digital analytics & privacy: it's not the end of the world

Digital Analytics & Privacy: it’s not the end of the worldNovember 12th 2013

Aurélie PolsSomething (Digital) Analytics Europe

Chief Visionary Officer & Founder

@aureliepols

Expectations: no legislation, promised!

@aureliepols

@aureliepols

Datenschutz, Protección de datos, Protection des données

Privacy, a human right?

@aureliepols

Source: http://rt.com/news/germany-brazil-un-spying-resolution-394/Source: http://www.ohchr.org/EN/Pages/WelcomePage.aspx

Navi Pillay

The changing tide of public opinion

@aureliepols

Source: http://www.globalresearch.ca/25-verdades-sobre-el-caso-evo-moralesedward-snowden/5341660

Democracy in danger since the Patriot Act?

@aureliepols

Source: http://minnesota.publicradio.org/display/web/2013/01/22/daily-circuit-alexis-de-tocqueville-democracy-in-america

This is about keeping your job

@aureliepols

Source: http://toogoodtogodown.wordpress.com/2012/04/30/youre-fired-which-grimsby-town-players-will-be-offered-new-deals-and-which-will-be-released/

http://blog.kevinmaxwell.co.uk/2012/11/guess-what-youre-fired/

The confessions of a European analyst Grew up in the Netherlands, Dutch passport

French mother tongue

Most of my friends of bilingual at least!

Have Polish & Russian origins

Set-up my first start-up in Belgium in 2003

Sold it to a UK agency, Digitas LBi (Publicis), in 2008

Moved to Spain in 2009

Created Mind Your Group (Putting Your Data to Work) + sister company Mind Your Privacy in 2012 (yes, law firm)

@aureliepols

Bridging Analytics & Data Protection in Europe

European Convention of Human Rights, Article 8: Privacy is a fundamental right

you don’t have to agree ;-)

Spain = 80% of EU Data Protection fines; strict data protection legislation, breach notification & security protocols best practices

@aureliepols

The Rule of Law is the foundation of Democracy

“Democracy must be built through open societies that share information.

When there is information, there is enlightment.

When there is debate, there are solutions.

When there is no sharing of power, no rule of law, no accountability, there is abuse, corruption, subjugation and indignation.”

Atifete Jahjaga, President of Kosovo

@aureliepols

The Rule of Law is the foundation of Democracy

@aureliepols

APEC US & UK EU

Continental law influenced

Common Law Continental Law

Class actions Fines (by DPAs: Data protection Agencies)

Privacy Personal Data Protection

Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen

Sector based legislations: HIPPA, COPPA, VPPA, …

Over-arching EU Directives & Regulations

PII varies per state but lists defined Introduction of pseudo-anonymized data within the new PDP Regulation, partially trying to avoid pinning down PII exactly imho

* Again, you don’t have to agree!

Privacy is a tough cookie to crack

So was probably the Declaration of Human Rights, ask Eleanor Roosevelt!

So called Cookie Directive, good or bad idea?

- Very techno specific

- Doesn’t help when legislation lags behind…

- Raised awareness?

- Clean house?

@aureliepols

Best cookies in the world: Maison Dandoy, Brussels, since 1829, http://www.maisondandoy.com/en/home/,

Rome wasn’t build in a day

Take away #1:

The EU & the US view Privacy & data protection very differently and that is fine!

Rome wasn’t built in one day, neither was the traffic regulation in NY or Madrid!

@aureliepols

Wicked French ;-)Most EU countries talk of zebra paths France: are still talking of passages cloûtés

@aureliepols

Image source: http://images.forum-auto.com/mesimages/770027/passage%20cloute.jpg

Take away #2 related to data:

Time:

- Techno evolves faster than legislation

- Privacy procedures are new to techno players => no Privacy culture!

Data is ad infinitum transferable, without decay => new Privacy challenges, la bande de GAFA (CNIL)

Privacy tri-partite

Joint effort by:

1. Governments &/or international Associations => regulations, guidelines..

2. Businesses

3. Citizens/consumers/voters

Each party wanting to defend its rights:

- Personal Data Protection & the Rule of Law through respect of Fundamental Rights

vs.

- Profits & hopefully Sustainability

@aureliepols

If data is the new oil, is Privacy the new Green?

@aureliepols

Comparing Facebook’s Privacy policy

Source: http://mattmckeon.com/facebook-privacy/

What’s in a word? DATA LIFECYCLE

@aureliepols

Source: https://vividcortex.com/blog/2013/10/30/slides-from-making-big-data-small-at-strata

Source:http://www.simpletraining.com/lifecycle-data-management-training.html

Overlap & pieces missing

@aureliepols

Source: http://libraries.mit.edu/guides/subjects/data-management/cycle.html

Take away #3

Data:

- ad infinitum transferable

Legislation:

- Breach notification

Common sense:

- Procedures!

The evolution of Breach notification

@aureliepols

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

LinkedIn Big Data feedback loop

@aureliepols

Consent? Anyone?

Example:

Netflix

VPPA

Source: https://www.facebook.com/photo.php?v=10151708759330687&set=vb.9445547199&type=2&theater

Some basic Privacy terms, bouh!

PURPOSE:

What are you using the data for?

CONSENT:

Reasonable expectation of the use of data => Transparency

@aureliepols

Trust => Social Media reputation

(See also Breach notification for Crisis Management)

Creepy => Ethics boundary

You: Data Controller – Tools: Data Processor, ok?

@aureliepols

Source: http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm

Take away #4

Review those bloody contracts, will you?

Assure liability is clear and that you are covered!

Did Big Data kill the Privacy framework?No, it introduced a paradigm shift

Just like analytics is becoming permeable through the company

This is also the case for the legal consequences of the use of data:

Employee Training & internal debate related to what is acceptable & what is not should become part of business

@aureliepols

User consentUser consent

Fair & Legal processFair & Legal process

Information for approved useInformation for approved use

Data diving analysis / Big DataData diving analysis / Big Data

New business opportunity through data

New business opportunity through data

PurposePurpose

Security is only one solution to the problem

@aureliepols

SECURITY(TECHNOLOGY)

SECURITY(TECHNOLOGY)

DATA COLLECTIONDATA COLLECTION

The guy in the middle is a DPO: Data Protection Officer, required key personnel once the EU Personal Data Protection Regulation passes

The EU Personal Data Protection Regulation is coming

@aureliepols

#EUDataP

Source: www.iabeurope.eu/files/8813/7882/1681/IAB_Tuesday_Webinar_Data_Protection_FINAL.pdf

ICO is an outlier

Without the right support, the best security crumbles

@aureliepols

SECURITY

(TECHNOLOGY)SECURITY

(TECHNOLOGY)

DATA COLLECTIONDATA COLLECTION

Human error causes most data breaches

Source: http://www.cooldailyinfographics.com/post/data-and-security-breaches

Bridging the analytics to the legal world

@aureliepols

User consentUser consent

Fair & Legal processFair & Legal process

Information for approved useInformation for approved use

Data diving analysis / Big Data

Data diving analysis / Big Data

New business opportunity through

data

New business opportunity through

data

SECURITYTECHNOLOGY

SECURITYTECHNOLOGY

DATA COLLECTIONDATA COLLECTION

Security = Icing on the cake

Harmonising Security & Privacy

Effective Privacy management depends upon a Risk driven approach that surpasses compliance needs

- Prepare for legislative changes

- Recognise that just because something is legal, it doesn’t mean it is a good idea

- Consider how Privacy drives strategic advantage => USP?

Skill requirements & interfaces between professionals

- Identifying intersection and tackling conflict

- Finding a common language

- Developing a Privacy culture

@aureliepols

Source: http://www.rsaconference.com/writable/presentations/file_upload/grc-w07-when-worlds-collide-harmonising-governance-between-security-and-privacy.pdf

Always ask yourself these 3 questions & keep your job

What data am I collecting?

- PII vs. non-PII

- Persönlich ↔ Pseudonym ↔ Anonym

Who has access to this data?

- Both persons & tools

Where is the data stored?

- SafeHarbor vs. Binding Corporate Rules

@aureliepols

Or follow the IAB’s recommendations!

@aureliepols

Source: http://www.fanpop.com/clubs/the-good-wife/images/25049423/title/good-wife-special-alicia-season-3-photo

Thank you for your time!

Aurélie PolsSomething (Digital) Analytics Europe

Chief Visionary Officer & Founder

@aureliepols – www.mindyourprivacy.com/uk/