
GDPR & Data Management
KPMG
Johan van Duijn MSc CIPP/E
Nick Martijn

12 December 2017

© 2017 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG
International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks of KPMG International.
Themes from the privacy framework

• Data inventory
• Data retention
• Right to be forgotten
Agenda

1. Why a challenge?
2. Data inventory
3. Data retention
4. Right to be forgotten
5. Our vision and message

1 Why a challenge?

1 Concept: personal data

"Any information relating to an identified or directly or indirectly identifiable natural person"

Examples of information about a data subject: finances, religion, work, possessions, criminal record, addresses, travel, ethnic origin, online activities, profiling, activities, property, IP address, hobbies, family, health, sexual orientation, photos, smartphone activities, genetic/biometric data, political orientation, opinion, images, locations, communication, trade union membership, recordings, name, expenses.
© 2016 KPMG N.V., a Dutch limited liability company, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss
entity. All rights reserved.

1 Why a challenge?

2 Concept: processing

Any operation or set of operations performed on personal data, including at least the:

• collecting,
• recording,
• organising,
• storing,
• updating,
• altering,
• retrieving,
• consulting,
• using,
• disclosure by transmission,
• dissemination,
• making available,
• combining,
• linking,
• restricting,
• erasing,
• destroying

of data.


1 Why a challenge?

3 Complex IT landscape and control over data

(Figure: a complex IT landscape versus control over data.)

2 Data inventory

2 Data inventory: article 30 GDPR (AVG) requirements (refer to appendix B for a detailed overview)

• Name, contact details, controller
• Purpose of processing
• Categories of personal data and data subjects
• Categories of recipients
• Data flows to other countries or international organizations


2 Data inventory: manual approach

1. Identification with departments and process specialists
   • System overview
   • Categories of personal data
   • Risk analysis
   • Validate medium-risk cases
   • Work out and map high-risk cases
2. Validation with IT and the IT landscape


2 Data inventory: using tooling


2 Data inventory: using tooling

Index and insight in all privacy data in your IT landscape, data discovery and GDPR compliance

GDPR Insight Dashboard & Workflow
• Overview of privacy data in your IT infrastructure
• Overview of risk & issue workflow
• Flag and address GDPR risks

Indica GDPR privacy data indexing solution
• Distinguish and prioritize different PII data tokens
• E-discovery and enterprise search capability
• Access rights to privacy data
• Full indexing of all company data
• Connect to structured and unstructured data

Other tools and templates

• Storage locations
• Content and document types
• Statistics and insights

Create a data inventory

START

01 DESIGN A PROCESS TO CREATE A DATA INVENTORY
Objective: Draft a process to have an up-to-date data inventory.
Deliverables:
- A process for the creation and maintenance of an overview of processing activities.
- A clear overview of business processes and/or systems where personal data is being processed.

02 LIST ALL TYPES OF PERSONAL DATA (incl. sensitive data)
Objective: The data inventory process will be executed where an optimum balance will be applied between manual and automated data discovery with the help of the INDICA GDPR tool. Systems and applications will be scanned (structured and unstructured).
Steps: Install INDICA GDPR -> Set up the classifier -> Index data -> Validate findings -> Continuous monitoring.
Deliverables: Output of identified personal data fields, with classifications of personal data and source locations.

03 DESIGN AND IMPLEMENT DATA CLASSIFICATION
Objective: Amend the existing Classification of Information Policy to include a distinction between 'regular' personal data and 'sensitive' personal data.
Deliverable: A clear overview of classification levels for types of personal data, and guidance for training of personnel on how to handle certain types of (sensitive) data.

04 MAP THE PERSONAL DATA INVENTORY ON THE PROCESSES
Objective: Map the personal data inventory on the processes to create a personal data flow mapping.
Deliverables: Overview of sources where personal data

05 DETERMINE THE LEGAL BASE AND RETENTION PERIODS
Objective: Determine per activity what the legal base is for processing personal data. When special types of personal data are processed, determine the legitimate base separately.
Deliverables: Insight into the legal basis for processing per activity.

06 DESIGN A MAINTENANCE PROCESS
Objective: Design a process to maintain a complete and accurate overview of all personal data which is being processed within the organization.
Deliverable: Design a process for maintenance of an overview of processing activities, including sources, roles and responsibilities.

3 Data retention

3 Data retention and the GDPR (AVG)

Art. 5 GDPR Principles relating to processing of personal data

1) Personal data shall be:

a: .....
.....
e: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');


3 Data retention and the GDPR (AVG): approach

1. Classification -> 2. Retention period -> 3. Impact analysis -> 4. Apply the retention mechanism

Techniques
• Manual retention (hard deletion)
• Retention of documents through archiving, with restricted access to the archive
• Scripts

Tools that can be deployed
• TRIM (Record Management)
• SharePoint
• Collibra – metadata manager
• Informatica metadata manager

Backups
1. Backups are immutable and exist to reconstruct situations from the past. As a result, backups and backup data cannot be modified.
2. Backups are usually run under a backup retention schedule, and data disappears automatically (when overwritten). The key is therefore to draw up such a schedule in line with the statutory retention periods.
3. Access to backups can be an issue that must not be overlooked.
4. Backup restores: there should be a scheduled task that checks the restored data for whether personal data may still be present.
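As an added illustration of the retention mechanism and of backup points 2 and 4 above (this is example code, not part of the KPMG deck or of any of the named tools), the following Python sketch applies a per-category retention schedule to live records, flags categories whose statutory retention is shorter than the backup retention, and runs the post-restore check that removes expired personal data again. The categories, retention periods, active-use window, dates and sample records are constructed assumptions, not statutory figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule per data category, in days. Categories and
# periods are assumptions made for this example, not statutory figures.
RETENTION_DAYS = {
    "marketing_consent": 365,
    "customer_contract": 7 * 365,
    "applicant_cv": 28,
}
# Assumed active-use window: after it, a record still within its retention
# period is moved to a restricted-access archive instead of staying live.
ACTIVE_DAYS = 90

# Constructed reference dates used by the demo and the checks below.
DEMO_DATE = date(2017, 12, 12)
RESTORE_DATE = date(2018, 3, 1)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_purpose_date: date  # last date the processing purpose was served


def expiry_date(rec: Record) -> date:
    """End of the statutory retention period for this record. An unknown
    category raises rather than being kept indefinitely by default."""
    if rec.category not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for {rec.category!r}")
    return rec.last_purpose_date + timedelta(days=RETENTION_DAYS[rec.category])


def retention_action(rec: Record, today: date) -> str:
    """Map one record to the mechanism to apply: 'delete' (hard deletion) once
    retention has expired, 'archive' once past the active window but still
    within retention, 'keep' otherwise."""
    if today >= expiry_date(rec):
        return "delete"
    if today >= rec.last_purpose_date + timedelta(days=ACTIVE_DAYS):
        return "archive"
    return "keep"


def plan_retention(records, today: date) -> dict:
    """Group record ids by action; this is what a retention script executes
    or hands to a records-management tool."""
    plan = {"keep": [], "archive": [], "delete": []}
    for rec in records:
        plan[retention_action(rec, today)].append(rec.record_id)
    return plan


def backup_schedule_gaps(backup_retention_days: int, categories) -> list:
    """Categories whose statutory retention is shorter than the backup
    retention: their data would outlive its retention period inside backups."""
    return sorted(c for c in categories if RETENTION_DAYS[c] < backup_retention_days)


def restore_cleanup(restored_records, restore_date: date) -> list:
    """The scheduled post-restore check: ids whose retention has expired by
    the restore date and that must be removed again from the restored data."""
    return [r.record_id for r in restored_records
            if retention_action(r, restore_date) == "delete"]


# Constructed sample records.
SAMPLE = [
    Record("r1", "marketing_consent", date(2016, 11, 1)),
    Record("r2", "customer_contract", date(2015, 6, 30)),
    Record("r3", "applicant_cv", date(2017, 12, 1)),
    Record("r4", "marketing_consent", date(2017, 7, 1)),
]

if __name__ == "__main__":
    print(plan_retention(SAMPLE, DEMO_DATE))
    print(backup_schedule_gaps(400, RETENTION_DAYS))   # assumed 400-day backup retention
    print(restore_cleanup(SAMPLE, RESTORE_DATE))
```

The restore check reuses the same decision function as the live retention run, so a record that has expired between the backup date and the restore date is caught by the same rule that would have deleted it in production.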


3 Data retention: an integrated approach to information management

• What is the policy for information management?
• Who is responsible?
• Are there clear policies and processes?
• How do we manage metadata?
• Do we have the right IT facilities?
• Is the way of working uniform?
• Do the employees have the right mindset?
• Are the right employees involved?

3 Data retention: data governance tooling

4 The right to be forgotten

4 RtbF and the GDPR (AVG)

Art. 17 GDPR Right to erasure ('right to be forgotten')

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
   1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
   2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
   3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
   4. the personal data have been unlawfully processed;
   5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
   6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

4 Approach

Process: 1. Receive request -> 2. Authenticate -> 3. Discover -> 4. Analyse -> 5. Erase -> 6. Feedback

Approach
• Perception of the RtbF
• Authentication of the request
• Which data must be deleted
• Opt-out in the case of marketing (opt-out register)

Technique
• Internal / external system
• Backups
• An alternative option is to create a single customer view.

Tools that can be deployed
• BigID – data discovery tool
• Indica GDPR – data discovery tool
• Prifinder GDPR – data discovery tool
• Evidon – universal consent platform
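The six-step process above, worked through as an added Python example (not code from the deck or from any of the named tools): a request is authenticated, the subject's records are discovered across internal and external systems, the analysis separates records that must be erased from those a legal obligation keeps, internal records are deleted, an external system receives an erasure notice instead, marketing identifiers go into an opt-out register as keyed hashes, and the feedback notes that backups are only cleared by the backup retention schedule. The systems, records, verification codes and the pepper for the register are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Record:
    subject_id: str
    fields: dict
    retain_reason: Optional[str] = None   # set when a legal obligation blocks erasure


@dataclass
class System:
    name: str
    external: bool                        # operated by a processor or recipient
    records: list = field(default_factory=list)


# Assumed secret for the opt-out register; a real deployment keeps it in a secret store.
OPT_OUT_PEPPER = b"example-pepper-not-a-real-secret"
# Constructed verification codes issued to data subjects during identity checking.
SAMPLE_CODES = {"S-42": "code-1234"}


def authenticate(request: dict, verified_codes: dict) -> bool:
    """Step 2: only the data subject concerned may have their data erased;
    the code comparison is constant-time."""
    expected = verified_codes.get(request["subject_id"])
    return expected is not None and hmac.compare_digest(expected, request["verification_code"])


def discover(systems, subject_id: str):
    """Step 3: every record about the subject across all known systems."""
    return [(s, r) for s in systems for r in s.records if r.subject_id == subject_id]


def analyse(found):
    """Step 4: which of the discovered records must actually be deleted."""
    to_erase = [(s, r) for s, r in found if r.retain_reason is None]
    retained = [(s, r) for s, r in found if r.retain_reason is not None]
    return to_erase, retained


def opt_out_token(email: str) -> str:
    """Keyed hash of the marketing identifier: the opt-out register can
    suppress future contact without keeping the address itself."""
    return hmac.new(OPT_OUT_PEPPER, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def is_suppressed(email: str, opt_out_register: set) -> bool:
    return opt_out_token(email) in opt_out_register


def erase(to_erase, opt_out_register: set):
    """Step 5: delete internal records, register marketing identifiers in the
    opt-out register, and raise a notice for each external system."""
    erased, notices = [], []
    for system, rec in to_erase:
        if "email" in rec.fields:
            opt_out_register.add(opt_out_token(rec.fields["email"]))
        if system.external:
            notices.append(system.name)
        else:
            system.records.remove(rec)
            erased.append(system.name)
    return erased, notices


def handle_request(request: dict, systems, verified_codes: dict, opt_out_register: set) -> dict:
    """Steps 1 to 6 end to end; the returned dict is the feedback to the subject."""
    if not authenticate(request, verified_codes):
        return {"status": "rejected", "reason": "authentication failed"}
    to_erase, retained = analyse(discover(systems, request["subject_id"]))
    erased, notices = erase(to_erase, opt_out_register)
    return {
        "status": "completed",
        "erased": sorted(erased),
        "retained": sorted((s.name, r.retain_reason) for s, r in retained),
        "external_notices": sorted(notices),
        "backups": "cleared only when the backup retention schedule expires them",
    }


def build_sample_systems():
    """Constructed data: one subject spread over an internal CRM, finance
    (with a statutory retention obligation) and an external mailing provider."""
    return [
        System("crm", False, [
            Record("S-42", {"email": "Jane@Example.org", "name": "J. Doe"}),
            Record("S-7", {"email": "other@example.org"}),
        ]),
        System("finance", False, [
            Record("S-42", {"invoice": "2017-0099"}, retain_reason="statutory retention"),
        ]),
        System("mailing-provider", True, [
            Record("S-42", {"email": "jane@example.org"}),
        ]),
    ]


if __name__ == "__main__":
    register = set()
    print(handle_request({"subject_id": "S-42", "verification_code": "code-1234"},
                         build_sample_systems(), SAMPLE_CODES, register))
    print(is_suppressed("JANE@example.org", register))
```

The register stores only a keyed hash of the normalised address, so honouring the opt-out does not itself mean keeping the erased address; the feedback lists each retained record with its reason and each external party that still has to act.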

5 Our vision and message

5 Our vision and message (DRAFT)

1. GDPR = data management
2. The GDPR has strong risk-based components
3. Get more out of the GDPR (AVG) investment than compliance alone

Questions? (DRAFT)

Johan van Duijn MSc CIPP/E
Manager Cyber
KPMG Nederland
Tel: +31 6539 24 707
vanduijn.johan@kpmg.nl

Nick Martijn
Senior Consultant Data Management
KPMG Nederland
Tel: +31 6101 53 957
martijn.nick@kpmg.nl