IAPP / Anonos Webinar on GDPR Compliant Data Analytics

Welcome to the IAPP web conference, How to Comply with the GDPR While Unlocking the Value of Big Data, brought to you today by Anonos. My name is Dave Cohen, I'm the IAPP's knowledge manager and I'll be your host for today's program. We'll be getting started with the presentation in just a minute, but before we do, a few program details. Participating in today's program will automatically provide IAPP-certified privacy professionals or the named registrants with one CPE credit. Others who are listening in can apply for those credits through an easy-to-use online form on our website. We'd also like to remind you that today's program is being recorded. It will be provided free to registered attendees approximately 48 hours following the live event. A link will be provided on one of the last slides in the presentation to access the recording. And we encourage you to ask questions at any time during the program by typing them into the Q&A field to the right of your PowerPoint window, and your questions will be answered by the presenters either during or after the presentation, at their discretion. And now, without any further ado, let's get started, and I would like to introduce today's panelists. Gary LaFever, CEO at Anonos and a former partner at Hogan Lovells. Gary, welcome to the program, and can you tell us a little bit about your professional background in privacy and security?

Yes, Dave, thank you. As Dave said, my name is Gary LaFever. My background is actually in risk management, technology and law, and I'd like to personally welcome the nearly 600 people we've had registered for this event, which is literally a who's who of the international privacy and security community, with representation of the Fortune 500 from almost every vertical as well as legislative and regulatory leaders. So welcome. This kind of strong turnout, I think, really reflects a common goal among our community of privacy leaders to comply with the GDPR, but in a way that still enables us to do big data analytics, and 
it is possible to achieve both. This webinar will enable us to share information about how data protection and enhanced data value need no longer be viewed as opponents. Companies can more than comply with the GDPR; they can improve and grow their business. Prior to co-founding Anonos five years ago, my prior company was the leading real-time risk management technology vendor for the financial securities markets worldwide, but there we focused on satisfying regulations, not on improving the business lives of users. But over the last five years at Anonos, we've leveraged our global risk management expertise to help companies go beyond merely satisfying regulations to advance their business goals as well. It is a rare instance to be able to do both at the same time: satisfy regulations and advance business goals.

Terrific, thanks, Gary. Welcome to the program, and thank you for your help with sponsoring the program for our IAPP members and others as well, we really appreciate it. And joining Gary on the panel, Mike Hintze is a partner at Hintze Law and is former chief privacy counsel and assistant general counsel at Microsoft. Mike, welcome, and can you tell us a little bit about your background?

Sure. As you noted, I'm a partner at Hintze Law, a small Seattle-based law firm, five of us focused on privacy and data security exclusively. And before joining that firm last year, I was at Microsoft for eighteen years, where I was the chief privacy counsel leading our work on privacy compliance and policy and strategy. I also teach data privacy law at the University of Washington law school, and I'm involved in a number of professional organizations focusing.

Terrific, thanks so much, Mike. It's great having you on the panel with us today too. And joining us from his office in Paris, so very, very pleased to have with us today Gwendal Le Grand, who's director of technology and innovation at the CNIL. Gwendal, thanks for joining us, and tell us a little bit about your professional background, please.
Yeah, thank you. Hello everyone, I'm Gwendal Le Grand, the director of technology and innovation at the CNIL, which is the French Data Protection Authority. There I supervise all the people doing the technical policy, the IT expert department. I also supervise the IT operations and the innovation and foresight unit, and also the techno lab. I work a lot with the Article 29, especially in the work of the technology subgroup of the Article 29. I'm the liaison for the Article 29 to ISO SC 27 WG 5, which is doing the standards in privacy, and I have a background in computer science and telecommunications.

Wonderful, terrific. Well, thank you so much for joining us, and as you can see we have a rich depth of experience and various perspectives on the panel today. So without further ado, let's go ahead and get started. And Gary, I'll turn it over to you to begin the program. Gary, it's all yours.

Thank you, Dave. So we're going to start off, I'm going to speak briefly about readily linkable and controlled linkable data. As you registered for the webinar, there was a link for a white paper that Mike Hintze and I co-authored. I would strongly recommend you take a look at that if you have not already. It can also be downloaded at anonos.com/whitepaper. We're not going to go into a lot of detail on matters that are covered in the white paper, because we really want to get to the Q&A session, but I will start off with a high-level overview of the difference between readily linkable and controlled linkable data. Mike Hintze is then going to pick up the concept of maximizing value while staying in compliance, and Gwendal is going to really get to the meat of this with the technical requirements for data protection by default under the GDPR, and really get into both the intent and the practice of it. And then the real value of this, we believe, will be the Q&A afterwards. So, as Dave said, please enter questions in the box to the right. We're already getting some, and want to let everyone know that we 
will respond to all questions. If we don't get a chance to do that during the webinar, they will be done afterwards, so please do not hesitate. And I also wanted to encourage not only questions, but if you have observations, recommendations, suggestions, etc., we're going to be sharing everything that's put through the input interface. And also, for the next 24 hours, if you want to submit questions, observations, recommendations to bigprivacy@anonos.com, we will be sharing both the questions, the answers and the interaction between the community on this webinar. So thank you.

This slide that you see in front of you, we actually added to the presentation after we got some of the questions that were submitted in advance, and those questions we'll get to later, but they dealt with the magnitude of the undertaking, the need to get different stakeholder groups within an organization together, and the question as to who those stakeholders should be and what they should represent. And we thought it was important to add this slide because the reality is, while most of our discussion today is going to be about compliance and existing data, it's what you can do with new innovation, with both existing and new data, and what you can do with new data in a compliant fashion, that really makes GDPR compliance very, very powerful. And in fact, in this regard, I would encourage anyone to check out the blog that Hilary Wandall is posting today at truste.com/blog, and you probably know TRUSTe, but with one E, T-R-U-S-T-E dot com slash blog. But it's great, it's entitled Maximizing Data Utility Under the GDPR. She mentions the white paper and this webinar, but more importantly she carries over a blog that she started in December talking about privacy professionals being business enablers, and that's a lot of what this webinar is about. And so I would encourage you to check out that webinar and how it's important to both partner with the appropriate stakeholders and constituents, the constituencies within your 
organization, and to drive that constant evaluation of both the value and cost of data. And really, the GDPR, it certainly inserts new penalties and downsides if you do things wrong, but I hope you will get from this webinar the message that, if done right, it also empowers a lot of positive business things, and so those things have to be taken to the whole organization. And so on this slide, as I said, what we're focusing on is the fact that there's a lot of positive that comes from the GDPR as well.

This next slide, and I also want to mention, we purposely, although it's a webinar, decided that some of these slides may be a little text-heavy from what you're used to seeing in a webinar, but that's done purposely. By the end of the day you will all receive a copy of this deck, and so you'll have it to refer to, and then also within the balance of the week you'll get a copy of the replay, the Q&A and the interaction between the community. So what I'm trying to show on this slide is basically, on the left-hand side, where you have readily linkable data and re-identification is possible, the primary thing that you will see is the relationships between the data elements are clearly evident, linkable, but the quality and vibrancy of the data is muted. Whereas on the right-hand side, each of the data elements are much more vibrant, they also can be viewed independently, and the relationship between them is not evident unless and until an authorized party determines that will be the case.

So we all know by now the GDPR requires fundamental changes in data processing, and really, I think the reason there's so many people on this call, on this webinar, is that people are realizing now that merely complying with the GDPR, while that will mitigate the downside and the penalties, does not ensure your ability to continue to do business from a data analytics perspective. And it's because the GDPR requires much more than just privacy by design. It requires the most stringent form of privacy by 
design, data protection by default, and that is a new requirement. But that new requirement can actually improve data privacy, security and accuracy. So the benefit of the GDPR, if done correctly, is you actually can be in a better place for your business.

This slide, I realize, may be a little hard to read, but as I mentioned you will get a copy of this, and this slide is intended to show kind of a historical progression, a timeline of what our focus and priorities have been in data processing. Initially, as evidenced by the green light, it was all about the data, and it says here that the focus was convenience of data processing. I do not mean by this that data processing was easy, and a lot of innovation and effort and money has been spent in coming up with new ways to capture, retain, manage and process data, but it was focused primarily on the data. Then you get to the caution light, and that was when we started to realize the power of linkages. Those linkages could enable you to make correlations, discoveries, all kinds of things between data, particularly data from different sources. But we also had to be cautious, because those linkages, which opened up all those value propositions, also exposed identities of data subjects, and that's when data privacy by design started to come into vogue. We're now at the third stoplight. It's a red light. It's a red light because what's been realized is this convenience of data processing came at the cost of the fundamental rights of data subjects. But if viewed in the right light, the GDPR actually provides an answer to that. Data protection by default enables us to respect, honor and protect the fundamental rights of data subjects while actually opening up new business opportunities, and that's why we end up at the green light, because there are positive attributes to this. And so while the convenience of data processing now drops down, it's not going to be as easy to do things the way we've done it in the past, and organizations will have to make fundamental 
changes in how they process data, but the upside of those changes are new business opportunities and data utilization.

So data protection by default, as required under the GDPR, actually enables a whole new form of de-identification, and Mike Hintze and I go into detail in the white paper on the subject. We chose the term controlled linkable data purposefully. It is not a word that's been defined in statute. It's not a word like anonymity that has many different interpretations around the globe. It literally means what it says: there's data that can be linked, but there are adequate controls over that linkability. And as a result, traditional technologies that have been around for decades, that were invented and refined and perfected years before data protection by default was even invented, do not themselves achieve controlled linkable data, and that's why new technologies and new approaches are necessary. But importantly, controlled linkable data supports GDPR requirements for data protection by default.

This slide again goes into a lot of detail. I am going to go over it very quickly, but details are in the white paper. What this slide shows is the fundamentals of controlled linkable data, and you'll see that it mirrors the requirements of data protection by default. The first thing that you do is you sever the data into discrete elements and you protect each of those elements, so that they're each protected by default. Also, correlations between those data elements are obscured, so you cannot have, or it's much more difficult to have, linkage attacks or re-identification by the mosaic effect. So the three steps: you begin with data, you separate it into data elements, and you replace persistent identifiers with non-persistent pseudonymous tokens. What does that give you? It gives you the benefit of number two, which is granularized re-identification, and when you can show data in context with adequate controls, you actually can generate greater value. This next slide highlights this 
difference between readily linkable and controlled linkable data, and it will help to give a couple of examples. One is actually rather humorous. As we put word out regarding this webinar, we started to get very strong response. As I said, we've had nearly 600 people register, but we still wanted to have a proactive outreach to leaders in the community that we thought should not only participate and see the webinar but also contribute to the quality of the Q&A and the follow-up. And in doing so we asked the IAPP for a list of who had registered up until that time, not because we wanted to reach out to them, not because we wanted to link to them, for the exact opposite reason: we didn't want to overly inundate companies that had already sent a representative to the webinar, signed up for it. Rather, we wanted to go out to different companies. And it actually took a little bit of time for us to negotiate that with the IAPP. Why? Because the IAPP, no surprise, takes privacy very seriously. But what they realized is we weren't asking for the who, we were asking for the what: not who people were, but what companies are represented. And that highlights the default before the GDPR, which was that just about all data was tied to the who, and so in order to get to the where, why, what or when of a data element, you went through the who, when in fact those elements have freestanding value in themselves.

Question for yourself: when you have an app on your phone that's a map app and you launch it, why does the provider of that map app have to know who you are? They don't. They have a legitimate reason to know if you're registered for the service; that doesn't require knowing who you are. And they have a very important need to know where you are and where you want to go, but you could just as easily service users of a map app without finding out who they are, and a different identifier could be sent every time that could be checked to make sure that the person was registered for the service and could give you 
their GPS location so they could get from where they are to where they want to go. A simple example of why not relying on who, but rather the value of the data element itself, still provides high value, but in a way that does not jeopardize data rights of individuals.

So just very quickly, traditional approaches to privacy were, as I mentioned before, developed years before data protection by default, and therefore it's not surprising they fail to support it by themselves. Don't get me wrong, there's a lot of fantastic privacy enhancement techniques and security techniques out there, and they still do a fantastic job of what they do. They simply were not designed to do what we need to do today, which is data protection by default. They are therefore not providing adequate privacy protection in and of themselves, by themselves. And unfortunately many privacy enhancement techniques actually reduce the value of data. Whether it's k-anonymity, l-diversity or differential privacy, the way they go about protecting privacy is reducing the level of accuracy. As you will see in more detail in the white paper, there are other ways to protect privacy where you can still leverage privacy enhancing techniques but in a way that maximizes that value, and so you end up with data protection by default, which actually allows you to retain up to 100% of the value at the same time you're improving security and privacy, and supports greater use and sharing of data.

So this slide highlights the benefits to big data of traditional approaches, the readily linkable, and the new approaches, the controlled linkable. So with the readily linkable you're often left with binary alternatives. In the example of the IAPP, they felt like they either had to give us all the information, which revealed the identities of registrants, or nothing, when in fact they could have just given us, which they did, the companies that are represented. Or reduced value: many privacy enhancing techniques are premised on the fact that they reduce the value of the data, as 
compared to controlled linkable data, where you actually have the ability to retain up to 100 percent of the value, and because you have greater protection of privacy rights, you actually now can increase the number of data sources used.

And the last slide before I hand it off to Mike Hintze, this comes from the white paper. The infographic on the left is meant as a visual to highlight that old approaches to privacy, where you're using linked or readily linkable data, may well actually prohibit you from doing big data analytics, machine learning, artificial intelligence, whereas data protection by default, controlled linkable data, enables you to continue to do that. And with that I'd like to hand this over to Mike Hintze.

Great, thanks, Gary. I'd like at this point to sort of take a little step back for a minute and look at the GDPR specifically and what's required under the GDPR. And obviously we don't have time to go through a full overview of everything that's new in the GDPR in this seminar, but I think it's worthwhile to look at a few things. And very clearly, the GDPR is a significant step beyond what was required under the 1995 directive. There are more obligations on data controllers and processors, both in terms of substantive obligations, meeting new data subject rights, and a number of procedural obligations as well around process: data protection by design and by default, data protection impact assessments and the like. As I mentioned, there's new rights for data subjects. It's potentially more difficult to rely on consent; the definition of consent has changed slightly, with a couple more adjectives added in there. There are more prescriptive notice requirements, there's new data breach obligations, restrictions on profiling, and, as Gary's talked about, the requirements for data protection by design and by default. Obviously the new penalties have gotten a lot of attention. The four percent of a company's annual worldwide revenue is potentially a lot of money, much more fining 
authority than existed under existing law in most countries. And add to that the fact that a lot of it is still unclear. There's clearly direction that has been given by the regulators, there's things that we know need to be done, but there's still a lot of uncertainty. And I think some people have looked at all this and sort of thrown up their hands and said, you know, I don't even know where to start, I don't know what to do, there's too much here, there's too much uncertainty, this is just impossible. Well, it's not impossible. It's clear that compliance will require adopting a number of new measures, some of which Gary talked about, but there are fairly clear paths forward for addressing much of what's in the GDPR.

So in terms of what those compliance steps are, again, I can't, in this limited time we have, go through the full checklist of what companies should be doing at this point, but there's a number of things that have been called out in the GDPR that will be required. And that includes appointing new personnel, ensuring your internal policies and external privacy statements are updated to meet the new requirements, developing new employee training, developing new or updating existing procedures, practices, tools and technologies based on your own internal gap analysis of kind of where you are now and where you need to get to, to ensure that you're in a position to comply in 2018 when the GDPR comes into effect. And those require the adoption of new processes, documentation around impact assessments for high-risk activities. If you're doing stuff with kids, there's going to be a need for new parental consent mechanisms based on the new provisions of the GDPR, ways to respond to the new data subject rights like the right to erasure or data portability. And then the one thing that I really want to focus on today is the use of pseudonymization, de-identification and anonymization 
to help comply with a number of the different provisions of the GDPR. And I've spent a fair amount of time thinking about and writing about how the GDPR addresses de-identification, and the more I looked through the early drafts and then the final draft of the GDPR, I realized that the GDPR, much more so than the 1995 directive, recognized a fuller spectrum, the different gradations that exist around de-identification. And I think that's very important, and that's a positive step forward, in that under the 1995 directive it was almost sort of a binary all-or-nothing: either it's personal data or it's anonymous data. And under the GDPR there are different variations, different gradations between those two that are recognized.

First, and this actually isn't different from the 1995 directive, I think one thing that's important to look at is the definition of personal data, and that definition includes the concept of identified versus identifiable data; it includes identified and identifiable. So data that's identified is clearly the data where, on its face or through some easy mechanism, you can identify who that person is. Identifiable is a much bigger bucket, where it may not be apparent on its face but there is at least a theoretical way to re-identify the person behind that data. But the GDPR actually recognizes, and this is new, two different variations in this concept of identifiable data. One is the explicit addition of a definition around pseudonymization, and pseudonymization is defined under Article 4(5) of the GDPR as the processing of personal data in a manner such that the personal data can no longer be attributed to the data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person. So what that means is you've got 
some data, it's not apparent on its face, but there is some other data out there that would identify that data, but that other data is kept separate from the first chunk of data through technical and organizational safeguards.

There's a different provision under the GDPR, Article 11, that talks about a stronger level of de-identification, in which the controller is able to demonstrate that it's not in a position to identify the data subject. So with certain types of pseudonymization, where the data is kept separate and there's technical and organizational safeguards, the controller still may be in a position to identify the data subject. The controller may in effect control those technical and organizational safeguards and be able to reverse them in the event of receiving a lawful order from a government, or in response to receiving a data subject access request from the data subject him or herself. But Article 11 talks about a level of de-identification where the controller is not in a position to identify the data subject, and so that's a stronger level that's being recognized under the GDPR. And then of course the GDPR continues to recognize the highest level, and it is a very high bar, of anonymous data, and if you reach that bar, GDPR requirements don't apply, just like the 95 directive didn't apply if you met that very high bar for anonymous data. And I know Gwendal is going to talk more about that and some of the things that the working party has said around anonymization, so I'll just leave that at that.

But given these different gradations of de-identification or identifiability that have been recognized in the GDPR, you can see that it is recognizing a spectrum of de-identification much more so than existing law has, where it goes from identified, to a couple of levels of identifiable, where one might be more readily identifiable and then the Article 11 definition of de-identified data is less readily identifiable and much more difficult, and then the highest level of 
anonymous or aggregate data.

So what does that mean? Adopting de-identification as a compliance mechanism can have a lot of benefits under the GDPR. A lot of the provisions of the GDPR are risk-based, and it's quite clear that the stronger level of de-identification you can apply to data, you're lowering the risk. And so you can use de-identification to help demonstrate that you have adopted data protection by design and data protection by default, as Gary suggested earlier. You can use de-identification, if you meet that higher level, that Article 11 type of de-identification, to result in relief from certain specific obligations. Article 12 talks about that: if you meet that level of de-identification, you're no longer subject to having to comply with data subject access requests, erasure requests, portability requests and a list of other obligations. And that makes sense, because if the controller is not able to connect that data back to an individual, there wouldn't be an ability to authenticate the person who's making the access request or the erasure request. And so that's just sort of, you know, recognizing the reality that once you reach a certain level of de-identification, you simply can't comply with those kinds of obligations, and therefore you get that regulatory relief from an obligation to comply with those things. So, believe it or not, the GDPR does not require that you do the impossible.

De-identification can also help meet security obligations, because those are very risk-based. The security obligations under the GDPR are focused on adopting measures sufficient to ensure a level of security appropriate to the risk, and if you've applied de-identification, that level of risk goes down and the need for other security measures correspondingly can be reduced. It mitigates the risk of security breaches and notification obligations. Again, those obligations are based on the level of risk to the data subject, and if the data has been de-identified and there is a breach 
and the de-identified data has been released, that can go into the calculus of what the risk is and therefore the need to provide notification.

This one's a little bit more controversial, I think, but I do believe that de-identification can provide a stronger case for relying on legitimate interest as a basis for processing, as opposed to data subject consent. Now, there was an earlier draft of the GDPR in which the use of pseudonymization gave an automatic ability to rely on legitimate interest, and that was taken out. So it's not automatic that if you reach, you know, a certain level of de-identification you therefore get to rely on legitimate interest. But if you look at the rules around legitimate interest, it talks about a balance between the interest of the controller and the fundamental rights and freedoms of the data subject, and again it's clear that when you have applied strong de-identification, there is a lower risk to the data subject's fundamental rights and freedoms. And so I think that that plays into that calculus, and it gives the data controller or the data processor a much stronger case for relying on legitimate interest.

I mean, potentially several other benefits, and I've gone through, in some of the things that I've written, and talked about some of those others. This is a chart that I put in a paper that I wrote last year that talks about some of the things that I just mentioned and some others, where if you apply stronger levels of de-identification it can help you with your compliance under the GDPR and can give you the ability to rely on measures that may be more pragmatic, may be easier, may bring out the value of data to a greater degree. So with that, I think we will, I'm sorry, I clicked when I shouldn't have clicked. I will turn it over to Gwendal at this point and let him complete, and then we'll open up with questions afterwards.

Thank you. I'd just love to present for you, so if you can please switch to the next slide. I will do a 
very quick presentation about the statement that the Article 29 did about big data, and also the opinion concerning anonymization, because I think this is really the heart of the topic that we're discussing today. So there is a statement that was released by it back in 2014, you will have the links directly in the slide that is available, which recognized that there are many benefits that are expected from the development of big data. Actually, as an important part of big data operations relies on the processing of personal data of individuals, it also raises important questions, among which concerns with regard to the privacy and data protection rights of individuals. Benefits of big data analysis can be reached only under the condition that the corresponding privacy expectations of users are appropriately met and that the data protection rights are respected.

In Europe, you know, we had the directive, which was adopted in 95, now we have the GDPR, and there's also other relevant EU legal instruments which ensure a very high level of protection of individuals by providing them with specific rights which cannot be waived. These rights are applicable to the processing of personal data in big data operations, and the principles are still valid at the European level, and they've been updated when the GDPR was adopted to make the principles of the directive more effective in practice. What DPAs believe, what data protection authorities believe, is that complying with these principles, with the rules that are enshrined in our legal framework, is the key element in creating and keeping the trust to develop the stable business model that is based on the processing of such data. So this means that investment in privacy-friendly solutions, in anonymization techniques, is essential to ensure fair and effective competition between economic players.

Now, when it comes to the use of the word big data, what we see from our DPA window is that big data covers actually a great number of 
data processing operations, and some of them, most of them I would say, are already very well identified. Indeed, there's a number of developments that are qualified today as big data that have long been implemented in EU member states and that have been tackled by the existing legal framework and that will be tackled by the GDPR. Of course, they have already been addressed within the framework of the existing data protection rules, whether at the EU or at the national level, because you know that in Europe the directive, the 95 directive, is for the moment transposed in national laws. This means, for instance, that in France we have a national law that is transposing the principles of the directive. This will be harmonized with the GDPR, because the GDPR is a regulation; you don't need to have transposition in national laws, so it's also a very strong harmonization tool at the European level. Indeed, I mean, this legal framework has been addressing many big data applications, because most of the time the controllers know exactly for which purposes the data is going to be processed. There's one important point that is worth mentioning in the legal framework, which was already mentioned by the previous speakers, which is that anonymization is a key trigger for big data, because also in the context of the GDPR, and also in the context of the directive, the rules on personal data protection do not apply to anonymous data, which means that anonymization is an alternative to data erasure once the purposes of the processing have been fulfilled. So now that we've said this, the question is how do we anonymize data and how do we do this in the proper way. So the working party, the Article 29 Working Party, has issued a number of policy documents which are relevant to the analysis of privacy concerns which are raised with regard to big data and anonymization. So there's an opinion that was published in 2013 on
purpose limitation; another opinion, I will speak more about this one, was released in 2014 on anonymization techniques. I can also mention probably the opinion on legitimate interest that was also published in 2014. If I can focus a little bit on the opinion, Opinion 5/2014 on anonymization techniques, this is a rather, I would say, technical opinion in which the Article 29 explained how to anonymize, technically speaking, a data set and what mistakes should be avoided when you use a specific anonymization technique. So I would say, for the manual for anonymization, it's rather a toolbox, and data controllers can pick a certain number of tools, depending on their processing operations and the data set they need to anonymize, to design the appropriate anonymization technique that is fitted to their data set. I think one of the key messages in the opinion is the fact that we identify three criteria to qualify what is the quality of an anonymization technique, and if the three criteria are met, then it means you're on the safe side. If the three criteria are not met, it means we have to be very cautious, you have to be very careful, and you have to do a risk analysis concerning the identification possibilities. So now what are these three criteria? The first one is singling out, which basically corresponds to the possibility to isolate some or all of the records which identify an individual in the data set. The second one is linkability, which is the ability to link at least two records concerning the same data subject or group of data subjects, so either in the same database or in two different databases. The last criterion is inference, which is actually the possibility to deduce, with probability, the value of an attribute from the values of a set of other attributes, so deducing from information based on the data set. So, as I said before, meeting these three criteria takes you on the safe side and means you will have an anonymous data set, and you can
safely, I would say, reuse the data. If you don't meet the three criteria, just meet two out of the three, then you need to be very careful and think twice before you actually reuse the data. Maybe you need additional safeguards, maybe you need a combination of techniques. The opinion also presents a number of technical solutions to anonymize, and they're classified into two big families of anonymization techniques, namely randomization and generalization. Now, I don't have time to go deeper in the different techniques that are described in the opinion, but we explain what noise addition, permutation, differential privacy, k-anonymity, l-diversity or key proximity are, and what type of assurance they can give you once you have applied them to your data set. So please refer to the opinion, please read the opinion, and it will give you some good guidance about how to anonymize the data set properly. The last message I want to focus on, which is discussed in the opinion, is about pseudonymization. It's clear in the opinion, and it is also clear in the GDPR, that pseudonymization is a leading practice; it's a security measure, but pseudonymous data is not anonymous data. When you have pseudonymous data you can link an individual, you can identify the individual. This means that the safeguards, the rights in the GDPR still apply. Just to give you some quick references on pseudonymization of the GDPR: you have this in the definitions, if you want to see the definition of pseudonymous data; there's one of the articles where it's listed as an appropriate safeguard, for instance the article on security, where encryption and pseudonymization are listed as leading practices (this is Article 32, by the way, on security); and Article 25, which is about privacy by design and by default, also presents pseudonymization as a good practice that has to be implemented when you want to protect your data adequately. This is going to be my
last slide, and just to focus on the fact that the GDPR, in addition to this, I would say, technical focus related to anonymization, provides some additional triggers and facilitates all the economic uses of big data. GDPR was clearly designed with big data applications in mind, and of course big data applications while respecting the rights and liberties of data subjects. So I've listed here a couple of references from the GDPR which you will find in the deck. GDPR recognizes the possibility to have categories of purposes; this is if you refer to Article 5 and 6. And more importantly, you have this principle of purpose limitation, but if you read the definition of purpose limitation, we also say that you need to define specific purposes for the processing of personal data and you should not process the data in a way that is not compatible with the initial purpose for which the data was collected. And once you have said this, there's also some recital that is related to the reasonable expectations of the data subject, so it gives you some margin of maneuver to reuse data that has been collected, as long as the data is reused more or less in the same context. An additional trigger in the regulation is the fact that scientific, historical, statistical purposes are considered to be compatible with the initial purpose for which the data was collected. And now, if we want to open this up a little bit, I think we have a lot of companies here on the line today, there are some very important principles that you find in the GDPR. One of the objectives of the principles is to empower the data subjects, to be very transparent about the way the data are being used, and give the possibility to data subjects to actually control the way the data are being processed and the way the data are being reused. So this means that in the context of big data applications, I think it's very important to design solutions where you propose technical, simple means for
data subjects to oppose to specific uses of the data, specific uses of the data I would say. And one additional thing, and this will be my last point probably before we answer the questions, is that it's very important when data is being reused that you are very transparent about the way the data is going to be reused. It means you need to find an adequate way to inform the people so they have this information and they have the tools to oppose to specific uses of their data. And with this I'm going to turn it back to Gary for the Q&A. Thank you.

Thank you, Gwendal. So we've had quite a few questions submitted. We likely will not have a chance to answer them all during the live webinar, but I encourage you to continue to submit questions through the web interface and also to questions@bigprivacy.com, because everyone that's registered will get a copy of the questions and answers. Also, a couple of questions have come through and have asked questions that I think deep answers are in the white paper that we referred to before, so if you want to refer to that as well, again that's anonos.com/whitepaper, but we will answer all of them and everyone on the webinar will get copies. So what I'm going to try to do, to try to get as many of these questions as possible, is group a couple of them. So I'm going to read three questions that are a little different but I think all deal with the same issue. The first question: most businesses are focusing only on bare-minimum tick-in-the-box exercises rather than using this as an opportunity to transform the way they manage and use personal data; what would your advice be to them? Next question: how do I make our technologists understand why we have to process data differently the day the GDPR goes into effect than the way our company's processed data for years prior to the GDPR? And the last one of this set: my company's technologists use the lack of specific requirements and specifications under the GDPR as an excuse not
to change what we do and how we do it; any suggestions? I'll start with this and then hand it over to Mike and Gwendal, but I think this is actually a very important set of questions, and I think this is a wake-up call. The GDPR is not a rule that enables you to make minor changes; it requires a fundamental shift. Hopefully that one slide with the stop lights helps to convey that. It does require data protection by default, which has never been required before, or if required, the penalties have been so de minimis that people just basically engaged in regulatory arbitrage and paid the fine. The penalties are currently assessed at four percent of global gross revenues, and there's also, it doesn't get as much press, but there's also joint and several liability between data controllers and data processors, so the magnitude of fines could be amazingly large. And I believe Gwendal can speak to this: the reason they are like that is because the EU legislators and regulators want us to take the rights of data subjects seriously, and that hasn't always been the case. So the bottom line is you need to start the interaction with the downside of not complying, and that double quote does require that the people on this call likely are the standard bearers who are saying this isn't something we can just do a check-the-box. But that's why, if you take in why we added new slide four to the deck, if you take to them what these changes could mean in a positive way, you'll get more engagement by management on a different approach. This will likely require changes to architecture. Technologists hate that. You need to show them it's no longer discretionary, it's no longer optional, and they need to be at the table together with you and together with the people who are responsible for generating revenue and value through data, and through that stakeholder group you can have a productive discussion. And so Mike, you want to take that, just kind of give your perspective on those three questions?

Yeah, and I, you
know, I agree with what you said. I think that there's a temptation and a natural reaction in many cases to say, well, you know, we haven't been handed a clear roadmap by the regulators that we have to take steps one, two and three, and it's all very amorphous, and so we're just going to throw up our hands and do nothing. And that's exactly the wrong thing to do at this point. You know, it seems like May 2018 is a ways out, but it's really not, given the types of things that need to be done to get ready for the GDPR. And I know a lot of companies have already gone down that path, a lot of companies are just getting started, and others are just trying to wrap their heads around what this all means, but companies need to start doing something. They need to start putting steps in place; that way, when the regulator comes knocking after May 2018, they can say, look, these are the things we did. And, you know, at the end of the day there's going to be some uncertainty, and things are going to have to be tweaked as more guidance comes out, as the GDPR starts to be in force and we all collectively start to understand what it's going to look like in practice better. But taking the steps to deal with the process thing of taking in the steps to deal with the data and how data is managed, stored and processed, those are going to be important steps that have to be started now, because you can't just flip a switch and do that overnight. You can't just wake up in, you know, April of 2018 and say, oh well, now it's time to get GDPR compliance. It's going to take some time.

Gwendal, do you have any perspective on this you'd like to share?

Yeah, maybe if I can add to that. GDPR is applicable in May 2010, as you say, so it means we have more or less 15 months left, which is a lot and not a lot of time, because there's a couple of things that need to be changed in your organizations concerning the governance of privacy, I would say. So it's clear that companies need to get prepared.
There's also new rights for individuals. It's not the topic of our webinar today, but for instance there is a new right to portability, there is an obligation in certain cases to conduct a DPIA, data protection impact assessment, within the company, there is an obligation to notify personal data breaches to the authority and to data subjects. So it means, I mean, this is feasible; company to protest privacy who take causes seem to come properly will be ready for the GDPR, but they need to think this a little bit in advance, because new processes need to be implemented in place in the company, sorry. And one important thing, I think, is, of course, the fines can be a bit scary for the company, because it goes up to 20 million euros or 4% of the annual turnover, and the highest amount that counts. So it's actually, for big companies, we are talking about 4% of the worldwide turnover of the company. But it also gives a lot of leverage to privacy professionals to have more engagement by the management, because when you're trying to implement privacy safeguards, security safeguards on your system, I mean, the order of magnitude is changing completely with the GDPR. So I think it's a very interesting tool for privacy professionals, and this is really how they have to see it. Last point I want to make with respect to the questions is the fact that the Article 29, the group of the regulators, is trying to help you also with respect to the implementation of GDPR. We've already issued some guidelines in December on a number of topics, including the right to portability that I mentioned before and also data protection officer. These guidelines have been open for comments, and we're still receiving a lot of comments by various organizations. The deadline for comments is today, and we will produce some guidelines on other topics, on the hot topics, to help company be ready for the ddim 2018. This will be announced shortly, but there will be, now that we've
issued some guidelines on certain topics, we will be working on a new set of guidelines, and this will be done over and over again until May 2018, when the GDPR is applicable.

Thank you, Gwendal. Please continue to submit questions for the sidebar and the webinar interface and also to questions@bigprivacy.com. We will commit to answer two more questions that have been submitted, but as we said, the rest of them will be answered within the next week, so please do not stop submitting. So this question goes as follows: US law focuses on whether identifiers are directly linked to data subjects. The EU law is focused on whether identifiers are linkable to data subjects. The GDPR requires appropriate technical and organizational measures to safeguard the rights of data subjects. Does this mean that persistent identifiers are not permissible under the GDPR? Gwendal, do you want to start with that one?

So again, the question once they prove is but the GDPR is a framework to explain in what conditions you can collect personal data. It's not a ban on the processing of personal data. It just says you can process personal data under certain conditions, and these conditions are the privacy principles which are described in the relevant article of the GDPR, one of which is security, that you mentioned before. So pseudonymization, anonymization and also other measures can be implemented. There's this principle, the risk-based approach, so you need to understand what security safeguards you need to implement in the system based on the risks that your processing is causing. But it's not preventing the processing of personal data per se. The only thing that it is saying is that the GDPR is not applied to data that is made anonymous.

Yeah, I think the follow-up very quickly, and then love to get Mike's perspective: the problem with persistent identifiers is who has access to those persistent identifiers and how
likely are they to be subject to linkage attacks and the mosaic effect. And so, like Gwendal says, the GDPR is not intended to stop the processing of personal data; rather, you're supposed to put in place protective measures, both organizational and technical, to make it harder. So Mike, do you have further clarification on that?

I mean, I guess the way I would respond to the question is that, you know, persistent identifiers are not barred under the GDPR. No type of data is barred; any data can be processed. But if you're using data that meets the definition of personal data and it's not de-identified in any significant way, all of the requirements of GDPR are going to apply to you. If you use an intermediate level of de-identification, if you meet that level that's described under Article 11 that I talked about earlier, you get some relief. If you use any method of de-identification, it's at least showing, or at least partially showing, that you have adopted the kinds of measures that are required under the GDPR, but it's not the only way that you can comply with the GDPR. And if you get to the very highest level of de-identification and it meets the anonymization bar that Gwendal described, then you get sort of complete relief from the GDPR. So it's a spectrum, but there's nothing that's absolutely barred; it's just a matter of the compliance obligations provides of that data it based on the nature of that data.

Gotcha. So one last question quickly. Appreciate everyone staying with the webinar, and we'll go long enough to get this question fully answered. I'm going to group two questions here. The first one is: can you suggest how to get budget for GDPR compliance in 2017 when senior management views GDPR as a 2018 issue? And then the second one: as chief privacy officer, my title has a C in it, but that does not mean I have a key to the C-suite. The magnitude of liabilities and obligations under the GDPR
are way out of sync with budget and authority that I have in my position. How do I navigate the corporate labyrinth to make senior executives fully appreciate the magnitude of these issues? Mike, you want to take a first shot at that?

Yeah, sure. You know, I think it comes back to some of the things we talked about earlier in response to the first group of questions, and that is, you know, you need to make the case that the time is now to be focusing on the GDPR. Like I said before, the types of things that need to be put in place to show compliance for the GDPR are not things that you can just flip a switch or turn on a dime. They may require investment now and over the next year. So sort of laying that out, showing the type of things that need to be done, the type of architectural changes that may be required, the type of changes, the type of organizational and personnel and training, training if I'll take time in the Rick what they do, they require investments of time and money currently. If you're waiting until 2018 to do that, there's just not going to be enough time to get it done.

Gwendal, do you have any particular insight?

Yeah, I can add to this as well. Of course, as I said before, also there are new rights for data subjects; these new processes need to be implemented in companies, and it takes time to be prepared adequately so that companies are ready. And two important triggers that you can find in the regulation are Article 3 and Article 83. Article 3 is about the territorial scope, so it says that the regulation applies to controllers and to processors regardless of whether the processing is taking place in the Union or not. So if you have an establishment, or if you're targeting basically users that are in the EU, then the GDPR will be applicable to you. So that's the first thing. So it means it's applying to many people. If you're offering your services in Europe, you need to take into account GDPR. Second thing is 83. Article 83 is about the fines. So, I mean, everyone has heard about this, but if you go to your management and you say, well, the risk that we run as a company if we're not prepared for the GDPR is this amount of money, I think this gives you a lot of leverage when you discuss with your management. So it's not a very nice way to discuss with your management, but I guess it's very efficient.

Great. So again, appreciate everyone's questions. Please continue to submit through the webinar interface and also questions@bigprivacy.com. As I think is evident just from what we were able to do during live session, we're clearly at a tipping point, and companies can really no longer do what they used to do and expect to comply with the GDPR. They have to look at what steps they're taking to protect the rights of data subjects based on the uses of the data that they're making. Again, would encourage you to take a look at Mike's earlier de-identification white paper as well as the one that he and I recently wrote on big data and controlled linkable data. Clearly, readily linkable data and linked data, persistent identifiers, the way they've been used in the past, can no longer be used quite the same way. You have to have protective mechanisms in place and show that you're giving controls to the data subjects and you're respecting their rights, and this requires new technical measures. Data protection by default did not exist prior to the GDPR, and as Gwendal just said, if you think about what's changing on May 25th 2018, it's really as much if not more about the fines as it is the requirements. But with the magnitude of those fines and the potential penalties and the opportunity to embrace new technologies to improve business practices, hopefully this is truly a tipping point, which is not a negative, it's a positive. So while things like persistent identifiers can't be used as readily as they have in the past, there are ways to continue business processes so
that everybody can be successful, and we would like to think, I know the IAPP has this mindset, 2017 is a year about talking about solutions and approaches and working together to make things happen. We invite people to continue to submit questions and be active through the follow-on to this live webinar, and you will receive by the end of today a copy of the deck that was presented today, and within the week you will get a copy of all the questions and answers as well. So thank you very much. I want to thank you, at least on our part, and I'll turn it over to Dave.

Well, thank you very much, Gary, and let me echo from the IAPP our thanks to Anonos for sponsoring today's program and making all the screen information available for free to our attendees, and of course to Mike and to Gwendal for being with us today. It's really a pleasure to have both of you on the panel and to work with you in preparing for this, and we very much appreciate your time, effort and energies to help strengthen the privacy and security community that we're all building together here as we lead up to the compliance deadline for GDPR. So before you drop off the program, for those of you that are still with us, if you would please take literally just two minutes and click the live link in front of you, we have a very quick survey to see if today's program met your expectations and your needs, and importantly there's a field in that survey that allows you to let us know what topics, what subjects and issues you'd like to hear about in the future that we can put together panels for you on. So we want to serve you well here at the IAPP and get the information that you need to do your jobs into your hands, and that we can do that, we have a huge number of speakers we can draw upon, and if you let us know what topics you'd like to hear about, we can help put those panels together for you and offer those programs to you in the future. Please take just a minute to take that quick survey. If you are an IAPP
certified privacy professional, as I mentioned at the beginning of the program, and you registered for this program, you will automatically be granted one CPE for the upkeep of your certification. And if you're listening in and you weren't the registered attendee, you can still receive that one CPE by clicking the link in front of you, which will take you to the certification tab on the IAPP website, and you can apply for that credit. It's a very quick and easy-to-fill-out form. If you're an attorney and you're wondering about continuing legal education credits, or CLEs, they may be available for this program, but you're going to need to apply within your particular jurisdiction, as we don't pre-certify these programs. If you need supporting materials for that application, please contact me and I'll do what I can to provide them for you. As Gary mentioned a moment ago, you will all receive a copy of the slides in PDF format, and you can also hop on over there to the Anonos website to find a copy of the white paper, slides, and again postings of the questions we weren't able to answer on the program. We got a number of great questions that we just didn't have time to deal with. As always, love to hear from you. Please keep in contact with me that ITT org or give me a phone call and lefty here when you started this program and again and what you'd like to hear by the future. So with that, thank you Gary, thank you Mike, thank you Gwendal, thank all of you for joining us today, and I will take us to a program close. Good day, everybody.
