Understanding Privacy… … and data in personalized marketing: How to become a responsible data handler

ILLEGAL BIG DATA

You should be scared

…. ore at least awake right now. Good Morning!

Understanding Privacy…

… and data in personalized marketing: How to become a responsible data handler

EU Privacy Directive 95/46/EC

• It’s the law

• --- it must be boring

EU Privacy Directive 2016/680

• It’s the law

• --- it must stay boring

Relax …

• This is not my style

• I’m not a lawyer

• I’m an engineer.

Actually, I’m a researcher

• doing “real” research

• not “market” research

• (or do you deny that academia is “real”?)

• And: I’m a doctor

• but not a “real one”

I work for T-Labs

• Telekom Innovation Laboratories

(Deutsche Telekom’s R & D Unit)

• 300 Employees, DT-corporate and

Technical University researchers

• Our Slides look like this:

But not today

• Today I’m here to present some insights

we gained in our projects on data privacy

Privacy is NOT

• the preventer of innovative marketing

• an excuse for poor personalization

Innovative Privacy,

Privacy

Protection

Privacy

© dilbert.com

Privacy is Rather

• your opportunity for an USP

• a technology that serves your customers

• a source of deep insights to customer

preferences and fears

• A means to make the world a better place.

This talk is about

• Privacy enhancing technologies

• “Privacy By Design”

• Monetizing privacy (features)

• some trends in privacy research

• and YOUR quesitions!

This talk is NOT

• a legal training (§§)

• aimed at security experts

• a typical market research speech (sorry!)

• to be ignored

A few remarks impulses:

• Who owns user data?

• who controls them?

• who makes money with user data?

• Does privacy impact business?

YES! P.E.T. are here to

increase (your) profits!

• P.E.T. = Privacy Enhancing Technologies

• N.B.: P.E.T. also can increase your

customer’s profits/benefits (end customers)

Privacy Enhancing Technologies

• Cryptography

• Traceability

• Transparency

• Anonymization/Pseudonymization

• “artificial data”, “differential privacy” & more

• IT security

“Privacy By Design”

• by Ann Cavoukian (Privacy Commissioner of Ontario, Canada, 1995)

(https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf )

• general adoption in many countries and

companies

• a good starting point

Ann Cavoukian, PhD

Information & Privacy

Commissioner,

Ontario, Canada 10.11.2016

Concept, developed in the 1990s, still growing

Assumption:

Compliance and regulatory frameworks are not sufficient

Instead, privacy assurance must be “in the genes” of the

organization, so it will be its “default” mode of operation

and design/development.

PbD extends PETs (Privacy Extendig Technologies) to

PETplus added value!

applies to:

• IT systems, business practices,

• physical design and

• (networked) infrastructure

• … market research and CRM? …

PBD: 7 foundational principles

1. Proactive not reactive; Preventative not remedial

2. Privacy as the default setting

3. Privacy embedded into design

4. Full functionality – positive-sum, not zero-sum

5. End-to-end security – full lifecycle protection

6. Visibility and transparency – keep it open

7. Respect for user privacy – keep it user-centric

1. Proactive not Reactive; Preventative not

Remedial • The Privacy by Design (PbD) approach is characterized

by proactive rather than reactive measures. It anticipates

and prevents privacy-invasive events before they

happen. PbD does not wait for privacy risks to

materialize, nor does it offer remedies for resolving

privacy infractions once they have occurred – it aims to

prevent them from occurring. In short, Privacy by

Design comes before-the-fact, not after.

Have a privacy (by design) expert in your (design) team

2. Privacy as the Default Setting

• We can all be certain of one thing – the default rules!

Privacy by Design seeks to deliver the maximum degree

of privacy by ensuring that personal data are

automatically protected in any given IT system or

business practice. If an individual does nothing, their

privacy still remains intact. No action is required on the

part of the individual to protect their privacy – it is built

into the system, by default.

Let the user take over initiative (results in better quality insights)

3. Privacy Embedded into Design

• Privacy is embedded into the design and architecture of

IT systems and business practices. It is not bolted on as

an add-on, after the fact. The result is that it becomes an

essential component of the core functionality being

delivered. Privacy is integral to the system, without

diminishing functionality.

once done, this is easy to repeat later on in market research

4. Full Functionality – Positive-Sum, not Zero-

Sum • Privacy by Design seeks to accommodate all legitimate

interests and objectives in a positive-sum “win-win”

manner, not through a dated, zero-sum approach, where

unnecessary trade-offs are made. Privacy by Design

avoids the pretense of false dichotomies, such as privacy

vs. security, demonstrating that it is possible to have

both.

How can the “subject” of market research benefit? Think!

5. End-to-End Security – Full Lifecycle Protection

• Privacy by Design, having been embedded into the

system prior to the first element of information being

collected, extends throughout the entire lifecycle of the

data involved, from start to finish. This ensures that at the

end of the process, all data are securely destroyed, in a

timely fashion. Thus, Privacy by Design ensures cradle to

grave, lifecycle management of information, end-to-end.

security is a “must have” anyway. Why not use it for privacy too?

6. Visibility and Transparency – Keep it Open

• Privacy by Design seeks to assure all stakeholders that

whatever the business practice or technology involved, it

is in fact, operating according to the stated promises and

objectives, subject to independent verification. Its

component parts and operations remain visible and

transparent, to users and providers alike. Remember,

trust but verify.

Transparency guarantees insights (sic!)

7. Respect for User Privacy – Keep it User-Centric

• Above all, Privacy by Design requires architects and

operators to keep the interests of the individual

uppermost by offering such measures as strong privacy

defaults, appropriate notice, and empowering user-

friendly options. Keep it user-centric.

the “subject “ (end-customer) is the eventual source of your revenue

nice “side effect”: the user maintains his/her own data. So it stays

up-to-date with no extra effort (if done correctly ;-)

Example: Big Data & Privacy

New R&D project to start in Jan 2017:

• use “linked data”, a method of publishing structured

data so that it can be interlinked and become more useful

through semantic queries [Wikipedia]

• provide a “data dashboard” for tracking

• provide a “data cockpit” for control

expected outcome: more “opt ins” for survey and data usage

Benefits for the end user

reward the end user by

• money (simple but expensive and “vintage”)

• more accurate service offerings

• faster service delivery/operations

• gamification: let users compete and

compare their privacy settings/preferences

Be Open and Open Minded

• open your collection of personal data to the

end user (the source/owner of the data)

• open your derivates/conclusions of this

collection to the user. (no risk, no fun )

• open yourself and your data/findings to the

general public! (might be a challenge by itself!)

Trends in Privacy Research

• Differential Privacy

• Artificial Data

• Location Blur

• Blockchains (not always a P.E.T. !!)

• Apply to non-IT driven products (are their any?)

Thank you!

• Questions?

I hope so!

• Use the app, use your brain, and use your mouth!

• Contact me “privately”:

martin.kurze@telekom.de +49 171b864 22 46

• https://www.linkedin.com/in/kurze