www.drupaleurope.org

GDPR and�Privacy Experience

Be good, and benefit from it.

TOC

1. Why privacy matters
2. Impact of GDPR
3. Global legal environment
4. Tools available
5. Organizational level solutions
6. Wrap-up: benefits of PX

Why privacy matters

Glenn Greenwald (2014)

​

SEND ME YOUR MAILBOX PASSWORD NOW!

I won’t steal your money :)

​

​

​

We are social creatures,

but we all need privacy.

“Mass surveillance creates �a prison in the mind.”�Glenn Greenwald, Why Privacy Matters (2014)

Mass surveillance

China is ranking their citizens in a social credit system

​

​

Facebook – Cambridge Analytica scandal

Facebook plummeted 24 percent,

$134b loss in market value

Yahoo

• Fine: £250,000 in June, 2018 over 2014 data breach
• Failed to take "appropriate technical and organizational measures"
• "failed to take appropriate measures" in making sure that Yahoo Inc., the data processor, complied with data protection standards

Google/Mastercard Secret Data Deal to track in-store purchases

For the past year, selected Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S.

​

British Airways customer data stolen from its website

380,000 payment cards affected

​

​

​

1ST EMAIL

Received less than 72 hours after end of breach and contained:

• Duration of data breach
• Types of info compromised
• Apology and recommendations

​

​

​

2ND EMAIL

Follow up 18 hours afterwards

Contained

• Duration of data breach
• Reminder of data compromised
• Additional apology
• Reimbursement info
• “Action you need to take”
• Contact info for BA DataPO

Austrian banks ordered to provide historical account info for free

Right to access personal info collected

​

​

Privacy matters

Decide whether you want to be on the right side.

Impact of GDPR

GDPR was something new

• Massive fines
• You need to prove your compliance
• Extends globally

First decisions and fines

GDPR related fines, decisions, and number of cases

​

GDPR�the first decisions and fines

European authorities issue their first GDPR based decisions:

in Germany against ICANN

​

​

Not only big companies are affected:

An administrator of a Facebook page shares responsibility with Facebook

​

Responses from the authorities �a 1-week response test

​

​

1. Estonia 129 cases, almost 30% up compared to last year
2. Sweden 77 cases since 25th of May
3. Romania 1424 complaints, 81 notices
4. Denmark: 4082 total cases: 1682 closed, 2400 open
5. U.K. initial response - detailed response by October 3rd.
6. Slovakia: 25 ongoing cases, zero closed

Updated 12.09.2018

Some statistics: Organizations React to GDPR

How Org Leaders have responded to GDPR

​

​

​

How Orgs have responded to GDPR (227 responses)

​

How Organizations have responded to GDPR

(227 responses)

Customer Experience Impact

Global legal environment

There is much more than GDPR

​

​

​

Privacy has become a global trend

https://www.brainsum.com/blog/ubiquitous-privacy-experience-data-protection-enforcement-global-level

The era of Privacy and Data Protection

Let’s benefit from it!

​

​

• Accelerate digital transformation, improve processes
• Develop a Single Customer View
• Improve customer confidence and engagement
• Reduce unnecessary risks

How can we get this �DP monkey off our backs?

Tools available

You don’t necessarily need tools or systems in place to become compliant.

​

You do need documented processes. �Why not to automate them?

Visible at first sight

• Cookie consent
• Consent checkboxes on forms

Visible but usually harder to find

• CMPs
• Privacy policy, cookie policy
• User rights (export, delete etc.)
• Data breach reporting

​

Totally hidden but fundamentally important

• Security incl. anonymization and encryption
• Systems for data retention
• Systems ensuring compliance by logging and monitoring

Data breaches are increasing rapidly!

Cookie consent solutions

Free and / or Open Source

Cookie consent

solutions�ePR vs GPDR

• Prior consent is required for every cookie which is not strictly necessary
• Categorisation at least by purpose
• What’s the status now? There is a study for that already!

​

Third-party cookies per page by country �(April-July change in parenthesis)

​

​

SaaS cookie consent services

https://www.onetrust.com

https://www.trustarc.com�http://cookiepro.com

https://www.cookiebot.com�...

​

A free and Open Source personalized �cookie consent solution

https://github.com/brainsum/cookieconsent

https://brainsum.github.io/cookieconsent/

​

Developed by BRAINSUM

Sponsored by Tieto

Managing Complexity

• Gdpr module set: anonymization via gdpr dump, consent tracking, user rights
• Inactive user module https://github.com/brainsum/inactive_user
• Encryption, Fields encryption + external service integration e.g. Lockr.io

Overview of GDPR Drupal contrib modules

​

Our challenges

and answers

How many of you feel comfortable when asked about the status of GDPR compliance?

PX HUB

Review and track your compliance to the regulation and more.

​

BRAINSUM’s internal tool is also

available for agencies or organizations with multiple systems.

​

​

​

​

​

Changing the mindset

​

Adhere privacy by design,

and use monitoring to stay on the right side!

​

Privacy Experience - how?

1. Instantly visible
2. Security related
3. Privacy branding

Key takeaways

• Good PX is beneficial
• Systems already exist, many tools are open source
• Think on an organizational level

​

Thank you!

Questions?

Riley Cunningham

Digital Solutions Consultant

rcunningham@brainsum.com � @RileyCunningh12

Peter Pónya

Founder and CIO

pedro@brainsum.com � @pedroleoman