Upon completion of this module you will:
- Be able to recognize the necessity of regulating big data
- Understand the difference between privacy and data protection
- Know how to implement actions of data protection into your own (future) company
Duration of the module: approximately 1 – 2 hours
Age Friendly Economy - Legislation and Ethics of Data Use
Module 4: Legislation
1. How about Ethics?
– Ethics of Big Data
– Aspects of Big Data Ethics
2. Legislation
– Privacy vs. Data Protection
3. GDPR
– The Basics of GDPR
– Individual Rights
– GDPR Implementation
4. Legal Glossary
This programme has been funded with support from the
European Commission. The author is solely responsible for
this publication (communication) and the Commission
accepts no responsibility for any use that may be made of
the information contained therein.
HOW ABOUT ETHICS?
AGE FRIENDLY ECONOMY | FUTURE OPPORTUNITIES FOR SMES
1. Ethics of Big Data
2. Aspects of Big Data Ethics
With the increase of computing power,
electronic devices and accessibility to the
Internet, more data than ever is being
produced, collected and transmitted.
Nowadays Big Data is big enough to raise
practical rather than merely theoretical
concerns about ethics. Big data itself, like all
technology, is ethically neutral.
The use of big data, however, is not.
Data can be either useful or
perfectly anonymous but never
both.
Paul Ohm
Collecting and analysing big data has become a powerful way to unlock
actionable insights across any business, but it also brings with it some
concerns about big data ethics that need to be addressed.
Because accessing and storing data is so easy, some organizations collect
everything and keep it forever. It is not just the large governmental
agencies collecting data like this; many major grocery store chains,
investment banks and even the postal services have a predictive
analytics function with the sole purpose of collecting and analyzing data
in order to predict buyer behavior.
QUESTIONS FOR STUDENTS
What if all this data collection takes a negative turn?
ETHICS OF BIG DATA
Aspects Of Big Data Ethics
Big data is already outpacing our ability to understand its implications.
Businesses are innovating every day, and the pace of big-data growth is
practically immeasurable. To provide a framework for dissecting the
often nuanced and interrelated aspects of big data ethics, the following
key components can help untangle the situation.
- Identity
- Privacy
- Ownership
- Reputation
“Is online existence identical to offline existence?”
If our historical understanding of what identity means is being
transformed by big-data technologies, then understanding our values
around the concept itself enhances and expands our ability to
determine appropriate and inappropriate action.
Big data provides others the ability to quite easily summarize,
aggregate, or correlate various aspects of our identity—without our
participation or agreement.
If big data is evolving the meaning of the concept of identity itself, then
big data is also evolving our ethical relationship to the concept the
word represents.
“Who should control access to data about you?”
Plenty of people would argue that we have gained a degree of control over how the world
perceives us, e.g. victims of abuse or people who suffer from the same disease can share
their experiences and gain an invaluable sense of connection and community through the
use of anonymous online identities.
But, have we lost or gained control over our ability to manage how the world perceives
us?
There are two issues.
First, does privacy mean the same thing both online and offline in the real world?
Second, should individuals have a legitimate ability to control data about themselves, and to what degree?
Why do we expect the ability to self-select and control which facets we share with the
world online to be the same as it is offline? The difference between online and offline
expectations regarding the degree of control individuals have over open access to data
about themselves is a deeply ethical inquiry.
The goal is to understand how to balance the benefits of big-data innovations with the
risks inherent in sharing more information more widely.
“What does it mean to own data about ourselves?”
The degree of ownership we hold over specific information about us
varies as widely as the distinction between privacy rights and privacy
interests.
Does the information about our family history, genetic makeup, and
physical description, preference for Coke or Pepsi, or ability to shoot
free throws on the basketball court constitute property that we own?
As open data markets grow in size and complexity, open government
data becomes increasingly abundant, and companies generate more
revenue from the use of personal data, the question of who owns
what—and at what point in the data trail—will become a more vocal
debate.
“How can we determine what is trustworthy?”
One of the biggest changes born from big data is that now the
number of people who can form an opinion about what kind of
person you are is exponentially larger and farther removed than it
was even a few short years ago. And further, your ability to manage or
maintain your online reputation is growing farther and farther out of
individual control. There are entire companies now whose entire
business model is centered on “reputation management”. We simply
don’t know how our historical understanding of how to manage our
reputation translates to digital behavior.
At a minimum, this is sufficient reason alone to suggest further inquiry.
Privacy on the
internet? That's an
oxymoron.
Catherine Butler
LEGISLATION
1. Privacy vs. Data Protection
Most users have been unaware of the
volume of personal data retained by entities
for various purposes. This is beginning to
change as awareness of the data privacy
debate is increasing. The two trends—
increasing popularity of big data and
increasing awareness of data privacy—
are beginning to come to a head and
companies that intend to capitalize on this
era of big data need to be conscious about
and address these basic ethical concerns.
PRIVACY vs. DATA PROTECTION
Is there any difference?
YES
• Privacy relates to the appropriate use
and control of data
• Data privacy protocols around the world
address the control people have over
their personal data and how they can
protect it from unwanted or harmful
uses
• It covers issues such as: what type of
data will be processed, where will it be
held, how long will it be held for
• Privacy applies whenever the data is:
- Collected
- Processed
- Stored
and relates to a living individual
person who can be identified by that data.
• Data protection relates to the
confidentiality, availability and
integrity of data
• It focuses on two main areas –
the physical security of premises
and the logical security of data
and digitized information
• It covers issues such as: the
confidentiality, integrity and
availability of data, the
protection of networks, the
physical security of sites,
equipment, transport and
people
Data privacy, also called
information privacy, is the
aspect of information
technology that deals with
the ability an organization or
individual has to determine
what data in a computer
system can be shared with
third parties.
PRIVACY
EU data protection rules mean that your personal data can only be
processed in certain situations and under certain conditions, such
as:
– if you've given your consent (you must be informed that your data is
being collected)
– if data processing is needed for a contract, for a job application or a loan
request
– if there is a legal obligation for your data to be processed
– if processing is in your 'vital interest', e.g. a doctor needs access to your
private medical data
– if processing is needed to carry out tasks in the public interest or tasks
carried out by government, tax authorities, the police or other public
bodies
Personal data about your racial or ethnic origin, sexual orientation, political
opinions, religious or philosophical beliefs, trade-union membership or
health may not be processed except in specific cases (e.g. when you've
given explicit consent or when processing is needed for reasons of
substantial public interest, on the basis of EU or national law). These rules
apply to both public and private bodies.
Collection and processing of personal data
Data protection is the
process of safeguarding important
information from corruption,
compromise or loss. The
importance of data protection
increases as the amount of data
created and stored continues
to grow at unprecedented
rates.
DATA PROTECTION
Data protection applies whenever we deal with 2 types of information:
Personally Identifiable Information (PII)
...is data which relates to a living individual who can be identified:
• from that data, or
• from that data and other information which is in the possession of the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive Personal Information (SPI)
...is PII data, consisting of information as to:
• the racial or ethnic origin of the data subject,
• his political opinions,
• his religious beliefs or other beliefs of a similar nature,
• whether he is a member of a trade union,
• his physical or mental health or condition,
• his sexual life,
• the commission or alleged commission by him of any offence.
It is no exaggeration to say that we are
nothing more than a collection of data to
most of the institutions—and many of the
people—with whom we deal.
Big data poses enormous challenges for
data protection, both by processors and
regulators. It simultaneously changes the
context and raises the stakes for data
protection.
With an increasing number of data breaches splashed across front page news, companies have good reason to take security seriously.
Impact: 145 million users compromised
Details: The online auction giant eBay reported a cyber attack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.
Impact: 3 billion user accounts
Details: In September 2013 Yahoo announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. The company said the "vast majority" of the passwords involved had been hashed using the robust bcrypt algorithm.
Impact: Credit/debit card information and/or contact information of up to 110 million people compromised.
Details: The breach of Target customers began before Thanksgiving, but was not discovered until several weeks later. The retail giant initially announced that hackers had gained access through a third-party HVAC vendor to its point-of-sale (POS) payment card readers, and had collected about 40 million credit and debit card numbers.
GDPR
1. The Basics of GDPR
2. Individual rights
3. Implementation of GDPR
As we were approaching this Big Data industrial revolution,
the laws governing its protection had reached a point where
they were a bit like an old operating system: in need of an
update, or they would have become unfit for purpose. Each
country, concerned about citizens’ personal data, big data
analytics and security, was attempting to come up with its
own legislation to control data. In the European Union
companies have to follow the GDPR legislation.
THE BASICS OF GDPR
The General Data Protection Regulation (GDPR) is a single set of legislation across Europe that gives individuals better control of their personal data.
- What is the GDPR?
- Why was the GDPR drafted?
- When will the GDPR apply?
- Who does the GDPR apply to?
- When can I process data under the GDPR?
- What are the consequences of not acting by GDPR?
The EU's General Data Protection Regulation (GDPR) is the
result of four years of work by the EU to bring data protection
legislation into line with new, previously unforeseen ways that
data is now used.
Currently, the UK relies on the Data Protection Act 1998,
which was enacted following the 1995 EU Data Protection
Directive, but this will be superseded by the new legislation. It
introduces tougher fines for non-compliance and breaches,
and gives people more say over what companies can do with
their data. It also makes data protection rules more or less
identical throughout the EU.
Firstly, the EU wants to give people
more control over how their personal
data is used.
By strengthening data protection
legislation and introducing tougher
enforcement measures, the EU hopes
to improve trust in the emerging
digital economy.
Secondly, the EU wants to give
businesses a simpler, clearer legal
environment in which to operate,
making data protection law identical
throughout the single market.
When will the GDPR apply?
The GDPR will apply automatically in all EU
member states from 25 May 2018.
While the overwhelming majority of IT
security professionals are aware of GDPR,
just under half of them are preparing for its
arrival, according to a snap survey of 170
cyber security staff by Imperva. Just 43%
are assessing GDPR's impact on their
company and changing their practices to
stay in step with data protection
legislation, Imperva found.
'Controllers' and 'processors' of data need to abide by the
GDPR.
A data controller states how and why personal data is
processed, e.g. a government, while a processor is the party
doing the actual processing of the data, e.g. an IT firm.
Even if controllers and processors are based outside the EU,
the GDPR will still apply to them so long as they're dealing
with data belonging to EU residents.
It's the controller's responsibility to ensure their processor
abides by data protection law and processors must
themselves abide by rules to maintain records of their
processing activities. If processors are involved in a data
breach, they are far more liable under GDPR than they were
under the Data Protection Act.
Once the legislation comes into effect, controllers must
ensure personal data is processed lawfully, transparently, and
for a specific purpose. Once that purpose is fulfilled and the
data is no longer required, it should be deleted.
What are the consequences of not acting by GDPR?
Penalties for violation of record keeping, security, breach
notifications and privacy impact assessment are the greater of
$10 million or 2% of the entity's global gross revenue.
Penalties for violations of legal justification for processing
(consent), data subject rights and cross-border data transfers
are the greater of $20 million or 4% of the entity's global gross
revenue.
INDIVIDUAL RIGHTS
A key part of the regulation requires consent to be given by the
individual whose data is held.
Organisations will need to be able to show how and when
consent was obtained. This consent does not need to be explicitly
given; it can be implied by the person's relationship with the
company.
However, the data obtained must be for specific, explicit and
legitimate purposes.
Individuals must be able to withdraw consent at any time and
have a right to be forgotten; if their data is no longer required for
the reasons for which it was collected, it must be erased.
The right to be informed
- The right to be informed
encompasses your obligation
to provide ‘fair processing
information’,
typically through a privacy
notice.
- It emphasizes the need for
transparency over how you
use personal data
The right of access
- Individuals have the right
to access their personal
data and supplementary
information.
- The right of access allows
individuals to be aware of
and verify the lawfulness
of the processing.
The right to rectification
- The GDPR gives individuals
the right to have personal data
rectified.
- Personal data can be
rectified if it is inaccurate or
incomplete.
The right to erase
- The right to erasure is also known
as ‘the right to be forgotten’.
- The broad principle underpinning
this right is to enable an individual
to request the deletion or
removal of personal data where
there is no compelling reason for
its continued processing.
The right to restrict processing
- Individuals have a right to ‘block’ or suppress processing of personal data.
- When processing is restricted, you are permitted to store the personal data, but not further process it.
- You can retain just enough information about the individual to ensure that the restriction is respected in future.
The right to data portability
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to object
- Data Protection gives people the right to object to the use of their personal information in certain circumstances.
- You have the right to object to your data being used for direct marketing.
Rights in relation to automated decision making and profiling
- The GDPR has provisions on: automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual).
- Profiling can be part of an automated decision-making process.
GDPR IMPLEMENTATION
Companies are required to implement appropriate technical and organisational measures in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development.
12 steps you can take in your company to implement GDPR:
- AWARENESS
- INFORMATION YOU HOLD
- COMMUNICATING PRIVACY INFORMATION
- INDIVIDUAL RIGHTS
- SUBJECT ACCESS REQUESTS
- LAWFUL BASIS FOR PROCESSING PERSONAL DATA
- CONSENT
- CHILDREN
- DATA BREACHES
- DATA PROTECTION OFFICERS
- INTERNATIONAL
1. AWARENESS
You should make sure that
decision makers and key
people in your organization
are aware of GDPR and they
appreciate the.
Implementing the GDPR
could have significant
resource implications,
especially for larger and more
complex organizations.
You may find compliance
difficult if you leave your
preparations until the last
minute.
2. INFORMATION YOU HOLD
You should document what
personal data you hold, where it
came from
and who you share it with. GDPR
requires you to maintain records
of your processing activities.
You can’t confirm that data is
correct or that your organisation
is in compliance unless you know
what personal data you hold,
where it came from and who you
share it with. You should
document this. Doing this will
also help you to comply with the
GDPR’s accountability principle,
which requires organisations to
be able to show how they comply
with the data protection
principles, for example by having
effective policies and procedures
in place.
3. COMMUNICATING PRIVACY INFORMATION
You should review your current
privacy notices and put a plan in
place for making any necessary
changes in time for GDPR
implementation. Currently when
collecting data you must give
people certain information, e.g.
identity and intended use.
This is usually done through a
privacy notice. There will now be
additional requirements.
4. INDIVIDUAL RIGHTS
Check your procedures to ensure they
cover all the rights individuals have.
The GDPR includes the following
rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to
automated decision-making including
profiling.
5. SUBJECT ACCESS REQUESTS
You should update your procedures and plan how you will handle requests to take account of the new rules:
- In most cases you will not be able to charge for complying with a request.
- You will have a month to comply, not the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy.
You must do this without undue delay and at the latest, within one month.
6. LAWFUL BASIS FOR PROCESSING PERSONAL DATA
You should identify the lawful basis for your processing activity in GDPR and update your privacy notice to explain it.
Under the GDPR some individuals’ rights will be modified depending on your lawful basis for processing their personal data.
The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing. You will also have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request.
7. CONSENT
You should review how you seek,
record and manage consent and
whether you need to make any
changes. Refresh existing
consents now if they don’t meet
the GDPR standard.
You should read the guidance the
ICO has published on consent under
the GDPR, and use our consent
checklist to review your practices.
Consent must be freely given,
specific, informed and
unambiguous.
8. CHILDREN
Do you need to put systems in place to
verify individuals’ ages or to obtain
parental consent?
GDPR will bring in special protection
for children’s personal data,
particularly in the context of
commercial internet services such as
social networking.
The GDPR sets the age when a child
can give their own consent to this
processing at 16. If a child is younger,
then you will need to get consent from
a person holding ‘parental
responsibility’. This could have
significant implications if your
organisation offers online services to
children and collects their personal
data.
9. DATA BREACHES
You should make sure you have the
right procedures in place to detect,
report and investigate a personal data
breach.
GDPR introduces a duty on all
organisations to report certain types of
data breach to the ICO, and in some
cases, to individuals.
You should put procedures in place to
effectively detect, report and
investigate a personal data breach.
You may wish to assess the types of
personal data you hold and document
where you would be required to notify
the ICO or affected individuals if a
breach occurred. Larger organisations
will need to develop policies and
procedures for managing data
breaches. Failure to report a breach
when required to do so could result in
a fine, as well as a fine for the breach
itself.
10. DATA PROTECTION OFFICERS
You should designate someone to take
responsibility for data protection
compliance.
You may need to designate a DPO.
It is most important that someone in
your organisation, or an external data
protection advisor, takes proper
responsibility for your data protection
compliance and has the knowledge,
support and authority to carry out their
role effectively.
11. DATA PROTECTION OFFICERS
You should consider whether you are
required to formally designate a Data
Protection Officer (DPO). You must
designate a DPO if you are:
- a public authority (except for courts
acting in their judicial
capacity);
- an organisation that carries out the
regular and systematic
monitoring of individuals on a large scale;
or
- an organisation that carries out the
large scale processing of special
categories of data, such as health
records, or information about criminal
convictions. The Article 29 Working Party
has produced guidance for organisations
on the designation, position and tasks of
DPOs.
12. INTERNATIONAL
If your organisation operates in more
than one EU member state, you should
determine your lead data protection
supervisory authority and document this.
The lead authority is the supervisory
authority in the state where your main
establishment is. Your main
establishment is the location where your
central administration in the EU is or else
the location where decisions about the
purposes and means of processing are
taken and implemented.
No matter what volumes of data they’re
dealing with, it’s crucial for businesses to
get a good handle on where their data is,
how it’s stored and who has access to it.
The GDPR comes at a time when
customer expectations have never been
higher over the privacy of their data.
Putting the power back into the hands of
customers can only serve the businesses
who rely on them, helping to build a far
more positive relationship and engender
consumer trust.
LEGAL GLOSSARY
PERSONAL DATA
Any information relating to a person who can be identified,
directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, online
identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social
identity of that person.
CONTROLLERS
Owners of the data, who are responsible for data protection and
make sure processors are compliant.
PROCESSORS
Work with the data and have to take responsible actions with
the data. The relationship between Controllers and Processors
must be documented.
PROFILING
Any automated processing of personal data to determine
certain criteria about a person.
BREACH AND NOTIFICATION
A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or
access to, personal data transmitted, stored or otherwise
processed.
DATA SUBJECT ACCESS REQUESTS
The right of the individual to understand what is stored and
how it is used.
DATA PROTECTION OFFICERS
Public Authorities who have expert knowledge on data
protection laws. They deal with a large scale processing of
special types of personal data.