Goed voorbereid op privacy (Well prepared for privacy)

Draft for discussion purposes only

Uploaded by: nederlandse-beroepsorganisatie-van-accountants

Posted on 07-Jul-2015


Category: Technology


DESCRIPTION

Presentation 'Goed voorbereid op privacy' (Well prepared for privacy) by Annika Sponselee and Rob Muris.

TRANSCRIPT

Pages 1 to 6: Goed voorbereid op privacy (no text extracted from these slides)
Page 7: Goed voorbereid op privacy

Rapid technological developments have put privacy at risk.

• 1950: European Convention on Human Rights
• 1995: Need for regulation: European General Privacy Directive (95/46/EC)
• 2001: Dutch Personal Data Protection Act
• 2012: Proposal for a new EU regulation: equal level of personal data protection in all EU Member States

Page 8: Goed voorbereid op privacy (no text extracted from this slide)

Page 9: Goed voorbereid op privacy

• A legal ground for processing of Personal Data must exist
• Obligation to implement technical and organisational measures in order to secure Personal Data
• Applicable retention periods regarding Personal Data
• Obligation to inform data subjects
• Additional requirements apply when transferring Personal Data outside the EU
• A data processing agreement between parties needs to be in place
• Obligation to notify the Authorities
• Data subject rights
• Personal data shall be collected for specific, explicitly defined and legitimate purposes

Pages 10 to 11: Goed voorbereid op privacy (no text extracted from these slides)

Page 12: Goed voorbereid op privacy

Brand Risk
• Branding and positioning
• Risk to brand from privacy breach
• Potential inconsistencies between policies and practices

Employee Data Mgmt
• Employee privacy in multinational companies
• Requires localized and tailored approach

Increased Regulation
• Multiple jurisdictions of privacy regulations
• Country specific compliance
• Legal solutions for EU data transfers such as Safe Harbor or model contracts
• Industry specific privacy codes of conduct

Customer/Student Sensitivity
• Sensitivity to aggressive marketing practices
• Existing privacy policies and client expectations
• Differing perspectives and expectations
• Procedures for responding to privacy complaints

Extended Enterprise
• Relationships with partners, vendors and service providers
• Inconsistent implementation of privacy practices among independent organizations
• Who has responsibility and associated liability for privacy?

Advances in Technology
• Web-based e-commerce applications interact with clients online
• Use of personalization technologies such as cookies, smart tags, unique identifiers, client profiles, etc.
• Information exchange economy

Globalization
• CRM and HRIS systems centralize client and employee data from around the world

Page 13: Goed voorbereid op privacy

Business needs
• Direct and viral marketing initiatives
• Centralized vs. decentralized databases (ERP, CRM, Legacy)
• Data mining and business intelligence
• Replication and synchronization of information
• Personalized client/student/employee experiences

Privacy Requirements
• Processed fairly and lawfully
• Collected for specific, explicit, and legitimate purposes
• Adequate, relevant, and not excessive
• Accurate and secure
• Not kept longer than necessary
• Processed in accordance with data subject’s rights
• Not transferred to countries with inadequate protection

Page 14: Goed voorbereid op privacy

© 2012 Deloitte The Netherlands

• Strategy
• Policies
• Organization
• Risk Assessment
• Technology
• Procedures
• Metrics and Reporting
• Audit and Compliance
• Evaluation and Adjustment
• Communications, Training, Awareness

Pages 15 and 17 to 30: Goed voorbereid op privacy (Deloitte Digital; no further text extracted from these slides)

Page 31: Goed voorbereid op privacy

• Can I alter or guess other accounts?
• What are the other account numbers?
• What else can be uploaded?
• What if I alter this number?
• Can I access administrator pages?
• Can transactions be manipulated?

Pages 32 to 34: Goed voorbereid op privacy (Deloitte Digital; no further text extracted from these slides)

Page 35: Goed voorbereid op privacy

Deloitte Digital

Annika Sponselee, Senior Manager, [email protected], +31 (0) 6 1099 9302

Rob Muris, Senior Consultant, [email protected], +31 (0) 6 1099 9133

Pages 36 to 37: Goed voorbereid op privacy (no text extracted from these slides)