GDPR What (Identity Stuff) is it GOOD for?
From IIW
GDPR – What [IDENTITY stuff] is GOOD for?
Tuesday 1F
Convener: Dazza G.
Notes-taker(s): Tiemae H. Roquerre
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
GDPR Session Report Out:
Tip – Skip the first 38 pages
Website: gdpr-info.eu
Interesting App to Use - EDPS
Key Roles: Data Subject, Data Controller, Data Processor, DPO, DPA
Who does this apply to? Any person or any organization
Privacy vs. Data Protection
Key Takeaways:
- Article 7 – Revoking consent must be as easy as giving it
- There are many layers to what consent is – you must prove that the consent was intentional [clarify]
- Plain language requirement to make all relevant info to data subject easily understandable (Article 12)
- When the Data Controller (the party who determines the purpose and means of processing) outsources the role of Data Processor, the accountability changes
- Article 13 – puts a lot of the values of the HUE report into practice – pretty much whatever is done to personal data has to be communicated to the data subject by the data controller
- Article 13 (cont.) – the Data Controller must facilitate the data subject's right to request a copy of their data, correct their data, delete their data, and restrict the processing of their data
- TBD – trust services
- PayPal has published a paper on what our data is used for, and someone has made a map of this
- Article 14 – Data subjects must be notified when data provided by third-parties is used
- Article 15 – one of the most important mechanisms for a fair ecology for use of personal data
- You can ask a company if they have your data and ask for the company to provide it
- Huge issue: a gaping hole is that the company must verify that the individual making the request really is the data subject they claim to be – otherwise these requests are easy endpoints for identity thieves to obtain personal info from GDPR-compliant companies
- Lots of opportunity to facilitate notification requirements for GDPR
- Article 20 – Right to data portability – data subject has the right to move data around to other providers
- Sensitive personal data – very careful management about how this type of data is displayed
- There are layers of rules around different data categories
- Article 21 – shifts the burden of proving the necessity of algorithms onto the controller, and changes the income model of the commercial internet (point 2)
- Article 22 – profiling happens only if the data subject consents to it and it is made clear to the data subject
- Opinion – GDPR's purpose is to be a proponent of the data subject's rights and perspective
- GDPR provides the opportunity for companies to shift their business models to accommodate these new values
- Cloud Act??
Further Discussion Topics:
- What are the economic consequences of GDPR?
- Who will be affected?
- Engineering parts of the GDPR
Add to John Fontana’s notes – jfontana@yubico.com