Post on 15-Apr-2017
STRONG BRANDS, DEDICATED PEOPLE
Privacy implementation in practice
Rence Damming
Chief Information Security & Privacy Officer
Inergy Talking Dinner
Agenda
Slides by: rence.damming@pon.com (Public)
• Introduction
• How do you approach the implementation process, and where do you begin?
• Which strategic considerations are in play?
• What resistance can you expect in your organization?
• Step-by-step plan and experiences/best practices.
Me
Occupation: Chief Information Security & Privacy Officer of Pon Holdings worldwide. Worked in IT, Strategy & Telecommunications for almost 18 years.
Studied Economics, started career as a music professional.
Experienced in: Data protection, Legislation, Contract management, Legal Interception and Security.
Past jobs include: Chief Privacy Officer of KPN, Head of Security Telfort, Manager Legal Intercept, IT Project Manager and various positions in Customer Operations.
Where to begin?
Four pillars:
• Governance: Privacy Governance Model
• Policies: Compliance code for Privacy
• Awareness: Training and Communications
• Business Processes: Business processes with a privacy focus
Best practice: the ISF developed a Data Privacy Framework for this:
• Start with awareness (in both directions: operations vs. policy);
• Inventory your risks;
• Determine your 'risk appetite' based on the identified risks;
• Devise mitigating measures;
• Embed the measures in processes;
• Shape your policy based on the agreements with your customer (Privacy Statement!);
• Governance…
Where to begin? The right communication! Understanding each other
Privacy Officer: "Are you processing data?"
Technical Officer: "No, I only store data"
In legal terms: Processing = being able to read
In technology terms: Processing = changing
Strategic considerations: building blocks
Governance:
• Privacy policy
• DPO and Privacy Officers
• Related policies
• Data Controllership
People (DNA):
• Training
• Awareness
• Guidelines
• Communication
Processes:
• Data Breach procedure
• Third party privacy clauses
• Privacy rights handling
Systems:
• Privacy by design
• Privacy Impact Assessment
• Data register / Risk mapping
• Website legal requirements
Monitoring:
• Privacy controls
• Compliance dashboard
Privacy & perception
Building Rome ≠ 1 day
From practice
3 key learnings from practice:
• "Never waste a good crisis". Incidents are the ultimate lesson for increasing maturity;
• Not everyone in your organization understands the importance of privacy, what it means for their work, and how the world around us is changing;
• You cannot safeguard privacy without adequate security, and vice versa.
Avoid unnecessary complexity
Confusion and the volume of information
Maintain an overview!
Carry out a Privacy Impact Assessment (PIA) when processing personal data:
A couple of rules that are easy to remember
1) Everything you do with personal data could affect privacy
2) Anonymized data is not personal data, therefore not regulated, and can be freely used (be aware of customer expectations)
3) Don't store personal data longer than strictly required
4) When asking explicit permission, it is only valid when it is given in advance and clearly describes the goal(s) of the processing
Rence Damming
Chief Information Security & Privacy Officer
Pon Holdings
Rence.Damming@pon.com
© ChiefPrivacyOfficer.nl / Classification: Public