INTELLIGENT MARKETING HUB

Privacy Engineering for Big Data & Data ScienceBrussels, October 11th 2016European Data Innovation Hub @ AXA

@aureliepols

Data Governance & Privacy Advocate

Data is the New Oil – Privacy is the New Green – Trust is the New Currency

AURELIE POLS, KRUX PRIVACY ADVOCATE

• Data Governance & Privacy Advocate – Krux Digital

• Ethics Advisory Group – European Data Protection Supervisor (EDPS)

• Chief Visionary Officer – Mind Your Privacy

• Training Advisory Board – International Association of Privacy Professionals (IAPP)

• Professor of Ethics & Privacy, Big Data & Analytics Master – Instituto de Empresa (IE)

OX2 Co-founderWebanalytics.be

@aureliepols

”My” in “my information” is not the same as “my” in “my car” but rather the same as “my” in “my body” or “my feelings”; it expresses a sense of constitutive belonging, not external ownership, a sense in which my body, my feelings, and my information are part of me but are not my (legal) possessions

- Luciano Floridi, The Ontological Interpretation of Informational Privacy, Ethics and Information Technology, 7(4): 185-2005

@aureliepols

I’m not here to define Privacy

Analytics Privacy(&DataProtection)

@aureliepols

Consider before crucifying the Rule of law1. The specifics of data as an Economic Asset:

² Data in infinitely transferable without decay

2. Often forgotten Legislative Challenges² Defining and recognizing Data Harms

3. Related to evolving Privacy Legislation² Compliance is a Risk Exercise

4. Minimizing Privacy related Risks² YOUR liability within the Data Ecosystem

@aureliepols

Privacy Engineering

VALUE / ETHICSCorporate social

responsibilityRespect individuals

RISKStandard operating

procedureDo not harm

COMPLIANCELegislationDon’t hit people!

6

Parties Involved in Data Privacy

PEOPLE

Have People DataGOVERNMENTS

Laws to protect People Data

COMPANIES

Collect, use & protect People Data

INDUSTRY ORGANIZATIONS

Guidelines to protect People Data

Data QualityAd Blocking Class Actions

ComplianceSelf-Regulation

Privacy professionals?

8

Source: IAPP-EY Annual Privacy Governance Report 2016https://iapp.org/media/pdf/resource_center/IAPP%202016%20GOVERNANCE%20SURVEY-FINAL3.pdf

@aureliepols

Who owns the cookies? The jar is breaking

@aureliepols

From https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2015/15-09-11_Data_Ethics_EN.pdf

@aureliepols

Erosion of human dignity throughArticle 1 EU Charter of Fundamental Rights

• Discrimination => pothole app eg.=> representativity of population?

• Loss of choices => credit scoring=> transparency & recourse

• Loss of serendipity: tunneled vision• Loss of life?

11

@aureliepols

Privacy Risk: it depends?

Risk Ontology

12

Experiences in the Development and Usage of a Privacy Requirements Framework by Ian Oliver, Security Research Group, Bell Labs, Nokia

@aureliepols

Ethics of the Data AnalystI shall remember data are not only numbers but actual people, that could be harmed by my work;

I shall treat data that might identify individuals with the utmost care, which includes respect for their dignity, avoiding discrimination, as well as security best practices;

I will not do to personal data what I wouldn’t find acceptable for data related to my family, friends, loved ones or myself;

I understand personal data, PII &/or sensitive data is context based and often difficult to identify. In case of doubt, I will ask for help or escalate in order to take the appropriate measures;

I understand data about individuals needs to travel with initial purpose of the data – the reason why it exists - & their respective consent mechanisms;

a) I will never use data without knowing where it comes from, it’s purpose and consent mechanisms (see Quién es la Última Principle);

b) I will never sell non consented data about individuals;

c) If I sell consented data, it will be accompanied by purpose. Up to the buyer to define whether subsequent data uses are aligned.

I understand consent might be revoked and a Right to be Forgotten – i.e. deletion – could be requested, that might need to be applied;

I shall align security protocols with how personal &/or sensitive the data is;

I will keep trace and document the data used in order to minimize risk related to data uses.

13

GOVERNANCE

V I S I T K R U X . C O M F O L L O W @ K R U X D I G I TA L

Thank you.

Aurélie Pols / apols@krux.com