This cartoon is about data breach notification. All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe. And, as is often said in data security, it’s not whether a breach will happen, but when . . .
All posts in Humor
I’ve been creating security and privacy awareness training for years, and I am always in the hunt for good stock photos to illustrate these issues. I thought I’d share with you some of the most ridiculous ones I’ve come across.
For the past four years, I’ve posted just the funniest hacker stock photos, but this year, I thought I’d broaden the focus and include more privacy and security topics. Without further delay, here they are . . .
This cartoon about artificial intelligence is based on something I often hear — that it is impossible to understand how certain decisions are made by certain algorithms. I wonder whether this problem is due to the fact that not enough effort is being devoted to addressing ethical issues such as the transparency of the decisionmaking process. It’s easy to say in the abstract that ethics is important. But to truly matter, ethics must be a part of the primary design process, not a secondary consideration. The amount of innovation going into new technology is staggering. Although time and effort are being spent on ethics, far less innovation is going into developing the ethical part of technological design.
Happy Halloween! I hope you enjoy this privacy cartoon about Halloween and Big Data.
This cartoon is about consent under the GDPR. Under the GDPR Article 6, consent is one of the six lawful bases to process personal data. Article 7 provides further guidance about consent, including the data subject’s right to withdraw consent. The meaning of what “consent” requires is most thoroughly stated in Recital 32:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Here’s a new HIPAA cartoon. This cartoon is about protected health information (PHI). In the HIPAA regulations, the definition of PHI is quite complicated, as it is splintered into at least three separate parts that appear in HIPAA’s definitions section. Pursuant to HIPAA, 45 CFR 160.103:
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
This cartoon is about the GDPR’s right to data portability under Article 20. This right allows data subjects to take their data from one organization and transfer it easily to other organizations. Pursuant to the GDPR Article 20:
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
This cartoon is based on a fairly recent trend – countries that are requiring data localization. Data localization involves requirements that personal data collected in a certain country reside on servers within that country’s borders.
Here are some articles on data localization worth looking at:
• Bret Cohen, Britanie Hall, and Charlie Wood, Data Localization Laws and their Impact on Privacy, Data Security, and the Global Economy (ABA Antitrust)
• Manuel Maisog, Making the Case Against Data Localization in China (IAPP)
• Jyoti Panday, Rising Demands for Data Localization a Response to Weak Data Protection Mechanisms (EFF)
For global organizations as well as organizations in the EU, the GDPR has brought significant attention and resources to privacy. Finally, many executives are beginning to take privacy seriously. As I recently wrote in my article, Prime Time for Privacy, at Bloomberg Law:
The GDPR has taken privacy to the next level. Before the GDPR, nothing had fully gelled around what protecting privacy actually entailed. The consequences of poor privacy were also rather vague in many cases. There was no clear blueprint for protecting privacy. Organizations would do just one or two things, such as provide a notice of privacy practices and keep data secure, and then claim they were protecting privacy. But they were only doing a fraction of what was truly needed to protect privacy.
The GDPR has changed all that. It provides a blueprint for protecting data that is more thorough and complete than nearly any other privacy law. The GDPR contains provisions that require governance measures, data mapping, assessment, data protection by design, and vendor management, among other things. It provides for individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability. The GDPR has a broad definition of personal data, and it applies across different industries, so it provides a comprehensive baseline of privacy protection.
Now, privacy professionals can point to a definitive source of the various norms, best practices, standards, and rules that have long existed in fragmentary form. The GDPR has penalties that will keep the CEO awake at night. Privacy professionals can point to it and say, “This is what we need to do, and this is why.”
In the past few weeks, with enforcement of the General Data Protection Regulation (GDPR) beginning on May 25, countless organizations launched emails and pop up notices about changes in their privacy notices in light of GDPR. This cartoon pokes a little fun at the blizzard of changed privacy notice notices.