lecture given in March 2021

1. Data privacy & GDPR
Jacques Folon, Ph.D.
CEO GDPRfolder
External DPO
Professor
ICHEC
Visiting professor
ESC Rennes School of Business
Université Saint Louis
HE F.Ferrer

2. GDPR : The Context

4. https://gdprfolder.eu
© 2018 GDPRFOLDER.EU SPRL All Rights Reserved.
Every company & self employed is concerned
Non profit

5. https://gdprfolder.eu
© 2018 GDPRFOLDER.EU SPRL All Rights Reserved.
employees Prospects
Contacts
Users & clients
Which Data ?

7. Privacy VS Social media
7

9. http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg

10. Average number of Facebook
« friends » 338 in 2020
30

11. 4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t
want anyone to know, maybe you
shouldn’t be doing it in the first place.
Eric Schmidt

12. 12
SOURCE: http://mattmckeon.com/facebook-privacy/

13. 13

14. 14

15. 15

16. 16

17. 17

18. 18

19. 19
IN 2018

21. 21
http://1.bp.blogspot.com/-NqwjuQRm3Co/UCauELKozrI/AAAAAAAACuQ/MoBpRZVrZj4/s1600/Party-Raccoon-Get-Friends-Drunk-Upload-Facebook.jpg

22. The person who took the photo
is a real friend
22
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg

23. Facebook dating…. Privacy?

24. 24

25. 25

26. 26

27. 27

32. From Big Brother to Big Other

33. http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def
Antonio Casili
• Importance of T&C
• Everybody speaks
• mutual surveillance
• Lateral surveillance

34. geolocalisation
http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png

35. data collection
1

36. 36

37. Interactions controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

38. Interactions NOT controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

39. GDPR

40. GDPR in
one slide
TER
R
ITO
R
IA
LSC
O
PE
Non-EUEstablishedO
rganizations
O
ffer goods or ser vices or engaging in
m
onitoring within the EU
.
PER
SO
NA
LD
A
TA SENSITIVED
A
TA
ENFO
R
C
EM
ENT
LA
W
FU
LPR
O
C
ESSING
C
O
NSENT
R
ESPO
NSIB
ILITIESO
FD
A
TAC
O
NTR
O
LLER
SA
NDPR
O
C
ESSO
R
S
R
IG
H
TSO
FD
A
TASU
B
JEC
TS
Transparency
Purpose
Specificationand
M
inim
ization
A
ccess and
R
ectification
A
utom
ated
D
ecision- M
aking
R
ightto D
ata
Portability
R
ightto
Erasure
D
A
TAB
R
EA
C
HNO
TIFIC
A
TIO
N
D
ataProtection
O
fficer (D
PO
)
D
ata
Protectionby
D
esign
INTER
NA
TIO
NA
LD
A
TATR
A
NSFER
D
ataIm
pact
A
ssessm
ent
R
ecordof D
ata
ProcessingA
ctivities
TH
EPLA
YER
S
D
ata
Subjects
D
ataC
ontrollers
D
ata
Processors
Supervisory
A
uthorities
Identified Identifiable
R
acial or
EthnicO
rigin
R
eligious or
Philosophical
B
eliefs
H
ealth
Trade U
nion
M
em
bership Sex
Life
Political
O
pinions
B
iom
etric
D
ata
G
enetic
D
ata
“R
ight not to be subject to a
decision basedsolely on
autom
atedprocessing,
including profiling.”
Apersonal databreachis “abr each of
security leading to the accidental or
unlawful destr uction,loss,alter ation,
unauthorized disclosure of,or access
to,personal datatransm
itted,storedor
otherwise processed.”
C
ollection and processing of per sonal datam
ust
be for “specified,explicit and legitim
ate purposes”
– withconsent of datasubject or necessar y for
C
onsent m
ust be freely
given,specific,
infor m
ed,and
unam
biguous.
M
odel
C
ontractual
C
lauses
Privacy
Shield
B
inding
C
orporate
R
ules
(B
C
R
s)
A
dequate Level of
D
ataProtection
If likely to result in ahighprivacy r isk notify datasubjects
Notify super visory authorities no later
than 72hour s after discovery.
U
pto 20 m
illion euros or 4%of total annual worldwide
turnover . Less serious violations: U
pto 10m
illion
euros or 2%of total annual worldwide turnover.
EUEstablishm
ents
M
aintain adocum
ented
r egister of all activities
involving processing of EU
per sonal data.
built in starting at
the beginning of the
design process
D
esignate D
POif core
activity involves r egular
m
onitoring or processing
large quantities of
per sonal data..
For highr isk
situations
www.teachpr iv acy.com
GDPR
W
orkforce aw
areness trainingbyProf.D
aniel J.Solove
• perform
ance of a contr act
• com
pliance with alegal
obligation
• to pr otect aperson’s
vital interests
• taskin the public
interest
• legitim
ate inter ests
Effective Judicial R
em
edies:
com
pensation for m
ater ial and
non-m
aterial harm
.
Fines
Security
Please askperm
issionto reuse or distribute

41. Is GDPR a worldwide
regulation?

45. Codes of conducts and certifications
45

54. May 25, 2018 GDPR !!!

55. 55
A.CONTEXT
B.SOME DEFINITIONS
C.THE PRINCIPLES
D.GDPR CONSEQUENCES
E.METHODOLOGY

56. A : CONTEXT
56

57. IN 3 WORDS
57
• GDPR IS A "REGULATION" ><
"DIRECTIVE"
• WORLDWIDE INFLUENCE
• CONSEQUENCES FOR COMPANIES
AND PUBLIC SECTOR

58. 58
MAY 2018
ENTRY INTO FORCE MAY
25,2018
DISCUSSED SINCE 2014
VOTED IN 2016
RISKS
PENALTIES
4% ANNUAL TO
20 M €
COMPENSATION IN COURT
REPUTATION
IMPACT
CONTRACT
PROCESSES
MARKETING
ORGANISATION

59. B : SOME DEFINITIONS…
59

60. PERSONAL DATA
60
‘personal data’ means any information relating to an
identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference
to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;

61. PROCESSING
61
‘processing’ means any operation or set of operations
which is performed on personal data or on sets of personal data,
whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination
or otherwise making
available, alignment or combination, restriction, erasure or destruction;

62. CONTROLLER
62
controller’ means the natural or legal person, public authority, agency or
other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data;
where the purposes and means of such processing are determined
by Union or Member State law, the controller or the specific
criteria for its nomination may be provided for
by Union or Member State law;

63. processor or sub-contractor
63
processor means a natural or legal person,
public authority, agency or
other body which processes
personal data
on behalf of the controller

64. 64
The carrying out of processing by way of a processor
must be governed by a contract or legal act binding
the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State
in which the processor is established, shall also be incumbent
on the processor

65. data breach
65
personal data breach’ means a breach of
security leading to the accidental or
unlawful destruction, loss,
alteration, unauthorised disclosure of, or
access to, personal data transmitted,
stored or otherwise processed

66. C : 12 MAIN PRINCIPLES OF GDPR
66
1. Accountability
2. Consumer / citizen rights
3. Privacy by design
4. Information security
5. Data breach
6. Penalties
7. identity access management
8. lawfulness for processing
9. Register
10.Risk analysis and PIA
11.Training
12.Data privacy officer

67. 1/ ACCOUNTABILITY
67

68. DO-CU-MEN-TA-TION

71. PRIVACY POLICY OR REGULATION OR …

72. 2/ Consumer/citizen's right
72
TRANSPARENCY
SENSITIVE INFORMATIONS
INFORMATION COLLECTED
RIGHT OF ACCESS
RIGHT TO RECTIFICATION
RIGHT TO ERASE
RIGHT OF PROCESSING LIMITATION
PORTABILITY
RIGHT OF OPPOSITION TO PROFILING

73. RIGHT TO ACCESS

74. right to be forgotten ?

75. 3/ PRIVACY BY DESIGN
75

76. INFORMATION LIFECYCLE

77. Look at the entire data lifecycle

78. 1.CREATE
OR

79. BALANCE TEST NEEDED

80. PRIVACY POLICY OR REGULATION OR …

81. CONSENT & EVIDENCES

82. SENSITIVE DATA
IF THEN
OR

83. 2.STORE
• SECURITY
• ENCRYPTION
• AUTHENTICATION
• AVAILABILITY
• CONFIDENTIALITY
• IAM

84. 3. USE

85. 4. SHARE

86. 4. SHARE

87. 5.ARCHIVE

88. 6. DESTROY

89. 4/INFORMATION SECURITY
89

91. The weakest link

93. SECURITY
SOURCE DE L’IMAGE: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-
security-2/

94. Source : https://www.britestream.com/difference.html.

95. Threats

96. Who knows … now?

97. certifications

98. Control by the employer
161
SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/

99. What your boss thinks...

100. Employees share (too) many
information and also with third parties

101. Where do one steal
data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are
stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars

102. 63
RESTITUTIONS

103. DATA PRIVACY & THE EMPLOYER
45
http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg

104. SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/

105. May the employer control everything?

106. Who controls what?

107. Could my employer
open my emails?
169

108. IAM

109. 109
CODE OF CONDUCTS

113. TELEWORKING

114. Employer’s control
177
http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux

116. 116

117. 48

118. 86
SECURITY IS A LEGAL OBLIGATION

119. 5/ DATA BREACH
119

120. Data breaches

121. Disastrous data breaches

122. So it is a real threat !

123. 6/ PENALTIES
123

124. 7/ IDENTITY ACCESS MANAGEMENT
124

125. 8/ LAWFULNESS OF PROCESSING
125
CONSENT MUST BE EXPLICIT

126. 126
the data subject's consent'
shall mean any freely
given specific and informed
indication of his wishes
by which the data subject signifies
his agreement to personal
data
relating to him being processed

127. 127

128. OPT IN

129. 129
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes.
Further processing of data for historical, statistical or scientific
purposes shall not be considered as incompatible provided
that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or rectifie
(e) kept in a form which permits identification of data subjects for
no longer than is necessary for the purposes for which the data
were collected or for which they are further processed.
Member States shall lay down appropriate safeguards for personal
data stored for longer periods for historical, statistical or scientific use.

130. 130
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of
data concerning health or sex life

135. 9/ RECORD OF PROCESSING ACTIVITIES
135

136. 10/ RISK ANALYSIS AND PIA
136

137. 11/ TRAINING
137

138. INTERNAL TRAININGS

139. 12/ DATA PRIVACY OFFICER
139

141. D : CONSEQUENCES
141

142. E : METHODOLOGY
142

143. METHODOLOGY
143
1. PRELIMINARY AUDIT
2. RISK ANALYSIS
3. LIST OF SERVICES
4. RECORD OF PROCESSING ACTIVITIES
5. ACTION PLAN
6. SERACH FOR COMPLIANCE
7. SOLUTION FOR NON COMPLIANCE
8. CONTINUOUS PROCESSES
9. TRAINING
Préparation
Implémentation
Pérennisation

145. 154
Source de l’image : http://ediscoverytimes.com/?p=46

147. RISKS
SOURCE DE L’IMAGE : http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html

148. Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University

149. Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

150. Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

151. Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education

152. Phishing
Sources/ Luc Pooters, Triforensic, 2011

153. DATA
THEFT

154. Social engineering
Sources/ Luc Pooters, Triforensic, 2011

155. 3rd Party Applications
•Games, quizzes, cutesie stuff
•Untested by Facebook – anyone
can write one
•No Terms and Conditions – you
either allow or you don’t
•Installation gives the developers
rights to look at your profile and
overrides your privacy settings!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University

156. Big data
182

157. Biometry
186

158. facial recognition
187

159. RFID & internet of things
188
http://www.ibmbigdatahub.com/sites/default/files/public_images/IoT.jpg

161. SECURITY ???

162. 87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin

164. ANY QUESTIONS ?