BEYOND CONSULTING | EXCELLENCE IN EXECUTION
KIMON ZORBAS
Big Data & Privacy
How to address privacy concerns and fears AND gain better insights and data
SAS Forum BeLux 2014 Louvain-la-Neuve
Is Privacy an issue for you?
• Financial Times survey (non-representative) on
• Respondents who have changed their online behaviour in past year because of privacy concerns:
• 65 % of Europeans; 87 % of US Americans
• (Of course, high-income earners, educated: you)
• But if you are worried, shouldn’t your clients be?
Privacy – Business relevance?
Source: BCG Global Consumer Sentiment Survey 2013
Privacy – Business relevance?
You have to deal with privacy – in your own interest
“Privacy concerns must be addressed—and giving consumers control can help …
Our analytics leaders were unanimous in their view that placing more control of information in the hands of consumers, along with building their trust, is the right path forward.”
Source: McKinsey Quarterly, Insights & Publications, March 2014, “Views from the front lines of the data analytics revolution”
Overview
• Status quo on privacy and business issues
• Business challenge / User issues
• Legal outlook
• Managing the challenge
Status quo: privacy framework
• Data Protection Directive (95/46/EC)
– Dating back to 1995 – pre-internet
– For data processing that allows direct or indirect identification of an individual
– 32 variations - national implementations: 28 EU countries, 3 EEA countries (NOR, ICE, LIE) & CH
– Allows processing in the frame of a contract or through (explicit) consent
– ICT industry avoided regulation (use of pseudonymous / anonymous data)
– Not fit for purpose (e.g. favours platforms that can easily obtain users’ explicit consent)
Status quo: privacy framework
• E-Privacy Directive (2002/58)
– 32 national variations
– Regulates telecoms AND cookies (information stored or accessed on a device)
• What about fingerprinting? Pre-installed identifiers? Google ID?
– Requires “consent” (to be interpreted according to Data Protection Directive, 95/46/EC)
– Currently, implied consent accepted in most countries (see pop-ups)
– (But likely to change to an explicit consent due to regulatory changes)
Business challenges
• Workforce shortage (lack of data analysts) – technology can address some of it
• Lots of (unstructured) data
• Often poor data quality (e.g. OBA)
• Legal restrictions
Business challenges
• Data ownership
Business challenges / User issues
• Snowden aftermath
• NSA, GCHQ, BND, CIA … tapping
• iCloud breach
• JP Morgan breach
• Google WiFi sniffing; cookies circumvention; data unification
• WhatsApp who’s online sniffing
• …
Business challenges / User issues
• Online advertising: most issues
• Ad-management (Adblock Plus; Ghostery; Privowny)
• Bad ads (see amazon example)
• Retargeting – disturbance (small segment, large damage)
• In a nutshell: users feel insecure
Legal outlook
• Data Protection Regulation (draft, COM 2012/11)
– Applicable as is, no transposition required (grace period 1.5-2 years)
– Currently passed at European Parliament Committee (LIBE Committee) level
– Needs to be approved by European Council (slow progress – could go fast)
• E-Privacy Directive:
– Revision announced
– Likely to become a regulation
– Probably to link to “tracking”, not cookies (storing / accessing technologies)
Legal outlook: details
• Personal data definition (Regulation is only applicable if personal data is processed):
– Any identifier that allows direct or indirect identification of an individual is now personal data
– Pseudonymous data (“personal data that cannot be attributed to a specific” …user… “without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”): allows for a less strict regime
• User rights (notification: clear and easily understandable; right of access; rectification; erasure; right to object to profiling; right to compensation and damages)
• Explicit consent
– Limitation to get consent via terms & conditions (“… a contract … shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract ...”)
Legal outlook: details
• Legitimate Interest
– Data processing is relevant for a contract
– Data is disclosed to a third party and that is “reasonable user expectation”
• Presumed for pseudonymous data
• Profiling (“any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”)
– (Notification that profiling takes place!)
– Possible in a contract relationship; consent or national law allows it; and only if not solely based on automated processing (i.e. some human intervention required).
– But prohibited if it discriminates, based on sensitive data categories (“race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity”)
– Profiling based on pseudonymous data is permitted.
Managing the challenge & Opportunity
• Objective: move towards quid pro quo: receive better data from users that provide you with better data and deeper insights
• How to get there? Dashboards
• Some examples:
Yahoo dashboard
• https://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/
• 1st generation
• Shows collected data – very limited user interaction
• Conclusion: Very poor
Google Dashboard
• https://www.google.com/settings/u/1/dashboard?hl=nl
• Rather …overwhelming
• Too much data
• No meaningful insights
Nugg.ad Dashboard
• http://mtm.nuggad.net/en
• Nugg.ad collects little data
• Limited oversight
• Limited interaction
Privowny – data management
• www.privowny.com
• User centric (‘on user’s side’)
• Data management
• Not yet linked to account
• Meaningful insights
Experience
• Privacy = Board room issue
• All agree that we are on the brink of a paradigm shift
• Companies struggle with giving up control (don’t want to admit they have none to only very limited control)
• Shift will happen
• Better to be first or better to get it right?
Competition
How much time do you have to respond to new data protection regulation, once it’s adopted?
• A: 5.5-6 years
• B: 3.5-4 years
• C: 1.5-2 years
Discussion / Q&As
@kimon_zorbas
Kimon Zorbas