Insights on commercial use of data Deloitte s Privacy with a view II 13 November 2014, OCEANDIVA Amsterdam Rence Damming Privacy Officer
About me Occupation: Privacy Officer of, since April 1st 2011 Works in Telecommunications for almost 15 years Studied Economics, started career as music professional Experienced on: Data protection, Legislation, Contract management, Legal Interception and Security Past jobs include: Head of Security Telfort, Manager Legal Intercept, IT Project Manager and various positions in Customer Operations
Roadmap for today - Big Data opportunities - Experiences & restrictions - Conclusions
Big Data: everybody s talking about it
What do you mean commercial use of data??
In the last years we gained some new insights on the way personal data should be processed 6
The search for opportunity 7
We prefer trust over short time benefits. 8
: Guide in big data as a business - And yes, we are cautious. Determine course, positioning & risks Ophalen Opslaan Transporteren Ontsluiting / Presentatie Verrijken gather store transport present Enrich? Want to know more? Feel free to contact: Dennis.Groot@kpn.com
10
and Big Data positioning Big Data analyses for data improvement and effictively deliver our services Big Data for value added services (creating new business) Big Data Consulting Data with consent and aggregated for billing and network management Only with customer s explicit permission given at forehand Helping our (business) customers with solutions and maintaining trust
Big Data Mission Statement: It s all about permission and clarity All (internal and external) big data initiatives will be assessed and must comply to the strict rules and principles provided in our mission statement: Everything you do with customer data could affect customer privacy All data processed and gathered from our core services can only be used for other purposes with explicit, clear approval from the data-subject Approval is only valid when (1) explicitly given (2) in advance by the datasubject based on (3) a clear explanation by the data-controller (company) about the (4) specific purpose for which the data will be used. Data-subject s approval can be withdrawn at any time
and Big Data: Building Trust Trust = Reliability +Delight.
Building Trust: Delight? New Privacy Officer (work in progress)
Building Trust: Reliability?
Is correlatable data anonymous? Is it possible to single-out one person? Could lead to mistrust
Communicate internally! Make your employees aware of where to put their ideas to maintain trust All ideas on the big data subject can be sent to the Taskforce Big Data Through: contactinformation@company.com All ideas on sales, propositions on technical infrastructure can be sent to: techdepartment@company.com All questions on privacy and our company strategy, can be sent to: privacy@kpn.com
and Big Data: Building Trust Our Strategy Breaking down our privacy strategy: Clarity, reliability and choice
Appendix
Big Data and Telecommunications Golden Rules for Processing Telco (traffic) Data Following presentation created by: Marloes Koppelaars-Stubbe 2014, HQ, Den Haag 20
Golden Rules We have captured recent insights gained from supervisory authorities in a set of Golden Rules 21
Golden Rule 1: Everything you do with customer data could affect customer privacy It doesn t matter if you actually use or look at data or not (example: traffic filtering through spam filter is processing of customer data) It is not relevant whether or not the individual can be recognized. As soon as data is correlated with a unique identity (this can be an encrypted number) privacy is at stake. 22
Golden Rule 2: Anonimised data is not personal data and can be freely used For Telco s and the processing of location related information, Data is considered anonimised when BOTH of the following conditions are met: It is impossible to trace the data to an individual. The anonimization is irreversible It has become impossible to distinguish one person from another. (if you encrypt, don t use the same key over a longer period, 24h seems to be the absolute maximum) Anonimization can take place on network element level or on customer profiles (segmentation) Chinese walls are not considered a means to anonimise. Be aware of indirect recognition. 23
Golden Rule 3: Do not collect more customer data or store data longer than required Never collect more data than is strictly needed to fullfil the purpose of the intended activities. Always minimize the amount of data needed. Never store data longer than is strictly needed to fullfil the purpose of the intended activities. Always minimize the amount of time needed. (example: don t store data for 30 days if one day storage could be enough) 24
Golden Rule 4: Use traffic and content data only for marketing or analytics with explicit approval of the customer r Without explicit approval traffic data may only be used for: The provision of telecommunication services: billing and invoicing payment of granted access, traffic control processing of service requests on behalf of the customer, fraude detection execution of a regulatory activity or court order. Without explicit approval content data may only be used for: If required to: preserve the integrity and the security of the networks to safeguard the quality of services rendered to the customer to transfer information via the networks and services of the customer to execute a regulatory activity or court order. 25
Golden Rule 5: Approval of the customer is only valid if it is (1) based on detail information, (2) given explicitly and (3) given beforehand 26