DPO support & encouragement
• Weekly stand-ups (forums)
• Share knowledge
190. Success through the Stewardship Approach
• Accountability and ownership driven approach
• Documented and accurate RPA – transparency and ownership
• Evolving processes fully embedded in 1st line: periodic reviews
• Proactive approach and knowledge sharing through stewardship community
• MI up-to-date with evidence to support compliance for executive attestation
• Business understands privacy risks and is accountable for mitigation actions
• 2nd line SME oversight and support for 1st line Privacy SMEs
192. AtheneSecure – The New Business Opportunity
Mark Evans MBA B.Sc.(Hons) FIP, CIPP/E, CIPM, CISM, CISSP
Director – Athene Secure Ltd
Pragmatic Data Protection. Emphatic Cyber Security.