Creating a Big Data Strategy: Managing Risk and Enabling Innovation

Transcription

1 Creating a Big Data Strategy: Managing Risk and Enabling Innovation Meghan Farmer and Brooke McGuffey 2016 Kilpatrick Townsend

2 What is Big Data? Traditional definition: high-volume, high-velocity and/ or high-variety information assets that demand costeffective, innovative forms of information processing that enable enhanced insight, decision making, and process automation. Big Data and the Internet of Things (IoT): Big Opportunity? As of 2013, there were 3 ½ billion sensors in the marketplace. This number is expected to increase into the trillions by the end of the decade. 2

3 Risks Liabilities What are the key risks that a Company faces by entering the IoT ecosystem? Intellectual Property o The value of IoT is the predictive power of data. Because of the potential to turn the value into revenue, it is key to be able to clearly determine which party can exploit the data. Liability for Personal Injury/Death o E.g.: Failure to notify of an unsafe condition, which resulted in consumer harm. Products Liability o Additional duties may be created as a result of: o Collecting, possessing and analyzing the data; or o Designing the process by which the data is analyzed. o Marketing materials for IoT products can create a variety of unintended warranties o Design Defect / Failure to Warn 3

4 Risks Liabilities Security o Enabling unauthorized access and misuse of personal information o Facilitating attacks on other systems o Creating safety risks Privacy o Direct collection of sensitive personal information (precise geolocation, financial account numbers, or health information) o Collection of personal information, habits, locations, and physical conditions over time o Systematic bias leading to discriminatory decision making Increasing Regulatory Oversight o EU: GDPR, eprivacy Regulation o US: pending bill in California legislature 4

5 Polling Question How prepared do you feel your company is for GDPR compliance? Highly Prepared Prepared Somewhat Prepared Not Prepared Unsure Not Applicable 5

6 EU General Data Protection Regulation GDPR will be effective on May 25 Extraterritorial Reach - applies to any processing of personal data related to EU citizens and non-eu citizens living in the EU, even where the data controller is located in a country outside of the EU, if processing relates to the offering of goods/services to such individuals or monitoring their behavior. Fines companies could be fined up to the greater of 4% of global turnover or 20 million Euros 6

7 GDPR and IOT Definition of Personal Data- "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. 7

8 GDPR and IOT Security Breach Notifications controllers must notify DPAs within 72 hours of the breach. The Right to Be Forgotten individual's right to demand deletion of online content. Data Portability - individuals must be able to transfer personal data from one service provider to another more easily. Consent - stricter rules on obtaining consent, with companies no longer able to rely on "opt-outs or prechecked boxes to justify data processing. Consent must be either (i) unambiguous consent for general processing of personal data; or (ii) explicit consent for processing of special categories of personal data. 8

9 GDPR and IOT Profiling - automated decision-making (including profiling) that either produces a legal effect or significantly affects individuals must be (i) authorized by law; or (ii) necessary to enter into or perform a contract with that individual; or (iii) based on individual s explicit consent. Minors - consent must be obtained from parents or legal guardians when information society services are provided to minors below the age of 16. Processors - direct obligations placed on data processors for the first time, including specific new requirements for existing and new data processing contracts. 9

10 GDPR and IOT Privacy by Design / Privacy by Default - GDPR introduces new concepts of privacy by design and privacy by default. The controller must implement appropriate technical and organizational measures, which are designed to integrate the necessary safeguards into the processing. Data Protection Impact Assessments - data controller must carry out a data protection impact assessment prior to processing data, where the processing is likely to result in a high risk to the rights / freedoms of individuals due to (i) the use of new technologies; (ii) the nature, scope, context, and purposes of processing. 10

11 eprivacy Regulation and IOT eprivacy draft regulation was published by the European Commission in January. It has equally large fines and an equally wide territorial application. Introduces new rules for processing electronic communications data which includes electronic communications content and electronic communications metadata. Will apply to telcos, ISPs, Over the Top (OTT) providers and anyone using cookies or similar tracking technologies. IOT and machine-to-machine communications will be within the scope of some rules. 11

12 Objectives Protect data assets and their value Reduce risk and liability Prevent consumer and regulatory claims Provide new ideas in governance, compliance & building customer trust 12

13 Polling Questions How well do you think your company protects your data assets and their value? (scale 1-5 low to high) Does your company conduct a privacy impact assessment prior to implementing new technologies, processes or projects that involve processing of personal data? (yes or no)? 13

14 Risks Liabilities What are the best practices to protect your data assets and their value? Work with the business and sales leads to develop an overall strategy for engaging with customers that prioritizes ownership. Draft clear ownership provisions for customer contracts that expressly states that your company is the owner of the data and has the rights to exploit it. Contract carefully with your third party suppliers o Don t give up ownership rights in the data to the supplier o Carefully consider any rights you grant to the supplier to aggregate or combine the data o Avoid representations and warranties regarding data accuracy and infringement 14

15 Risks Liabilities How can you leverage the contracting process to mitigate risks and reduce liability? Customer side: o Disclaim duties in the customer contract; o Allocate risk through indemnification obligations; o Review marketing materials for the product to avoid unintended claims; o Review documentation for the product to ensure that it includes appropriate warnings; and o Don t agree to security standards requested by a customer without passing that liability upstream to your supplier. Supplier side: o Assess vendor s security program and controls prior to contracting; o Contractually bind the supplier to appropriate security standards; o Ensure that you have the right to audit the vendor s security controls; and o Allocate risks appropriately in the contract. 15

16 Risks Liabilities What operational steps can you take to reduce liability? Privacy and Security by Design Privacy Impact Assessments Pseudonymization New contexts for consents, user choices & preferences 16

17 Privacy (and Security) By Design The GDPR requires all organizations to implement a wide range of measures to reduce the risk of their breaching the GDPR and to prove that they take data governance seriously. Implementing Privacy and Security by design is also good practice for IOT. Organizations must implement technical and organizational measures to show that they have considered and integrated data compliance measures into their data processing activities. Adopting appropriate staff policies is specifically mentioned, as is the use of pseudonymization (to ensure compliance with data minimization obligations). 17

18 Privacy Impact Assessments (PIAs) A PIA is an assessment to identify and minimize noncompliance risks. The GDPR requires that controllers conduct a DPIA on any high-risk processing activity before it is commenced focused on the risk of infringing a natural person s rights and freedoms. Large scale processing of sensitive data, or profiling activities, are cited as illustrative examples of high-risk processing. DPAs will publish details of further examples and guidance. Conducting PIAs on new products or projects that will involve personal data, or when a change to an existing product or project is likely to impact privacy, can help organizations identify and mitigate privacy risks. 18

19 Pseudonymization The technique of processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution. Pseudonymized information is still a form of personal data, but the use of pseudonymization is encouraged, for instance: it is a factor to be considered when determining if processing is incompatible with the purposes for which the personal data was originally collected and processed; it is included as an example of a technique which may satisfy requirements to implement privacy by design and by default ; it may contribute to meeting the GDPR s data security obligations; and for organizations wishing to use personal data for historical or scientific research or for statistical purposes, use of pseudonymous data is encouraged. 19

20 Obtaining Consent in IOT Under the GDPR "Consent" means any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action. The FTC expects clear notice and choice. Consent helps build and maintain trusted relationships with consumers. 20