An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on the concept of data, reasons for protecting data, personal data and data processing.
The slides come with notes that briefly explain the visuals on the slides.
Slide 7
- Internal - Page
Data is everywhere; we organise it to be able to manage it.
Slide 8
Levels of Organising data
[Figure: four August transactions of Cardholder C at Shops M, N, O and P (249.99 EUR at Shop N; 1,267.04, 319.00 and 1,415.00 EUR; dated 2/8, 14/8, 20/8 and 26/8), giving a "Total for August" of 3,251.03 EUR, which at x 0.5 loyalty points gives 1,625 loyalty points.]
Slides 10-14 (progressive build of one slide)
Data that gives ABC a Competitive Advantage
Indicator: "confidential" nature
Examples "in scope":
– Creative Ideas
– Strategy
– Contracts with customers
– Policies on rebates, complaint compensation, …
– Personal Data (PDP Act / GDPR): information relating to an identified or identifiable natural person
– Cardholder data (PCI DSS): transaction data
Slide 15
Processing personal data
HAVE TO: Data Protection Act / GDPR
Slide 16
Data Protection Act - Personal data
Any information
relating to
an identified or identifiable
natural person.
Slide 17
Data Protection Act - Personal data
Any information relating to an identified or identifiable natural person
(e.g. consumer customers, staff members, individuals related to corporations: legal representatives, UBOs, …)
In general not legal persons (e.g. limited companies)
BUT
- In some countries a similar regime applies to legal persons
- Next to personal data protection there may be a (professional) duty of confidentiality.
Slide 18
Data Protection Act - Personal data
Any information relating to an identified or identifiable natural person
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to
• an identification number, or
• one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Slides 19-21 (definition repeated)
Data Protection Act - Personal data
Any information relating to an identified or identifiable natural person
Slide 22
Processing personal data
Data Protection Act – Data Subject
Data Subject
Slide 23
Data Protection Act - Personal data
Any information relating to an identified or identifiable natural person
(perception of) "sensitivity" / "intimacy" is irrelevant
Slide 33
Data Protection Act / GDPR - Personal data
Any information
relating to
an identified or identifiable
natural person.
Slide 34
Data Protection - Processing
digital AND paper
Slide 35
Data Protection - Processing
- Collection, recording, organisation
- Storage
- Adaptation or alteration, rectification
- Retrieval, consultation, use
- Disclosure by transmission, dissemination or otherwise making available
- Alignment or combination
- Blocking, erasure or destruction
Slide 36
Processing personal data
Data Protection Act / GDPR – Data Controller
Data Subject -> Data Controller
Slide 37
Processing personal data
Data Protection Act / GDPR – Data Controller
Data Subject -> (Application form) -> Data Controller: Bank ABC
Slides 38-41 (progressive build of one slide)
Processing personal data
Data Protection Act / GDPR – Control in 4 Pillars
Data Subject <-> Data Controller: Control
– Finality: respect the (original) purpose
– Legitimacy: have one of the legal bases
– Transparency: inform the data subject and sometimes the authorities
– Organisation: accountability and technical and organisational measures
Editor's Notes
Welcome to the third part of the baseline training IS/DPP.
Herein we look at data and the different classifications we give it in order to be able to better handle it.
In IS/DPP we basically set up a number of measures to protect our data, or as we call it in the jargon “information assets”.
Around those we build a number of layers of security. And those layers interconnect and overlap.
But data is always in the center. So that is where we start.
Not having data is the easiest way to protect it.
Obviously, as a company, and especially one where data is at the core of our activity, not having data is not an option.
But it is always good to keep in mind that:
- when we don't need the data, it is best not to collect it;
- when we no longer need the data, we delete it;
- as much as possible, we avoid duplication.
An example is a journalist protecting a source by not revealing the source's identity to anybody.
Of course, even respecting data minimisation, we are still left with quite a large collection of all different types of data.
And when we have data, we need to classify it.
Why? Because data is such a broad concept that, in our digital world, it can boil down to zeros and ones; looking at it at that level would make no sense.
That is why we create order out of the chaos that data is, by putting it together in data sets that make sense. In theory we call that "information".
So a number would be data. A number and the currency "euro" would already make some sense. That amount of money connected to a sender (the cardholder) and a receiver (the shop) makes a fine transaction. All transactions in a month for one cardholder make a monthly statement, but also, perhaps, the basis for the calculation of loyalty rewards. And so forth.
You understand that even in the theoretical distinction between data and information there are a number of levels. That is why data and information are generally used as synonyms.
Looking at the data we want to protect, we focus on data that can give the ABC Group an advantage over the competition.
To run ahead of things: that kind of data is confidential in nature. Examples of data that is "out of scope" are any data that is on the website,
like general terms and conditions for customers, general terms and conditions for suppliers (procurement), investor information, ...
What is in scope?
Creative ideas, like marketing campaigns, unique features to bolt on to products or services, etc.
Strategy, like which customers we target, how we want to service the customer in 3 years, etc.
Who our customers are. Whether we gave them special conditions. Whether we gave them compensation after a complaint.
Cardholder data, transaction data, ...
and basically all information related to an identified or identifiable natural person.
Some data we legally have to protect,
and the other data we want to keep to ourselves because it is good for business.
One important framework is the Data Protection Act (or, in the future, the General Data Protection Regulation, also known as GDPR). That legislation is all about "processing personal data". We will go deeper into those two concepts, and build up from there to the other general concepts of that legislation.
Personal data is defined as “any information relating to an identified or identifiable natural person”.
Let us drill down on those components.
Legal persons are not in scope of the Belgian Data Protection Act or the GDPR.
As a little side note: some organisations like hospitals, governments, banks, insurers, ..., even where the data protection legislation does not apply (or next to it), have to respect a (in principle contractual) duty of discretion.
Also, the individuals related to corporate customers (the contacts, the legal representatives, the ultimate beneficial owners, the cardholders, the administrators, ...) are very much in scope of the data protection legislation.
The individual needs to be identified (that is quite easy) or identifiable.
Identifiability is the tricky part, because in this day and age, where computers can very quickly make a lot of calculations and combinations, an identity can sometimes be put on a data set where you would not have expected it.
Fingerprints don't have a person's name on them, but the police can match them against a database.
Your badge may not be personalised on the outside, but when it is used, the system registers "you" as badging at scanner x, near door y, at time z.
Your picture may not be recognised by the 6 billion+ people on the planet, but Facebook has your friends tag you in it, and Google compares your facial features to determine with 99% certainty that it is you.
In the data protection legislation the person identified is referred to as the data subject.
The information that can be related to a person is limited only by the imagination.
It can be as straightforward as your name or your eID number,
your card number,
or the way you use your card,
your search results in Google,
your phone number,
the geolocation from your cell phone,
your heartbeat,
the rhythm with which you type texts on your keyboard;
sometimes just your shoe size can give away who you are.
It is clear: personal data is very broad.
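The identifiability point made above (an identity can be put on a data set where you would not expect it, down to a shoe size) can be checked rather than guessed. The Python below is an added example written for this page, not part of the original training material: it takes a constructed "anonymised" extract from which names were removed, links it to a constructed public list on assumed quasi-identifiers (postcode, birth year, shoe size) and reports which pseudonyms are pinned to exactly one person. It also computes the smallest group size (k) over those attributes, which is the check a practitioner runs before calling an extract "not personal data". All records and attribute names are invented for the illustration.

```python
"""Linkage (re-identification) check on a 'de-identified' extract.

Added example for this training page; not the page's own material.
Records and attribute names below are constructed for illustration;
postcode, birth_year and shoe_size are assumed quasi-identifiers.
"""
from collections import Counter, defaultdict

# Constructed "anonymised" export: names removed, a pseudonym kept.
ANON_RECORDS = [
    {"pseudonym": "a1f3", "postcode": "1000", "birth_year": 1984, "shoe_size": 42, "credit_limit": 5000},
    {"pseudonym": "9c2e", "postcode": "1000", "birth_year": 1984, "shoe_size": 47, "credit_limit": 12000},
    {"pseudonym": "77b0", "postcode": "9000", "birth_year": 1991, "shoe_size": 38, "credit_limit": 2500},
    {"pseudonym": "d4e9", "postcode": "9000", "birth_year": 1991, "shoe_size": 38, "credit_limit": 3000},
    {"pseudonym": "5b1c", "postcode": "9000", "birth_year": 1991, "shoe_size": 38, "credit_limit": 1500},
]

# Constructed public data set (say, a loyalty sign-up list) that still carries names.
PUBLIC_RECORDS = [
    {"name": "Alice", "postcode": "1000", "birth_year": 1984, "shoe_size": 42},
    {"name": "Bob",   "postcode": "1000", "birth_year": 1984, "shoe_size": 47},
    {"name": "Carol", "postcode": "9000", "birth_year": 1991, "shoe_size": 38},
    {"name": "Dave",  "postcode": "9000", "birth_year": 1991, "shoe_size": 38},
    {"name": "Eve",   "postcode": "9000", "birth_year": 1991, "shoe_size": 38},
]


def quasi_key(record, attrs):
    """The combination of quasi-identifier values used for matching."""
    return tuple(record[a] for a in attrs)


def k_anonymity(records, attrs):
    """Smallest group size over the quasi-identifier combination.

    k == 1 means at least one record is unique on those attributes,
    i.e. it is identifiable as soon as a second data set with the same
    attributes and a name exists.
    """
    counts = Counter(quasi_key(r, attrs) for r in records)
    return min(counts.values())


def link(anon, public, attrs):
    """Join both data sets on the quasi-identifiers.

    Returns pseudonym -> set of candidate names from the public list.
    """
    index = defaultdict(set)
    for p in public:
        index[quasi_key(p, attrs)].add(p["name"])
    return {r["pseudonym"]: index.get(quasi_key(r, attrs), set()) for r in anon}


def reidentified(anon, public, attrs):
    """Pseudonyms that the linkage pins to exactly one person: these rows
    (and the credit limit on them) are personal data, pseudonym or not."""
    return {
        pseud: next(iter(names))
        for pseud, names in link(anon, public, attrs).items()
        if len(names) == 1
    }


if __name__ == "__main__":
    full = ["postcode", "birth_year", "shoe_size"]
    print("k with shoe size:", k_anonymity(ANON_RECORDS, full))
    print("re-identified:", reidentified(ANON_RECORDS, PUBLIC_RECORDS, full))
    # Dropping the attribute that singles people out raises k and the join no longer resolves.
    coarse = ["postcode", "birth_year"]
    print("k without shoe size:", k_anonymity(ANON_RECORDS, coarse))
    print("re-identified:", reidentified(ANON_RECORDS, PUBLIC_RECORDS, coarse))
```

With shoe size included two of the five pseudonymised rows resolve to a single person, so the extract is personal data even though no name is stored in it; without it every row shares its quasi-identifier combination with at least one other (k = 2) and the join returns only ambiguous candidates. The same check applies to any attribute set an extract keeps, not only these three.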
The second component of the scope definition of the data protection legislation is "processing":
basically anything you do with data in an ordered way,
- on paper, e.g. in a filing cabinet,
- or automated by a computer (where the actual neat order is of less importance, as the computer can overcome that with computing power).
From collection ...
to deletion ...
and everything in between.
Here the second player of the data protection act enters the stage: the data controller.
It is the entity (in general a company) that processes the data and, more importantly, determines what happens with the data and how.
An example: the information in the application form;
is it used only to assess the credit risk and determine the credit limit,
or is it also used to send the new customer information about our services, marketing (upselling and cross-selling), partner mailings, ...?
The data protection legislation sets out quite a number of rather (legal-)technical requirements.
But it basically requires the data controller to be ... in control of the data.
The data controller must have a firm basis to collect and further process the personal data for certain purposes, for example:
- a legal requirement, like performing anti-money laundering checks for banks, insurance companies, notaries public, etc., or sharing information on employment and making payments to the social security bodies;
- the contract: processing needed to execute it, or even just to assess whether we want to enter into the employment, credit or insurance contract (sometimes loosely called "implicit consent", but under the GDPR it is a legal basis distinct from consent);
- explicit consent, to send email marketing, newsletters, etc.
Being transparent about how the data controller processes personal data, in a privacy statement, is one way to make that visible for the data subject and the outside world.
The data controller must organise itself, which includes setting up technical measures and procedures to guard some important characteristics of the data.