IS/DPP for staff #3a - Data

Post on 14-Apr-2017


- Internal -

IS/DPP Baseline Training

E-learning – Part 3 – Data & Classification

Data in the Center

Diagram with Data at the centre; labelled elements: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, 3rd Parties.


No Data, No Worries: Data Minimization


Don’t Spread the Word

Information Classification


Why?


Data is everywhere; we organise it to be able to manage it.


Levels of Organising data

Figure: card statement example for Cardholder C – transactions at Shop M, Shop N (249.99 EUR), Shop O and Shop P, dated 14/8, 20/8, 26/8 and 2/8, with amounts 1,267.04 EUR, 249.99 EUR, 319.00 EUR and 1,415.00 EUR; Total for August: 3,251.03 EUR; Loyalty points (x 0.5): 1,625.


Data / Information



Data that gives ABC a Competitive Advantage

Examples “in scope”:
– Creative Ideas
– Strategy
– Contracts with customers
– Policies on rebates, complaint compensation, …
– Personal Data (PDP Act / GDPR): information related to an identified or identifiable natural person
– Cardholder data (PCI-DSS): transaction data

Indicator: “confidential” nature


Processing personal data

HAVE TO: Data Protection Act / GDPR


Data Protection Act - Personal data

Any information relating to an identified or identifiable natural person.


Natural persons: e.g. consumer customers, staff members, individuals related to corporations (legal representatives, UBOs, …).

In general not legal persons (e.g. limited companies), BUT:
- in some countries a similar regime applies to legal persons;
- next to personal data protection there may be a (professional) duty of confidentiality.


An identifiable person is one who can be identified, directly or indirectly, in particular by reference to:
• an identification number, or
• one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.


Data Protection Act – Data Subject

Diagram: Data Subject → Processing personal data


Data Protection Act - Personal data

(Perception of) “sensitivity” / “intimacy” is irrelevant.


Examples:
– Your Card and how you use it
– Your Search Results
– Your Phone Number
– Your Location
– Your Heartbeat
– Your Keystroke Speed
– Your Shoe Size

Data Protection Act / GDPR - Personal data

Any information relating to an identified or identifiable natural person.

VERY BROAD


Data Protection - Processing

digital AND paper


– Collection, recording, organization
– Storage
– Adaptation or alteration, rectification, retrieval, consultation, use
– Disclosure by transmission, dissemination or otherwise making available, alignment or combination
– Blocking, erasure or destruction


Data Protection Act / GDPR – Data Controller

Diagram: Data Subject → Application form → Data Controller (Bank ABC) → Processing personal data


Data Protection Act / GDPR – Control in 4 Pillars

Diagram: Data Subject → Data Controller; the processing of personal data is under Control through four pillars:
– Finality: respect the (original) purpose
– Legitimacy: have one of the legal bases
– Transparency: inform the data subject and sometimes the authorities
– Organisation: accountability and technical and organisational measures