Transcript of: Algebraic Approach to Data Protection by Design for Data Subjects
![Page 1: Algebraic Approach to Data Protection by Design for Data ... · Design Data Controller Data Subjects. The Context: Data Protection by Design and Default (DPbD2) Upon determining processing](https://reader030.fdocuments.us/reader030/viewer/2022041121/5f34f406f290db128b648311/html5/thumbnails/1.jpg)
Dr. Rula Sayaf
Algebraic Approach to Data Protection by Design for Data Subjects
Page 2
Data Subjects
Page 3
The Context:
Data Protection by Design and Default (DPbD2)
Upon determining processing means
During the processing
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational Measures
Data Protection by Design
Data Controller Data Subjects
Page 4
The Context:
Data Protection by Design and Default (DPbD2)
Upon determining processing means
During the processing
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational Measures
Data Protection by Design
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation
• Purpose limitation
• Accurate and up-to-date data
• Storage retention
• Transparent
• Lawful
• …
Page 5
Privacy vs
Data Protection by Design and Default (DPbD2)
Upon determining processing means
During the processing
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational Measures
Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation
• Purpose limitation
• Accurate and up-to-date data
• Storage retention
• Transparent
• Lawful
• …
Page 6
Privacy vs
Data Protection by Design and Default (DPbD2)
Data Controller
• Data minimisation
• Purpose limitation
• Accurate and up-to-date data
• Storage retention
• Transparent
• Lawful
• …
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
Privacy Engineering
Privacy as Practice
Privacy as Control
Privacy as Confidentiality
Page 7
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation
• Purpose limitation
• Accurate and up-to-date data
• Storage retention
• Transparent
• Lawful
• …
Privacy Engineering
Privacy as Practice
Privacy as Control
Privacy as Confidentiality
Page 8
Status quo
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller Data Subjects
Privacy Engineering
Privacy as Practice
Privacy as Control
Privacy as Confidentiality
Focus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Page 9
Data Protection by Design and Default (DPbD2)
Scope
Risks
SOTA
Nature
Cost Purpose
Context
Technical and Organisational Measures
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation
• Purpose limitation
• Accurate and up-to-date data
• Storage retention
• Transparent
• Lawful
• …
Privacy Engineering
Privacy as Practice
Privacy as Control
Privacy as Confidentiality
Focus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Page 10
Algebraic Approach
Data Protection by Design and Default (DPbD2)
Sedicii
Identity Management
Mizen Group
GDPR Compliance Management Audits for Data Controllers and Data Subjects
Privacy Algebra
Data Protection/ Privacy by Design
PETs
Data Controller
• GDPR requirements
• Protect the rights of data subjects
Data Subjects
• Data minimisation
• Purpose limitation
• Accurate and up-to-date data
• Storage retention
• Transparent
• Lawful
• …
Privacy Engineering
Focus:
Data Register
DPIAs
Transfer
Policies
Data Subject Rights Management
Compliance Management
Page 11
Zero Knowledge Proof (ZKP)
Real-Time Verifications
Interactive zero knowledge proof using graph isomorphism (US Patent: 8,411,854 B2)
Page 12
Zero Knowledge Proof (ZKP)
Graph Isomorphism
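As an added illustration, not code from the slides and not Sedicii's patented implementation, the block below is the textbook interactive graph-isomorphism proof (Goldreich, Micali and Wigderson) that the slide refers to, written in Python. The two public graphs G0 and G1, the secret relabelling PI and the random seed are constructed sample values; how an identity attribute such as a passport record would be encoded into the graph pair is not described on the slides and is not modelled here. The example shows the three properties that make the protocol a data-minimising verification: an honest prover is always accepted, a prover without the secret can satisfy only one of the two possible challenges for any commitment, and accepting transcripts can be forged without the secret, which is why the verifier learns nothing about it.

```python
"""Interactive zero-knowledge proof of graph isomorphism (classic GMW protocol).
Added illustration only: not the patented Sedicii scheme, whose encoding of
identity attributes into graphs is not described on the slide."""
import random
from typing import Dict, FrozenSet, Iterable, List, Tuple

Graph = FrozenSet[Tuple[int, int]]  # undirected edges kept as sorted (u, v) pairs
Perm = List[int]                    # perm[v] is the image of vertex v


def make_graph(edges: Iterable[Tuple[int, int]]) -> Graph:
    return frozenset(tuple(sorted(e)) for e in edges)


def apply_perm(g: Graph, perm: Perm) -> Graph:
    """Relabel every vertex of g through perm; the result is isomorphic to g."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in g)


def random_perm(n: int, rng: random.Random) -> Perm:
    p = list(range(n))
    rng.shuffle(p)
    return p


def compose(outer: Perm, inner: Perm) -> Perm:
    """(outer o inner)[v] = outer[inner[v]]; relabelling by inner, then by outer."""
    return [outer[inner[v]] for v in range(len(inner))]


def vertex_count(g: Graph) -> int:
    return 1 + max(v for e in g for v in e)


class HonestProver:
    """Holds the secret pi with g1 == apply_perm(g0, pi) and never reveals it."""

    def __init__(self, g0: Graph, g1: Graph, pi: Perm):
        self.g0, self.g1, self.pi = g0, g1, pi
        self.rho: Perm = []

    def commit(self, rng: random.Random) -> Graph:
        # Fresh random relabelling of G1: H is isomorphic to both public graphs.
        self.rho = random_perm(len(self.pi), rng)
        return apply_perm(self.g1, self.rho)

    def respond(self, b: int) -> Perm:
        # b == 1: H = rho(G1), reveal rho.  b == 0: H = rho(pi(G0)), reveal rho o pi.
        # Each answer on its own is a uniformly random permutation, independent of pi.
        return self.rho if b == 1 else compose(self.rho, self.pi)


class CheatingProver:
    """Knows no isomorphism; can only bet on which challenge bit will be asked."""

    def __init__(self, g0: Graph, g1: Graph):
        self.g0, self.g1 = g0, g1
        self.guess, self.tau = 0, []

    def commit(self, rng: random.Random) -> Graph:
        self.guess = rng.randrange(2)
        self.tau = random_perm(vertex_count(self.g0), rng)
        return apply_perm(self.g1 if self.guess == 1 else self.g0, self.tau)

    def respond(self, b: int) -> Perm:
        return self.tau  # valid only if the verifier happened to ask b == guess


def verifier_check(g0: Graph, g1: Graph, h: Graph, b: int, sigma: Perm) -> bool:
    """Accept iff sigma maps the challenged public graph exactly onto the committed H."""
    return apply_perm(g1 if b == 1 else g0, sigma) == h


def run_protocol(g0, g1, prover, rounds: int, rng: random.Random) -> bool:
    """Commit / challenge / respond, repeated; a cheater survives each round with probability 1/2."""
    for _ in range(rounds):
        h = prover.commit(rng)
        b = rng.randrange(2)
        if not verifier_check(g0, g1, h, b, prover.respond(b)):
            return False
    return True


def challenges_answerable(g0, g1, prover, rng) -> Tuple[bool, bool]:
    """For one commitment, which of the two possible challenges could the prover satisfy?"""
    h = prover.commit(rng)
    return tuple(verifier_check(g0, g1, h, b, prover.respond(b)) for b in (0, 1))


def simulate_transcript(g0, g1, rng) -> Tuple[Graph, int, Perm]:
    """Forge an accepting (H, b, sigma) with no secret, by picking b before H.
    Forged and real transcripts have the same distribution, so real ones leak nothing."""
    b = rng.randrange(2)
    sigma = random_perm(vertex_count(g0), rng)
    return apply_perm(g1 if b == 1 else g0, sigma), b, sigma


# Constructed sample instance (not from the slides): G0 and G1 are public, PI is secret.
G0 = make_graph([(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])
PI: Perm = [1, 2, 3, 4, 0]
G1 = apply_perm(G0, PI)


def demo(seed: int, rounds: int = 40) -> Dict[str, object]:
    rng = random.Random(seed)
    h, b, s = simulate_transcript(G0, G1, rng)
    return {
        "honest_accepted": run_protocol(G0, G1, HonestProver(G0, G1, PI), rounds, rng),
        "honest_answerable": challenges_answerable(G0, G1, HonestProver(G0, G1, PI), rng),
        "cheater_answerable": challenges_answerable(G0, G1, CheatingProver(G0, G1), rng),
        "cheater_accepted": run_protocol(G0, G1, CheatingProver(G0, G1), rounds, rng),
        "simulated_accepted": verifier_check(G0, G1, h, b, s),
    }


if __name__ == "__main__":
    for key, value in demo(7).items():
        print(f"{key}: {value}")
```

The soundness argument is visible in `challenges_answerable`: because `apply_perm` is a bijection on edge sets, a commitment built from G0 can only be opened towards G0 and one built from G1 only towards G1, so whenever G0 and G1 differ the cheater answers exactly one of the two challenges and is caught in any round where the verifier's coin goes the other way. Forty rounds leave a cheater a success probability of 2^-40 while the honest prover, who can open every commitment either way, is never rejected.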
Page 13
Passport Number
Surname
First Name
Date of Birth
Place of Birth
Nationality
Expiry Date
Email address
Emily’s
Golden
Record
Match
Consent
Report
340020013
Smith
Emily
01/01/1980
Dublin
Ireland
05/05/2019
Passport
Office
Database
Emily’s
Bank
Passport Number
Surname
First Name
Date of Birth
Place of Birth
Nationality
Expiry Date
Email address
340020013
Smith
Emily
01/01/1980
Dublin
Ireland
05/05/2019
Passport Matching in Real-Time against Authoritative Source for ID Proofing
Report
COPYRIGHT © 2018 SEDICII INNOVATIONS LIMITED. ALL RIGHTS RESERVED.
Zero Knowledge Proof (ZKP)
How it Works - Passports
Page 14
Zero Knowledge Proof (ZKP)
Scenarios
Page 15
Zero Knowledge Proof (ZKP)
Network of Identity Providers
Page 16
Zero Knowledge Proofs (ZKP)
+
DPbD2
Data collection is transparent to subjects.
Data is abstracted, not encrypted in the traditional sense.
Privacy-preserving, minimised personal data collection, unless the subject consents.
The subject controls data, and is involved by running a mobile app.
“I know something you know. I can prove it without telling you what I know.”
Page 17
ZKP
Data Protection by Design and Default (DPbD2)
Page 18
Algebraic Approach
Compliance Management
Mizen Group
GDPR Compliance Management Audits:
- Focus on PETs
- Evidence-based compliance
- Cross-regulatory compliance management
Data Controller
Page 19
Algebraic Approach
Compliance Management
Mizen Group
GDPR Feedback Assessments for Data Subjects:
- What PETs
- Data controller response
- Amount of personal data
- Degree of transparency
- …
Data Subjects
Page 20
Data Subject Rights Automation
PersonalData.io (adversarial position)
• Data Controller
• Collected personal data
• The type of processing
Global Data Controllers
Govt. Utilities.
Telcos. Banks.
Companies. Exchanges
Banks.
Various Controllers
Type of Data
Type of Right
Data Subject Right Process
Govt.
Global Data Controllers
• Access to data
• Information about processing
• Algorithmic accountability
Page 21
Data Subject Rights Automation
Mizen Group PersonalData.io
Various Controllers
Type of Data
Type of Right
Data Subject Right Process
Data Subjects
Identification + Insights about Data Controllers and the collected data
Page 22
Data Protection by Design and Default (DPbD2)
Page 23
Algebraic Approach
Data Protection by Design and Default (DPbD2)
Sedicii
Identity Management
Mizen Group
GDPR Compliance Management Audits for Data Controllers and Data Subjects
Privacy Algebra
Data Protection/ Privacy by Design
PETs
Privacy Engineering
PersonalData.io
Data Subject Rights Automation
Capco
Deployment Support
Page 24
References
Berendt, Bettina, Sören Preibusch, and Maximilian Teltzrow. "A privacy-protecting business-analytics service for on-line transactions." International Journal of Electronic Commerce 12.3 (2008): 115-150.
Gürses, Seda. Multilateral privacy requirements analysis in online social network services. PhD thesis, KU Leuven, 2010.
Gürses, Seda, and Bettina Berendt. "PETs in the surveillance society: A critical review of the potentials and limitations of the privacy as confidentiality paradigm." In Data Protection in a Profiled World. Springer, 2010, pp. 301–321.
Veale, Michael, Reuben Binns, and Jef Ausloos. "When data protection by design and data subject rights clash." International Data Privacy Law 8.2 (2018): 105-123.
Morton, Anthony, et al. "'Tool Clinics' – Embracing multiple perspectives in privacy research and privacy-sensitive design." Dagstuhl Reports 3.7 (2013): 96-104.
Hoepman, Jaap-Henk. "Privacy design strategies." IFIP International Information Security Conference. Springer, Berlin, Heidelberg, 2014.