GDPR What (Identity Stuff) is it GOOD for?

From IIW

GDPR – What [IDENTITY stuff] is GOOD for?

Tuesday 1F

Convener: Dazza G.

Notes-taker(s): Tiemae H. Roquerre

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

GDPR Session Report Out:

Tip – Skip the first 38 pages 

Website: gdpr-info.eu

Interesting App to Use - EDPS (European Data Protection Supervisor)

Key Roles: Data Subject, Data Controller, Data Processor, DPO (Data Protection Officer), DPA (Data Protection Authority)

Who does this apply to – Any person or organization that processes personal data of people in the EU, wherever the organization itself is based (Article 3)

Privacy vs. Data Protection

Key Takeaways:

  • Article 7 – Withdrawing consent must be as easy as giving it (Article 7(3))
  • There are many layers to what consent is – the controller must be able to demonstrate that the data subject actually consented, and consent must be freely given, specific and informed (Article 7(1))
  • Plain language requirement: all relevant information must be provided to the data subject in a concise, transparent and easily understandable form (Article 12)
  • When the Data Controller (the party who determines the purposes and means of processing) outsources processing to a Data Processor, accountability does not disappear: the processor acts only on the controller's documented instructions under a contract, and the controller remains responsible (Article 28)
  • Article 13 – puts a lot of the values of the HUE report into practice – pretty much whatever is done to personal data collected from the data subject has to be communicated to the data subject by the data controller
  • Article 13 (cont.) – The data controller must also tell the data subject that they have the right to request a copy of their data, correct their data, delete their data, and restrict the processing of their data (the rights themselves are in Articles 15 to 18)
  • TBD – trust services
  • PayPal has published a paper on what our data is used for, and someone has made a map of this
  • Article 14 – Data subjects must be notified when personal data about them is obtained from a source other than the data subject (e.g. from third parties)
  • Article 15 – the right of access, one of the most important mechanisms for a fair ecology for the use of personal data
    • You can ask a company whether it holds your data and ask the company to provide a copy of it
    • Huge Issue: A gaping hole is that the company must make sure that the person making the request really is the data subject (Article 12(6) lets the controller ask for additional information to confirm identity) – companies that answer access requests on the strength of a name or e-mail address become easy endpoints for identity thieves to pull personal information out of GDPR-compliant organizations
  • Lots of opportunity to facilitate notification requirements for GDPR
  • Article 20 – Right to data portability – the data subject has the right to receive the data they provided in a structured, commonly used, machine-readable format and to move it to another provider
  • Sensitive personal data (the "special categories" of Article 9, e.g. health, biometrics, political opinions) – very careful management of how this type of data is processed and displayed
    • There are layers of rules around the different data categories
  • Article 21 – The right to object shifts the burden of proof onto the controller, which must demonstrate compelling legitimate grounds for the processing (including the profiling behind it); paragraph 2 gives an unconditional right to object to direct marketing, which changes the income model of the commercial internet
  • Article 22 – Decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on the data subject are only allowed with the data subject's explicit consent (or where necessary for a contract or authorised by law), and must be made clear to the data subject
  • Opinion – GDPR's purpose is to be a proponent of the data subject's rights and perspective
  • GDPR provides the opportunity for companies to shift their business models to accommodate these new values
  • Cloud Act??
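The Article 15 "gaping hole" above is worth seeing in code. The following is an added example, not code from the session or from any of the organizations discussed; the user records are constructed sample data and every name in it (USERS, weak_lookup, issue_verification, fulfil_request) is an assumption for illustration. It contrasts the vulnerable pattern, releasing a data subject's record to whoever supplies a matching e-mail address, with a hardened flow in which the request is bound to the contact channel already on file through a random, single-use, expiring token, and the data released is selected by the account the token was issued for, never by anything the requester claims.

```python
"""Verifying the requester before answering a GDPR Article 15 access request.

Added illustration; USERS, weak_lookup, issue_verification and
fulfil_request are assumed names, and the records are constructed sample data.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: verification link valid for 15 minutes

# Constructed sample user records, keyed by an internal account identifier.
USERS = {
    "u-1001": {"email": "alice@example.com", "address": "1 Main St", "orders": [101, 102]},
    "u-1002": {"email": "bob@example.com", "address": "2 High St", "orders": [201]},
}

# Server-side record of outstanding verification tokens: token -> (account, expiry).
_PENDING = {}


def weak_lookup(claimed_email):
    """Vulnerable pattern: anyone who knows (or guesses) an e-mail address
    receives that person's record. Nothing here proves the requester is the
    data subject, so this is the identity-thief endpoint the notes describe."""
    for record in USERS.values():
        if record["email"].lower() == claimed_email.lower():
            return record
    return None


def issue_verification(claimed_email, now=None):
    """Hardened step 1: do not release anything yet. If an account matches,
    mint a random single-use token bound to that account and return
    (account_id, token) so the caller can send it ONLY to the e-mail address
    on file. Returns None when nothing matches; the requester gets the same
    'check your inbox' response either way, so existence is not disclosed."""
    now = time.time() if now is None else now
    for account_id, record in USERS.items():
        if record["email"].lower() == claimed_email.lower():
            token = secrets.token_urlsafe(32)          # 256 bits, unguessable
            _PENDING[token] = (account_id, now + TOKEN_TTL_SECONDS)
            return account_id, token
    return None


def fulfil_request(token, now=None):
    """Hardened step 2: release data only for the account the token was bound
    to. The token is rejected if unknown, expired or already used; the account
    is taken from the server-side record, not from anything in the request."""
    now = time.time() if now is None else now
    pending = _PENDING.pop(token, None)               # pop => single use
    if pending is None:
        return None
    account_id, expiry = pending
    if now > expiry:
        return None
    return {"account": account_id, "data": USERS[account_id]}


if __name__ == "__main__":
    # Identity thief knows Alice's e-mail: the weak endpoint hands over her address.
    print("weak:", weak_lookup("alice@example.com"))
    # Hardened flow: token would be e-mailed to alice@example.com, not shown to the requester.
    account, token = issue_verification("alice@example.com")
    print("released after verification:", fulfil_request(token))
    print("replay of the same token:", fulfil_request(token))
```

The two design points a practitioner should take from this: the controller proves control of the channel it already holds for the data subject rather than trusting identifying details that are themselves widely leaked, and the record returned is chosen by the account the token was minted for, so a requester can never steer the response toward someone else's data. For requesters with no account or no usable contact channel, the same principle applies with a different proof, which is what Article 12(6) allows the controller to ask for.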


Further Discussion Topics:

  • What are the economic consequences of GDPR?
  • Who will be affected?
  • Engineering parts of the GDPR

Add to John Fontana’s notes – jfontana@yubico.com