Creating a Big Data Strategy: Managing Risk and Enabling Innovation

Meghan Farmer and Brooke McGuffey, 2016 Kilpatrick Townsend

What is Big Data?

Traditional definition: high-volume, high-velocity and/or high-variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.

Big Data and the Internet of Things (IoT): Big Opportunity? As of 2013, there were 3 ½ billion sensors in the marketplace. This number is expected to increase into the trillions by the end of the decade.

Risks and Liabilities: What are the key risks that a company faces by entering the IoT ecosystem?

- Intellectual Property
  o The value of IoT is the predictive power of data. Because of the potential to turn that value into revenue, it is key to be able to clearly determine which party can exploit the data.
- Liability for Personal Injury/Death
  o E.g.: failure to notify of an unsafe condition, which resulted in consumer harm.
- Products Liability
  o Additional duties may be created as a result of collecting, possessing and analyzing the data, or of designing the process by which the data is analyzed.
  o Marketing materials for IoT products can create a variety of unintended warranties.
  o Design defect / failure to warn.

Risks and Liabilities (continued)

- Security
  o Enabling unauthorized access to and misuse of personal information
  o Facilitating attacks on other systems (compromised devices are routinely enrolled in botnets and used against third parties)
  o Creating safety risks where a device controls something physical
- Privacy
  o Direct collection of sensitive personal information (precise geolocation, financial account numbers, or health information)
  o Collection of personal information, habits, locations, and physical conditions over time
  o Systematic bias leading to discriminatory decision making
- Increasing Regulatory Oversight
  o EU: GDPR, ePrivacy Regulation
  o US: pending bill in the California legislature

Polling Question: How prepared do you feel your company is for GDPR compliance?

- Highly Prepared
- Prepared
- Somewhat Prepared
- Not Prepared
- Unsure
- Not Applicable

EU General Data Protection Regulation (GDPR)

- The GDPR became effective on May 25, 2018.
- Extraterritorial reach: it applies to the processing of personal data of individuals who are in the EU (regardless of citizenship), even where the controller or processor is located outside the EU, if the processing relates to offering goods or services to those individuals or to monitoring their behavior within the EU.
- Fines: companies can be fined up to the greater of 4% of total worldwide annual turnover or 20 million Euros.

GDPR and IoT

Definition of personal data (Art. 4(1)): "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. For IoT, device identifiers, IP addresses and sensor readings tied to a household or user will usually qualify.

GDPR and IoT (continued)

- Security breach notifications: controllers must notify the supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, they must be notified as well. Processors must notify the controller without undue delay after becoming aware of a breach.
- The right to be forgotten (right to erasure): the individual's right to demand deletion of their personal data.
- Data portability: individuals must be able to transfer their personal data from one service provider to another more easily.
- Consent: stricter rules on obtaining consent; companies can no longer rely on "opt-outs" or pre-checked boxes to justify data processing. Consent must be either (i) unambiguous consent for general processing of personal data; or (ii) explicit consent for processing of special categories of personal data.

GDPR and IoT (continued)

- Profiling: automated decision-making (including profiling) that produces a legal effect on, or similarly significantly affects, an individual is permitted only where it is (i) authorized by EU or Member State law; (ii) necessary to enter into or perform a contract with that individual; or (iii) based on the individual's explicit consent.
- Minors: consent must be obtained from the holder of parental responsibility when information society services are offered directly to children below the age of 16 (Member States may lower this threshold, but not below 13).
- Processors: direct obligations are placed on data processors for the first time, including specific new requirements for existing and new data processing contracts.

GDPR and IoT (continued)

- Privacy by design / privacy by default: the GDPR introduces the concepts of data protection by design and by default. The controller must implement appropriate technical and organizational measures, designed to integrate the necessary safeguards into the processing (pseudonymization is the Regulation's own example), and must by default process only the personal data necessary for each specific purpose.
- Data protection impact assessments: the controller must carry out a DPIA before processing where the processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context and purposes of the processing.

ePrivacy Regulation and IoT

- The draft ePrivacy Regulation was published by the European Commission in January 2017. It has equally large fines and an equally wide territorial application.
- It introduces new rules for processing electronic communications data, which includes both electronic communications content and electronic communications metadata.
- It will apply to telcos, ISPs, over-the-top (OTT) providers and anyone using cookies or similar tracking technologies.
- IoT and machine-to-machine communications will be within the scope of some of its rules.

Objectives

- Protect data assets and their value
- Reduce risk and liability
- Prevent consumer and regulatory claims
- Provide new ideas in governance, compliance and building customer trust

Polling Questions

- How well do you think your company protects your data assets and their value? (scale 1-5, low to high)
- Does your company conduct a privacy impact assessment prior to implementing new technologies, processes or projects that involve processing of personal data? (yes or no)

Risks and Liabilities: What are the best practices to protect your data assets and their value?

- Work with the business and sales leads to develop an overall strategy for engaging with customers that prioritizes ownership.
- Draft clear ownership provisions for customer contracts that expressly state that your company is the owner of the data and has the rights to exploit it.
- Contract carefully with your third-party suppliers:
  o Don't give up ownership rights in the data to the supplier.
  o Carefully consider any rights you grant to the supplier to aggregate or combine the data.
  o Avoid representations and warranties regarding data accuracy and infringement.

Risks and Liabilities: How can you leverage the contracting process to mitigate risks and reduce liability?

Customer side:
  o Disclaim duties in the customer contract;
  o Allocate risk through indemnification obligations;
  o Review marketing materials for the product to avoid unintended claims;
  o Review documentation for the product to ensure that it includes appropriate warnings; and
  o Don't agree to security standards requested by a customer without passing that liability upstream to your supplier.

Supplier side:
  o Assess the vendor's security program and controls prior to contracting;
  o Contractually bind the supplier to appropriate security standards;
  o Ensure that you have the right to audit the vendor's security controls; and
  o Allocate risks appropriately in the contract.

Risks and Liabilities: What operational steps can you take to reduce liability?

- Privacy and security by design
- Privacy impact assessments
- Pseudonymization
- New contexts for consents, user choices and preferences

Privacy (and Security) by Design

The GDPR requires all organizations to implement a wide range of measures to reduce the risk of breaching the GDPR and to be able to demonstrate that they take data governance seriously (the accountability principle). Implementing privacy and security by design is also good practice for IoT. Organizations must implement technical and organizational measures to show that they have considered and integrated data protection measures into their data processing activities. Adopting appropriate staff policies is specifically mentioned, as is the use of pseudonymization (as a way of meeting data minimization obligations).

Privacy Impact Assessments (PIAs)

A PIA is an assessment to identify and minimize non-compliance risks. The GDPR requires that controllers conduct a data protection impact assessment (DPIA) on any high-risk processing activity before it is commenced, focused on the risk of infringing natural persons' rights and freedoms. Large-scale processing of sensitive data and profiling activities are cited as illustrative examples of high-risk processing. Supervisory authorities (DPAs) will publish lists of processing operations that require a DPIA and further guidance. Conducting PIAs on new products or projects that will involve personal data, or when a change to an existing product or project is likely to impact privacy, helps organizations identify and mitigate privacy risks early, when design changes are still cheap.

Pseudonymization

The technique of processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution. In practice the "additional information" is the secret key or the lookup table that maps pseudonyms back to identifiers; if it is stored alongside the data, the data is not effectively pseudonymized. Pseudonymized information is still a form of personal data (so the GDPR continues to apply to it), but the use of pseudonymization is encouraged, for instance:

- it is a factor to be considered when determining whether processing is incompatible with the purposes for which the personal data was originally collected and processed;
- it is included as an example of a technique which may satisfy the requirements to implement privacy by design and by default;
- it may contribute to meeting the GDPR's data security obligations; and
- for organizations wishing to use personal data for historical or scientific research or for statistical purposes, the use of pseudonymous data is encouraged.
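As an added example (it is not code from the original presentation or from Kilpatrick Townsend), the Python program below shows pseudonymization as defined above and as called for under privacy and security by design: direct identifiers in a constructed IoT telemetry feed are replaced with pseudonyms computed with a keyed hash (HMAC-SHA256), the key and the re-identification table are returned separately so that they can be stored apart from the data set, and a small dictionary attack shows why an unkeyed hash of an e-mail address is not pseudonymization at all. The records, e-mail addresses and key are all constructed for the demonstration; the field name "subject_id" is an assumption.

```python
"""Pseudonymising an IoT telemetry feed with a keyed hash (HMAC-SHA256).

Added example, not code from the original presentation. The records,
e-mail addresses and key below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: smart-thermostat readings keyed by the owner's e-mail,
# i.e. a direct identifier that must not sit in the analytics data set.
RECORDS = [
    {"email": "alice@example.com", "device": "thermostat-1", "temp_c": 21.5},
    {"email": "bob@example.com", "device": "thermostat-2", "temp_c": 19.0},
    {"email": "alice@example.com", "device": "thermostat-1", "temp_c": 22.0},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier.

    Same key and same input give the same pseudonym, so one person's records
    stay linkable for analytics. Without the key the pseudonym cannot be
    reversed, even for low-entropy inputs such as e-mail addresses.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes, id_field: str = "email"):
    """Replace the direct identifier in every record with a pseudonym.

    Returns (pseudonymised_records, reidentification_table). The table maps
    pseudonym -> original identifier; together with the key it is the
    "additional information" of GDPR Art. 4(5) and must be stored separately
    from the data set, under its own access controls. "subject_id" is an
    assumed field name.
    """
    out, table = [], {}
    for rec in records:
        pid = pseudonymize(rec[id_field], key)
        table[pid] = rec[id_field]
        new_rec = {k: v for k, v in rec.items() if k != id_field}
        new_rec["subject_id"] = pid
        out.append(new_rec)
    return out, table


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative often mistaken for pseudonymisation: SHA-256 with
    no secret. Anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates, key: Optional[bytes] = None):
    """Re-identify a pseudonym by guessing identifiers from a candidate list.

    With key=None the attacker recomputes the unkeyed hash, which succeeds
    whenever the real identifier is in the list. Against the keyed pseudonym
    the same attack only works if the attacker also holds the key.
    """
    for candidate in candidates:
        guess = pseudonymize(candidate, key) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep in a separate secret store
    pseudo, table = pseudonymize_records(RECORDS, key)
    guesses = ["carol@example.com", "alice@example.com"]
    # Attacker holds a leaked copy of the data set but not the key.
    print(dictionary_attack(unkeyed_hash("alice@example.com"), guesses))  # alice@example.com
    print(dictionary_attack(pseudo[0]["subject_id"], guesses))            # None
    # Authorised re-identification goes through the separately held table.
    print(table[pseudo[0]["subject_id"]])                                 # alice@example.com
```

The design point is the separation: the analytics team receives only the pseudonymized records, while the key and the re-identification table live in a different system with a different access policy and their own audit trail. Rotating the key produces an unlinkable new set of pseudonyms, which is also how a data set can be cut loose from the table when a purpose ends.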

Obtaining Consent in IoT

- Under the GDPR, "consent" means any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.
- The FTC expects clear notice and choice.
- Consent helps build and maintain trusted relationships with consumers.