Presentation IDnext Meetup 13122017 Johan Van Duijn
KPMG
Johan van Duijn Msc CIPP/E
Nick Martijn
12 December 2017
© 2017 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG
International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks of KPMG International.
Themes from the privacy framework: Data inventory, Data retention, Right to be forgotten
Agenda
1. Why a challenge?
2. Data inventory
3. Data retention
4. Right to be forgotten
5. Our vision and message
1 Why a challenge? Concept: personal data
"Any information relating to an identified or directly or indirectly identifiable natural person" (the data subject).
Examples of what that covers: finances, religion, work, possessions, criminal record, addresses, travel, ethnic origin, online activities.
© 2016 KPMG N.V., a Dutch limited liability company, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
1 Why a challenge? Concept: processing
Any operation or set of operations relating to personal data, including in any case the:
• collecting,
• recording,
• organising,
• storing,
• updating,
• modifying,
• retrieving,
• consulting,
• using,
• disclosure by transmission,
• dissemination,
• making available,
• combining,
• linking,
• blocking,
• erasing,
• destroying
of data.
1 Why a challenge? (slide figure, captioned "VS")
2 Data inventory
Data inventory: Article 30 requirements (refer to appendix B for a detailed overview). Article 30 GDPR requires the controller to keep a record of processing activities; the categories of recipients are one of the fields that record must contain.
Categories of recipients
2 Data inventory: approach
• Identification with departments and process specialists
• System overview
• Categories of personal data
• Validate medium-risk cases
2 Data inventory with the use of tooling
Index and insight into all privacy data in your IT landscape, data discovery and GDPR compliance:
• Overview of privacy data in your IT infrastructure
• Risk & issue workflow & overview
• Distinguish and prioritize different privacy data
• E-discovery and access rights to enterprise search capability
• Flag and address GDPR risks
• Full indexing of all company data, structured and unstructured
• Connect to PII data tokens
Other tools and templates:
• Storage locations
• Content and document types
• Statistics and insights
Create a data inventory

03 DESIGN AND IMPLEMENT DATA CLASSIFICATION
Objective: Amend the existing Classification of Information Policy to include a distinction between 'regular' personal data and 'sensitive' personal data.
Deliverable: A clear overview of classification levels for types of personal data, and guidance for training personnel on how to handle certain types of (sensitive) data.

04 DESIGN A MAINTENANCE PROCESS
Objective: Design a process to maintain a complete and accurate overview of all personal data being processed within the organization.
Deliverables:
- A process for maintaining the overview of processing activities, including sources
- Roles and responsibilities

MAP THE PERSONAL DATA INVENTORY ON THE PROCESSES
Objective: Map the personal data inventory on the processes to create a personal data flow mapping.
Deliverables:
- Overview of sources where personal data [remainder missing from the slide]

06 DETERMINE THE LEGAL BASIS
Objective: Determine per activity what the legal basis is for processing personal data. When special categories of personal data are processed, determine the legitimate basis separately.
Deliverables:
- Insight into the legal basis for processing per activity
3 Data retention
Data retention and Art. 5(1)(e) GDPR (storage limitation): "kept in a form which permits identification of data" [quotation truncated on the slide]

Approach
1. Classification
2. Retention period
3. Impact analysis
4. Application of the retention mechanism

Techniques
• Scripts

Deployable tools
• TRIM (records management)
• SharePoint
• Collibra – metadata manager
• Informatica metadata manager

Backups and the GDPR
1. [only fragments of this point survive on the slide: "archive." "changed."]
2. Backups are usually run under a backup retention schedule, and data disappears automatically (once overwritten). The key is therefore to set up that schedule in line with the statutory retention periods.
3. Access to backups is an issue that must not be overlooked.
4. Backup restores: there must be a scheduled task that checks the restored data for personal data that may no longer be present.
3 Data retention: an integrated approach to information management
• Is there clear policy and are there clear processes?
• How do we manage metadata?
• Do we have the right IT facilities?
• Is the way of working uniform?
• Do the employees have the right mindset?
• Are the right employees involved?
3 Data retention: data governance tooling
4 The right to be forgotten
4 RtbF and the GDPR

Art. 17 GDPR Right to erasure ('right to be forgotten')
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Note that Art. 17(3) lists the exceptions (among them a legal obligation to retain the data and the establishment, exercise or defence of legal claims), which is why the erasure process has to check the legal basis and the applicable retention obligations before anything is deleted.
4 RtbF approach

Process: 1. Receive request → 2. Authenticate → 3. Discover → 4. Analyse → 5. Erase → 6. Feedback

Approach
• Perception of the RtbF
• Authentication of the request
• Which data must be erased
• Opt-out in the case of marketing (opt-out register)

Technique
• Internal / external systems
• Backups
• An alternative option is to create a single customer view.

Deployable tools
• BigID – data discovery tool
• Indica GDPR – data discovery tool
• Prifinder GDPR – data discovery tool
• Evidon – universal consent platform
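The retention slide asks for a scheduled task that re-checks restored backups, and the RtbF slide lists backups as the hard part of erasure. The following is an added example, not code from the KPMG deck or from any of the tools it lists: it keeps an erasure register of subject ids whose Art. 17 request has already been honoured, re-applies that register to a restored data set, and then applies the retention periods from the classification step. The record shape, the classification names and the retention periods are assumptions made for the example; real periods come from the organisation's retention schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical retention periods (days) per classification level, i.e. the
# output of step 1 (classification) and step 2 (retention period).
# Placeholder values, not legal advice.
RETENTION_DAYS: Dict[str, int] = {
    "regular": 2 * 365,
    "sensitive": 365,
    "financial": 7 * 365,
}


@dataclass(frozen=True)
class Record:
    """One stored item about a data subject (shape assumed for this example)."""
    subject_id: str
    classification: str   # key into RETENTION_DAYS; empty/unknown if never classified
    created: date
    payload: Dict[str, str]


def split_by_retention(records: Iterable[Record], today: date
                       ) -> Tuple[List[Record], List[Record], List[Record]]:
    """Step 4, applying the retention mechanism.

    Returns (keep, expired, unclassified). Unclassified records are reported
    rather than silently kept: an item that never went through classification
    has no retention period, so nothing can be decided about it automatically.
    """
    keep, expired, unclassified = [], [], []
    for r in records:
        days = RETENTION_DAYS.get(r.classification)
        if days is None:
            unclassified.append(r)
        elif r.created + timedelta(days=days) <= today:
            expired.append(r)
        else:
            keep.append(r)
    return keep, expired, unclassified


def reapply_erasures(records: Iterable[Record], erasure_register: Set[str]
                     ) -> Tuple[List[Record], List[str]]:
    """Drop every record of a subject whose Art. 17 request was already honoured.

    The register holds the subject ids erased from production. A restore brings
    their data back, so every restored set is checked against the register.
    """
    kept, re_erased = [], set()
    for r in records:
        if r.subject_id in erasure_register:
            re_erased.add(r.subject_id)
        else:
            kept.append(r)
    return kept, sorted(re_erased)


def post_restore_check(restored: Iterable[Record], erasure_register: Set[str],
                       today: date) -> Dict[str, List[str]]:
    """The scheduled task from the slide: run on every restored data set.

    Erasures are re-applied first, then retention, so a subject that was both
    erased and expired is reported once, under re_erased.
    """
    kept, re_erased = reapply_erasures(restored, erasure_register)
    keep, expired, unclassified = split_by_retention(kept, today)
    return {
        "keep": [r.subject_id for r in keep],
        "expired": [r.subject_id for r in expired],
        "re_erased": re_erased,
        "unclassified": [r.subject_id for r in unclassified],
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample data: a backup restored on 25 May 2018."""
    today = date(2018, 5, 25)
    restored = [
        Record("A", "regular", date(2016, 1, 1), {"email": "a@example.com"}),   # past 2 years
        Record("B", "sensitive", date(2018, 1, 1), {"religion": "..."}),        # within 1 year
        Record("C", "financial", date(2011, 1, 1), {"iban": "NL00..."}),        # past 7 years
        Record("D", "regular", date(2018, 3, 1), {"email": "d@example.com"}),   # erased subject
        Record("E", "", date(2018, 4, 1), {"notes": "never classified"}),       # no class
    ]
    erasure_register = {"D"}   # D's Art. 17 request was honoured before the backup was taken
    return post_restore_check(restored, erasure_register, today)


if __name__ == "__main__":
    for bucket, ids in demo().items():
        print(f"{bucket:12s} {ids}")
```

Only B survives the restore untouched; A and C are past their retention period, D is re-erased from the register, and E is flagged because it was never classified. The register is what turns the RtbF "Erase" step into something a later restore cannot undo, and the "unclassified" bucket is the check that makes step 1 a precondition for step 4.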
5 Our vision and message
5 Our vision and message
1. GDPR = data management
2. The GDPR has strong risk-based components
3. Get more out of the GDPR investment than compliance alone
Questions?

Johan van Duijn
KPMG Nederland
Tel: +31 6539 24 707
vanduijn.johan@kpmg.nl

Nick Martijn
Senior Consultant Data Management
KPMG Nederland
Tel: +31 6101 53 957
martijn.nick@kpmg.nl