[00:00:10.04]
good afternoon everyone my name is annie anton
i'm a professor in the school of interactive
[00:00:15.05]

[00:00:15.05]
computing at georgia tech i'm also a member of
the executive committee for our new school of
[00:00:21.12]

[00:00:21.12]
cyber security and privacy i'm honored to be able
to introduce our guest speaker today today we're
[00:00:27.03]

[00:00:27.03]
really fortunate to have someone who is both
a consummate professional as well as a stellar
[00:00:33.09]

[00:00:33.09]
member of our community and that's evan glover
evan is ncr's chief in chief privacy officer and
[00:00:41.01]

[00:00:41.01]
the corporate vp for law there he also has worked
previously at ge transportation sony sage as well
[00:00:48.15]

[00:00:48.15]
as king and spaulding his undergraduate degree
is from another fine university in the state of
[00:00:54.21]

[00:00:54.21]
georgia that happens to be situated in athens and
his law degree is from the university of alabama
[00:01:01.01]

[00:01:02.00]
it isn't often that we get to speak of
someone's involvement in the community
[00:01:07.03]

[00:01:07.03]
but evan is truly a role model for us all he
has served as a minor in atlanta public schools
[00:01:12.21]

[00:01:13.11]
he's volunteered extensively with atlanta
community food bank he's raised more than 150 000
[00:01:19.12]

[00:01:19.12]
for international humanitarian aid through the ncr
foundation so he's a leader in both his profession
[00:01:26.04]

[00:01:26.04]
and in our community and i think that's something
that we can all be inspired by and that we can
[00:01:31.11]

[00:01:31.11]
all aspire to before i hand the virtual stage over
to evan i'm going to ask that our attendees today
[00:01:38.08]

[00:01:38.08]
please make use of the chat box if you have any
questions or comments that you would like us to
[00:01:43.03]

[00:01:43.18]
um have uh presented evan for him to respond
to and i'll do my best to make sure that we
[00:01:51.01]

[00:01:51.01]
we get to your questions and evan will also
be pulling the audience a few times during his
[00:01:56.08]

[00:01:56.08]
presentation today so we look forward to your
participation in that as well and with that i
[00:02:01.03]

[00:02:01.03]
will then um ask everyone to join me in welcoming
evan today thank you evan for joining us thanks
[00:02:08.21]

[00:02:08.21]
very much annie let me share my slides um starting
uh and really building a strategic privacy program
[00:02:16.21]

[00:02:17.11]
there are a lot of elements andy can you can
you see the screen are we good on the slides
[00:02:21.20]

[00:02:22.21]
yes i see it thank you awesome great uh so
i'm evan glover i serve at mcr as the chief
[00:02:29.01]

[00:02:29.01]
privacy officer there i have some other roles
i'm a lawyer by training but um the fact that
[00:02:34.10]

[00:02:34.10]
i'm in a business role also means that i
have to take into business realities and
[00:02:38.12]

[00:02:39.05]
one of the things that i did about two years ago
was i really stood up a global privacy program
[00:02:43.11]

[00:02:43.11]
at ncr so i want to share some lessons learned
um and really give you some tips uh and some
[00:02:48.21]

[00:02:48.21]
things to think about because i imagine a lot
of you if you're not already in industry will go
[00:02:53.11]

[00:02:53.11]
and have a job whether it be in the academic
field you may go work for a non-profit you go
[00:02:58.02]

[00:02:58.02]
may go work for the government you may go work
for a small company or a large company or a
[00:03:02.13]

[00:03:02.13]
global company and all of those organizations are
faced with managing and protecting personal data
[00:03:08.04]

[00:03:09.14]
and so when i was tasked with uh growing a privacy
program at ncr two years ago i really went on this
[00:03:15.18]

[00:03:15.18]
journey and so the first thing i did was really to
go out and talk to people so the first step if you
[00:03:20.21]

[00:03:20.21]
are thinking about becoming a privacy professional
taking on a role in a company and learning about
[00:03:25.03]

[00:03:25.03]
privacy is really to use your network uh to use
your network to go and ask people who are experts
[00:03:31.16]

[00:03:31.16]
gain as much information as you can read
as much information as you can and so two
[00:03:36.15]

[00:03:36.15]
years ago when i set up our privacy program
at ncr i met with 70 folks internally at ncr
[00:03:42.17]

[00:03:42.17]
and i met with 70 folks externally and what i did
is i just started to see some common themes and
[00:03:48.13]

[00:03:48.13]
understand kind of what priorities were for folks
where i should put my uh resources where i should
[00:03:53.12]

[00:03:53.12]
focus um and and that's kind of how we built this
privacy program so i'm gonna walk through there's
[00:03:59.12]

[00:03:59.12]
a handful of slides i have a couple of videos in
a couple of polls but really the first thing that
[00:04:04.06]

[00:04:04.06]
that is really important to know is to understand
the privacy landscape the privacy landscape
[00:04:10.12]

[00:04:11.09]
continues to evolve many of you guys are maybe
familiar with europe's gdpr with california ccpa
[00:04:17.14]

[00:04:18.08]
but um the first step is really understanding
the organization that you're in and what
[00:04:22.17]

[00:04:22.17]
privacy laws might apply if you are running
a small shop in europe perhaps gdpr applies
[00:04:29.03]

[00:04:29.03]
but you're not terribly concerned about the
california privacy locks you may not do work
[00:04:33.09]

[00:04:33.09]
in california if you guys plan to enter into the
medical field there's laws that govern private
[00:04:39.05]

[00:04:39.05]
health information called hipaa in the u.s and and
other laws around the globe if you happen to go
[00:04:44.15]

[00:04:44.15]
uh work in india you might note that there's uh
some india some laws in india that are coming on
[00:04:50.15]

[00:04:50.15]
so it's really important to understand really what
laws and what regulations apply to your business
[00:04:56.00]

[00:04:56.00]
based on the nature of your business or the nature
of your organization and that's going to differ
[00:04:59.18]

[00:05:00.08]
because if you have a small um popsicle stand
in atlanta georgia you probably are not terribly
[00:05:07.18]

[00:05:07.18]
concerned with gdpr um and if you are running a
business in nigeria for example in africa there
[00:05:16.15]

[00:05:16.15]
are there are nigeria nigeria has a privacy uh
or privacy law so you're gonna try to understand
[00:05:22.13]

[00:05:22.13]
what laws might apply beyond that you're also
going to have to understand what regulations
[00:05:27.11]

[00:05:27.11]
or industry standards apply one good example
is if you're touching credit card information
[00:05:32.02]

[00:05:32.15]
there is a set of industry standards that are
put by the payment card industry called pci
[00:05:37.11]

[00:05:37.11]
that apply but in general what you'll see is there
are some trends among global privacy laws uh that
[00:05:44.02]

[00:05:44.02]
are kind of emerging the first is that there's
heightened obligation to protect personal data
[00:05:48.12]

[00:05:48.12]
they're all becoming more aware and the laws are
recognizing that people have a fundamental right
[00:05:53.01]

[00:05:53.01]
to protect their personal data you see
that across a lot of modern privacy laws
[00:05:57.03]

[00:05:57.03]
whether that be in europe whether that be in
california's privacy law or brazil's privacy law
[00:06:02.15]

[00:06:03.20]
another common theme is that most modern privacy
laws empower individuals with the right to control
[00:06:10.08]

[00:06:10.08]
the data relating to them these are known as
data subject rights um or rights to access or
[00:06:16.04]

[00:06:16.04]
data portability rights and so you see this common
theme where individuals are able to control the
[00:06:22.02]

[00:06:22.02]
data regardless of whether where that data goes
it might go to an institutional organization
[00:06:26.04]

[00:06:26.23]
another common theme that we see in the privacy
landscape is that there's more regulatory and
[00:06:31.16]

[00:06:31.16]
enforcement scrutiny so some of you may read about
enforcement actions in europe against uh facebook
[00:06:38.13]

[00:06:38.13]
and google you may see some headline fines against
marriott and british airways in the european union
[00:06:44.08]

[00:06:44.08]
um you may see the federal trade commission
issuing a five billion dollar fine against
[00:06:48.23]

[00:06:48.23]
facebook um so you see a lot of activity from
the regulators a lot of legal activity uh that
[00:06:55.03]

[00:06:55.03]
really inform how you go about building a privacy
program and finally there's also greater business
[00:07:01.16]

[00:07:01.16]
and reputational risk and what that means is
beyond just the cost of complying with the law
[00:07:06.15]

[00:07:06.15]
or building programs around the law or facing a
penalty or a fine you have to understand that your
[00:07:11.16]

[00:07:11.16]
business reputation is on the line and if you are
not a good steward of personal data of the people
[00:07:18.00]

[00:07:18.00]
that you interact with whether that be customers
or partners uh or your employees that there's
[00:07:24.06]

[00:07:24.06]
big reputational risk and you don't want your
companies or organizations named to be on the
[00:07:29.16]

[00:07:29.16]
front page of the new york times the wall street
journal uh for having bad privacy posture or bad
[00:07:34.17]

[00:07:34.17]
privacy practices um but at the same time you
see that it can be a challenge to comply with
[00:07:41.09]

[00:07:41.09]
all these privacy laws but there really is a
great opportunity for folks because if you build
[00:07:46.04]

[00:07:46.04]
strong privacy practices you build trust with your
customers if you are able to digest and understand
[00:07:52.23]

[00:07:52.23]
privacy rules you're able to um maybe enter
new market so if you have a product in the u.s
[00:07:58.12]

[00:07:58.12]
and it has really good privacy controls and good
privacy posture you may be able to bring that with
[00:08:03.01]

[00:08:03.01]
limited effort to a european market and expose
new markets for example you can have a business
[00:08:07.09]

[00:08:07.09]
or an organization expand its footprint expand
its customer base expand the market in which it
[00:08:12.15]

[00:08:12.15]
participates and finally i think you'll also if
you if you really dig in and learn privacy it's a
[00:08:19.22]

[00:08:19.22]
it's an opportunity to build on your brand as
a of an organization as an innovator because
[00:08:24.21]

[00:08:24.21]
um i can tell you candidly when i'm looking at
vendors to pick and the vendors are equal uh
[00:08:30.19]

[00:08:31.18]
if one has a better privacy posture i'm probably
more likely to pick that and and finally i would
[00:08:37.14]

[00:08:37.14]
i'm glad that you all are attending this lecture
because it's also an opportunity for competitive
[00:08:41.07]

[00:08:41.07]
differentiation for you uh because i can tell
you that uh their the biggest constraint in
[00:08:47.12]

[00:08:47.12]
all of privacy is really a lack of talent and
so i would encourage you all to learn as much
[00:08:53.05]

[00:08:53.05]
as you can around data protection and privacy
because it will differentiate you as an employee
[00:08:58.00]

[00:08:58.21]
it will set you apart from your colleagues
who are not as well versed in privacy
[00:09:02.06]

[00:09:03.01]
so at this point i want to take a quick poll
so carly if you could launch poll number one
[00:09:08.04]

[00:09:11.11]
poll number one asks how important
is the privacy posture of a company
[00:09:15.01]

[00:09:15.01]
organization to you so put on your hat as a
consumer uh you're a consumer on the marketplace
[00:09:20.02]

[00:09:20.02]
uh is it not important at all is it slightly
important is it fairly important or very important
[00:09:25.22]

[00:09:32.23]
evan it looks like the consensus is very important
excellent um so that's that's probably accurate um
[00:09:41.11]

[00:09:41.11]
and so i do want to so so that's what i expected
is that folks say very important and i want you
[00:09:45.20]

[00:09:45.20]
guys to use the chat feature now to name some
companies with a good privacy posture so who are
[00:09:51.01]

[00:09:51.01]
those companies that you look to and say wow they
have a good privacy posture or they're known or
[00:09:56.04]

[00:09:56.04]
there's a perception that they um have they they
are handling personal data in an appropriate way
[00:10:03.20]

[00:10:04.21]
i suspect there'll be a couple common names
that pop up but there might be some surprises
[00:10:09.05]

[00:10:12.06]
so we have apple amd intel
corporation okay uh anyone else
[00:10:20.10]

[00:10:23.01]
there's a few for you okay great um and and yeah
so apple is a great one and we have a we have a
[00:10:29.14]

[00:10:29.14]
video that will queue up in just a moment
around apple um and how they differentiate
[00:10:34.08]

[00:10:34.08]
themselves as compared to some of their mobile
phone competitors which um are apple by the way
[00:10:40.15]

[00:10:40.15]
it designs its products and it owns the hardware
and the chipset and the operating system obviously
[00:10:46.00]

[00:10:46.00]
can differentiate itself on privacy because it
controls the entire ecosystem by contrast android
[00:10:50.19]

[00:10:50.19]
operating system has to be a little bit different
um and so they really have kind of differentiated
[00:10:55.05]

[00:10:55.05]
themselves i'm surprised somebody didn't mention
snapchat maybe we don't have a lot of young folks
[00:11:00.06]

[00:11:00.06]
but snapchat is another company that takes it very
seriously and what these companies have done is
[00:11:04.06]

[00:11:04.06]
really gone out and said here's what we're doing
here's how we're building our products here's why
[00:11:08.23]

[00:11:08.23]
we're different and here's our marketing advantage
so carly if you could show the first video
[00:11:13.20]

[00:11:14.21]
i've browsed eight sites
for divorce attorneys today
[00:11:17.12]

[00:11:18.15]
i browsed eight sites for divorce attorneys today
my login for everything is pauline paulinefu.com
[00:11:25.09]

[00:11:27.12]
i love working with you me too red heart emoji
pink card emoji yellow heart emoji blue art emoji
[00:11:32.21]

[00:11:32.21]
i hate levo puke emoji puke emoji i
am currently reading an article titled
[00:11:38.04]

[00:11:38.04]
10 ways to keep sweaty hands from holding you back
[00:11:40.21]

[00:11:41.11]
my home is in 1 000 feet my heart rate is
currently 150 151 152 and back down to 150.
[00:11:48.23]

[00:11:48.23]
on march 15th at 9 16 a.m i purchased prenatal
vitamins and four pregnancy tests the number
[00:11:56.00]

[00:11:56.00]
on my credit card is zero two three seven one
two two one zero seven two five zero two one
[00:12:09.20]

[00:12:15.14]
and and so what we see there is really that
apple is trying to explain to the market it's
[00:12:20.06]

[00:12:20.06]
some of its privacy practices that it kind of
protects information it safeguards information
[00:12:24.23]

[00:12:25.14]
it is disclosing um how it's different how
uh it supports a private appropriate privacy
[00:12:31.20]

[00:12:31.20]
protections for those in which it interacts uh
that it has a culture of valuing the privacy
[00:12:36.15]

[00:12:36.15]
rights of individuals uh so i think it's really
important to understand that when you go to an
[00:12:42.00]

[00:12:42.00]
organization you you come you need to understand
what is the privacy posture of a company is it
[00:12:46.19]

[00:12:46.19]
is it taking a very conservative approach um and
that informs kind of what you would do to build
[00:12:51.07]

[00:12:51.07]
a privacy program or is it taking a real fast
and loose uh perspective with respect to privacy
[00:12:57.11]

[00:12:57.11]
uh you know and so that will inform kind of what
you do and how you approach some of these uh
[00:13:03.07]

[00:13:03.07]
these uh decisions i'll tell you that there's no
formula for building a privacy program there's no
[00:13:08.08]

[00:13:08.08]
checklist that says if i do these 10 things i'm
gdpr compliant or i'm compliant with privacy laws
[00:13:13.20]

[00:13:13.20]
rather building a privacy program requires you to
work across functions across the entire company
[00:13:20.02]

[00:13:20.02]
to really build priorities and think of it as
almost like a defect uh backlog list you kind
[00:13:25.01]

[00:13:25.01]
of prioritize the hot the highest ones and you're
knocking off the ones with the highest priority
[00:13:28.21]

[00:13:28.21]
and you're de-prioritizing you cannot reasonably
accommodate all of the privacy practices around
[00:13:34.10]

[00:13:34.10]
the globe for all of the products but the first
real important concept that you need to understand
[00:13:40.12]

[00:13:40.12]
when you walk into an organization or build
a privacy program is really uh the personal
[00:13:45.14]

[00:13:45.14]
data that is implicated in a company um it can
be hr information for your employees that's an
[00:13:51.20]

[00:13:51.20]
important part of personal data that might exist
at a company and there might be others so carly if
[00:13:58.04]

[00:13:58.04]
we can go to poll 2 i want to kind of take the the
uh the temperature of folks to understand uh what
[00:14:05.11]

[00:14:05.11]
what could be considered personal data
uh so we're gonna talk a little bit about
[00:14:08.21]

[00:14:08.21]
what makes up personal that and how it might
be used um and so there's poll number two
[00:14:13.05]

[00:14:13.05]
which says which of the following could be
used could be considered personal data an
[00:14:17.05]

[00:14:17.05]
email address date of birth gps location data
or ip address and please select all that apply
[00:14:22.21]

[00:14:27.22]
so far we have uh it's going
on for all of the above
[00:14:33.09]

[00:14:36.12]
i suspected we have some folks who are pretty
smart in the audience and that's great um yeah
[00:14:40.13]

[00:14:40.13]
so the poll has ended we had 92 percent uh said
all of the above and then some other combination
[00:14:46.10]

[00:14:46.10]
was eight percent that's exactly right so when you
walk into an organization you need to understand
[00:14:52.12]

[00:14:52.12]
what kind of personal data they might have and at
least in the u.s folks in the us think of personal
[00:15:00.06]

[00:15:00.06]
data as only being social security number name and
address but a lot of the modern privacy laws like
[00:15:06.13]

[00:15:06.13]
gdpr like california really broadened that and
um and really broaden it to be any data that can
[00:15:13.03]

[00:15:13.03]
be used to identify an individual and that may be
direct identifiers like your name or your address
[00:15:18.23]

[00:15:18.23]
but also indirect identifiers uh which are things
that can be paired together to identify you and so
[00:15:25.14]

[00:15:25.14]
when you walk into an organization you need to go
and help explain this to all the kinds of people
[00:15:29.22]

[00:15:29.22]
that you might encounter you need to probably
talk with the hr team and say hey what kind of
[00:15:34.08]

[00:15:34.08]
data are you getting a lot of times hr for sure
has all kinds of personal data on employees it has
[00:15:40.02]

[00:15:41.03]
you know maybe immigration information it has
social security number because it has to pay you
[00:15:45.12]

[00:15:45.12]
it might have health or benefit information or
medical information and a lot of times hr folks at
[00:15:52.08]

[00:15:52.08]
a lot of companies just think well i have social
security number and that's what i need to protect
[00:15:56.00]

[00:15:56.00]
but as new modern privacy laws come into
play you need to say there's lots of other
[00:16:00.13]

[00:16:00.13]
things that might come into play uh for
example especially with the new coronavirus
[00:16:05.16]

[00:16:05.16]
uh protocols that most companies are implementing
a lot of companies are taking temperature checks
[00:16:10.00]

[00:16:10.00]
and so is a temperature personal data and does
a company process the data and process is pretty
[00:16:18.06]

[00:16:18.06]
broadly defined under privacy laws if you if you
gather it you store it you do anything with it
[00:16:25.09]

[00:16:25.09]
you have to protect it and so there are lots of
things that can be considered personal data and
[00:16:31.18]

[00:16:31.18]
some non-obvious ones financial records passwords
criminal records um ip address and machine names
[00:16:39.11]

[00:16:39.11]
this is a real important one uh phone uh not
phone numbers but that you're actually device name
[00:16:45.05]

[00:16:46.00]
is another one where it can be used to identify
you as an indirect identifier and so when you're
[00:16:53.03]

[00:16:53.03]
building out a privacy program you need to explain
to folks that this data still is in scope for
[00:16:58.10]

[00:16:58.10]
privacy laws it's not simply the the protection
of the social security number but rather um things
[00:17:04.04]

[00:17:04.04]
like your racial or ethnic information uh your
sex life and your orientation uh even california
[00:17:11.01]

[00:17:11.01]
says um uh your sense of smell olfactory uh uh
senses is is personal to you um and so when you
[00:17:20.06]

[00:17:20.06]
go to an organization you need to understand where
the personal data is and then understand how you
[00:17:24.23]

[00:17:24.23]
might protect that personal data and apply some of
the privacy by design principles that we'll talk
[00:17:30.00]

[00:17:30.00]
about in just a moment but really this is the
important threshold inquiry is it personal data
[00:17:35.18]

[00:17:35.18]
i'll tell you also that um this is also a
threshold inquiry uh to determine if you've
[00:17:41.12]

[00:17:41.12]
had a personal data breach um and so a lot of
times there may be uh somebody may have emailed
[00:17:49.12]

[00:17:49.12]
some personal data out to a wrong person uh you
may have a server that's compromised you may
[00:17:54.17]

[00:17:54.17]
have a lost laptop and uh and so there could
be personal data that could have been exposed
[00:18:00.06]

[00:18:00.06]
or not protected appropriately and as you think
about um if there's a breach of personal data
[00:18:06.00]

[00:18:06.00]
you have to understand what that is um and then
if you do have a breach of personal data then
[00:18:10.19]

[00:18:10.19]
you have some notification obligations um under
the law so for example in europe uh you have a
[00:18:16.10]

[00:18:16.10]
very short window a couple of days to notify of a
breach of personal data in the u.s we have various
[00:18:23.07]

[00:18:23.07]
state laws that allow us up to 30 or 60 or 90 days
in some cases to notify so there's a real broad
[00:18:30.15]

[00:18:30.15]
perspective of what personal data is and it needs
to include both direct and indirect identifiers
[00:18:36.06]

[00:18:38.04]
and a lot of folks also kind of tie these
concepts together with whether it's identified
[00:18:43.05]

[00:18:43.05]
data do dynamized data de-identified and
not an anonymous data and these are all
[00:18:48.10]

[00:18:49.07]
you know how how easy is it for you to tie that
set of information to an individual and that
[00:18:56.00]

[00:18:56.00]
informs the risk tolerance of an organization
so obviously your direct identifiers those are
[00:19:01.07]

[00:19:01.07]
directly identifying a person you want to protect
those very significantly but as you remove some
[00:19:07.07]

[00:19:07.07]
of the identifiers by either maybe masking out
certain numbers so we're all very familiar with
[00:19:12.15]

[00:19:12.15]
our social security numbers for example you mask
out all but the last four digits and you've kind
[00:19:17.14]

[00:19:17.14]
of de-identified it to some to some extent and
so that will also inform as you move along the
[00:19:23.09]

[00:19:23.09]
spectrum and you remove things that tie it to an
individual then you you are employed to protect it
[00:19:31.14]

[00:19:32.06]
less significantly so if data is truly anonymous
and that is a very tough technical standard to me
[00:19:39.14]

[00:19:39.14]
but in a theoretical world if you could truly make
data anonymous then under most modern privacy laws
[00:19:46.06]

[00:19:47.18]
it's not going to be considered personal
data so under gdpr and ccpa data which is
[00:19:54.08]

[00:19:54.08]
truly anonymized is not considered personal data
but by contrast pseudonymized data is considered
[00:20:02.15]

[00:20:02.15]
personal data under gdpr and ccpa so you have to
kind of understand where your risk tolerance is
[00:20:08.04]

[00:20:08.04]
and really what implication it has for your
business uh or organization uh i want to do
[00:20:15.07]

[00:20:15.07]
a quick uh case study example here um and then
maybe pause and see if there's any questions
[00:20:22.04]

[00:20:22.04]
i do have one more video after this and
we have some certainly a lot more slides
[00:20:25.07]

[00:20:25.07]
that we're going to dig in more but i did
i'm mindful that there might be questions
[00:20:28.06]

[00:20:29.05]
so a good case study um there was a researcher at
the harvard kennedy school in 2000 so 20 years ago
[00:20:37.01]

[00:20:37.16]
and they looked at some u.s census data across
all of at the time about 250 million americans
[00:20:43.05]

[00:20:44.06]
and this researcher at harvard was able to
identify 90 of americans by just using three
[00:20:53.07]

[00:20:53.07]
pieces of information and that was the birth
date the gender of the person and the zip code
[00:20:59.09]

[00:21:00.19]
um and they were able to identify 90 of people
using these three things without name uh
[00:21:07.11]

[00:21:07.11]
without address without social security number
uh but simply by knowing a person's birth date
[00:21:14.17]

[00:21:14.17]
their gender and their zip code
uh they were able to tie together
[00:21:18.19]

[00:21:19.09]
a process that identified 90 of americans so um
you know really think about as you get more and
[00:21:26.08]

[00:21:26.08]
more data it becomes more and easier to uh to
make it personally identifiable uh so know that
[00:21:32.17]

[00:21:32.17]
there's you know a lot of risk around here and
when you are evaluating the risk of personal data
[00:21:38.00]

[00:21:38.00]
and how to protect it uh that it's important
to understand that a lot of these concepts
[00:21:42.15]

[00:21:42.15]
if put together can really um identify a person
for things that you wouldn't think could probably
[00:21:50.06]

[00:21:50.06]
if we could roll video number two and then i
want to pause to see if we have any questions
[00:21:57.20]

[00:22:57.20]
so i use a lot of videos when i'm talking to folks
because when you guys enter an organization or a
[00:23:02.19]

[00:23:02.19]
company or a non-profit or government you're gonna
have to talk to folks in hr folks uh in sales
[00:23:08.02]

[00:23:08.02]
folks in the finance organization you're really
gonna have to explain this stuff to them because
[00:23:12.00]

[00:23:12.00]
they're gonna be your eyes and ears to raise
issues for you to solve uh so one of the important
[00:23:17.12]

[00:23:17.12]
things about building a privacy program is really
training and awareness raising and it's a constant
[00:23:22.06]

[00:23:22.06]
effort so at ncr we have uh training modules on
our learning management system we have videos that
[00:23:28.19]

[00:23:28.19]
we deploy um we have mandatory annual training
and privacy i run a global privacy committee that
[00:23:35.22]

[00:23:35.22]
meets once a month and has 200 members and then
we do spot training for certain groups in hr and
[00:23:41.16]

[00:23:41.16]
marketing uh in ito organization and alike uh to
really raise awareness and help them understand
[00:23:48.06]

[00:23:48.06]
the risks and understand what they should do so
um do we have any questions annie or should i go
[00:23:53.18]

[00:23:53.18]
on to the next concept we do we have one here um
so one uh one of our uh attendees today is asking
[00:24:01.01]

[00:24:01.01]
whether it you think it's reasonable for privacy
expectations to be standardized across the world
[00:24:06.21]

[00:24:08.06]
gosh not anytime soon uh and frankly that's job
security for all of us who do privacy because
[00:24:13.14]

[00:24:13.14]
it'll take a lot of smart people to think about
reconciling those differences and harmonizing
[00:24:19.18]

[00:24:19.18]
them and then making judgment calls on where to
allocate resources and where to prioritize your
[00:24:24.10]

[00:24:24.10]
efforts so we see all kinds of existing laws like
gdpr like california um california uh the ccpa
[00:24:35.07]

[00:24:35.07]
is uh not fully enforced yet because they have
some they had some delays in the enforcement of
[00:24:42.02]

[00:24:42.02]
it and some exceptions but what happened and at
the beginning of this month uh the the ballot
[00:24:48.00]

[00:24:48.00]
initiative passed a new california law and we see
that there are laws in brazil that have come into
[00:24:54.06]

[00:24:54.06]
effect this year nigeria and serbia last year
we see uh on the horizon india china australia
[00:25:02.04]

[00:25:03.01]
canada is looking at changing its laws so i think
that there'll be a lot of variation across the
[00:25:10.23]

[00:25:10.23]
globe and maybe in five or ten years there'll
be some harmonization some industry standards
[00:25:17.07]

[00:25:17.07]
but i think of that not as a challenge
but frankly is job security because
[00:25:21.12]

[00:25:21.12]
the more that these laws come in the more that
my business counterparts are looking to me to
[00:25:27.09]

[00:25:27.09]
explain it to them to help them solve these
problems to build products that are compliant
[00:25:32.21]

[00:25:33.18]
and really advise them on what they need to do
because there's so much noise going on and the
[00:25:38.13]

[00:25:38.13]
final point that i'll make is even once these laws
are passed uh there's a lot of uh decisions that
[00:25:45.01]

[00:25:45.01]
are deferred to the regulators or to regulations
and so or courts and so they'll be open questions
[00:25:51.12]

[00:25:51.12]
that the courts will have to wrestle with for
years and years to come so i think that um we uh
[00:25:58.06]

[00:25:59.05]
i think that there will be more and more laws
popping up over the next two to three years
[00:26:04.02]

[00:26:04.02]
i think you'll see some harmonization but
that's probably a five-year time horizon
[00:26:08.12]

[00:26:09.16]
and maybe in 10 years we'll have
sort of a unified standard but
[00:26:13.03]

[00:26:13.03]
but for now it's pretty fragmented you also
see at least in the us that states are taking
[00:26:18.19]

[00:26:18.19]
different perspectives so some folks may be aware
of the illinois biometric law which is a state law
[00:26:24.02]

[00:26:24.02]
really geared at collecting biometric information
and so if your organization interacts with uh
[00:26:30.12]

[00:26:31.20]
folks in illinois or does business in illinois
and it collects biometric information you know you
[00:26:38.15]

[00:26:38.15]
need to build that into kind of how you collect
it so there was a lawsuit recently in illinois
[00:26:45.09]

[00:26:46.06]
where six flags so the theme park was taking the
thumbprint of individuals for like fast passes so
[00:26:53.07]

[00:26:53.07]
you put your thumb print down it identifies you as
being a a seasoned pass holder and you can go in
[00:26:57.22]

[00:26:57.22]
real quickly and um in that case six flags didn't
get appropriate written consent from the person
[00:27:05.20]

[00:27:05.20]
putting down the thumb in in that particular
lawsuit uh it was a minor uh so it was a child
[00:27:11.16]

[00:27:11.16]
uh but uh but they didn't get appropriate
consent and uh there was there was there
[00:27:16.02]

[00:27:16.02]
were refined the uh the illinois uh law actually
tells uh companies what the fine will be i think
[00:27:23.09]

[00:27:23.09]
it's five hundred dollars for per individual
per fine uh and then if it's intentional or
[00:27:28.19]

[00:27:28.19]
somebody does it you know uh with bad intent that
that bind gets elevated to fifteen hundred dollars
[00:27:34.10]

[00:27:35.05]
so if you're collecting biometric information um
uh you know and that can be thumbprint uh retina
[00:27:41.22]

[00:27:41.22]
scan face identify identifier all of those
things then you need to understand what the
[00:27:47.12]

[00:27:47.12]
requirements of that illinois law are i would
i would one footnote here is if you simply just
[00:27:52.04]

[00:27:52.04]
take a picture of a person it's not considered
biometric information it's if you take that
[00:27:58.02]

[00:27:58.02]
picture and somehow put uh you know uh some facial
geometry over it and then identify that person
[00:28:04.17]

[00:28:05.22]
that's a very good question
we have another question
[00:28:09.18]

[00:28:09.18]
uh about how we draw boundaries to enforce where
the data is stored or where the person lives
[00:28:15.20]

[00:28:17.14]
that's tough um and uh and so obviously at one
end of the spectrum if you're a very very small
[00:28:24.15]

[00:28:24.15]
company and you just operate a popsicle stand in
atlanta georgia you probably uh aren't terribly
[00:28:30.10]

[00:28:30.10]
concerned about gdpr because the the likelihood
of having a bunch of european folks um you know uh
[00:28:36.23]

[00:28:36.23]
and you have to comply with gdpr but by contrast
if you're a global company um that has operations
[00:28:42.08]

[00:28:42.08]
around the globe uh you kind of by default
have to comply with the most strict standards
[00:28:47.18]

[00:28:47.18]
um and so for most companies somebody said
apple intel facebook like those large companies
[00:28:53.01]

[00:28:53.01]
that that really have a global presence they have
people moving around the globe they have probably
[00:28:57.18]

[00:28:57.18]
servers or data centers in multiple locations uh
they have sales folks in different you know areas
[00:29:03.12]

[00:29:03.12]
emails are flying across the globe at a quick
speed so i think you have to um really understand
[00:29:10.08]

[00:29:10.08]
what are the common themes uh of privacy laws
and you gear your program towards the commonality
[00:29:17.09]

[00:29:17.09]
which are the privacy by design principles which
we'll talk through in a little while and then you
[00:29:22.08]

[00:29:22.08]
understand what the variations are so for example
uh gdpr requires you to have a data protection
[00:29:28.10]

[00:29:28.10]
officer uh if you meet certain minimum thresholds
by contrast california does not require a data
[00:29:34.04]

[00:29:34.04]
protection officer so so in that case um you know
in your global company you know i need to have
[00:29:39.16]

[00:29:39.16]
a data protection officer for europe by the way
you need to have them for brazil serbia nigeria uh
[00:29:46.08]

[00:29:49.03]
singapore philippines and germany those are just
some of the countries where you'll have to appoint
[00:29:54.02]

[00:29:54.02]
them and so you'll then have to look once you see
the commonality across the privacy laws you'll
[00:29:58.00]

[00:29:58.00]
have to figure out the individual levers that
are a little different another example is that
[00:30:02.10]

[00:30:03.18]
california requires you to post on your
website i do not sell my information
[00:30:07.20]

[00:30:07.20]
link and so you'll need to deploy that um and
uh if you do business in california uh candidly
[00:30:15.09]

[00:30:15.09]
uh you know we hear that some companies are
pulling out of markets because the cost of
[00:30:18.23]

[00:30:18.23]
compliance and the risk to the organization
um is is really not there so if i'm you know a
[00:30:24.12]

[00:30:24.12]
company that really is focused on the east
coast of the united states um and i only
[00:30:28.21]

[00:30:28.21]
have one customer one employee in in california
rather than having to be in scope for california
[00:30:35.16]

[00:30:35.16]
i might exit that market i might decide it's not
worth the the risk and i might exit that market
[00:30:41.11]

[00:30:43.09]
that's good yes i recently actually purchased
something and it said we do not uh sell to
[00:30:50.13]

[00:30:50.13]
residents in california yeah yeah for sure
so the next concept because i know that
[00:30:56.02]

[00:30:56.02]
there's uh georgia tech is really wise to have
launched the school of security and privacy
[00:31:00.06]

[00:31:00.06]
um and they are interrelated uh there's a little
bit of a difference uh but they're distinct um
[00:31:07.01]

[00:31:07.01]
and so the first concept really is that privacy
is impossible without data security so one of the
[00:31:14.04]

[00:31:14.04]
fundamental principles of of data protection
and data privacy is securing the information
[00:31:19.22]

[00:31:19.22]
and that may be encrypting it that
might be protecting it through
[00:31:23.16]

[00:31:23.16]
administrative access and so this is where a
privacy team really works with the in-person
[00:31:28.17]

[00:31:28.17]
the infosec team information security team or the
cso or the it organization also with application
[00:31:34.17]

[00:31:34.17]
security or application management for the
products uh and we're so we're kind of leveraging
[00:31:39.14]

[00:31:39.14]
a lot of their efforts in terms of securing the
data uh but simply um securing the data is not
[00:31:47.05]

[00:31:47.18]
uh sufficient for privacy so um a good
example is if i can in a theoretical world
[00:31:54.15]

[00:31:55.09]
encrypt the data with the highest encryption key
in the world and i have all of this information
[00:31:59.18]

[00:31:59.18]
i have vast amounts of personal data the security
professionals will say if you can truly encrypt it
[00:32:05.09]

[00:32:05.09]
then it's secure however privacy would question
things like why do you have it do you have just
[00:32:12.08]

[00:32:12.08]
the minimum amount of information are you
giving are you governing it the right way
[00:32:17.18]

[00:32:19.09]
and so know that these terms are somewhat
interrelated and the privacy world really
[00:32:23.20]

[00:32:23.20]
relies on the good work of the data security
team um and and finally most privacy laws
[00:32:30.08]

[00:32:30.23]
um require the appropriate use of technical
and organizational measures to ensure
[00:32:36.02]

[00:32:36.17]
the security appropriate to the risk um and so so
it's it's a fact-based uh decision where you're
[00:32:43.09]

[00:32:43.09]
saying okay what is the risk and then what levels
do we need to take uh to protect it you may not
[00:32:48.06]

[00:32:48.06]
need to encrypt all information at all times
um i use encryption as an example because it's
[00:32:53.20]

[00:32:53.20]
kind of easy but frankly there are times when um
you are prohibited from encrypting information
[00:33:00.12]

[00:33:00.12]
and some security professionals might be
scratching their head so if you do business
[00:33:04.06]

[00:33:04.06]
in russia for example the russian government
will not let you encrypt information so ncr has
[00:33:10.23]

[00:33:10.23]
employees in russia because we sell atms and we
sell all kinds of goods in russia and we cannot
[00:33:16.12]

[00:33:16.12]
encrypt our employees laptops so if a laptop
is stolen um we have to deal with that issue
[00:33:24.10]

[00:33:25.07]
um also uh in the payment world um if you are
an end-to-end payment processor for credit card
[00:33:31.12]

[00:33:31.12]
processing there's only about a dozen of those
in north america although ncr is actually one of
[00:33:36.12]

[00:33:36.12]
those um your vault if you're the the the uh
the indian payment processor so like the the
[00:33:43.22]

[00:33:43.22]
world pay the global pay the t system for the
world your vault of credit card information um
[00:33:50.23]

[00:33:50.23]
by uh by industry standard cannot be encrypted
because it actually has to be live data uh and
[00:33:56.17]

[00:33:56.17]
you're not allowed to encrypt it by an industry
standard so you have to understand what level of
[00:34:01.01]

[00:34:01.01]
risk your company is willing to take what level
of governance your company is willing to take
[00:34:06.12]

[00:34:06.12]
and so i want to just highlight that there
is that privacy and security go hand in hand
[00:34:11.03]

[00:34:11.03]
but oftentimes privacy layers on some additional
things around um some additional requirements
[00:34:17.14]

[00:34:18.08]
making sure that you only collect the
minimum amount of information and the like
[00:34:21.09]

[00:34:22.00]
so what a brief a bit about uh about privacy and
security that's oftentimes conflated so i just
[00:34:26.17]

[00:34:26.17]
want to spend a minute there um so the next topic
i want to dig into is really what are the key
[00:34:34.04]

[00:34:34.04]
privacy principles and how do you think through
those if you go into a company um and and you sort
[00:34:39.18]

[00:34:39.18]
of say okay what are my governing principles
i walk into an organization and they either
[00:34:43.12]

[00:34:43.12]
have to build a privacy program or i'm being
part of a privacy program or i'm frankly just
[00:34:48.17]

[00:34:49.12]
an employee and so these are the core privacy
principles that you should sort of inquire around
[00:34:54.13]

[00:34:55.07]
and understand how an organization is handling
these and again there could be variation because
[00:35:00.15]

[00:35:00.15]
some some organizations like facebook they may may
share data more freely than companies uh like like
[00:35:08.08]

[00:35:08.08]
an apple um and just a couple of these um i keyed
off on the data minimization principle uh this is
[00:35:15.12]

[00:35:15.12]
key to privacy is really gather the minimum amount
of information you need for the purpose uh just
[00:35:23.05]

[00:35:23.05]
because you can gather a slew of information just
because you can scrape the internet for a bunch of
[00:35:27.07]

[00:35:27.07]
information that doesn't mean you can under good
privacy principles it says what is the minimum
[00:35:32.04]

[00:35:32.04]
amount of information um and so think about uh uh
you going back to an office and somebody taking a
[00:35:38.19]

[00:35:38.19]
temperature to allow you to go in to the office
data minimization would say don't record that
[00:35:45.03]

[00:35:45.03]
you can have a temperature scan of somebody um and
if they meet a certain threshold below a certain
[00:35:50.00]

[00:35:50.00]
temperature scan and they're not they don't
have a fever you can let them in but there's
[00:35:53.16]

[00:35:53.16]
no need to actually retain that unless you have a
significant business interest and you justify that
[00:35:58.08]

[00:35:58.08]
but really challenge yourself to collect only the
minimum amount of information that that you need
[00:36:03.20]

[00:36:03.20]
for a business purpose you don't need four phone
numbers you don't need a home address maybe you
[00:36:09.05]

[00:36:09.05]
don't need backup emails you know collect only
the minimum amount of information um you'll see
[00:36:16.21]

[00:36:16.21]
that the second to last one integrity and
confidentiality that's the security that's
[00:36:20.19]

[00:36:20.19]
where the security team the security professionals
really come in privacy also says that you can only
[00:36:29.05]

[00:36:30.06]
process gather collect or store or use
personal data um if you've gathered it lawfully
[00:36:37.09]

[00:36:39.01]
and and and you have a reason for doing so and so
there's some lawful basis and the way you think
[00:36:44.15]

[00:36:44.15]
about this is how do i actually document this
what is my thought process uh around processing
[00:36:50.12]

[00:36:50.12]
and so uh there are several bases for which you
can say i i'm entitled to have this person this
[00:36:56.06]

[00:36:56.06]
person's information and do something with it
and that can be by their consent um by either
[00:37:01.16]

[00:37:01.16]
a written consent or a click-through consent um
that can be a contract so you have a contract
[00:37:07.01]

[00:37:07.01]
with a customer or a contract with an employee and
you need that it could be for a legal obligation
[00:37:12.06]

[00:37:12.06]
or because you have are required by law or by
some criminal statute to retain information
[00:37:17.14]

[00:37:19.12]
there could be a vital interest or other
other ways that you need to think through this
[00:37:23.16]

[00:37:24.08]
so um one of the other uh the last principle
there is accountability and that's the bedrock
[00:37:29.11]

[00:37:29.11]
principle for all privacy what that means is
you should be thinking through all of these
[00:37:33.14]

[00:37:33.14]
questions but accountability says you have to
document these things you have to document it
[00:37:38.02]

[00:37:38.02]
through a privacy policy that governs how
you're using information on your website
[00:37:43.09]

[00:37:43.09]
um and so a lot of folks are familiar with these
privacy policies and little cookies that pop up uh
[00:37:47.22]

[00:37:47.22]
and that sort of thing so you have to document it
uh how you document it in um a contract or consent
[00:37:55.11]

[00:37:55.11]
uh or your your contracts with your customers or
your employees uh you have to be accountable you
[00:38:01.18]

[00:38:01.18]
basically have to challenge yourself to write
down and show your analysis um and you also
[00:38:07.03]

[00:38:07.03]
are accountable to uh to the data subjects and
those are the folks are who are the individuals
[00:38:13.03]

[00:38:13.03]
in europe uh who have rights like right to access
a right to erasure so you have to understand if a
[00:38:19.20]

[00:38:19.20]
data subject an individual in europe for example
says i need a copy of all the data you have on me
[00:38:25.12]

[00:38:25.12]
you have to build out a process to respond to that
it could be a customer it could be an employee
[00:38:32.23]

[00:38:32.23]
it could be somebody who applied for a job and how
are you going to handle that so my recommendation
[00:38:38.02]

[00:38:38.02]
there is really to have a single point of
contact for all your data subject access requests
[00:38:43.03]

[00:38:43.22]
and then a way to verify the identity of the
person understand how they interacted with your
[00:38:48.06]

[00:38:48.06]
company organization and then really build out a
process but how do you go and actually retrieve
[00:38:52.21]

[00:38:52.21]
that information from all of the servers so
you may have to go and look at an it server
[00:38:57.07]

[00:38:57.07]
you might have an hr system that you have to that
you have to query and you have certain time limits
[00:39:02.21]

[00:39:03.18]
so you have to build out processes
for these accountability because
[00:39:07.03]

[00:39:07.03]
folks have the right to get this information
and you have to have governance around it in
[00:39:13.12]

[00:39:13.12]
a lot of cases you'll have some help from data
protection officers um and the like so i do want
[00:39:19.18]

[00:39:19.18]
to pause and see if there's any questions before
we move on to some privacy by design principles
[00:39:23.11]

[00:39:24.02]
we uh we do have a question so we have one
having to trade-off between security and
[00:39:29.11]

[00:39:29.11]
privacy in particular um the cso would presumably
use information or data for monitoring to defend
[00:39:39.03]

[00:39:39.03]
and defending um and that might compromise
privacy and so this person is wondering what
[00:39:45.16]

[00:39:45.16]
is the red line that a chief privacy officer will
not cross when it comes to making that trade-off
[00:39:51.03]

[00:39:52.21]
that's an interesting question i worked
hand-in-hand with cso organization
[00:39:56.12]

[00:39:56.12]
and i'm a big proponent of information security
um you know it's not simply a red line but what
[00:40:02.04]

[00:40:02.04]
we do is we do privacy impact assessments of of
all of our processes uh whether it's a tool or
[00:40:07.16]

[00:40:07.16]
technology whether it's a monitoring tool offer uh
for website traffic uh for uh email filters uh or
[00:40:15.14]

[00:40:15.14]
or the like or we're monitoring you know the
external world or that sort of thing so we do
[00:40:19.16]

[00:40:19.16]
have a lot of monitoring tools and technology
and i'm going to walk through an another slide
[00:40:24.23]

[00:40:24.23]
or two uh privacy impact assessments and so we
would conduct a privacy impact assessment and we
[00:40:29.18]

[00:40:29.18]
would look at all of the facts uh and this and
and what kind of information we're gathering
[00:40:34.15]

[00:40:34.15]
and we would challenge the cso organization
to say do you really need to gather that
[00:40:38.00]

[00:40:38.00]
information do you need to know a person's email
address or simply their ip address enough and so
[00:40:44.17]

[00:40:45.12]
we would draw the line at certainly illegal or
improper activities but we would inform them
[00:40:53.01]

[00:40:53.01]
that there are a lot of ways to mitigate the
privacy risk now it's always a delicate balance
[00:40:59.07]

[00:40:59.07]
and that's why privacy is a thinking exercise
that's why it takes a lot of smart folks
[00:41:03.11]

[00:41:03.11]
uh to really have a good and vigorous
debate um you may win some you may lose some
[00:41:08.06]

[00:41:08.06]
of the time but again it's accountability that
last principle there is where you actually
[00:41:12.23]

[00:41:12.23]
uh you know gdpr most privacy laws really
require you to to have evaluated it have a
[00:41:19.07]

[00:41:19.07]
fair conversation document what position you took
and why you took it the benefits and the risks and
[00:41:25.12]

[00:41:25.12]
file that away in a privacy impact assessment or
other methods and then revisit that every so often
[00:41:31.20]

[00:41:32.12]
as new products get launched as new processes get
launched as new tools get launched and then really
[00:41:37.11]

[00:41:37.11]
adjust it based on kind of the risk profile so
it's not a a one and done activity it's a constant
[00:41:42.08]

[00:41:42.08]
thing um and you may get it wrong frankly
um you know there are lots of uh regulatory
[00:41:47.22]

[00:41:47.22]
actions that have happened across europe in fact
since gdpr became effective there have been 400
[00:41:53.12]

[00:41:53.12]
enforcement actions uh so there are presumably
400 companies that that got it wrong um you guys
[00:42:00.12]

[00:42:00.12]
may have seen a lot of the fines um across europe
some of the headline ones like the marriott fine
[00:42:05.05]

[00:42:05.05]
or the british airways fine or some of the other
finds uh for google and the like um but there's
[00:42:10.15]

[00:42:10.15]
also a whole lot of smaller fines um and so you
may you may get it wrong um and so you have to
[00:42:16.21]

[00:42:16.21]
be comfortable taking a risk-based approach you
have to be comfortable making uh decisions with
[00:42:22.10]

[00:42:22.10]
imperfect information you have to be comfortable
working with stakeholders security says i want
[00:42:27.09]

[00:42:27.09]
this you say but i need you to build this in and
the finance team says we don't have the money
[00:42:31.09]

[00:42:31.09]
to do that uh and so you really have to try to do
the best you can with the facts that you have it's
[00:42:36.08]

[00:42:36.08]
a fair question um i think it's job security for
smart folks also uh because i'm always gonna be at
[00:42:41.11]

[00:42:41.11]
the table advocating for privacy and i don't think
my work will ever be done but it's a good question
[00:42:45.07]

[00:42:46.23]
uh thank you for that in our privacy class we
have students learn how to do pias and uh and
[00:42:53.11]

[00:42:53.11]
we talk about the importance of documenting these
decisions in case you are in a court of law and
[00:42:57.20]

[00:42:57.20]
you have to be able to show due diligence so that
was great thank you and i think sometimes a court
[00:43:03.03]

[00:43:03.03]
you know even if you uh get it wrong but you've
tried and you've given a really good effort you
[00:43:07.09]

[00:43:07.09]
know the the regulators of the court and the
and all these outside agencies you know they
[00:43:11.22]

[00:43:11.22]
have a tremendous amount of discretion to say
do they do they pursue a case uh do they um
[00:43:17.20]

[00:43:17.20]
do they work with you do they find you uh
and what is the amount of defined so these
[00:43:22.21]

[00:43:22.21]
regulators have tremendous discretion um
and so you know if you are you know if you
[00:43:28.17]

[00:43:28.17]
are accountable and you document your process
through privacy impact assessments or the like
[00:43:32.23]

[00:43:32.23]
you show how you have accountability for these
privacy principles that fine goes way down i'll
[00:43:37.12]

[00:43:37.12]
i'll give two examples um if any of you followed
the information of commissioner's office in the
[00:43:42.10]

[00:43:42.10]
uk had two big fines one against um british
airways and one against marriott and it said
[00:43:48.12]

[00:43:48.12]
we're gonna find each of these companies i
think it was about a hundred million dollars
[00:43:52.02]

[00:43:52.02]
each because of their their uh their security
practices and their uh their security breaches
[00:43:58.12]

[00:43:59.01]
and what happened well this was just a notice
but both of these companies uh worked with the
[00:44:03.11]

[00:44:03.11]
regulators told their story um and tried to to do
the right thing and those fines were reduced by 90
[00:44:12.08]

[00:44:12.21]
each so the ico went out and said i'm going to
find you 100 million dollars and just last month
[00:44:19.11]

[00:44:19.11]
in october they said the final find those were
the proposed fines but the final signs are a
[00:44:24.10]

[00:44:24.10]
small small fraction um of of what they thought it
was going to be so um but good questions for sure
[00:44:32.13]

[00:44:33.16]
i do want to spend a minute about privacy by
design and so this is uh some fundamental things
[00:44:38.15]

[00:44:38.15]
where um when you're walking into an organization
or understanding how you're going to really think
[00:44:43.18]

[00:44:43.18]
about privacy um these are some fundamental
principles so if you are building a new process
[00:44:49.11]

[00:44:49.11]
a new tool or encountering something where
personal data is involved um you really want to
[00:44:55.22]

[00:44:56.12]
understand some of these key privacy by design
principles that privacy is embedded in the
[00:45:02.08]

[00:45:02.08]
design it's not a bolt-on that um it's a default
setting um that there's a respect for user privacy
[00:45:10.21]

[00:45:10.21]
that there's end-to-end life cycle security
so that's where the security folks come
[00:45:14.21]

[00:45:16.13]
that you um you you really think about it from
from the from the beginning and so how does that
[00:45:22.21]

[00:45:22.21]
play out in a company well it's important that
you as a privacy professional embed yourself in
[00:45:28.17]

[00:45:28.17]
a secure development lifecycle process so for
example if a company's launching a new product
[00:45:32.17]

[00:45:32.17]
you want to get in at the ground level and inform
how they build that product if there's a new
[00:45:37.22]

[00:45:37.22]
launch of a technology in the it organization
or finance organization or you're bringing on
[00:45:42.12]

[00:45:42.12]
a new vendor you want to go in and help them
think through what settings what integration
[00:45:48.17]

[00:45:48.17]
so that privacy is considered so maybe you toggle
off who has administrative rights what level of
[00:45:55.11]

[00:45:55.11]
view people can see you might need to have um
some privacy notices that pop up and say we're
[00:46:01.14]

[00:46:01.14]
gathering this information here's what we're going
to do with it um and so you need to understand um
[00:46:08.04]

[00:46:08.04]
really how to get in and design with privacy
in mind you know a simple example is if you're
[00:46:13.07]

[00:46:13.07]
developing a mobile application you know the
minute somebody types in the first number of their
[00:46:17.07]

[00:46:17.07]
social security number they type one number and it
x's out they type the second number and the second
[00:46:21.20]

[00:46:21.20]
number x's out so that the full view isn't isn't
there so there are a lot of really good practices
[00:46:27.05]

[00:46:27.05]
that where you can build privacy from the ground
up and really be part of the conversation when you
[00:46:32.23]

[00:46:32.23]
launch a new product a tool a technology both
customer facing but also internal so if you're
[00:46:39.16]

[00:46:39.16]
launching a new email system or a new server or
a new you know i.t tool is really to have the
[00:46:48.04]

[00:46:48.04]
privacy folks involved at every step of the way
and periodically re-evaluating so privacy is not
[00:46:55.03]

[00:46:55.03]
i did my privacy impact assessment at the
beginning and i'm putting it in a file cabinet
[00:46:59.14]

[00:46:59.14]
it's really to really be involved throughout
the entire uh life cycle of a tool or technology
[00:47:06.04]

[00:47:07.01]
um and so i want to key in on this visibility
and transparency uh and so what does that mean
[00:47:12.21]

[00:47:12.21]
it means that we as privacy professionals
are supposed to explain either to anybody
[00:47:18.06]

[00:47:18.06]
uh to anybody whose personal data we collect or
process what we're doing in an easy way we have
[00:47:24.15]

[00:47:24.15]
to make sure that the individuals understand
our data use understand our privacy practices
[00:47:30.00]

[00:47:30.00]
in layman's terms and that's a real challenge for
lawyers like me because we have to kind of make it
[00:47:34.15]

[00:47:34.15]
uh really for uh geared towards a user and so i
wanted to share uh video number three uh which
[00:47:41.05]

[00:47:41.05]
is snapchat video i think snapchat does privacy by
design pretty well and here's how they articulate
[00:47:46.17]

[00:47:46.17]
uh in a simple way what kind of information
they gather your privacy is important that's
[00:47:52.06]

[00:47:52.06]
why we made this quick video to show you what we
do with your information let's get started to make
[00:47:57.18]

[00:47:57.18]
snapchat and bitmoji better we learn a bit about
you for example we learn things you share with us
[00:48:04.10]

[00:48:04.10]
like your email during sign up or information
others share with us like when a friend adds
[00:48:10.13]

[00:48:10.13]
their contact list and we learn about
you when you use our apps for example
[00:48:15.11]

[00:48:15.11]
when you subscribe to a discover channel or
update your bitmoji you're probably wondering
[00:48:21.11]

[00:48:21.11]
what do we do with this information we use it
to improve our apps and to create new features
[00:48:26.23]

[00:48:28.02]
we also use it to show you discover
content you might like and sort your
[00:48:31.20]

[00:48:31.20]
friends stories by whose you watch the most to
keep everything up and running we show you ads
[00:48:38.08]

[00:48:39.01]
so we use your information to try and make sure
those ads are for things you might like we never
[00:48:44.13]

[00:48:44.13]
sell your information to advertisers when we do
share your information it's usually when you ask
[00:48:49.22]

[00:48:49.22]
us to like when you send a snap to a friend we
sometimes share your information with other snap
[00:48:55.09]

[00:48:55.09]
companies like bitmoji partners who provide our
services or when required by law our policy is
[00:49:03.01]

[00:49:03.01]
to delete messages by default when we do store
your information it's usually because you ask
[00:49:08.04]

[00:49:08.04]
us to like when you save a snap to memories your
account and other information like the content you
[00:49:13.20]

[00:49:13.20]
like and the ads you've seen can be stored for
longer remember you can always view and update
[00:49:20.04]

[00:49:20.04]
your information and privacy settings for things
like our story and snapmap thanks for watching
[00:49:25.20]

[00:49:28.19]
it's incumbent upon organizations to really
explain how they think about privacy uh and then
[00:49:34.00]

[00:49:34.00]
let the consumer or the user decide whether
or not they agree with those practices um
[00:49:39.09]

[00:49:40.02]
so i want to shift gears because we've talked
a little bit about privacy impact assessment
[00:49:43.03]

[00:49:43.03]
so if we can actually queue poll number three
which asks whether or not you guys have been
[00:49:48.08]

[00:49:48.08]
involved in uh privacy impact
assessments uh the answers are
[00:49:52.10]

[00:49:52.10]
yes no we're not sure so we'll give folks
a minute to respond to poll number three
[00:49:56.08]

[00:49:57.18]
and evan if you wanna uh share your slides again
you'll probably have to be share i think when i
[00:50:05.09]

[00:50:05.09]
put the video up it it took it down ah got you
okay i'll do that while folks are uh uh the poll
[00:50:12.06]

[00:50:17.09]
so votes are coming in i'm hoping that the yeses
are either people uh who've done them in work or
[00:50:23.01]

[00:50:23.01]
maybe our students who've had to write two pias
for two different systems this semester in our
[00:50:27.16]

[00:50:27.16]
privacy class but right now uh we're almost at
the end of the poll we have 45 percent say yes
[00:50:36.21]

[00:50:37.16]
29 percent say no and 28 say not sure yeah so a
privacy impact assessment is really just a way
[00:50:46.17]

[00:50:46.17]
an organization understands uh the personal data
involved in a tool technology product or process
[00:50:52.17]

[00:50:53.16]
and then what the why it's gathered how it's used
the security measures um how we mitigate the risk
[00:51:02.15]

[00:51:02.15]
and all of these things and so it can be a very
informal process for companies who don't have a
[00:51:07.03]

[00:51:07.03]
lot of formality but as companies become more and
more sophisticated you'll see a lot more of these
[00:51:12.15]

[00:51:12.15]
so for example in the past year and a
half in cr we've conducted over 1200
[00:51:17.16]

[00:51:17.16]
formal privacy assessments so we assess when
we're launching a new hr tool so uh when we're
[00:51:23.12]

[00:51:23.12]
launching a new payroll tool we're launching
a new product when we're taking that product
[00:51:28.23]

[00:51:28.23]
and if it's a us-based product and we're taking it
to europe we do another privacy impact assessment
[00:51:33.22]

[00:51:33.22]
because a new set of laws might apply and folks
may not know what a privacy impact assessment is
[00:51:38.21]

[00:51:38.21]
but it's really just a series of questions
and if you ever want to have a good form
[00:51:42.15]

[00:51:42.15]
for a privacy impact assessment the information
commissioner's office which is the uk regulator
[00:51:47.22]

[00:51:48.13]
you go on their website and they have a form and
it's a series of questions and it just says what
[00:51:53.12]

[00:51:53.12]
data are you what personal data are you collecting
uh what is your justification for it how are you
[00:51:59.03]

[00:51:59.03]
protecting it how are you thinking about uh risk
mitigation how are you thinking about safeguards
[00:52:05.11]

[00:52:05.11]
um do you really need it um are there ways to
to you know to achieve the same goal without
[00:52:13.05]

[00:52:13.05]
collecting or processing that personal information
um and and for real sophisticated uh processes or
[00:52:19.18]

[00:52:19.18]
products it might be a very involved impact
assessment um but we even do them at ncr for
[00:52:25.07]

[00:52:25.07]
things that are very low risk because we want to
have that accountability for somebody to say i'm
[00:52:29.18]

[00:52:29.18]
building a new product and i'm not touching
personal data and how might that happen well
[00:52:34.10]

[00:52:34.10]
we build an atm and we ship an atm machine to a
bank and that atm sits behind the bank's firewall
[00:52:40.04]

[00:52:40.23]
we we don't have any personal data that's on that
that we would have access to relative to that atm
[00:52:46.00]

[00:52:46.00]
we're shipping them a box and and simply it
sits behind the bank's firewall so in that
[00:52:50.06]

[00:52:50.06]
case we say well we want to you know launch a
new atm machine that's being shipped to nigeria
[00:52:57.12]

[00:52:58.10]
and the the product manager says i want to do
this we say well is there any personal data and
[00:53:02.17]

[00:53:02.17]
they say nope uh it's nigeria we look at the risk
and we say okay great it could be a ten minute
[00:53:08.08]

[00:53:08.08]
assessment uh where you at least are understanding
the risk that's low risk proceed whereas some
[00:53:13.22]

[00:53:13.22]
others might be you know very long very detailed
uh but you know a privacy impact assessment the
[00:53:20.06]

[00:53:20.06]
length and the rigor is really dependent on the
risk um and the needs to safeguard information and
[00:53:27.09]

[00:53:27.09]
the needs to comply with laws i'll also highlight
that you know you may do a privacy impact
[00:53:31.16]

[00:53:31.16]
assessment in a law where there is no uh i'm sorry
in a jurisdiction where there's not really a lot
[00:53:36.19]

[00:53:36.19]
of privacy laws so you may say you know we're
we're expanding into peru but we still should
[00:53:41.03]

[00:53:41.03]
do a privacy impact assessment but there's not
a lot of regulations that we need to comply with
[00:53:45.20]

[00:53:45.20]
so we can be less rigorous with how we handle
personal data because we don't have requirements
[00:53:50.21]

[00:53:50.21]
of the law to comply there by contrast if you
do something in europe you have to you know
[00:53:54.17]

[00:53:54.17]
really look at this closely so these privacy
impact assessments are a way of just um having
[00:53:59.16]

[00:53:59.16]
a snapshot of it of documenting it of having
a thoughtful process and having accountability
[00:54:05.20]

[00:54:06.12]
and then the privacy professionals after they work
through it i recommend that privacy professionals
[00:54:10.21]

[00:54:10.21]
kind of look at it and then provide some
recommendations and a prioritized list
[00:54:14.21]

[00:54:14.21]
to the business owner of the processor tool
you know here are the top ten things we would
[00:54:19.05]

[00:54:19.05]
recommend in this order so you know you should you
should achieve number one first and then number
[00:54:23.18]

[00:54:23.18]
two and then number three um i do want to leave
some time for some questions and i know we're at
[00:54:28.15]

[00:54:28.15]
the top of the hour but i do want to uh show uh
this one final uh graphic which is uh you know
[00:54:35.18]

[00:54:35.18]
how do you really think about privacy and this
is an example of the cso i'm sorry i'm sorry the
[00:54:41.05]

[00:54:41.05]
ceo and chairman of a company called cisco uh and
he is on um squawk box on cnbc and he is saying
[00:54:48.21]

[00:54:48.21]
we believe that data privacy is a fundamental
human right um and that's what's embodied in
[00:54:53.22]

[00:54:53.22]
most modern privacy laws but frankly if your
ceo and your chairman believes that there's
[00:54:59.01]

[00:54:59.01]
going to be resources allocated there's going
to be focus on it from you know an institution
[00:55:04.00]

[00:55:04.00]
or organization and you better believe that he's
made that promise to the markets that you better
[00:55:09.18]

[00:55:09.18]
have some good processes and tools um and a good
handle of it behind the scenes so that he can
[00:55:15.14]

[00:55:15.14]
say that confidently and that that you support
that important position of your chairman and ceo
[00:55:22.17]

[00:55:24.06]
so annie are there any final questions um yeah
so what i'll i'll say that uh another question
[00:55:31.07]

[00:55:31.07]
we received is how do you address conflict between
privacy regulations and surveillance law the the
[00:55:38.10]

[00:55:38.10]
two examples were gdpr versus the patriot act yeah
um and so there are a lot of conflicts and in fact
[00:55:47.09]

[00:55:47.09]
i have a slide uh see this slide which is kind
of comparing global privacy laws and this doesn't
[00:55:52.12]

[00:55:52.12]
deal exactly with surveillance but if you have a
global privacy program you'll see that there are
[00:55:57.16]

[00:55:57.16]
oftentimes conflicts of laws with how you build
the requirements of a law or surveillance of a law
[00:56:03.03]

[00:56:03.20]
there are going to be some tough situations the
question is are you really surveilling employees
[00:56:07.22]

[00:56:07.22]
so i would challenge an organization that you
know do you really need to gather that information
[00:56:13.22]

[00:56:13.22]
are you justified in gathering it um do you need
to move it outside of a company and so again
[00:56:21.12]

[00:56:21.12]
the more sensitive the information the more that
you should push back as a privacy professional
[00:56:28.06]

[00:56:28.06]
say we don't need to gather this information what
is the need uh but of course you're always going
[00:56:32.10]

[00:56:32.10]
to have to work with law enforcement um and so
often times uh you may get a subpoena uh you may
[00:56:39.05]

[00:56:39.05]
you may have to deal with a lot of competing
things and that is just part of business uh
[00:56:43.22]

[00:56:43.22]
that is the risk that privacy professionals have
to understand and advise the business about um but
[00:56:49.18]

[00:56:49.18]
it becomes a business risk that businesses need to
understand um how to reconcile those things it's
[00:56:55.20]

[00:56:55.20]
a tough it's a tough uh job again i think it's
job security uh the other thing that i'll note is
[00:57:01.05]

[00:57:01.05]
that you may not have all of the answers and to be
smart about where can you find folks who can help
[00:57:07.07]

[00:57:07.07]
make you a better privacy professional help
you make a better decision and so you may need
[00:57:12.19]

[00:57:12.19]
to consult with law firms consultants folks
who are other privacy professionals academics
[00:57:18.04]

[00:57:19.12]
you know you may need to reach out to
folks and really get some additional
[00:57:24.00]

[00:57:24.00]
information to understand the risk and a
lot of it is fact based very fact specific
[00:57:29.16]

[00:57:33.09]
thank you so much evan uh this was a
great great discussion i think there's a
[00:57:39.05]

[00:57:39.05]
lot of students in our class who came who are
really interested in hearing from a real cpo
[00:57:44.06]

[00:57:44.06]
and how you really start your you know create
a good privacy program i think he talked a lot
[00:57:49.16]

[00:57:50.06]
about things that really instill culture
too so when you have that many pias being
[00:57:55.11]

[00:57:55.11]
performed in one company it really says a lot
about the culture of the company as well and i
[00:57:59.18]

[00:57:59.18]
think that's super important and we thank you for
that um so i'm gonna ask everyone to please join
[00:58:05.18]

[00:58:05.18]
me in thanking evan for joining us today we've
learned a lot about privacy programs a lot about
[00:58:10.13]

[00:58:11.14]
the challenges and real world challenges of
uh privacy in a very changing global landscape
[00:58:19.18]

[00:58:19.18]
nationally and internationally and um and
then i'll just point out this is our last
[00:58:25.22]

[00:58:25.22]
uh virtual cyber security lecture of the
semester i guess i should have turned
[00:58:30.02]

[00:58:32.10]
this is our last uh virtual cyber security lecture
of the suit of the semester but we uh invite you
[00:58:39.03]

[00:58:39.03]
all to join us again in january we'll we'll
have another series of outstanding speakers
[00:58:44.12]

[00:58:44.12]
um like uh like evan and i ask that you please
join me in thanking him in the uh chat today and
[00:58:51.05]

[00:58:51.05]
at this point i will start stop recording and
we look forward to seeing you again in the new
[00:58:55.11]

[00:58:55.11]
year thank you once again everyone everybody
i really enjoyed the conversation thank you
[00:59:03.20]

[00:59:11.01]
you
[00:59:11.13]