Next Steps in Data Protection & Compliance

The privacy and data protection environment is highly complex and an unsatisfactory experience for everyone involved.

For individuals, the intensifying exploitation of personal data by companies creates an urgent and important problem for everyone: the risk of having to deal with unintended and undesired negative consequences on our everyday lives, and this risk increases with every day of inaction.

For companies, data protection and privacy topics will only further increase in relevance. The handling of personal data and protecting privacy continue to be top of mind for individuals, companies, investors, media and governments alike, and not many companies want unwanted attention regarding data ethics. The regulatory environment around the globe and new data processing technologies are becoming even more complex and fragmented. Based on first GDPR-based rulings, companies face significant efforts as well as reputational and financial consequences in case of neglect or non-compliance due to increasing stakeholder expectations and regulation.

Instead of continuing to accept this status quo, One.Thing.Less has developed a solution that helps both individuals and companies.

Our users feel safer and more confident by understanding and influencing how companies may use personal information.

Companies which partner with us build trust with the public, investors and authorities by demonstrating user-friendly transparency, data ethics and corporate responsibility.

Join this session to find out how One.Thing.Less connects individuals and companies.


Key takeaways:

- Delegates can shift their company conversations and strategies regarding privacy and data protection from focusing on legal and technical compliance to embracing an opportunity to engage and build trust with customers.

- Delegates can experience a tangible solution in demonstrating user-friendly transparency, data ethics and corporate responsibility.

- Delegates understand how they can mitigate the risk of unwanted public attention to customer-unfriendly privacy practices, neglect or non-compliance, resulting in significant reputational and financial consequences.

2018 saw GDPR coming into action and ripples of consent management, data minimization, and right to be forgotten taking their tolls. Some businesses complied, some stopped providing services in the EU, but most waited to see the first fines.
From 2019 on, with Vermont’s and California’s acts, and now Consumer Data Protection Act bill, businesses won’t be able to postpone a true Privacy first and by design strategy. This session will describe what’s ahead of us, already compliant to GDPR or not.
-------------------------
GDPR was always planned as the first movement of a broader privacy focused counter-revolution. 2018 generated new movements in Russia, China, Australia, and now the US amid exponential growth of data leaks, enlightenment on abusive data collection, or revelations on non-consented PII sharing contracts.
We can no longer use the heaviness and complexity of GDPR nor its main focus on European data subject as justifications to keep our old practices and to dodge the need for compliance. Vermont's Data Privacy Law, California’s Privacy act, and now the federal Consumer Data Protection Act bill will change our data collection, processing, and sharing rights as businesses. We need to understand and to prepare for:
• The new accountabilities and potential penalties that regulators will expect from our C executives;
• The new governance rules that our security officer will have to control and to enforce;
• The new law-abiding processes and capabilities that our business owners will have to include in their strategy;
• The new privacy requirements that our architects, designers, and operators will have to include into the services and solutions we deploy and operate.
It is all best practices and it is time for us to do it better.

Key takeaways:

- Understanding the new privacy controls and requirements that are coming when dealing with US citizens whatever they are already in the scope of GDPR or not
- Understanding the key differences with GDPR
- Understanding the new accountabilities to cover within the organization (C executives, Business owners, architects/designers, operators)

The Third Servile War was over. The slave army has been defeated, and the survivors are offered a pardon by their Roman captors. The only requirement was that they identify Spartacus, their leader (Kirk Douglas). Rather than give away his identity, however, they all begin to yell out “I’m Spartacus!”—thus preserving his anonymity by overwhelming the Romans with possibilities. (Spoiler alert: they all die as a result.) What lesson can we learn from them about preserving privacy through obscurity?

The right to be forgotten has been held as fundamental human right by various governments. The recent Facebook scandal and a series of large scale breaches has centered the discussion on the privacy implications of this right. Most people agree that the right to be forgotten should allow users to remove accounts and material that they have created in the past¬—but how easy is it to disappear from online social media and networks in an effort to preserve one’s privacy? 

A sample identity (and its associated accounts across 26 different sites) demonstrates how difficult deletion is for end users. Governments have not mandated these privacy protections for users—and even if they had, enforcement would be problematic; there is little incentive for businesses to prune existing user data.

Since users cannot rely on governments to ensure privacy, a different method of privacy assurance is proposed: privacy through obfuscation. Existing accounts and personal data may be protected through obfuscation techniques, common in other research such as location cloaking. An open-source proof-of-concept (“Spartacus as a Service”) is presented that allows for these techniques to be employed on several well-known online applications. This prototype seeks to ensure that privacy is maintained without relying on organizations removing all data from their systems—effectively yelling “I’m Spartacus!” on behalf of the user.

Key takeaways:

• See how current regulation around the Right to Be Forgotten continues to lag behind real-world use cases and end-user’s base expectations.
• Understand how privacy must be a consideration for services going forward—as systems are built, they must consider how to dispose of information and data responsibly; new legislation and regulations are coming that will seek to enforce the Right to be Forgotten.
• Internalize that ensuring privacy may not always mean deletion or removal of data—obfuscation of identities, data, etc. may be enough to preserve relative anonymity. 
• Explore various methods of obfuscation that might apply in different environments and organizations.