Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (16)
Similar a IS/DPP for staff #3a - Data
Similar a IS/DPP for staff #3a - Data (20)
Más de Tommy Vandepitte
Más de Tommy Vandepitte (20)
Último
Último (20)
IS/DPP for staff #3a - Data
- 1. - Internal - IS/DPP Baseline Training E-learning – Part 3 – Data & Classification
- 2. Data in the Center Environment Physical Human Device Application Repository Carrier Network Data 3rd Parties
- 3. 3 - Internal - Page No Data, No Worries: Data Minimization
- 4. 4 - Internal - Page Don’t Spread the Word
- 6. 6 - Internal - Page Why?
- 7. 7 - Internal - Page Data is everywhere, we organise it, to be able to manage it
- 8. 8 - Internal - Page Levels of Organising data 1,267.04 EURCardholder C Shop N249.99 EUR 319.00 EUR 1,415.00 EUR 14/8 20/8 26/8 2/8 x 0.5 loyalty points 3,251.03 EUR 1,625 Shop M Shop O Shop P Total for August Loyalty points
- 9. 9 - Internal - Page Data / Information
- 10. 10 - Internal - Page Data that gives ABC a Competitive Advantage Indicator: “confidential” nature
- 11. 11 - Internal - Page Data that gives ABC a Competitive Advantage Examples “in scope”: – Creative Ideas – Strategy Indicator: “confidential” nature
- 12. 12 - Internal - Page Data that gives ABC a Competitive Advantage Examples “in scope”: – Creative Ideas – Strategy – Contracts with customers – Policies on rebates, complaint compensation,… Indicator: “confidential” nature
- 13. 13 - Internal - Page Data that gives ABC a Competitive Advantage Examples “in scope”: – Creative Ideas – Strategy – Contracts with customers – Policies on rebates, complaint compensation,… – Personal Data (PDP Act / GDPR) Information related to identified or identifiable natural person – Cardholder data (PCI-DSS) Transaction data Indicator: “confidential” nature
- 14. 14 - Internal - Page Data that gives ABC a Competitive Advantage Examples “in scope”: – Creative Ideas – Strategy – Contracts with customers – Policies on rebates, complaint compensation,… – Personal Data (PDP Act) Information related to identified or identifiable natural person – Cardholder data (PCI-DSS) Transaction data Indicator: “confidential” nature
- 15. 15 - Internal - Page Processing personal data HAVE TO: Data Protection Act / GDPR
- 16. 16 - Internal - Page Data Protection Act - Personal data Any information relating to an identified or identifiable natural person.
- 17. 17 - Internal - Page Data Protection Act - Personal data In general not legal persons (e.g. limited companies) BUT - In some countries similar regime for legal persons - Next to personal data protection there may be a (professional) duty of confidentiality. e.g. consumer customers, staff members, individuals related to corporations (legal representatives, UBOs, …), Any information relating to an identified or identifiable natural person
- 18. 18 - Internal - Page Data Protection Act - Personal data An identifiable person is one who can be identified, directly or indirectly, in particular by reference to • An identification number or •To one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Any information relating to an identified or identifiable natural person
- 19. 19 - Internal - Page Data Protection Act - Personal data Any information relating to an identified or identifiable natural person
- 20. 20 - Internal - Page Data Protection Act - Personal data Any information relating to an identified or identifiable natural person
- 21. 21 - Internal - Page Data Protection Act - Personal data Any information relating to an identified or identifiable natural person
- 22. 22 - Internal - Page Data Subject Processing personal data Data Protection Act – Data Subject
- 23. 23 - Internal - Page Data Protection Act - Personal data (perception of) “sensitivity”/”intimacy” is irrelevant Any information relating to an identified or identifiable natural person
- 24. 24 - Internal - Page Your CardYour Card and how you use it
- 25. 25 - Internal - Page Your CardYour Card and how you use it
- 26. 26 - Internal - Page Your CardYour Card and how you use it
- 27. 27 - Internal - Page Your Search Results
- 28. 28 - Internal - Page Your Phone Number
- 29. 29 - Internal - Page Your Location
- 30. 30 - Internal - Page Your Heartbeat
- 31. 31 - Internal - Page Your Keystroke Speed
- 32. 32 - Internal - Page Your Shoe Size
- 33. 33 - Internal - Page Data Protection Act / GDPR - Personal data Any information relating to an identified or identifiable natural person.
- 34. 34 - Internal - Page Data Protection - Processing digital AND paper
- 35. 35 - Internal - Page Data Protection - Processing Collection, recording, organization, Storage, Adaptation or alteration, rectification, retrieval, consultation, use, Disclosure by transmission, dissemination or otherwise making available, alignment or combination, Blocking, erasure or destruction
- 36. 36 - Internal - Page Data Subject Processing personal data Data Controller Data Protection Act / GDPR – Data Controller
- 37. 37 - Internal - Page Processing personal data Data Protection Act / GDPR – Data Controller Data Subject Data Controller Bank ABC Application form
- 38. 38 - Internal - Page Control Processing personal data Data Protection Act / GDPR – Control in 4 Pillars Data Subject Data Controller
- 39. 39 - Internal - Page Control Processing personal data Finality Data Protection Act / GDPR – Control in 4 Pillars Respect the (original) purpose Data Subject Data Controller Legitimacy Have one of the legal bases
- 40. 40 - Internal - Page Control Processing personal data Finality Legitimacy Transparency Data Protection Act / GDPR – Control in 4 Pillars Respect the (original) purpose Have one of the legal bases Inform data subject and sometimes authorities Data Subject Data Controller
- 41. 41 - Internal - Page Control Processing personal data Finality Legitimacy Transparency Organisation Data Protection Act / GDPR – Control in 4 Pillars Respect the (original) purpose Have one of the legal bases Inform data subject and sometimes authorities Accountability and technical and organisational measures Data Subject Data Controller
Notas del editor
- Welcome to the third part of the baseline training IS/DPP. Herein we look at data and the different classifications we give it in order to be able to better handle it.
- In IS/DPP we basically set up a number of measures to protect our data, or as we call it in the jargon “information assets”. Around those we build a number of layers of security. And those layers interconnect and overlap. But data is always in the center. So that is where we start.
- Not having data is the easiest way to protect it. Obviously as a company and especially one where data is at the core of our activity, not having data is not an option. But… it is always good to keep in mind that when we don’t need the data, it is best not to collect it. when we no longer need the data, to delete it. as much as possible, avoid duplication.
- An example is a journalist protecting his source by not revealing its identity to anybody.
- Of course even respecting data minimization, we are still left with quite a large collection of all different types of data. And when we have data, we need the classify it.
- Why? Because data is such a broad concept, that in our digital world can boil down to zeros and ones, looking at it at that level would make no sense.
- That is why we create order out of the chaos data is, by putting it together in data sets that make sense. In theory we call that “information”.
- So a number would be data. A number and the currency “euro” would already make some sense. That amount of money connected to a sender (the cardholder) and a receiver (the shap) makes a fine transaction. All transactions in a month for one cardholder makes for a monthly statement, but also the basis – perhaps – for the calculation of loyalty rewards. And so forth.
- You understand that even in the theoretical distinction data/information there are a number of levels. That is why generally data and information are used as synonyms.
- Looking at the data we want to protect, we are focussing on data that can give the ABC Group an advantage on the competition. Running ahead of things that kind of data has a confidential nature. Examples of data that is “out-of-scope” is any data that is on the website, like general terms and conditions for customers, general terms and conditions for suppliers (procurement), investor information,...
- What is in scope? Creative ideas, like marketing campaigns, unique features to bolt on products or services, etc. Strategy, like what customers we target, how we want to service the customer in 3 years, etc.
- Who our customers are. If we gave them special conditions. If we gave them a compensation after a complaint.
- Cardholder data, transaction data, … and basically all information related to an identified or identiable natural person.
- Some data we legally have to protect, and for the other data we want to keep to ourselves because it is good for business.
- One important framework is the general data protection act (or in the future the general data protection regulation also known as GDPR). That legislation is all about “processing personal data”. We’ll go deeper into those two concepts, and build up from there to the other general concepts of that legislation.
- Personal data is defined as “any information relating to an identified or identifiable natural person”. Let us drill down on those components.
- Legal persons are not in scope of the Belgian Data Protection Act or the GDPR. As a little sidenote: some companies like hospitals, governments, banks insurances,…, even if the data protection legislation does not apply (or next to it), have to respect a (in principle contractual) duty of discretion. Also, the individuals related to corporate customers (the contacts, the legal representatives, the ultimate beneficial owners, the cardholders, the administrators,…) are very well in scope of the data protection legislation.
- The individual needs to be identified (that is quite easy) or identifiable. The identifiability is tricky, because in this day and age where computers can very quickly make a lot of calculations and combinations, an identity can sometimes be put on a data set where you would not have expected it.
- Fingerprints don’t have a person’s name on them, but the police can match them against a database.
- Your badge may not be personalised on the outside, but when it is used, the system registers “you” as badging scanner x, near door y at time z.
- Your picture may not be recognized by 6 billion + people on the planet, but facebook makes your friends tag you on it or google compares your facial features to determine with 99% certainty that it is you.
- In the data protection legislation the person identified is referred to as the data subject.
- The information that can be related to a person is only limited by the imagination.
- It can be as straightforward as your name, your eID number,
- your card number,
- or the way you use your card,
- your search results in google,
- your phone number,
- the geolocation from your cell phone,
- your heatbeat,
- the rythm with which you type texts on your keyboard,
- - sometimes just your shoe size can give away who you are.
- It is clear: personal data is very broad.
- The second component of the scope definition of the data protection legislation is “processing”; it is basically anything you do with data in an ordened way - on paper e.g. in a filing cabinet or automated by a computer (where the actual neat order is of less importance as the computer can overcome that with computing power).
- From collection… To deletion… And everything in between.
- Here the second player of the data protection act enters the stage: the data controller. He is the “entity” (in general a company) that processes the data and more importantly: determines what happens with the data and how?
- An example: the information in the application form, is it used only to assess the credit risk and determine the credit limit or is it also used for to send the new customer information about our services, marketing (upselling and cross-selling), partner mailings, …?
- The data protection legislation sets out quite a number of rather (legal) technical requirements. But it basically requires the data controller to be… in control of the data.
- The data controller must have a firm basis to collect and further process the personal data for certain purposes, for example - a legal requirment like performing anti-money laundering checks for banks, insurance companies, notaries public, etc. or sharing information on employment an make payments to the social security governmental bodies implicit consent to execute the contract, or even just to assess whether we want to enter into the employment, credit or insurance contract explicit consent to send email marketing, newsletters, etc.
- Being transparent about how the data controller processes personal data in a privacy statement is one way that makes that visible for the data subject and the outside world.
- The data controller must organise itself, which includes setting up technical measures and procedures to guard some important characteristics of the data.