GDPR and
Privacy Experience

Be good, and benefit from it.

1. How many of you have played a role in helping your organization (or one of your clients’) work towards GDPR compliance?

2. How many of you are developers/running agencies or development companies?

3. How many of you are site or system owners? (data controllers)

  • You should care about privacy.
  • Agencies and developers are responsible for adhering to the new approaches.
  • Data privacy brings value.

Let’s start!

Riley Cunningham

Head of Business Development

rcunningham@brainsum.com
@RileyCunningh12

Peter Pónya

Founder and CIO

pedro@brainsum.com
@pedroleoman

2 strong messages:

TOC

  • Why privacy matters
  • Impact of GDPR
  • Global legal environment
  • Tools available
  • Organizational level approaches
  • Wrap-up: benefits.

You shouldn’t care about privacy

Mark Zuckerberg (2014)

Facebook – Cambridge Analytica scandal

Facebook plummeted 24 percent,

$134b loss in market value

https://www.cbsnews.com/news/facebook-stock-price-recovers-all-134-billion-lost-in-after-cambridge-analytica-datascandal/

https://www.zdnet.com/article/yahoo-fined-250000-by-uk-watchdog-over-data-breach/

We are social creatures,

but we all need privacy.

We close the bathroom door.

Mass surveillance

China is ranking their citizens in a social credit system

A recent data breach showed that they are tracking the movements of millions of people belonging to minorities.

Meanwhile in China

Mass surveillance creates a prison in the mind.

We don’t have to refer to Orwell’s 1984 anymore.

By 2020, the Chinese government expects to integrate private and public cameras, leveraging the country's tech industry's expertise in facial recognition technology to build a nation-wide surveillance network.

the most important purposes of such a smart surveillance system is to crack down on social unrest triggered by petitioners and dissidents

https://www.theguardian.com/world/2019/feb/18/chinese-surveillance-company-tracking-25m-xinjiang-residents

https://en.wikipedia.org/wiki/Mass_surveillance_in_China


Google/Mastercard Secret Data Deal to track in-store purchases

For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for.

https://globalnews.ca/news/4423814/google-mastercard-secret-deal-privacy/


https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales

Impact of GDPR

GDPR was something new

  • Massive fines
  • You need to prove your compliance
  • Extends globally

https://www.forbes.com/sites/bernardmarr/2018/06/11/gdpr-the-biggest-data-breaches-and-the-shocking-fines-that-would-have-been/#36283acc6c10

British Airways customer data stolen from its website

380,000 payment cards affected

1ST EMAIL

Received less than 72 hours after end of breach and contained:

  • Duration of data breach
  • Types of info compromised
  • Apology and recommendations

2ND EMAIL

Follow up 18 hours afterwards

Contained

  • Duration of data breach
  • Reminder of data compromised
  • Additional apology
  • Reimbursement info
  • “Action you need to take”
  • Contact info for BA’s Data Protection Officer (DPO)

https://www.forbes.com/sites/kateoflahertyuk/2018/09/20/how-the-british-airways-breach-will-reveal-the-true-cost-of-gdpr/

Austrian banks ordered to provide historical account info for free

Right to access personal info collected

First decisions and fines

GDPR related fines, decisions, and number of cases

GDPR
decisions and fines

European authorities issued their first GDPR based decisions:

in Germany against ICANN

Not only big companies are affected:

An administrator of a Facebook page shares responsibility with Facebook

https://medium.com/@miranova/gdpr-on-trial-first-decisions-3915d56b84e2

https://www.forbes.com/sites/bernardmarr/2018/06/11/gdpr-the-biggest-data-breaches-and-the-shocking-fines-that-would-have-been/#36283acc6c10

Google fined by the French authority for 50 million EUR

Terms of services were too hard to find!

“for failing to provide transparent and easily accessible information on its data consent policies”

Compare this to the massive Yahoo data breach and the £250,000 fine issued by the ICO:

GDPR is not a lex Google or lex Facebook

Responses from the authorities, a 1-week response test:

  • Estonia 129 cases, almost 30% up compared to last year
  • Sweden 77 cases since 25th of May
  • Romania 1424 complaints, 81 notices
  • Denmark: 4082 total cases: 1682 closed, 2400 open
  • U.K. initial response - detailed response by October 3rd.
  • Slovakia: 25 ongoing cases, zero closed
  • Norway: 79 cases; 314 data breaches (July 20 - Sept 27)
  • Bulgaria: 343 cases; 2 fines

Updated 12.09.2018

SMEs regularly face inspections and potential fines.

41 GDPR Fines Issued by German Data Protection Authorities

Knuddels.de €20,000 fine as a result of a data breach.

Austrian entrepreneur €4,800 because of CCTV issues.

Hungary 2019: First organisation fined for neglecting a data export request.

Updated 1.03.2019

https://hvg.hu/tudomany/20190218_Megvan_az_elso_magyar_GDPRbuntetes - CCTV data export

Central Hospital of Barreiro Montijo

Fine: €400,000

985 doctors had access to the data even though only 296 were working there. People who weren’t doctors also had access to this data, even though it was supposed to be restricted to doctors.

Violation of Article 5(1)(c) ‘data minimisation’, fined under Article 83(5)(a) (basic principles for processing): €150,000

Violation of Article 5(1)(f) ‘integrity and confidentiality’: €150,000
Lack of protection measures to ensure data confidentiality

Violation of Article 32(1)(b) ‘ongoing confidentiality, integrity, availability and resilience of processing systems and services’: €100,000

59,000 data breaches reported

91 fines so far

source: DLA Piper

Updated: February 2019

https://www.gamingtechlaw.com/2019/02/data-breach-notifications-eu-gdpr.html

Some statistics: organisations react to GDPR

How organisation leaders have responded to GDPR, leaders vs laggards (227 responses):

  • A chance to build customer trust and loyalty
  • An EU issue that doesn’t impact our business
  • A call to action to overhaul organisational perspectives on customer data
  • An overwhelming burden that we don’t know how to tackle

https://digiday.com/media/gdpr-publishers-adopting-cmps-fear-losing-ad-revenue/

Customer Experience Impact

Commercial data mining and profiling threats

It is hard to tell who owns the data, and hard to find the boundary between personally identifiable data and anonymised statistics.

The only good answer is to choose services which are transparent.

When you build a system use privacy by design

https://www.cmocouncil.org/thought-leadership/reports/351/download/GDPR-Impact-and-Opportunity.pdf

Global legal environment

There is much more than GDPR

Privacy has become a global trend

https://www.brainsum.com/blog/ubiquitous-privacy-experience-data-protection-enforcement-global-level


The era of Privacy and Data Protection

Let’s benefit from it!

  • Accelerate digital transformation, improve processes
  • Develop a Single Customer View
  • Improve customer confidence and engagement
  • Reduce unnecessary risks

Understanding where your data comes from, the purpose of processing it, where and how it is stored and what the processing is meant to achieve, and having employees who care about how personal data is processed, can greatly benefit an organisation: it lets the organisation clear out unstructured data, build trust with its customer base, boost the company’s image and, hopefully, realise the potential ROI of data protection policies and procedures.

Tools available

You don’t necessarily need tools or systems in place to become compliant.

You do need documented processes.
Why not automate them?

Better Together - the Open Web Privacy Working Group

Speaker(s): heatherburns, yautja_cetanu

Scheduled day: Sunday, Room ELG02, session time 12.05 - 12.50

Visible at first sight

  • Cookie consent
  • Consent checkboxes on forms

https://digiday.com/media/gdpr-publishers-adopting-cmps-fear-losing-ad-revenue/

Visible but usually harder to find

  • CMPs (consent management platforms)
  • Privacy policy, cookie policy
  • User rights (export, delete etc.)
  • Data breach reporting

https://www.proctors.co.uk/chatter/gdpr-great-wake-call - Matt Skinner, PROCTOR + STEVENSON

Totally hidden but fundamentally important

  • Security incl. anonymization and encryption
  • Systems for data retention
  • Systems ensuring compliance by logging and monitoring

Data breaches are increasing rapidly!

https://reutersinstitute.politics.ox.ac.uk/sites/default/files/2018-08/Changes%20in%20Third-Party%20Content%20on%20European%20News%20Websites%20after%20GDPR_0.pdf


Cookie consent solutions

Free and / or Open Source

Cookie consent solutions: ePR vs GDPR

  • Prior consent is required for every cookie which is not strictly necessary
  • Categorisation at least by purpose
  • What’s the status now? There is a study for that already!
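The two requirements above (prior consent for everything that is not strictly necessary, categorisation by purpose) come down to one mechanism: nothing non-essential runs until a recorded, current consent says it may, and withdrawing that consent must be as easy as giving it. The block below is an added example written for this page; it is not BRAINSUM’s, OneTrust’s or any other vendor’s code. The cookie name px_consent, its v<policy version>.<unix time>.<purposes> value format, the four-purpose taxonomy and the way inert script tags are represented as {src, purpose} objects are all assumptions made for the example.

```javascript
// Added example: prior consent by purpose, plain JavaScript (no vendor code).
// Assumed for this example: cookie name, value format
// v<version>.<unix time>.<purpose|purpose>, and the purpose taxonomy.
const CONSENT_COOKIE = "px_consent";   // assumed cookie name
const POLICY_VERSION = 2;              // bump whenever the cookie policy changes
const PURPOSES = ["necessary", "preferences", "analytics", "marketing"];

// Parse the Cookie request header. Returns null when no usable consent exists:
// absent, malformed, or recorded under an older policy version. A null record
// means "show the banner again and load nothing but strictly necessary scripts".
function parseConsent(cookieHeader) {
  if (typeof cookieHeader !== "string") return null;
  const pair = cookieHeader
    .split(";")
    .map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return null;
  let value;
  try { value = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)); }
  catch (e) { return null; }
  const m = /^v(\d+)\.(\d+)\.([a-z|]*)$/.exec(value);
  if (!m || Number(m[1]) !== POLICY_VERSION) return null;
  // Unknown purposes are discarded: only the site's own taxonomy is trusted.
  const purposes = new Set(m[3].split("|").filter(p => PURPOSES.includes(p)));
  purposes.add("necessary");
  return { version: POLICY_VERSION, grantedAt: Number(m[2]), purposes };
}

// Build the Set-Cookie value for a record. Only opt-in purposes are written;
// "necessary" is implied and never needs consent.
function serializeConsent(record) {
  const list = [...record.purposes].filter(p => p !== "necessary").sort().join("|");
  return `${CONSENT_COOKIE}=v${record.version}.${record.grantedAt}.${list}` +
    "; Max-Age=15552000; Path=/; Secure; SameSite=Lax";
}

// A fresh record from the purposes the user ticked in the banner.
function grant(purposes, now = Math.floor(Date.now() / 1000)) {
  const set = new Set(purposes.filter(p => PURPOSES.includes(p)));
  set.add("necessary");
  return { version: POLICY_VERSION, grantedAt: now, purposes: set };
}

// Withdrawal must be as easy as consent: returns a new record without the purpose.
function withdraw(record, purpose) {
  const purposes = new Set(record.purposes);
  if (purpose !== "necessary") purposes.delete(purpose);
  return { ...record, purposes };
}

// Strictly necessary storage is the only thing permitted without a record.
function allowed(record, purpose) {
  if (!PURPOSES.includes(purpose)) return false;
  if (purpose === "necessary") return true;
  return record !== null && record.purposes.has(purpose);
}

// Scripts are declared inert in the HTML (e.g. type="text/plain" with a
// data-purpose attribute) and represented here as {src, purpose}. Only the
// "load" partition is switched to an executable type by the page.
function gateScripts(scripts, record) {
  const load = [];
  const blocked = [];
  for (const s of scripts) (allowed(record, s.purpose) ? load : blocked).push(s);
  return { load, blocked };
}
```

The version check is the part that is usually missing: when the cookie policy changes (a new vendor, a new purpose), an old record must stop counting as consent, otherwise users keep being tracked under terms they never saw.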

Recital (66) of Directive 2009/136/EC:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32009L0136

GDPR

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

Third-party cookies per page by country
(April-July change in parenthesis)

Data from: 2017-2018

https://reutersinstitute.politics.ox.ac.uk/sites/default/files/2018-08/Changes%20in%20Third-Party%20Content%20on%20European%20News%20Websites%20after%20GDPR_0.pdf

SaaS cookie consent services

https://reutersinstitute.politics.ox.ac.uk/sites/default/files/2018-08/Changes%20in%20Third-Party%20Content%20on%20European%20News%20Websites%20after%20GDPR_0.pdf


https://www.onetrust.com/ On https://www.accenture.com/hu-en you can see it in action. Seems to be the market leader and the most advanced solution.

https://www.trustarc.com/ It's used on https://www.petarmor.com

http://cookiepro.com but they are using onetrust for their own cookie settings

https://www.iubenda.com/en/help/3081-introduction-to-prior-blocking-of-scripts#module - they use server-side tools too: they have Apache, IIS and nginx modules to block 3rd-party sources.

https://www.cookiebot.com/

A free and Open Source personalized
cookie consent solution

Developed by BRAINSUM

Sponsored by Tieto

https://www.brainsum.com/blog/ubiquitous-privacy-experience-data-protection-enforcement-global-level

Managing Complexity

  • GDPR module set: anonymization via gdpr dump, consent tracking, personal data mapping, user rights
    https://www.drupal.org/project/gdpr
  • Inactive user module https://github.com/brainsum/inactive_user
  • Encryption: field-level encryption, plus external key-management service integration, e.g. Lockr.io

James will give a presentation

Our challenges

and answers

How many of you feel comfortable when asked about the status of GDPR compliance?

Privacy HUB

Review and track your compliance with the regulation and more.

Available for agencies or organizations with multiple systems.

ICO template included.

Changing the mindset

Adhere to privacy by design,

and use monitoring to stay on the right side!

Key takeaways

  • Good PX (privacy experience) is beneficial
  • Systems already exist, many tools are open source
  • Think on an organizational level

Thank you!

Questions?

Riley Cunningham

Head of Business Development

rcunningham@brainsum.com
@RileyCunningh12

Peter Pónya

Founder and CIO

pedro@brainsum.com
@pedroleoman

beyond GDPR | PX | DrupalCamp London - Google Slides