brussels data science - privacy engineering for big data & data science
TRANSCRIPT
INTELLIGENT MARKETING HUB
Privacy Engineering for Big Data & Data ScienceBrussels, October 11th 2016European Data Innovation Hub @ AXA
@aureliepols
Data Governance & Privacy Advocate
Data is the New Oil – Privacy is the New Green – Trust is the New Currency
AURELIE POLS, KRUX PRIVACY ADVOCATE
• Data Governance & Privacy Advocate – Krux Digital
• Ethics Advisory Group – European Data Protection Supervisor (EDPS)
• Chief Visionary Officer – Mind Your Privacy
• Training Advisory Board – International Association of Privacy Professionals (IAPP)
• Professor of Ethics & Privacy, Big Data & Analytics Master – Instituto de Empresa (IE)
OX2 Co-founderWebanalytics.be
@aureliepols
”My” in “my information” is not the same as “my” in “my car” but rather the same as “my” in “my body” or “my feelings”; it expresses a sense of constitutive belonging, not external ownership, a sense in which my body, my feelings, and my information are part of me but are not my (legal) possessions
- Luciano Floridi, The Ontological Interpretation of Informational Privacy, Ethics and Information Technology, 7(4): 185-2005
@aureliepols
Consider before crucifying the Rule of law1. The specifics of data as an Economic Asset:
² Data in infinitely transferable without decay
2. Often forgotten Legislative Challenges² Defining and recognizing Data Harms
3. Related to evolving Privacy Legislation² Compliance is a Risk Exercise
4. Minimizing Privacy related Risks² YOUR liability within the Data Ecosystem
@aureliepols
Privacy Engineering
VALUE / ETHICSCorporate social
responsibilityRespect individuals
RISKStandard operating
procedureDo not harm
COMPLIANCELegislationDon’t hit people!
6
Parties Involved in Data Privacy
PEOPLE
Have People DataGOVERNMENTS
Laws to protect People Data
COMPANIES
Collect, use & protect People Data
INDUSTRY ORGANIZATIONS
Guidelines to protect People Data
Data QualityAd Blocking Class Actions
ComplianceSelf-Regulation
Privacy professionals?
8
Source: IAPP-EY Annual Privacy Governance Report 2016https://iapp.org/media/pdf/resource_center/IAPP%202016%20GOVERNANCE%20SURVEY-FINAL3.pdf
@aureliepols
From https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-09-11_Data_Ethics_EN.pdf
@aureliepols
Erosion of human dignity throughArticle 1 EU Charter of Fundamental Rights
• Discrimination => pothole app eg.=> representativity of population?
• Loss of choices => credit scoring=> transparency & recourse
• Loss of serendipity: tunneled vision• Loss of life?
11
@aureliepols
Privacy Risk: it depends?
Risk Ontology
12
Experiences in the Development and Usage of a Privacy Requirements Framework by Ian Oliver, Security Research Group, Bell Labs, Nokia
@aureliepols
Ethics of the Data AnalystI shall remember data are not only numbers but actual people, that could be harmed by my work;
I shall treat data that might identify individuals with the utmost care, which includes respect for their dignity, avoiding discrimination, as well as security best practices;
I will not do to personal data what I wouldn’t find acceptable for data related to my family, friends, loved ones or myself;
I understand personal data, PII &/or sensitive data is context based and often difficult to identify. In case of doubt, I will ask for help or escalate in order to take the appropriate measures;
I understand data about individuals needs to travel with initial purpose of the data – the reason why it exists - & their respective consent mechanisms;
a) I will never use data without knowing where it comes from, it’s purpose and consent mechanisms (see Quién es la Última Principle);
b) I will never sell non consented data about individuals;
c) If I sell consented data, it will be accompanied by purpose. Up to the buyer to define whether subsequent data uses are aligned.
I understand consent might be revoked and a Right to be Forgotten – i.e. deletion – could be requested, that might need to be applied;
I shall align security protocols with how personal &/or sensitive the data is;
I will keep trace and document the data used in order to minimize risk related to data uses.
13
GOVERNANCE
V I S I T K R U X . C O M F O L L O W @ K R U X D I G I TA L
Thank you.
Aurélie Pols / [email protected]