Get data without the creepiness factor, the privacy by design concept
1.
@aureliepols Athens, June 17
Get Data without the ‘Creepiness’ factor: The Privacy by Design concept
Aurélie Pols Mind Your Privacy
MyPermissions
2.
The future of Customer Centricity?
2 fundamental questions:
1. How far is too far (for data use & transparency)?
2. Who will decide (what is acceptable)?
3.
4 DATA PRIVACY STATEMENTS
4.
Data = New Asset Class
• Economic asset:
– if it’s worth something, who owns it?
• Ownership means property:
– Property law, contract law, etc.
• But
Personal Data:
The Emergence of a New Asset Class
5.
DATA IS INFINITELY TRANSFERABLE WITHOUT DECAY
#1. The specifics of Data as an Economic Asset
6.
Familiar property types
• House, mortgage & cadaster
• A car loses 50% of its value the day after the purchase
• But data? What is it really?
HYPOTEK
Fastighetsregistret
7.
Infinitely transferable without decay
• Interesting type of property
• The legal world is not ready for
• Yet harm is imaginable:
– Deaths of dissidents
– Algorithmic discrimination
– Tunneled world vision
– Identity thefts
– Cyber bullying
8.
DEFINING & RECOGNIZING DATA HARMS
#2. Often forgotten legislative challenges
9.
US: no harm no standing?
Source: http://www.privacyandsecuritymatters.com/2015/06/home-depot-moves-to-dismiss-consumer-data-breach-claims-for-lack-of-standing/ & http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
10.
A Global Privacy Perspective
US & UK
EU
ASIA
Common Law (& the evolution of Standing)
Continental Law
Partially continental law influenced
Class actions
Fines by DPAs: Data Protection Agencies; Class actions under civil law for consumer associations in Germany?
Amended New Privacy Personal Data Protection (PDP)
Business focused
Citizen focused: data belongs to the visitor/prospect/consumer/citizen
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, … can be state level or federal
Over-arching EU Directives & Regulations. Directives are locally transposed (Cookie), Regulations are not: one rule for all!
PII: varies per US state
Geolocalization?
“Personal Data” => Risk levels: low, medium, high, extremely high
11.
PII: ah but we don’t collect it!
Medical information as PII: California, Arkansas, Missouri, New Hampshire, North Dakota, Texas, Virginia
Financial information as PII: Alaska, North Carolina, Iowa, North Dakota, Kansas, Oregon, Massachusetts, South Carolina, Missouri, Vermont, Nevada, Wisconsin, New York*, Wyoming
Passwords as PII: Georgia, Maine, Nebraska
Biometric information as PII: Iowa, Nebraska, North Carolina, Wisconsin
Source: information based on current continuous monitoring (partial results)
12.
1 legal concept to rule them all
FIPPs: Fair Information Practice Principles
1. Transparency: Notice/awareness & Purpose => how transparent?
2. Choice: Consent => opt-in or opt-out, ex- or implicit?
3. Information review & correction: Access & participation in (data) accuracy
4. Information protection: Data integrity & security
5. Accountability: Enforcement and redress:
i. Self-regulation,
ii. Private remedies through civil actions (Germany)
iii. Government enforcement (FTC, European Data Protection Agencies, …)
Transparency
Choice
Information review & correction
Information protection
Accountability
13.
COMPLIANCE IS A RISK EXERCISE
#3. Related to evolving Privacy legislation
14.
PII vs. Risk Levels
[Figure. Axis labels: Risk Level, Data type, Information Security Measures. Risk levels: Low Risk; Medium Risk (profiling); High Risk (sensitive); Extremely High Risk (profiling of sensitive data). Labels in the figure: PII, Credit scoring, Health data, OBA, Digital exhaust, HIPAA, FCRA. US: if then exercises]
15.
When it comes to risk: 3 options
I. Denial: nobody
⇒ We don’t collect PII
⇒ The law is unclear
II. Privacy professionals / Legal counsel
⇒ Privacy Impact Assessments (PIAs)
III. Others / Engineering
⇒ Privacy Manifesto in engineering (Frog HBR webinar about consumer Trust)
17.
Towards a data value exchange?
Source: https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
18.
Analytics capabilities
Customer feelings of creepiness
Harm?
Data quality?
Data tension due to data leeching
19.
When it comes to risk: 3 options
I. Denial: nobody
⇒ We don’t collect PII
⇒ The law is unclear
II. Privacy professionals / Legal counsel
⇒ Privacy Impact Assessments (PIAs)
III. Others / Engineering
⇒ Privacy Manifesto in engineering (Frog HBR webinar about consumer Trust)
20.
Risk calculations: PIAs
• Likelihood of occurrence
– Remote/possible/likely
• Severity: low/medium/high ($$$?)
• Risk tolerance
– Avoid/assume/mitigate/transfer
• Corrective actions & recommendations
• Prioritization: high/moderate/low
• Accountability
– System admin/LC/Staff/IT or security?
22.
Issues with PIAs
• Often a list of questions for a new project
– Hopefully not on paper!
• Some kind of review process
• Issues:
– PIA need detection
– Internal enforcement power? Seriously!
– Delays
23.
UNDERSTAND YOUR LIABILITY WITHIN THE DATA ECOSYSTEM
#4. Minimizing Privacy related Risks?
24.
Privacy Role Playing in the EU
25.
Rights & obligations
Roles and responsibilities
Data controller must:
• Process legally & fairly
• Collect for explicit & legitimate purposes
• Not excessively
• Keep data accurate & updated
• Allow for rectification
• Respect data retention periods
• Protect personal data, appropriate to the type of data held
26.
Proposed EU GDPRegulation
Harmonised Rules
• Higher level of data protection
• Single law (not for employee data processing)
• One Stop Shop with Lead DPA, but with local DPA redress for individuals
Wider Scope
• Controller and Processor
• Extraterritorial scope to foreign controller
• Wider definition of personal data and sensitive data
Increased Obligations
• DP Principles tightened
• Privacy Impact Assessment (PIA)
• Privacy by Design (PbD)
• Notify breaches to regulators and individuals
• More obligations on processor
• Accountability
• Mandatory Data Protection Officer (DPO)
Strengthened Rights of Individuals
• Right to be Forgotten (RTBF)
• Data Portability
• Object to Profiling
Increased Enforcement, Fines, Liability
• Regulatory fines up to 5% of global turnover
• Individual Action
• Class Action
• Criminal sanctions
Slide borrowed from Bojana Bellamy’s intervention at NIST December 2014, available at http://www.nist.gov/itl/csd/global-privacy-perspectives-lecture.cfm
27.
Privacy by Design (PbD)
7 foundational principles:
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric
28.
What kind of company?
Source: http://www.slideshare.net/databeers/databeers-20150129-data-superpowers-marco-bressan-bbva-da
Marc Bressan, BBVA, DataBeers, Madrid
29.
Privacy & mission statements
31.
Privacy evolves per data type
32.
Old garbage adages still apply
Add customer feelings of creepiness
Keep customer expectations in check
Unless you can afford to ignore them! (Uber Brussels)
33.
Aurélie Pols
aurelie@mindyourprivacy.com