An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on the concept of data, reasons for protecting data, personal data and data processing.
The slides come with notes that in short explain the visuals on the slides.
Here you will find the presentation by Microsoft Denmark's lawyer Anne Ermose, 'Databeskyttelse og sikker drift i skyen' (Data protection and secure operation in the cloud), as well as a document with an overview of 'Nyttige links fra Microsoft vedr Cloud og Jura' (Useful links from Microsoft on cloud and law).
California Consumer Privacy Act and the Role of IAM (WSO2)
This deck explores the basics of the CCPA including what CCPA is, how enterprises can prepare for it, a comparison with GDPR, and how IAM can help with CCPA and other privacy regulations.
Watch the On-Demand Webinar here - https://wso2.com/library/webinars/2019/04/california-consumer-privacy-act-and-the-role-of-iam/
Ed Wright - Staying on the right side of the law in the digital world (Hallam)
UK legal and regulatory position on conducting business online
Setting up an online business
Electronic contracts and signatures
Cyber security, privacy and data protection
Hyperlinking and domain names
Jurisdiction and governing law
Advertising
Liability for online content and insurance
GDPR Explained in Simple Terms for Hospitality Owners (Boostly)
GDPR can come off as being overly complicated. So I've created this to make everything simple and so you can understand everything you need to as an independent hospitality owner!
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws (Tara Aaron)
As data sets and analytics sophistication grow, so do consumers' concerns about their privacy and what is being done with their personal information. Legislatures around the world are beginning to respond to these concerns. We present an overview of the General Data Protection Regulation and the California Consumer Protection Act to help companies comply with the law and engender trust with the consumers whose data they hold.
New York Marketo User Group Meetup: GDPR for Marketers - DECODED 6.15.18 (Inga Romanoff)
This presentation covers the basics of the GDPR regulation as they relate to marketers and, more specifically, what needs to be set up in Marketo.
For more information, recording and related resources, go to: romanoff.live/gdpr-decoded-ss
Download GDPR processing infographic: romanoff.live/gdpr-infographic
Or click through to our GDPR resources center: romanoff.live/gdpr-center-s
Presenters:
Inga Romanoff, Marketo User Group Leader | CEO Romanoff Consultants
Jessica Kao, Silicon Valley MUG Co-Leader | Director, Client Services at Digital Pi
GDPR Is Coming – Are Search Marketers Ready? (MediaPost)
The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades and the enforcement date is approximately 1 month away. The standards for data collection and use in the EU will significantly differ from those in the United States. This session will break down the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
Infants and guns - data, digital analytics strategy and ethics - superweek 20... (Steen Rasmussen)
Since the dawn of analytics we have strived to improve both the quality and volume of our data, with no other ambition than to ensure the largest possible dataset – not because we need it, but because we might need it. GDPR has temporarily put a wrench in our original approach, but it takes more than the law to keep a good analyst away from his data, and with Machine Learning as an active part of the toolbox the value of data has grown exponentially. The session is a reflection on how we have done things so far and where we might end up if we don’t stop doing business as usual and instead calibrate our efforts in a more strategic and ethical direction.
Maximizing & Exploiting Big Data in Digital Media....Legally (MediaPost)
Data, the gold of the online world, can be both an asset and a liability. Online tracking mechanisms and data matching/segmentation techniques have become far more sophisticated and make programmatic media buying more effective. 1st party and 3rd party data can be acquired and used for a wide variety of purposes. Regulators and lawmakers are slowly catching up and raising privacy and consumer protection concerns. Avoiding potential pitfalls should be a key strategic business decision for every player in the programmatic space using services through which data is collected and/or exploited. This session will discuss best practices for exploiting big data in the programmatic and digital media worlds in a compliant manner.
• In May 2018 the new European privacy legislation enters into force. The General Data Protection Regulation is a set of rules to better protect the data of European citizens. This regulation also applies to associations. We welcome Karel Holst of the GDPR expert firm IFORI, who will guide us through this complex matter in an accessible way. You can expect practical tips and advice.
In cooperation with the advisory councils and Katrien Dossche.
How GDPR will change Personal Data Control and Affect Everyone (Thomas Goubau)
The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
The European Parliament approved the General Data Protection Regulation (the "GDPR") on Thursday, 14 April 2016. The GDPR will become effective for all companies processing personal data of EU citizens on May the 28th 2016.
Failure to comply with the GDPR may result in enforcement actions under the GDPR, including possible fines up to the greater of € 20 million or 4% of annual global turnover.
France, for example, is already in the process of introducing legislation to implement fines at these levels immediately, rather than waiting for the GDPR to become enforceable.
How is this related to SAP data?
Most organizations using SAP store privacy-relevant data in their SAP systems (think of personal data related to customers, vendors, business partners, employees, applicants, patients, etc.).
Many data privacy officers are aware of the new EU GDPR and are looking for instruments and know-how to translate and apply data privacy measures to SAP data.
The attached presentation gives you some basic insight into how to handle personal and sensitive data in SAP systems.
Who needs an EU representative according to GDPR article 27? (idc-representative)
One of the requirements under the GDPR (Article 27) is the appointment of a representative in the EU for international companies that are not on the ground within the Union. According to the recitals, the EU representative must be designated in writing, and the obligation applies to both the “controller” (the company collecting the data and in some kind of customer relationship with the data subject) and any (sub-contracted) “processor” of the data. We give examples of the companies to which this obligation applies.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on data classification, drilling a bit deeper into confidentiality, integrity, availability (=CIA), privacy (=CAPI), traceability, and retention (=PATRIC), to be amended to meet the specific organisation's setup.
The slides come with notes that in short explain the visuals on the slides.
The GDPR is all about how to govern and manage your privacy-relevant data in SAP systems. Many companies are struggling to adapt and align their (SAP) information governance and practical information management activities with the GDPR legislation.
Read this GDPR presentation, presented for the Dutch SAP user group, to learn more about some of the practical governance and management activities you can prepare for SAP systems in order to comply with the GDPR.
Data protection clause in a (public) procurement contract (Tommy Vandepitte)
Example of a Dutch-language clause that can be included in a public procurement contract or Request for Proposal (RFP) to cover, or at least attempt to cover, all the different possible forms of cooperation (joint controller, controller-to-controller or controller-to-processor).
20190131 - Presentation Q&A on legislation's influence (on travel management) (Tommy Vandepitte)
Presentation given at the event organised by ACTE and BATM on 31 January 2019, addressing a few questions on the payments legislation that are relevant for travel and expense managers.
A presentation given at the legal hackers meetup of 19 June 2018 on common issues with controller-to-processor agreements, aka "data processor agreement" (DPA). We revisit the distinction between controller and processor. We then look at the directly applicable duties for processors, which do not need to be inserted in a contract. Finally, we look at the different mandatory and "forgotten" components of the agreement.
The slides of a presentation for brokers in the insurance sector. Presented on 12 June 2018 for the Kempische Verzekeringskring (https://www.kempischeverzekeringskring.be/activiteit/gdpr-wat-u-als-makelaar-nog-niet-wist/).
As the last speaker on the day after the Data Protection Day, I tried a different approach to the story of data protection and information security. I assembled a selection of movies, series, books (fiction and non-fiction) and games that any staff member should be able to go through themselves - as they please and at their own rhythm - and piece by piece learn about data protection and information security. In a way they can cultivate their own data protection awareness.
Presentation given on the experience of privacy design labs on the LSEC Belgium GDPR event of 30 November 2017.
Event page: https://www.leadersinsecurity.org/events-old/icalrepeat.detail/2017/11/30/186/-/gdpr-plan-to-be-ready-prepare-to-set-change-to-go-session-3-privacy-impact-assessment-scenario-planning-data-loss-management.html?filter_reset=1
Privacy Design lab page: https://sites.google.com/site/pbd20171106
Example of a privacy design jam by Facebook (Berlin 2017) : https://www.facebook.com/facebookbrussels/videos/1419793831400471/
How do you introduce the novelties of the Algemene Gegevensbeschermingsverordening (AGV) or General Data Protection Regulation (GDPR) to your city or municipality? This is an example of a slide deck.
This is an example of a deck for the decision makers (generally the board of directors) to first explain that data protection is a (reputational, legal, operational) risk that - like any other business risk needs to be managed. Then it allows for some explanation of the status of data protection (law) and the main novelties under the GDPR. It then highlights the main changes required in project mode and (later on, after the handover) in business-as-usual mode.
Extra Vlerick reference (because it was published after the publication of this slide deck): http://www.vlerick.com/en/programmes/management-programmes/digital-transformation/digital-transformation-insights/insight-1
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on an aspect that overarches all previous ones: monitoring. It touches on both perspectives of staff involvement:
- staff works with the data, processes it, etc. and thus is the agent of the company
- the company, to show accountability, should set up a balanced way of controlling the staff, which per se involves processing personal data of the staff members
The slides come with notes that in short explain the visuals on the slides.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on incident management. How should staff react? How can an incident be effectively escalated?
The slides come with notes that in short explain the visuals on the slides.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on the acceptable use of the company's (and sometimes also the staff's own) means. Each company should add what is appropriate for it.
The slides come with notes that in short explain the visuals on the slides.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
The part focusses on authentication, and more particularly on passwords.
The slides come with notes that in short explain the visuals on the slides.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on authorization and access rights, focussing on the staff's part in that.
The slides come with notes that in short explain the visuals on the slides.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on the reason why we should live up to the rules of IS/DPP, from a "negative" perspective (what do we want to avoid?) and from a "positive" perspective (what do we want to accomplish?).
The slides come with notes that in short explain the visuals on the slides.
An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This is an introduction explaining
- the difference between information security, data protection and privacy,
- the need and usefulness for staff engagement
The slides come with notes that in short explain the visuals on the slides.
This is an example training in the context of IS/DPP, information security, data protection and privacy.
It is a training directed to procurement officers and outsourcing managers.
The generic idea is that procurement officers and outsourcing managers support the company's or group's inventory and overview of third party relationships. With well-implemented governance through procurement officers and outsourcing managers it should be easier to keep that overview up to date through the existing processes for managing (most) third party relationships, thus increasing ownership and awareness of information security and privacy.
This is an example training in the context of IS/DPP, information security, data protection and privacy.
It is a training directed to IAOs, information assets owners.
The generic idea is that IAOs support the company's or group's inventory and overview of information assets (which can, but don't per se have to, include personal data). With well-implemented governance through IAOs it should be easier to keep that overview up to date close to the actual users, thus increasing ownership and awareness of information security and privacy.
Slide 7 - Internal - Page
Data is everywhere; we organise it to be able to manage it.

Slide 8
Levels of organising data
[Figure: one cardholder's (Cardholder C) card transactions for August at Shops M, N, O and P, dated 2/8, 14/8, 20/8 and 26/8, for 249.99 EUR, 319.00 EUR, 1,267.04 EUR and 1,415.00 EUR; the total for August, 3,251.03 EUR; and the loyalty points derived from it (x 0.5 loyalty points = 1,625).]

Slides 10-14
Data that gives ABC a Competitive Advantage
Indicator: “confidential” nature
Examples “in scope”:
– Creative Ideas
– Strategy
– Contracts with customers
– Policies on rebates, complaint compensation, …
– Personal Data (PDP Act / GDPR): information related to an identified or identifiable natural person
– Cardholder data (PCI-DSS): transaction data

Slide 15
Processing personal data
HAVE TO: Data Protection Act / GDPR

Slide 16
Data Protection Act - Personal data
Any information relating to an identified or identifiable natural person.

Slide 17
Data Protection Act - Personal data
Any information relating to an identified or identifiable natural person, e.g. consumer customers, staff members, individuals related to corporations (legal representatives, UBOs, …).
In general not legal persons (e.g. limited companies), BUT
- in some countries a similar regime applies to legal persons
- next to personal data protection there may be a (professional) duty of confidentiality.

Slide 18
Data Protection Act - Personal data
An identifiable person is one who can be identified, directly or indirectly, in particular by reference to
• an identification number, or
• one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Slides 19-21 repeat the definition (“Any information relating to an identified or identifiable natural person”) with different visuals.

Slide 22
Processing personal data
Data Protection Act – Data Subject
[Diagram: the Data Subject.]

Slide 23
Data Protection Act - Personal data
(Perception of) “sensitivity”/“intimacy” is irrelevant.

Slide 33
Data Protection Act / GDPR - Personal data
Any information relating to an identified or identifiable natural person.

Slide 34
Data Protection - Processing
Digital AND paper.

Slide 35
Data Protection - Processing
Collection, recording, organization, storage, adaptation or alteration, rectification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Slides 36-37
Processing personal data
Data Protection Act / GDPR – Data Controller
[Diagram: Data Subject, Application form, Bank ABC as Data Controller.]

Slides 38-41
Processing personal data
Data Protection Act / GDPR – Control in 4 Pillars
[Diagram: Data Subject, Data Controller, and the four pillars of control.]
– Finality: respect the (original) purpose
– Legitimacy: have one of the legal bases
– Transparency: inform the data subject and sometimes the authorities
– Organisation: accountability and technical and organisational measures
Editor's Notes
Welcome to the third part of the baseline training IS/DPP.
Herein we look at data and the different classifications we give it in order to be able to better handle it.
In IS/DPP we basically set up a number of measures to protect our data, or as we call it in the jargon “information assets”.
Around those we build a number of layers of security. And those layers interconnect and overlap.
But data is always in the center. So that is where we start.
Not having data is the easiest way to protect it.
Obviously as a company and especially one where data is at the core of our activity, not having data is not an option.
But… it is always good to keep in mind that:
- when we don’t need the data, it is best not to collect it;
- when we no longer need the data, to delete it;
- as much as possible, to avoid duplication.
An example is a journalist protecting his source by not revealing its identity to anybody.
Of course even respecting data minimization, we are still left with quite a large collection of all different types of data.
And when we have data, we need to classify it.
Why? Because data is such a broad concept that, in our digital world, it can boil down to zeros and ones; looking at it at that level would make no sense.
That is why we create order out of the chaos data is, by putting it together in data sets that make sense. In theory we call that “information”.
So a number would be data. A number and the currency “euro” would already make some sense. That amount of money connected to a sender (the cardholder) and a receiver (the shap) makes a fine transaction. All transactions in a month for one cardholder makes for a monthly statement, but also the basis – perhaps – for the calculation of loyalty rewards. And so forth.
You understand that even in the theoretical distinction data/information there are a number of levels. That is why generally data and information are used as synonyms.
Looking at the data we want to protect, we are focussing on data that can give the ABC Group an advantage over the competition.
Running ahead of the classification scheme: that kind of data is confidential by nature. Examples of data that is “out of scope” are anything already published on the website,
like general terms and conditions for customers, general terms and conditions for suppliers (procurement), investor information, ...
What is in scope?
- Creative ideas, like marketing campaigns, unique features to bolt on to products or services, etc.
- Strategy, like which customers we target, how we want to service the customer in 3 years, etc.
- Who our customers are. Whether we gave them special conditions. Whether we gave them compensation after a complaint.
- Cardholder data, transaction data, …
- and basically all information related to an identified or identifiable natural person.
Some data we legally have to protect,
and for the other data we want to keep to ourselves because it is good for business.
One important framework is the Data Protection Act (and, in the future, the General Data Protection Regulation, also known as GDPR). That legislation is all about “processing personal data”. We’ll go deeper into those two concepts, and build up from there to the other general concepts of that legislation.
Personal data is defined as “any information relating to an identified or identifiable natural person”.
Let us drill down on those components.
Legal persons are not in scope of the Belgian Data Protection Act or the GDPR.
As a little side note: some organisations like hospitals, governments, banks, insurers, …, even where the data protection legislation does not apply (or next to it), have to respect a (in principle contractual) duty of discretion.
Also, the individuals related to corporate customers (the contacts, the legal representatives, the ultimate beneficial owners, the cardholders, the administrators, …) are very much in scope of the data protection legislation.
The individual needs to be identified (that is quite easy) or identifiable.
Identifiability is the tricky part, because in this day and age, where computers can very quickly make a lot of calculations and combinations, an identity can sometimes be attached to a data set where you would not have expected it.
Fingerprints don’t have a person’s name on them, but the police can match them against a database.
Your badge may not be personalised on the outside, but when it is used, the system registers “you” as badging at scanner x, near door y, at time z.
Your picture may not be recognised by the 6 billion+ people on the planet, but Facebook lets your friends tag you in it, and Google compares your facial features to determine with high confidence that it is you.
In the data protection legislation the person identified is referred to as the data subject.
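The point about identifiability is easier to grasp with a concrete linkage attack. The following is an added example, not part of the training deck or of any ABC Group system: a constructed “de-identified” transaction extract (names removed) is matched against a constructed public directory on the ordinary attributes both still share (postcode, birth year, gender), and the k-anonymity of the extract is measured before and after the quasi-identifiers are generalised. All records, names and field names are invented for the illustration.

```python
"""Added example: why "no name" does not mean "not identifiable".

A de-identified table can usually be linked back to people through the
combination of ordinary attributes (quasi-identifiers) that it still carries.
All records below are constructed for this illustration; they are not real data.
"""
from collections import Counter

# Constructed "de-identified" extract of card transactions: the cardholder
# name was stripped, but postcode, birth year and gender were kept "for analysis".
TRANSACTIONS = [
    {"postcode": "1000", "birth_year": 1985, "gender": "F", "amount": 120.50},
    {"postcode": "1000", "birth_year": 1985, "gender": "F", "amount": 33.00},
    {"postcode": "1000", "birth_year": 1985, "gender": "M", "amount": 980.00},
    {"postcode": "2000", "birth_year": 1972, "gender": "M", "amount": 45.10},
    {"postcode": "2000", "birth_year": 1972, "gender": "M", "amount": 12.99},
    {"postcode": "9000", "birth_year": 1990, "gender": "F", "amount": 2500.00},
    {"postcode": "8000", "birth_year": 1990, "gender": "F", "amount": 8.75},
]

# Constructed public dataset (think: a sports club member list or social profiles).
DIRECTORY = [
    {"name": "Alice", "postcode": "1000", "birth_year": 1985, "gender": "F"},
    {"name": "Bob", "postcode": "1000", "birth_year": 1985, "gender": "M"},
    {"name": "Carl", "postcode": "2000", "birth_year": 1972, "gender": "M"},
    {"name": "Dirk", "postcode": "2000", "birth_year": 1972, "gender": "M"},
    {"name": "Eva", "postcode": "9000", "birth_year": 1990, "gender": "F"},
    {"name": "Fien", "postcode": "8000", "birth_year": 1990, "gender": "F"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")


def qi_key(row, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that an attacker would match on."""
    return tuple(row[f] for f in fields)


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows sharing the same quasi-identifiers.
    k == 1 means at least one row is unique, i.e. can be singled out."""
    return min(Counter(qi_key(r, fields) for r in rows).values())


def link(transactions, directory, fields=QUASI_IDENTIFIERS):
    """Linkage attack: for each transaction, the directory names that match its
    quasi-identifiers. Exactly one candidate means the record is identifiable."""
    index = {}
    for person in directory:
        index.setdefault(qi_key(person, fields), []).append(person["name"])
    return [(t["amount"], index.get(qi_key(t, fields), [])) for t in transactions]


def identifiable_count(transactions, directory, fields=QUASI_IDENTIFIERS):
    """Number of transactions that the directory pins to exactly one person."""
    return sum(1 for _, names in link(transactions, directory, fields) if len(names) == 1)


def generalise(rows):
    """Data minimisation applied to the quasi-identifiers: keep only the birth
    decade, drop postcode and gender. Other fields (amount, name) are untouched."""
    out = []
    for r in rows:
        kept = {k: v for k, v in r.items() if k not in QUASI_IDENTIFIERS}
        kept["decade"] = r["birth_year"] // 10 * 10
        out.append(kept)
    return out


if __name__ == "__main__":
    print("k-anonymity of the 'de-identified' extract:", k_anonymity(TRANSACTIONS))
    for amount, names in link(TRANSACTIONS, DIRECTORY):
        print(f"  {amount:>8.2f} -> {names}")
    gen_tx, gen_dir = generalise(TRANSACTIONS), generalise(DIRECTORY)
    print("after generalisation: k =", k_anonymity(gen_tx, ("decade",)),
          "identifiable:", identifiable_count(gen_tx, gen_dir, ("decade",)))
```

With the three attributes kept, five of the seven “anonymous” transactions map to exactly one named person (only the two men born in 1972 in the same postcode remain ambiguous); after keeping just the birth decade, every record has at least two candidates. Whether a generalisation is enough depends on what other data an attacker can plausibly obtain, so k-anonymity is a check to run, not a guarantee.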
The information that can be related to a person is limited only by the imagination.
It can be as straightforward as:
- your name, your eID number,
- your card number,
- or the way you use your card,
- your search results in Google,
- your phone number,
- the geolocation from your cell phone,
- your heartbeat,
- the rhythm with which you type texts on your keyboard,
- sometimes just your shoe size can give away who you are.
It is clear: personal data is very broad.
The second component of the scope definition of the data protection legislation is “processing”:
it is basically anything you do with data in an ordered way,
- on paper, e.g. in a filing cabinet,
- or automated by a computer (where the actual neat order matters less, as the computer can overcome that with computing power).
From collection…
to deletion…
and everything in between.
Here the second player of the data protection act enters the stage: the data controller.
It is the “entity” (in general a company) that processes the data and, more importantly, determines the purposes and the means of the processing: what happens with the data, and how.
An example: the information in the application form,
is it used only to assess the credit risk and determine the credit limit,
or is it also used to send the new customer information about our services, marketing (upselling and cross-selling), partner mailings, …?
The data protection legislation sets out quite a number of rather (legally) technical requirements.
But it basically requires the data controller to be… in control of the data.
The data controller must have a firm basis to collect and further process the personal data for certain purposes, for example:
- a legal requirement, like performing anti-money laundering checks for banks, insurance companies, notaries public, etc., or sharing information on employment and making payments to the social security governmental bodies;
- the performance of a contract (sometimes described as implicit consent), or even just assessing whether we want to enter into the employment, credit or insurance contract;
- explicit consent, to send email marketing, newsletters, etc.
Being transparent about how the data controller processes personal data, in a privacy statement, makes that visible to the data subject and the outside world.
The data controller must organise itself, which includes setting up technical measures and procedures to guard some important characteristics of the data.