Personal Data Receipts: Real Consent & GDPR Readiness
January 16th, 2017
Michele Nati, Lead Technologist Personal Data and Trust
Lucie Burgess, Head of Personal Data and Trust
David Ponsford, Senior Product Manager
Digital Catapult, London
@michelenati
Motivation
• Personal data availability is growing
• By 2019, total shipments will reach 214.6 million units, a five-year Compound Annual Growth Rate (CAGR) of 28% (IDC)
• … and business digital transformation is leveraging that
• … with transparency and trust becoming of paramount importance
• Only 1 in 5 consumers read privacy statements; 15% feel they have control over how their data are used (Source: Data Protection Eurobarometer)
• And a regulatory framework is now in place to measure it (GDPR)
http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_eurobarometer_240615_en.pdf
Trust and GDPR
Trustworthiness / Reputation / Trust
- Transparency (Articles 12-14, Information notice)
- Accountability (Articles 4 and 7, Consent)
- Level of Control (Articles 17-19, Data erasure and portability)
Background
• Summer 2016 intern
• Understanding what transparency means for consumers
• Data discovery, interviews, user-centric design, prototyping, measuring
• Findings: a transparent, clear and concise summary of the collected data increases trust
https://pdtn.org/designing-consent-receipts-future-personal-data-sharing/
Personal Data Receipts
Multi-disciplinary team:
- UX Lead
- Marketing experts
- Lawyer
- Lead Tech
Lawyer advice: according to the DPA, consent is not required for:
a) the "legitimate interests" of the data controller, so long as they do not override the fundamental rights of the data subject;
b) data that it is necessary to collect or process in order to fulfil a contract the data subject asked to enter
• PDRs are a super-set of consent receipts
• First full transparency, then control
Current Benefits
• Individuals:
  • Simplify understanding of privacy policies
  • Track and control the use of personal data
• Organizations:
  • Increase transparency, by simplifying privacy policies
• For both:
  • Simplify Subject Access Requests (by providing a link to the Data Controller)
Technical integration – Logic view
• User interfaces: collect, store and manage PDRs
• PDR generator: uses secure APIs from different corporate legacy systems (e.g. Salesforce)
• Audit trail: authenticity, integrity, confidentiality, non-repudiability
Technical integration – Digital Catapult system
Preserving privacy:
• No new personal information is created, nor passed and stored across different systems
• Secure meta-data communication
• Pseudonyms to link PDRs and users
• PDRs only sent the first time, with a random delay, to avoid traceability
• Audit trail: including the PDR version, to maintain consistency (in case of a Privacy Policy change)
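The pseudonymous link, the first-time-only dispatch with random delay, and the versioned, integrity-protected audit trail described above, as an added Python sketch that is not the Digital Catapult system's own code; the keys, the delay bound and the controller contact link are placeholders.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholders: the trial's real keys, delay bound and contact link are not on the page.
PSEUDONYM_KEY = b"pseudonym-key-placeholder"  # known only to the receipt service
AUDIT_KEY = b"audit-key-placeholder"          # separate key for the audit trail
MAX_DELAY_SECONDS = 6 * 3600                  # assumed upper bound for the random delay

def pseudonym(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym that links a PDR to a user without storing the identifier."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]

def build_pdr(user_id, categories, purposes, policy_version):
    """Receipt body: meta-data about what was collected and why, no new personal data."""
    return {"subject": pseudonym(user_id), "categories": sorted(categories),
            "purposes": sorted(purposes), "policy_version": policy_version,
            "controller_contact": "https://example.invalid/dpo"}  # placeholder SAR link

def audit_entry(pdr, key: bytes = AUDIT_KEY):
    """Audit record: canonical JSON of the PDR plus an HMAC tag for integrity."""
    canonical = json.dumps(pdr, sort_keys=True, separators=(",", ":")).encode()
    return {"pdr": pdr, "tag": hmac.new(key, canonical, hashlib.sha256).hexdigest()}

def verify_audit_entry(entry, key: bytes = AUDIT_KEY) -> bool:
    """Recompute the tag; any edit to the stored receipt (e.g. its version) is caught."""
    return hmac.compare_digest(audit_entry(entry["pdr"], key)["tag"], entry["tag"])

class PdrDispatcher:
    """Sends a PDR once per (pseudonym, policy version), delayed by a random interval."""
    def __init__(self, rng=secrets.randbelow):
        self.sent = set()   # (pseudonym, policy_version) pairs already dispatched
        self.trail = []     # audit trail entries, each carrying the PDR version
        self.rng = rng      # injectable so the delay can be fixed in tests

    def schedule(self, user_id, categories, purposes, policy_version, now=None):
        """Return the send time, or None if this user already got this version."""
        pdr = build_pdr(user_id, categories, purposes, policy_version)
        key = (pdr["subject"], policy_version)
        if key in self.sent:
            return None
        self.sent.add(key)
        now = time.time() if now is None else now
        self.trail.append(audit_entry(pdr))
        return now + self.rng(MAX_DELAY_SECONDS)  # delay decouples send from visit time
```

A policy version change produces a fresh receipt and audit entry for the same pseudonym, while a repeat visit under the same version sends nothing.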
PDR trial ambitions
• Educate consumers (visitors) about their personal data sharing
• Measure the value of PDRs for consumers
• Promote best practices and adoption to increase business transparency and trust
PDR trial summary
Overall visitor engagement (figures taken cumulative since 13/09/16):
• Total visitors: 3892
• Total first time visitors: 1950
• Total receipts (PDRs) sent: 1504
• PDR emails: Opened 51%, NOT opened 49%
• Would you like all services you signed up for to send you a PDR? Yes 80%, No 20%
• Would you consider implementing something similar within your company? Yes 80%

Website engagement (this week / last week):
• Visitors: 20 / 27
• Total page views: 13 / 16
• Contact via website: 0 / 0
• Requests to be removed: 0 / 0

Catapult Centre engagement (this week / last week):
• Centre visitors: 303 / 339
• PDRs sent: 128 / 183
• Email open rate: 47% / 44%
• Click thru rate: 4% / 4%

PDRs sent by interest area (DCC visitors, cumulative since 13/09/16):
• Closed Data: 95
• IoT: 191
• Licensed Data: 94
• PD&T: 157
[Chart: Total visitors vs PDRs sent]
GDPR compliance
• Articles 12-14, Information notice
  • Use of icons and simple text to explain: what, how and for what purpose
  • (could be extended to target different demographic groups)
• Articles 4 and 7, Consent
  • Provides a record for both individual and organization
  • Includes data collected under consent
  • (currently only in human-readable format; could be extended with a link to remove consent)
• Articles 17-19, Data erasure and portability
  • Provides a link to contact the Data Controller
  • (could be extended with a link to automatically trigger data erasure or portability; but needs strong identity and identification, Article 29 WP)
Next steps
• Report to be released soon
• Commercial
  • Promote adoption
  • Organizations collecting personal data and needing GDPR compliance
  • SMEs providing personal data management solutions (e.g., e-wallets)
• Technical
  • Understand requirements, formulate and test assumptions, deliver technology to:
    • Provide additional functionalities
    • Simplify adoption (process vs toolkit)
    • Increase scalability (e.g. PDR as a service)
    • Foster interoperability (standardized human and machine readable format)
BSI PAS 4891 – Privacy Labels
• Recommendation on how organizations communicate how they use customers' personal data online
• Define the categories of information
• Provide an initial icons mockup
• Can be used in layered privacy policies (and PDRs)