The conference will contextualise the changing regulatory landscape, considering the business impact of the GDPR and DPA (2018) and how it is changing policy and process in practice.
When GDPR came into force in May 2018 it significantly raised the bar of obligation and accountability, ensuring that all organisations that handle personal data adhere to strict regulations around privacy, security and consent. 18 months on from implementation, the conference will consider how data protection procedure has moved on, with insight from frontline practitioners reflecting on how practices within their organisations have changed.
The event will also provide an update from the regulator, exploring regulatory action policy, decision making for fines and penalties, and clarifying some of the most prominent areas of misconception and non-compliance.
Core conference topics include:
• Key legal issues and obligations
• Data security and encryption
• Privacy Impact Assessments
• Databases, data mapping and classification
• Privacy by design
• Practical strategy implementation
1. WELCOME TO DIGIT’S 3RD ANNUAL DATA PROTECTION SUMMIT 2019
EDINBURGH - DYNAMIC EARTH - TUESDAY 10TH DECEMBER
@digitfyi #DPscot
2. DELEGATE WIFI
Network: delegates
Password: OneTrust19
CONFERENCE APP
Mobile App
1. Go to your app store
2. Search CC Events
3. Download and register
4. Enter our event code: digitevents
Web App
Open your mobile/laptop web browser and enter:
digiteventsapp.co.uk
DRINKS RECEPTION
3.40pm – 4.30pm in the Exhibition area
iOS (Apple) – point your phone’s camera at the QR code above
Android – download a free QR scanner, then point it at the code above
GET THE OFFICIAL EVENT APP TO ENHANCE YOUR DAY.
5. 2020 EVENTS
MORE
28TH MAY DIGIT LEADERS
18TH JUNE INTELLIGENT AUTOMATION
29TH & 30TH SEPT FINTECH + AWARDS
24TH NOV DIGIT EXPO
8TH DECEMBER DATA PROTECTION SUMMIT
www.digifutures.co.uk
www.scot-secure.com
www.digitalenergyscot.com
21. Myth 1
Consent is the only option!
• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests
22. Myth 2
You have to report every breach
▪ Only applies to personal data breaches as per the definition in GDPR
▪ Only reportable where it is likely there is a risk to people’s rights and freedoms
▪ Report within 72 hours of breach discovery – includes evenings/weekends/bank holidays (not just working hours)
▪ Provide the information set out in Art 33 of the GDPR, where feasible
23. Myth 3
We have to see every DPIA
Only consult when you have identified a high risk which cannot be mitigated
We need:
▪ A description of the respective roles and responsibilities of any joint controllers or processors;
▪ The purposes and methods of the intended processing;
▪ The measures and safeguards taken to protect individuals;
▪ The contact details of your DPO (if you have one); and
▪ A copy of the DPIA.
We may:
▪ Tell you that you can proceed
▪ Suggest other mitigations
▪ Issue a warning or otherwise limit your processing
24. Myth 4
We are your DPO!
Your DPO will:
▪ Inform and advise you how to comply with the GDPR
▪ Monitor compliance with the GDPR and other DP laws
▪ Raise awareness of your internal data protection policies
▪ Advise on, and monitor, data protection impact assessments
▪ Be the first point of contact for the ICO and data subjects
29. Practitioner Observations on the Evolving Data Protection Landscape
EVIE KYRIAKIDES
CHIEF DATA PROTECTION & CHIEF PRIVACY OFFICER
MARS INCORPORATED
30. Overview
1. The evolving privacy and data protection landscape, trends, and observations
2. How have trust, privacy and customer expectation shifted
3. Tips for Boards and Business Leaders
Disclaimer: The views expressed in this presentation are those of the presenter and do not represent Mars Incorporated.
33. Regulatory Change Considerations
1. General Data Protection Regulation & California Consumer Privacy Act – China, Russia, SE Asia, LGPD, and more to come
2. The Speed of Change
3. Data transfers
37. Trust, privacy and customer expectations have shifted!
GDPR
CCPA
Cambridge Analytica
38. How business can control the shift
1. View privacy as a differentiator
2. Data minimization
3. Technology
4. Clear communication
39. Privacy as a brand differentiator
1. Encourage trust and brand loyalty
2. Establish the new status quo
3. Encourage consumers to tie together trust in the product with trust in data protection
42. Consider Impact on Operations
❖ Policies and procedures relating to data security and privacy
❖ Employment, supplier, customer and other third-party contracts
❖ IT systems dealing with data storage, transfer and security
❖ Compliance programs and procedures, including ongoing monitoring
❖ Preparedness plans for a data breach and related regulatory and reputational issues
❖ Assess capabilities to identify and respond to the policy developments unfolding at the state and federal levels in the US and around the globe
43. Helpful Actions
❖Adapt thinking to consider privacy
❖Prepare to hire professionals
❖Evolve and maintain a consistent approach to privacy
❖Update policies
57. FINES: THE REGULATORS TAKE THE GLOVES OFF…
● British Airways hit with a notice of intent to fine for £183M.
● Marriott International also received a notice of intent to fine for £99M.
● 22 fines during the 12 months up to 31 March 2019 totalling £3,010,610 – all fines under the Data Protection Act 1998.
● Approx. 128 fines to date throughout Europe
● Security breaches continue to dominate, but the first fines for transparency breaches emerge….
58. TRANSPARENCY A GREATER FOCUS
● Privacy notices are the “gateway” to compliance.
● An area of greater focus for supervisory authorities, with enforcement action taken against:
Google – CNIL issued a 50M euro fine for inaccessible notices (5/6 layers of info) and unclear processing information.
La Liga – Spanish authority issued a 250k euro fine for use of the microphone on mobile devices via its mobile app – lack of awareness of users.
59. BOUNTY (UK) LIMITED – FINED £400K (PRE-GDPR)
● 14M individuals affected (35M records)
● ICO found breaches of the first data protection principle:
○ Lack of transparency – insufficient information given in relation to third parties that received data from Bounty (e.g. Sky, Equifax and third party marketing agencies);
○ Lack of fairness – failed to consider reasonable expectations and the only justification seemed to be financial gain; and
○ Consent was not specific or informed. Offline registrations gave no choice.
● Significant decision for the data brokerage industry.
60. DO WE “LIKE” THIS ANYMORE?
FASHION ID CASE
The ECJ found that FashionID could be considered a joint controller of personal data collected by Facebook’s “Like” button to the extent that they jointly determined the purposes and means for which data was collected by the “Like” button.
This appeared NOT to be limited to (a) collecting personal data via the “Like” button, and (b) transferring it to Facebook so that Facebook could display that items had been ‘liked’.
○ Consent may be needed, but this is a question of fact.
○ Privacy notices need to be carefully considered.
○ Article 26 requires an agreement to be in place between controllers.
61. ….AND FACEBOOK FIGHTS BACK
● Facebook were fined £500,000 by the ICO in July 2018 in the wake of Cambridge Analytica for:
○ Unfair & unlawful processing
○ Monitoring
● Facebook alleged procedural errors, unfairness and bias
● In June 2019 the First Tier Tribunal (FTT) held allegations should be considered in an appeal and asked the ICO to disclose materials on its decision making process
● This was appealed by the ICO in September 2019
● Settlement reached in October 2019:
○ Facebook pays the fine in full with no admission of liability;
○ Both parties withdraw appeals and each pay their own legal costs
62. MITIGATION STRATEGIES - LIAS
● LIAs are increasingly being used by businesses as a risk mitigation measure.
● Used to demonstrate the decision making process when relying on legitimate interests to process personal data, balancing business interests vs the rights and freedoms of data subjects.
● Being sought by privacy rights groups, especially in the marketing space where legitimate interests are relied upon rather than consent.
● Should be embedded within processes and documented in the Register of Processing Activities.
64. HANDLING DATA SUBJECT ACCESS REQUESTS
● 42% of all issues raised with the ICO relate to DSARs. General perception that there is an increase in DSARs, triggered in case of a data breach or issues in the business, e.g. an employment case.
● Technology / rights groups submitting DSARs on behalf of data subjects are increasing. These are disappearing as fast as they are appearing.
● Magnacrest fined in the criminal courts for ignoring a DSAR and failing to comply with an ICO Enforcement Notice.
● Follows similar action against SCL Elections (Cambridge Analytica).
65. ICO DRAFT GUIDANCE ON ACCESS – 4 DECEMBER
● Consider forms that can be submitted electronically
● 2 month extension if:
○ Complex; or
○ Received a number of requests from the individual at the same time
● What is complex?
○ Technical difficulty (electronic archive) (but no ‘technology exemption’)
○ Exemptions applied to large amounts of sensitive information
○ Issues re child and legal guardian
○ Specialist redaction work
Simply a large volume of information does NOT make a request complex
66. ICO DRAFT GUIDANCE ON ACCESS – 4 DECEMBER
● Online portal SARs can be valid if:
○ Don’t have to sign up for a service
○ It is possible to identify the data subject
○ The identity of the third party can be verified
● WHAT IS MANIFESTLY UNFOUNDED OR EXCESSIVE?
○ Individual clearly has no intent to exercise rights – offers to settle
○ Intent to cause disruption is stated / systematic sending of requests (weekly) / unsubstantiated accusations / grudge against an individual
○ Excessive: repeats / overlaps with previous requests
○ Request focused – not individual focused
67. RUDD V BRIDLE 2019 – POST GDPR DSAR DECISION
● Not every stone needs to be turned when searching for documentation. A reasonable and proportionate search is acceptable.
● Exemptions still need to be carefully considered, i.e. they can’t be applied in a broad brush fashion.
● No right to disclosure of documents.
● Requirement to provide information about the processing undertaken as per Article 13(1).
● Categories of recipients do not need to be defined to the extent that you are disclosing the names of the parties, but you do need to factor in giving “any information available” as to the source.
● Purposes of processing can be broadly defined.
69. A RISE IN ‘NUISANCE’ PRIVACY CLAIMS?
● Is privacy the new ‘slip & trip’?
● What damages are likely?
○ Halliday v Creation Consumer Finance (2013): nominal damages of £1 – no evidence of distress from non-compliance
○ AB v MoJ (2014): £2250 for distress caused by 16 month DSAR delay
○ Art 8 & PECR claims? Watch this space…
70. CLASS ACTIONS: THE SCOPE WIDENS
● Lloyd v Google 2019
○ Court of Appeal held that damages are, in principle, capable of being awarded for loss of control of data under the DPA, without proving pecuniary loss or distress.
○ Claimant sued in a representative capacity on behalf of a class of other residents of England and Wales who were also said to have been affected.
○ English “opt out” style class action.
71. CLASS ACTIONS: THE NEW NORM?
● Morrisons is currently under appeal to the UK Supreme Court, which will consider:
○ Can vicarious liability be excluded for data protection matters
○ Can vicarious liability be excluded for common law privacy breaches
…in Morrisons there was no ICO enforcement action
● British Airways?
● Others?
73. E-PRIVACY REGULATION
● Key changes as at 4 Oct 2019 following European Presidency Draft:
○ Soft opt-in will be narrowed to “purchased” goods and services;
○ Shorter timeline applied to how long you can rely on the right – to be agreed by member states
○ B2B marketing impacted.
74. NEW ICO GUIDANCE
● ICO expects consent to meet GDPR standards in new guidance focussed on cookies and other tracking technology used in most websites and apps.
● Strictly necessary cookies do not need consent but need to be included in a cookie policy.
○ Security cookies.
○ Shopping basket cookies.
● Anything else needs GDPR consent.
● Pre-set options (e.g. sliders, pre-ticked boxes) are not acceptable.
● Conflicts with CNIL guidance – a challenge for international business.
● European Court of Justice (Planet 49 case) confirmed the approach, in effect outlawing pre-ticked boxes. Spanish supervisory authority also fined Vueling 30,000 euros for failure to give granular consent.
76. Solving Mass Data Fragmentation
Alan Gardiner, Group Marketing Director
10th December 2019
77. iomart…
supports 3.4 million bus journeys in the UK every day
underpins £millions of financial trades every minute
protects more than 3 million musical copyrights
helps 700 million football fans support their favourite club
enables 1 million gamers to play online each month
helps deliver local services to over 11 million people
supports the provision of over 150,000 affordable homes
80. The Challenges Organisations Face With Managing Data
[Diagram: secondary data silos (Backup & Recovery, File & Object Servers, Test & Development, Search/Analytics, Archiving/LTR), labelled "1. Fragmentation across silos".]
Confidential & Proprietary
81. The Challenges Organisations Face With Managing Data
[Diagram: the same silos, each broken into its own components (media/master servers, tape, software, appliances, NAS, shares, search software, storage servers, masking copies, policies, indexing software), labelled "2. Fragmentation within silos".]
82. And Cloud Has Just Made It Worse
[Diagram: the silos repeated across Data Centers/ROBOs and Clouds, labelled "1. Fragmentation across silos", "2. Fragmentation within silos", "3. Fragmentation across locations" and "4. Fragmentation from redundant copies".]
83. Mass Data Fragmentation (noun)
mass da·ta frag·men·ta·tion | ˈmas ˈdā-tə frag-mən-ˈtā-shən
Growing proliferation of data spread across a myriad of different locations, infrastructure silos, and management systems that prevents organizations from fully utilizing its value
84. Global Market Study: Fielded By Vanson Bourne
• First of its kind
• 900 respondents
• Senior IT decision makers
• US, UK, Germany, France, Australia, Japan
• Multiple sectors
85. Mass Data Fragmentation: The Critical Challenge
Secondary data is fragmented and is / will become nearly impossible to manage.
86. Data Copies are Multiplying
of organisations have between 4-15 copies of the same data.
87. Data Sprawl is Growing Exponentially
store data between 2-5 public clouds
88. Consequences of Mass Data Fragmentation
Additional Time
It will also consume significantly more time without more effective tools.
89. Consequences of Mass Data Fragmentation
Compliance Risks
of organisations’ leadership are concerned about the level of visibility that the IT team has into secondary data across all sites
96. Introducing The New Architecture for Data Management
One Platform - All workloads & data
One UI - Simple global management
Run Apps & Services - Move compute to data
• DataPlatform powered by SpanFS
• Helios
• Cohesity MarketPlace
97. A Clean Sheet Approach to an Old Problem
Integrated and Efficient
✓ Collapse legacy silos, eliminate copies
✓ Single GUI to manage all apps & data
✓ Policy-based automation
Open and Extensible
✓ Fast self-service access to production data
✓ Easily spin up cloud or DC environments
✓ APIs for custom development/reports
Safe and Compliant
✓ Google-like search for regulated data
✓ Near-instant restore, sub-5 minute RPO
✓ Highly available, non-disruptive
Fast and Flexible
✓ Software-defined, “install & go”
✓ One-click reconfiguration & policy changes
✓ Run apps anywhere across DC/ Cloud/ Edge
99. One Platform for Multiple as-a-Service Offerings
Backup as a Service
Disaster Recovery as a Service
Filer & Object Store aaS
Test/Dev aaS
Cloud Native Backup
Long-Term Retention aaS
File / object access
+ Analytics as a Service - Generate Value from Untapped Data
100. What could be the Rewards?
101. Complete visibility of all your data
Get value and insight from your secondary data
Make sure you’re always compliant
Complete control of all your data
28% thought they would see revenue increase
103. In Summary
• Mass Data Fragmentation is a problem for all of us, and it’s only getting worse
• Gives you back control of your data
• Instant search capability
• Eliminates data silos, copies and sprawl
• It works across your hybrid infrastructure, simplifying everything
• It’s a PAYG model
• Helps ensure compliance
• It lets you drive value from your data
104. For more information download the
Secondary Data Market Study by visiting:
https://info.iomart.com/cohesity-secondary-data-market-report
105. How to deliver effective GDPR training
Megan Kane
GDPR Practitioner
iCaaS GDPR Software
106. Risks of No Training
Why are businesses not delivering it?
• Non-compliance leading to ICO fines
• Data breaches caused by employee error
• Loss of customer trust
• Reputational damage
• Unhappy employees
107. Benefits of Training
Avoid the long term consequences
• Greater consumer confidence
• Strong supply chain
• Compliancy across rights and breaches
• Reduced complaints
• Empowered staff
• Increased alignment of evolving technology
108. Delivery of Training
Making it relevant, a priority and ongoing
• Training is most effective when focused, relevant and role-based
• Train to the necessary level
• Training reflective of your business processing
109. Useful Tips
• Evidence of training
• It’s not a one stop shop - retrain
• Less is more
• Put yourself in their shoes
• Use real life examples
• Use software to assist
114. Debunking GDPR and Data Sharing Myths & Misconceptions
Alice Wilson & Lisa Powell
Data Protection Officer (DPO)
DPO Shared Services
115. GDPR, DPA – our approach to supporting clients
• Team of 8 DPOs
• Regional areas - assigned to FEs and HEs
• Supported clients in preparation of 25th May 2018
• Privacy Notices
• Article 30 Register
• Contracts
• Data Sharing
• Policies and procedures
• Training
• Advice and guidance
116. Data Protection in HE/FE Sector
• Legal Framework
• Staff and Students
• Legitimate Interests
• Data processors
• Data Sharing
• Vulnerable Groups
117. Data Protection in HE/FE Sector
• Research
• Public interest
• Data minimisation
• Anonymisation
• Pseudonymisation
• Big data
118. DPO Shared Services - Benefits
• DPO Shared Services benefits
• Network of experts
• Resources management where large projects involved
• Incident management
• Allows flexibility for absences
• Development of templates, guidance and training
• Economic Savings and Efficiencies
119. DPO Shared Service Team role in Data Sharing Agreements
• Benefits of a team of DPOs
• Lead assigned to liaise with other organisations
• DSAs developed
• Team response on behalf of clients
• Finalised agreements for all clients and stakeholder organisations
120. Supporting clients in Data Sharing
• FEs/HEs share personal data for a variety of reasons
• Government bodies and statutory purposes - e.g:
• Scottish Funding Council
• Skills Development Scotland (SDS)
• Local Authorities and schools
• Colleges sharing with Universities
• Awarding Bodies
121. MYTH BUSTING – Myth 1: Consent
• Lawful basis is new under GDPR
• Consent is the only lawful basis
• I can use another basis as a back up to consent
123. Myth 3: Subject Access Requests
If a SAR concerns a LARGE amount of personal data:
• we can refuse to comply under ‘disproportionate effort’
• it is ‘excessive’ and we can refuse to comply with the request
• Manifestly unfounded or excessive – ICO guidance https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#17
• Narrowing the scope - Recital 63 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/#11
124. Myth 4: Data Protection Impact Assessments
• DPIAs must be done for ALL new projects
• Article 35(1)
• ICO / EDPB – Screening Questionnaire
• These must be signed off by the ICO
• Article 36(1)
125. Myth 5: Data Protection Officer
• Data Protection is the DPO’s responsibility
• Article 39 - tasks of the DPO
• Article 38(6) – other tasks and duties
• Slovenia’s ICO defines DPO’s additional tasks that could result in a conflict of interests https://eurocloud.org/news/article/slovenias-ico-defines-dpos-additional-tasks-that-could-result-in-a-conflict-of-interests/
126. CHANGING PERCEPTIONS – the HEFESTIS way
• Raising staff awareness – eLearning is not the only answer
• Opportunities
• Be creative
132. A drive towards data portability
“[E]ffective privacy and data protection needs a globally harmonized framework… New privacy regulation in the United States and around the world should build on the protections GDPR provides.”
“If you share with one service, you should be able to move it to another”
- Mark Zuckerberg, Washington Post, 30 March 2019.
133. What is the Right to Data Portability?
Art. 20 General Data Protection Regulation:
(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) [consent] or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
(2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
134. Data Portability Today
• Since 2010, Facebook has offered Download Your Information
• We’re confident we can offer people even more control through a new generation of data portability tools that protect privacy and support innovation.
• That’s why we joined the Data Transfer Project.
[Image: Download Your Information]
136. Data Portability and Privacy White Paper
• We recently published a white paper that sets forth five questions about data portability and privacy
• We hope it will help advance a global conversation about what it means to build privacy-protective data portability.
• These are complex questions—we hope to make a small contribution to the existing thought and research from experts around the world.
138. Data Portability & Responsibility
4. How should we protect privacy while enabling portability? What responsibilities, if any, should transferring providers have with respect to (1) requesting users, (2) others whose interests may be implicated by a transfer, and (3) potential recipients of the data?
139. Risks – let’s explore
• Those to requesting users: informed choices; transparency; duty of care beyond the law?
• Those to non-requesting users: data associated with other people; accountability; consent v permissions.
• Potential recipients of personal data – and intermediaries: potential data misuse.
Paucity – Confusion - Contradiction
147. ICO AI Audit Framework
Background
▪ GDPR put much more focus on automated processing and decision making through new technologies such as AI.
▪ It also strengthened individuals' rights (e.g. the right to object to profiling), as well as the ICO's powers (e.g. compulsory audits and fines)
▪ The ICO made AI one of its top three strategic priorities and appointed its first Postdoctoral Research Fellow in AI to develop its AI Auditing framework.
Framework objectives
▪ Develop a solid methodology for the ICO to supervise the use of personal data in AI systems.
▪ Support the development of internal knowledge, capabilities, and toolkits to support the work of the ICO, and in particular the assurance and investigations teams.
▪ Inform additional external guidance for organisations on how to manage data protection risks in AI systems; and support innovation and adoption of “safe” AI.
148. SOME EXAMPLES OF TENSIONS BETWEEN DATA PROTECTION AND AI
Data minimisation and accuracy: large and complex data sets required to train, test and deploy AI systems
Purpose limitation: often based on data collected for another purpose (e.g. crash analytics -> ad targeting)
Transparency and fairness: low interpretability and explainability of complex AI models and applications
Art. 22 restricts fully automated decision making with legal / significant effect: human input slows down and may result in less accurate / consistent decisions
149. 1. GOVERNANCE AND ACCOUNTABILITY
▪ RISK APPETITE
▪ LEADERSHIP ENGAGEMENT AND OVERSIGHT
▪ DATA PROTECTION BY DESIGN AND DEFAULT
▪ MANAGEMENT AND REPORTING STRUCTURES
▪ COMPLIANCE AND ASSURANCE CAPABILITIES
▪ POLICIES AND PROCEDURES
▪ DOCUMENTATION AND AUDIT TRAILS
▪ TRAINING AND AWARENESS
2. AI-SPECIFIC RISK AREAS
▪ FAIRNESS AND TRANSPARENCY IN PROFILING
▪ ACCURACY
▪ FULLY AUTOMATED DECISION MAKING MODELS
▪ SECURITY AND CYBER
▪ TRADE-OFFs
▪ DATA MINIMISATION AND PURPOSE LIMITATION
▪ EXERCISE OF RIGHTS
▪ IMPACT ON BROADER PUBLIC RIGHTS
150. AI-SPECIFIC RISK AREAS
FAIRNESS AND TRANSPARENCY IN PROFILING
▪ Bias and discrimination
▪ Sensitive inferences
▪ Interpretability of AI systems
▪ Explainability of AI decisions to data subject (ICO project ExplAIn)
ACCURACY
▪ Accuracy of AI outputs and performance measures
FULLY AUTOMATED DECISION MAKING MODELS
▪ Meaningful human review in non-fully automated decision making AI systems
▪ Human review of decisions made by fully automated decision making AI systems
SECURITY AND CYBER
▪ Testing and verification challenges and model integrity
▪ Privacy attacks on Machine Learning models
▪ Existing security risks exacerbated by the use of AI
TRADE-OFFs
▪ Trade-offs between:
- Precision vs recall
- Accuracy vs privacy
- Fairness vs accuracy
- Fairness vs privacy
- Accuracy vs generalisability
DATA MINIMISATION AND PURPOSE LIMITATION
▪ Managing training data
▪ Re-using AI models for new purposes
EXERCISE OF RIGHTS
▪ Right to:
- Be forgotten (right to erasure)
- Data portability
- Have inaccurate data corrected
IMPACT ON BROADER PUBLIC RIGHTS
▪ Public legitimacy
▪ Autonomy
▪ Freedom of association
▪ Freedom of speech
▪ Individual distress: offensive ad targeting
OVERALL RISK MANAGEMENT CONSIDERATIONS AND COMMON THEMES ACROSS FRAMEWORK ELEMENTS (E.G. OUTSOURCING RISKS)
151. Where next for the AI framework?
Timeline
Call for input through ICO dedicated microsite: March – October 2019
Formal consultation: January 2020
AI Framework finalisation and external guidance published: Spring 2020
AIAuditingFramework@ico.org.uk
153. CALUM LIDDLE
EEA DATA PROTECTION MANAGER
Facebook
@InfoGovScotland
ALICE WILSON
DPO
HEFESTIS
ALI SHAH
HEAD OF TECHNOLOGY POLICY
@ICOnews
ICO
MARK STEPHEN
JOURNALIST & BROADCASTER
@markstephen60
BBC Scotland
ELIZABETH FAIRLEY
COO AND CO-FOUNDER
@EFBServices
Talking Medicines
PAUL SHERRARD
SR PROPOSITION AND DATA
PROTECTION MANAGER
@StandardLifeUK
Standard Life Assurance, part
of the Phoenix Group
@digitfyi #DPscot