BEYOND CONSULTING | EXCELLENCE IN EXECUTION

KIMON ZORBAS

Big Data & PrivacyHow to address privacy concerns and fears

AND gain better insights and data

SAS Forum BeLux 2014 Louvain-la-Neuve

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Is Privacy an issue for you?

• Financial Times survey (non-representative) on

• Respondents who have changed their online behaviour in past year because of privacy concerns:

• 65 % or Europeans; 87 % of US Americans

• (Of course, high-income earners, educated: you)

• But if you are worried, shouldn’t your clients be?

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Privacy – Business relevance?Source:BCG Global Consumer Sentiment Survey 2013

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Privacy – Business relevance?You have to deal with privacy – in your own interest

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

“Privacy concerns must be addressed—and giving consumerscontrol can help …

Our analytics leaders were unanimous in their view that placingmore control of information in the hands of consumers, alongwith building their trust, is the right path forward.”

Source:McKinsey QuarterlyInsights & Publications, March 2014,“Views from the front lines of the data analytics revolution”

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Overview

• Status quo on privacy and business issues

• Business challenge / User issues

• Legal outlook

• Managing the challenge

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Status quo: privacy framework

• Data Protection Directive (95/46/EC)

– Dating back to 1995 – pre-internet

– For data processing that allows directly or indirectly identification of an individual

– 32 variations - national implementations: 28 EU countries, 3 EEA countries (NOR, ICE,

LIE) & CH

– Allows processing in frame of contract or through (explicit) consent

– ICT industry avoided regulation (use of pseudonymous / anonymous data)

– Not fit for purpose (e.g. favours platforms that can easily obtain users’ explicit consent)

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Status quo: privacy framework

• E-Privacy Directive (2002/58)

– 32 national variations

– Regulates telecoms AND cookies (information stored or accessed on a device)

• What about fingerprinting? Pre-installed identifiers? Google ID?

– Requires “consent” (to be interpreted according to Data Protection Directive, 95/46/EC)

– Currently, implied consent accepted in most countries (see pop-ups)

– (But likely to change to an explicit consent due to regulatory changes)

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Business challenges

• Workforce shortage (lack of data analysts) – technology can address some of it

• Lots of (unstructured) data

• Often poor data quality (e.g. OBA)

• Legal restrictions

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Business challanges

• Data ownership

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Business challenges / User issues

• Snowden aftermath

• NSA, GCHQ, BND, CIA …. tapping

• iCloud breach

• JP Morgan breach

• Google WiFi sniffing; cookies circumvention; data unification

• WhatsApp who’s online sniffing

• …

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Business challenges / User issues

• Online advertising most issues

• Ad-management (Adblock Plus; Ghostery; Privowny)

• Bad ads (see amazon example)

• Retargeting – disturbance (small segment, large damage)

• In a nutshell: users are feel insecure

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Legal outlook

• Data Protection Regulation (draft, COM 2012/11)

– Applicable as is, no transposition required (grace period 1.5-2 years)

– Currently passed at European Parliament Committee (LIBE Committee) level

– Needs to be approved by European Council (slow progress – could go fast)

• E-Privacy Directive:

– Revision announced

– Likely to become a regulation

– Probably to link to “tracking”, not cookies (storing / accessing technologies)

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Legal outlook: details

• Personal data definition (Regulation is only applicable if personal data is processed):– Any identifier that allows direct or indirect identification of an individual is now personal data– Pseudonymous data (“personal data that cannot be attributed to a specific” …user… “without

the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”): allows for a less strict regime

• User rights (notification: clear and easily understandable; right of access; rectification; erasure; right to object to profiling; right to compensation and damages)

• Explicit consent– Limitation to get consent via terms & conditions (“… a contract … shall not be made

conditional on the consent to the processing of data that is not necessary for the execution of the contract ...”)

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Legal outlook: details

• Legitimate Interest– Data processing is relevant for a contract– Data is disclosed to a third party and that is “reasonable user expectation”

• Presumed for pseudonymous data• Profiling (“any form of automated processing of personal data intended to evaluate certain personal aspects

relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”)– (Notification that profiling takes place!)– Possible in a contract relationship; consent or national law allows it; and only if not solely based on

automated processing (i.e. some human intervention required).– But prohibited if it discriminates, based on sensitive data categories (“race or ethnic origin, political opinions,

religion or beliefs, trade union membership, sexual orientation or gender identity”)– Profiling based on pseudonymous data is permitted.

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Managing the challenge & Opportunity

• Objective: move towards quid pro quo: receive better data from users that provide you with better data and deeper insights

• How to get there? Dashboards

• Some examples:

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Yahoo dashboard

• https://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/

• 1st generation

• Shows collected data – very limited user interaction

• Conclusion: Very poor

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Google Dashboard

• https://www.google.com/settings/u/1/dashboard?hl=nl

• Rather …overwhelming

• Too much data

• No meaningful insights

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Nugg.ad Dashboard

• http://mtm.nuggad.net/en

• Nugg.ad collects few data

• Limited oversight

• Limited interaction

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Privowny – data management

• www.privowny.com

• User centric (‘on user’s side’)

• Data management

• Not yet linked to account

• Meaningful insights

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Experience

• Privacy = Board room issue

• All agree that we are before paradigm shift

• Companies struggle with giving up control (don’t want to admit they have non to only very limited control)

• Shift will happen

• Better be first or better getting it right?

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Competition

How much time do you have to respond to new data protection regulation, once it’s adopted?

• A: 5.5-6 years

• B: 3.5-4 years

• C: 1.5-2 years

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

Discussion / Q&As

BEYOND CONSULTING | EXCELLENCE IN EXECUTION

kimon@dbcg.eu

@kimon_zorbas

Kimon Zorbas