analyzing gdpr compliance through the lens of privacy
play

Analyzing GDPR Compliance Through the Lens of Privacy Policy - PowerPoint PPT Presentation

Feb 03, 2023 •129 likes •500 views

Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman, Vijay Chidambaram General Data Protection Regulation (GDPR) Respect the rights of data owner Personal Gathered legally, Protect it from Data

  1. Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman, Vijay Chidambaram

  2. General Data Protection Regulation (GDPR) Respect the rights of data owner Personal Gathered legally, Protect it from Data for a purpose misuse/exploitation Non-compliance can result in hefty fines and penalties

  3. 2019 : The year of enforcement! Taxa 4x35 ( $180 K) Google ( $55 million) Haga Hospital ( $550 K) March 2019 Jan 2019 July 2019 No timely deletion Lack of explicit consent Lax controls over logging and transparency and access Mariott British Airways ( $124 million) ( $230 million) July 2019 July 2019 Poor data security Poor data security

  4. 2019 : The year of enforcement! Taxa 4x35 ( $180 K) Google ( $55 million) Haga Hospital ( $550 K) March 2019 Jan 2019 July 2019 No timely deletion Lack of explicit consent Lax controls over logging and transparency and access Mariott British Airways ( $124 million) ( $230 million) July 2019 July 2019 Poor data security Poor data security

  5. Transparency Google ( $55 million) Jan 2019 Lack of explicit consent and transparency

  6. What GDPR Requirements did Google fail to meet? “L “Lack of transparency, inadequate information and lack of valid consent regard re rding a ads p pers rson onali lization on” Transparency GDPR Article 12 The controller sha The hall take appropriate measures to provide any information… re relat lating to o proce rocessing to o the dat ata a subject ct in a a con conci cise, , tran ranspare arent, , intelli lligible le an and ea easily a acces essible f e form, u using ng c clea ear a and p plain l language. e. Clear and Concise Privacy Policy

  7. Privacy Policy Ask consent and establish user rights via privacy policy Data Processor/ Controller Users/ Customers

  8. Privacy Policy Long Use jargons Difficult to comprehend How can users consent to their personal-data use if they cannot read/understand privacy policies?

  9. Main takeaways 1. What are the key information any GDPR compliant system should provide to its user in a straight-forward way? 2. Identifying GDPR dark patterns : Case study of privacy policy of 10 popular cloud services 3. A systems perspective on solving GDPR dark patterns

  10. Main takeaways 1. What are the key information any GDPR compliant system should provide to its user in a straight-forward way? 2. Identifying GDPR dark patterns : Case study of privacy policy of 10 popular cloud services 3. A systems perspective on solving GDPR dark patterns

  11. Outline • GDPR-compliant privacy policy • Case study of privacy policy of 10 cloud services • GDPR dark patterns • Future directions

  12. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  13. GDPR Compliant Privacy Policy 1 WHO uses the collected data Processing Entities : The source of data, and the entities with whom data is shared.

  14. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 Data categories: Attributes of personally identifiable information collected

  15. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 3 WHY is the data being collected Purpose: The legal basis for collection and processing of each data category

  16. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 3 WHY is the data being collected 4 WHEN will the collected data expire and be deleted Retention: The policy or period of retention for each data category

  17. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 3 WHY is the data being collected 4 WHEN will the collected data expire and be deleted 5 HOW can a user exercise control over his/her data User controls: How can users access/enforce their rights over data

  18. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 3 WHY is the data being collected 4 WHEN will the collected data expire and be deleted 5 HOW can a user exercise control over his/her data 6 DOES the controller ensure safety of user data Data Protection: Measures taken to ensure safety and protection of user data

  19. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 3 WHY is the data being collected 4 WHEN will the collected data expire and be deleted 5 HOW can a user exercise control over his/her data 6 DOES the controller ensure safety of user data 7 DOES the controller appropriately notify users of changes in policy Policy updates: Notify users appropriately of changes to privacy policy and ask consent

  20. GDPR Compliant Privacy Policy 1 WHO uses the collected data WHAT personally identifiable data is collected 2 3 WHY is the data being collected 4 WHEN will the collected data expire and be deleted 5 HOW can a user exercise control over his/her data 6 DOES the controller ensure safety of user data 7 DOES the controller appropriately notify users of changes in policy

  21. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  22. Purpose Controls Protection Updates Processing Data Retention Bloomberg Onavo Instagram Uber edx Snapchat icloud Whatsapp Flybe Metro bank

  24. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  25. GDPR Dark Patterns Oftentimes we simply click ‘I agree’. What are we signing up for ? • 4 common dark-patterns in cloud service

  26. 1. User rights : All or Nothing One checkbox to access all services Deactivate account to object to processing any piece of collected info No fine-grained control over personal data Uber’s Privacy Policy “U “Uber may continue to process your information notwiths hstanding the he objection to the extent permitted under GD GDPR” edx’s Privacy Policy “Deleting user information does not apply to "hi “D historical activity logs or arch archive ves unle less an and until l these log logs an and dat ata a nat aturally rally ag age-of off ”

  27. 2. Purpose bundling Promotions Ads Affliates • No option to opt of specific services • All the processing is bundled into one Services consent box Instagram: “Our Service Providers will be given access to your information as is re reas ason onab ably ly necessary to provide the Service under re reas ason onab able le confidentiality terms” Google was fined $55 Million for a similar charge “Go Google’s consent flow doesn’t comply with the GD GDPR according to the CNIL. L. By default, Go Google really pushes you to sign in or sign up to a Go Google account. The com accou compan any tells lls you ou that at you our r exp xperi rience ce will ll be wors orse if you ou don’t have a Go Google account. According to the CNIL, L, Go Google should separate the actio se ion of creatin ing an account from the actio ion of se settin ing up a device — consent bundling is illegal under the GD de GDPR.”

  28. 3. Notifications • Notify users of changes in privacy policy by appropriate means • Ask for consent to the modified policy • Show users the new additions to privacy policy instead of asking them to accept the new terms by reading the entire policy document Edx, Bloomberg ”Label the Privacy Policy as "Revised (date)[...]. By accessing the Site after any changes have been made, you accept the modified Privacy Policy and any changes contained therein"

  29. 4. Data Protection Many services including Uber and Onavo state nothing about data protection strategies used ( encryption ) or international transfer policies Highest GDPR fine so far was levied on British Airways for negligent data protection UK Information Commissioner on BA fine : “P “People’s personal data is just tha hat – pe personal. Wh When an org organ anisat ation on fa fails to protect it fr from loss, da damage or theft ft it is mo more than an inconvenience. That’s ’s wh why the law w is clear – wh when you are entrusted wi with personal data you mu must look after af r it. Thos ose that at don on’t will ll face ace scru crutiny from rom my of office ce to o ch check ck they have ave take aken ap approp ropri riat ate steps to o prot rotect ct fun fundamental privacy rights.”

  30. Outline • GDPR-compliant privacy policy • Case study • GDPR dark patterns • Future directions

  31. Is it enough if companies get their privacy policy right? Are users able to enforce their rights that the privacy policy claims to provide?

  35. Enable users a hassle-free control over their personal data GDPR-compliant systems Simple, straight-forward privacy policies Write clear, concise privacy policies Understand how GDPR affects the design and operation of Internet companies [Seven GDPR Sins : HotCloud’19] Translate these to the need for infrastructural Tools to parse and identify GDPR compliance and changes user rights from a privacy policy [Impact of GDPR on Storage Systems: HotStorage’19] [Polisis: Security’18]

  36. Security & Policy Privacy Access Control Systems

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations

something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations

Privacy is no longer something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations Statistics from EY Surveys Page 2 When is privacy not something to keep quiet about? Data protection and data privacy compliance

884 views • 24 slides
How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

WEBINAR How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security for API-based Services Welcome and Introductions Elias Terman Chandan Golla Shan Zhou VP of Global Marketing Head of Product Management

506 views • 34 slides
Ian Bernhardt Head of Governance & Compliance GDPR: The Journey Today Privacy Notice v What

Ian Bernhardt Head of Governance & Compliance GDPR: The Journey Today Privacy Notice v What

Data Protection. IT issues and Solutions Ian Bernhardt Head of Governance & Compliance GDPR: The Journey Today Privacy Notice v What information is being collected? v Who is collecting it? v How is it collected? v Why is it being collected?

198 views • 18 slides
Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect Microsoft Denmark This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law. 1. Data Privacy and

900 views • 21 slides
privacy regulations impact Australia What to consider as an Australian researcher. JACINTA

privacy regulations impact Australia What to consider as an Australian researcher. JACINTA

Tough European Union (EU) privacy regulations impact Australia What to consider as an Australian researcher. JACINTA OPIE 12 th August 2019 Overview Non GDPR Compliance Our Experience Core Principles TrueNTH GDPR Global Registry

452 views • 16 slides
Blockchain, GDPR & cryptography zkSNARKs for scaling and privacy. Alexandre Poltorak

Blockchain, GDPR & cryptography zkSNARKs for scaling and privacy. Alexandre Poltorak

Blockchain, GDPR & cryptography zkSNARKs for scaling and privacy. Alexandre Poltorak Blockchain, Sustainable Development and Privacy 26-27 November 2019 Berlin, Germany The problem with GDPR and blockchains : Bitcoin & Privacy

395 views • 7 slides
Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require?

Welcome Agenda GDPR is in force now and applies to Australian businesses What does GDPR require? How does an Australian business comply? Action Plan Section 1: GDPR is here Privacy in the digital age Historically, privacy was almost

513 views • 40 slides
GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner

GDPR Obligations & Rules Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Advising, Monitoring, Enforcing European Data Protection Board Art. 68 - 73 (replacing the Art. 29 Working Party) advise Supervisory

626 views • 8 slides
IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko Ltd FCA compliance consultants * BIBA Compliance Manual * Engaging Events * Tailored Solutions Format 1. GDPR (the important bits!) 2. ICOBS

716 views • 67 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
The Concept of Privacy Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0

The Concept of Privacy Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0

The Concept of Privacy Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Early History of Privacy Aristotle: public sphere of politics ( polis ) vs. private/domestic sphere of the family ( oikos) Long practiced

583 views • 8 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
Basic Privacy Principles Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0

Basic Privacy Principles Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0

Basic Privacy Principles Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Basic Privacy Principles (part of OECD Privacy Guidelines & most Privacy/Data Protection Law s) Lawfullness of processing , e.g. by

296 views • 4 slides
Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin

Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin

Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin Aslan Legal Counsel - Sinequa Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR takes effect on May 25, 2018 with no further

285 views • 26 slides
Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR

Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR

Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Privacy Legislation - History 1950 Art. 8 ECHR: Everyone has the right to respect for his private and family

413 views • 4 slides
Analyzing the Impact of GDPR on Storage Systems Aashaka Shah, Vinay Banakar, Supreeth Shastri

Analyzing the Impact of GDPR on Storage Systems Aashaka Shah, Vinay Banakar, Supreeth Shastri

Analyzing the Impact of GDPR on Storage Systems Aashaka Shah, Vinay Banakar, Supreeth Shastri Melissa Wasserman and Vijay Chidambaram General Data Protection Regulation (GDPR) May 25, 2018 Fundamental right Adopted after 2 years of public debate.

168 views • 16 slides
Objectives To provide participants with: Information on how to provide evidence that any

Objectives To provide participants with: Information on how to provide evidence that any

10/29/2012 Indicator 13 Webinar Series: Webinar #8 Consent to Invite an Outside Agency Ali Alison Lowenthal L th l Secondary Special Education Coordinator Sponsored by: Idaho State Department of Education Division of Student Achievement

720 views • 6 slides
Our working group appreciates that the GDPR aims to ensure that information society

Our working group appreciates that the GDPR aims to ensure that information society

Our working group appreciates that the GDPR aims to ensure that information society services providers: appoint a data protection officer treat users data transparently and fairly are unable to transfer personal data to

186 views • 7 slides
Announcements CS 4100: Artificial Intelligence Markov Decision Processes Homework k 3: Game

Announcements CS 4100: Artificial Intelligence Markov Decision Processes Homework k 3: Game

Announcements CS 4100: Artificial Intelligence Markov Decision Processes Homework k 3: Game Trees s (lead TA: Zhaoqing) Due Tue 1 Oct at 11:59pm (deadline extended) Homework k 4: MDPs s (lead TA: Iris) Due Mon 7 Oct at 11:59pm

442 views • 7 slides
Mike Salop Senior Vice President, Investor Relations 2 Safe Harb rbor This presentation

Mike Salop Senior Vice President, Investor Relations 2 Safe Harb rbor This presentation

Mike Salop Senior Vice President, Investor Relations 2 Safe Harb rbor This presentation contains certain statements that are forward-looking within the meaning of the Private Securities Litigation Reform Act of 1995. These statements are not

465 views • 25 slides
International Monetary Policy 8 IS-LM Model and Economic Policies 1 Michele Piffer London School

International Monetary Policy 8 IS-LM Model and Economic Policies 1 Michele Piffer London School

International Monetary Policy 8 IS-LM Model and Economic Policies 1 Michele Piffer London School of Economics 1 Course prepared for the Shanghai Normal University, College of Finance, April 2011 Michele Piffer (London School of Economics)

668 views • 19 slides
Macroeconomic equilibrium in the short run Introduction The big picture IS- TR Model TR curve

Macroeconomic equilibrium in the short run Introduction The big picture IS- TR Model TR curve

Macroeconomic equilibrium in the short run Introduction The big picture IS- TR Model TR curve IS-TR today and Monday AS-AD: lecture AS: Ch 12 notes (+ IS-TR with parts of capital flows: Ch 13) Wednesday Outline Cyclical

941 views • 45 slides
Market Design and Walrasian Equilibrium with Wolfgang Pesendorfer and Mu Zhang May 12, 2020 the

Market Design and Walrasian Equilibrium with Wolfgang Pesendorfer and Mu Zhang May 12, 2020 the

Market Design and Walrasian Equilibrium with Wolfgang Pesendorfer and Mu Zhang May 12, 2020 the unit demand economy with transfers Shapley and Shubik (1971) there are N agents and N (indivisible) goods each agent can consume at most one

1.18k views • 96 slides
Midterm review 1 1. Some sample quiz questions 2. Some ideas on elasticity of demand 3.

Midterm review 1 1. Some sample quiz questions 2. Some ideas on elasticity of demand 3.

P1 SepOct 2012 Timothy Van Zandt Prices & Markets Page 1 Session R1 Midterm Review Midterm review 1 1. Some sample quiz questions 2. Some ideas on elasticity of demand 3. An exercise on (a) medium run and (b) long run

244 views • 13 slides

More recommend