Once again, I will be speaking at the InfoSeCon security conference. Last year, I had a really great experience and met some excellent speakers as well as made a few new friends. I’m looking forward to a repeat of that experience this year.
This year, I’m going to give two presentations on privacy issues. One of them is from the business perspective, “The Man’s Got His Eye On Me”: Understanding Your Customer’s Privacy Perceptions. Here’s the presentation abstract:
You have been audited by several accredited security auditors and found to be completely in compliance with both the current EU Data Protection Directive and your local government’s implementation of that directive. Still, you are receiving a high volume of customer complaints about perceived violations of their privacy. Since you must investigate each complaint, and the volumes are so large, you’ve had to set up a special department with dedicated staff to deal with these matters. All of this affects your bottom line in two ways: overtly due to the expense of dealing with all of the complaints and covertly due to the negative reputation you are developing amongst your customers, present and future.
Does the above paragraph sound familiar to you? Do the issues raised resonate with your current thinking? If the answer to either of these questions is “Yes,” this presentation will help you understand the rationale behind the data protection directive and related privacy legislation by looking at how your customers may feel about privacy as individuals.
Several actual Data Protection complaints to the Irish Data Commissioner will be examined, along with some recent privacy-related news reports and other privacy literature, in an attempt to identify and concisely articulate common themes. Exposing these themes and how they relate to the legislation will provide insight into the motivating spirit behind the law and identify core privacy concerns. Capturing the spirit of the various privacy laws will allow you to assess your current data requirements and management practices to determine whether there are ways you can go beyond compliance and address your customers’ concerns proactively, to the benefit of both your business and your reputation.
The second one is more focused on people who design and build software for a living, so it’s more technical. Here’s the abstract for the second presentation, Design Considerations and Strategies for Data Protection Compliance:
If you are responsible for designing or implementing software systems and think that privacy concerns are not something you need to worry about, think again. Depending on the way a local Data Protection Controller may interpret EU and national laws, information about the way you store data, and even how you’ve labeled it, may be up for public disclosure.
How can you be prepared? By thinking about privacy issues and the results of potential investigations into privacy complaints during the design of your IT systems, you can store and manage customer data in ways that are not only secure, but also sensitive to the privacy needs of your customers.
This presentation will show the impact of privacy preparation on the requirements gathering, design and implementation stages of system delivery. It will highlight specific questions to ask business owners, and show some potential pitfalls which may lead to unnecessary cost in proving system compliance, changes to the fundamental design due to questions of compliance, or even embarrassing publicity for your clients or company as the result of a legitimate “right to access” request. Armed with this information, you will be able to build software systems that are not only better, but also more compliant with data protection legislation.
Hopefully, this year’s conference will be as much of a success as last year’s. If you’re in the mood for some security in the sunshine (although it did rain one of the days last year…), it’s worth the trip to Dubrovnik. Hope to see you there.