Privacy by Design Tomi Mikkonen, Privaon Tietosuoja ja standardit 13.9.2016

Upload: suomen-standardisoimisliitto-sfs-ry

Post on 08-Jan-2017


Page 1: Privacy by Design

Privacy by Design

Tomi Mikkonen, Privaon

Tietosuoja ja standardit 13.9.2016

Page 2: Privacy by Design

Privacy by Design Tomi Mikkonen

[email protected] www.privaon.com

Page 3: Privacy by Design

Company Overview

We are privacy and data protection specialists focused on helping companies utilize their data correctly and in diverse ways

We manage our customers’ privacy challenges and implement General Data Protection Regulation (GDPR) requirements

We promise to cut through GDPR complexity. Our solution for this is Privacy as a Service.

Privaon Oy

Founded: 2014

Located: Greater Helsinki, Finland

Our story: We noticed the growing need for privacy expertise and the lack of customer-friendly service models. So, we built one.

Page 4: Privacy by Design

What is Privacy by Design

Page 5: Privacy by Design

14 September 2016 4

What is Privacy by Design?

(Illustrations: ICO, GDPR)

Page 6: Privacy by Design

What is Privacy by Design?

• Most of the “official” definitions are OK-ish

– Privacy by Design is an approach to systems engineering which takes privacy into account throughout the whole engineering process. (Wikipedia)

• Privacy by Design characteristics:

– Proactive, not reactive (cannot be bolted on as an afterthought)
– Risk management, adequacy
– Lifecycle
– Accountability

Page 7: Privacy by Design

What is Privacy by Design?

“Privacy by Design (PbD) refers to the philosophy and approach of embedding privacy into the design specifications of various technologies”

Ann Cavoukian, Information and Privacy Commissioner, Ontario

7 foundational principles:

1. Proactive, not reactive
2. Privacy as default setting
3. Embedded into design
4. Full functionality
5. End-to-end security
6. Visibility and transparency
7. Respect for user privacy

Page 8: Privacy by Design

What is Privacy by Design?

(Diagram: Design, Implementation)

Page 9: Privacy by Design


What is Privacy by Design?

Page 10: Privacy by Design

Privacy by Design: Summary

• Most of the “official” definitions are OK-ish
– They serve to explain what Privacy by Design is about
• Privacy by Design is still “undefined”
• For an official Privacy by Design definition, we need to wait for precedent legal cases
– These will become available only several years from now
• The key challenge is how to implement Privacy by Design

Page 11: Privacy by Design

Implementing Privacy by Design

Page 12: Privacy by Design

Implementing Privacy by Design

• You are not running short of recommendations for implementing Privacy by Design
– A. Cavoukian: Privacy by Design
https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
– Deloitte: Privacy by Design: Setting a new standard for privacy certification
https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-brochure.PDF
– ENISA: Privacy and Data Protection by Design – from policy to engineering
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design/at_download/fullReport
– …

Page 13: Privacy by Design

Implementing Privacy by Design

• Privacy Impact Assessment (PIA) is a proactive tool that you can use to
1. Measure compliance
2. Identify and reduce privacy risks
3. Demonstrate accountability
• PIA will identify prioritized next steps to manage privacy risks

(Diagram: PIA criteria + PIA report)

Page 14: Privacy by Design

Implementing Privacy by Design

Article 25 Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
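As an added example (not code from the presentation or from Privaon), the Article 25 obligations above turned into defaults in a small Python service: a per-purpose field allowlist for data minimisation, keyed-hash pseudonymisation of the identifier before it reaches analytics, and a profile that stays private unless the person opts in. The record, purposes and key are constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample record (not from the presentation).
RECORD = {
    "customer_id": "C-1001",
    "name": "Maija Example",
    "email": "maija@example.invalid",
    "date_of_birth": "1984-05-12",
    "city": "Espoo",
    "purchases": [19.90, 42.00],
}

# Art. 25(2) minimisation: each purpose declares the fields it may receive.
# Art. 25(1) pseudonymisation: listed fields are replaced by a keyed hash.
PURPOSES = {
    "order_fulfilment": {"fields": {"customer_id", "name", "email", "city"},
                         "pseudonymise": set()},
    "sales_analytics": {"fields": {"customer_id", "city", "purchases"},
                        "pseudonymise": {"customer_id"}},
}


def pseudonymise(value: str, key: bytes) -> str:
    # HMAC-SHA256: rows stay linkable, but the real id is recoverable only
    # with the key, which is kept apart from the analytics data set.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    # Undeclared purpose -> no data at all; undeclared fields are dropped.
    policy = PURPOSES.get(purpose)
    if policy is None:
        raise ValueError(f"undeclared processing purpose: {purpose}")
    out = {k: v for k, v in record.items() if k in policy["fields"]}
    for name in policy["pseudonymise"]:
        out[name] = pseudonymise(str(out[name]), key)
    return out


@dataclass
class Visibility:
    # Art. 25(2) default: private unless the individual opts in.
    public_profile: bool = False


def public_view(record: dict, settings: Visibility) -> dict:
    # What an indefinite audience may see: nothing without the user's choice.
    if not settings.public_profile:
        return {}
    return {"name": record["name"], "city": record["city"]}
```

Adding a new purpose means adding an entry to PURPOSES, which makes the minimisation decision reviewable in one place during a PIA.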

Page 15: Privacy by Design

Implementing Privacy by Design

(Diagram: Risk assessment defines requirements for privacy engineering (R&D or operations), which produces evidence for accountability)

Page 16: Privacy by Design

Implementing Privacy by Design

• Privacy principles
• Privacy requirements


(Diagram: requirements defined for privacy engineering (R&D or operations), which produces evidence for accountability)

Page 17: Privacy by Design

Big Picture

(Diagram)
Lifecycle: Design, Develop, Deploy, Operate
Privacy by Design: privacy requirements, data access process, data retention process, other privacy processes, privacy impact assessment, auditing
Privacy Engineering: architecture design (including privacy), product backlog (incl. privacy), threat assessment, implementation, PETs, testing (including privacy), certification
Output: evidence for accountability

Page 18: Privacy by Design

Summary

• Privacy by Design is still “undefined”
– “What” to do
• Privacy engineering refers to activities and tools to build privacy into products and to produce evidence for assurance
– More “how” than “what” to do
• Privacy Impact Assessment (PIA) is one of the key tools in implementing Privacy by Design
• Privacy does not prevent cool things from happening; things just need to be done “in the right way”.