Privacy Governance survey
Maturity of privacy control in Dutch organisations
PwC The Netherlands
January 2017
www.pwc.nl/privacy


PwC Privacy Governance survey Maturity of privacy control in Dutch organisations 2

Content

Introduction: PwC Privacy Governance survey 3

Management Summary 7

Results 10
  Overview of the results by chapter
  Privacy in your organisation 11
  Privacy strategy and policy 13
  Privacy incidents and notifications 19
  Privacy and your suppliers (third parties) 22
  Your organisation and privacy risks 24
  Statements 26
  About you and your organisation 32

Appendix 36
  Appendix A: PwC Privacy Portfolio 37

Contacts 38

Introduction PwC Privacy Governance survey

For the third consecutive year, PwC conducted the Privacy Governance Survey. The topic of privacy was certainly in the spotlight in 2016. Some of the main occurrences:
• The obligation to report data breaches was implemented on January 1st 2016;
• The General Data Protection Regulation (GDPR) was adopted, which organisations have until May 25th 2018 to implement;
• In media and politics, privacy was highlighted multiple times, with a focus on data breaches (e.g. at municipalities and hospitals) and various legal proceedings with regard to personal data;
• A new mechanism for cross-border personal data flows between the EU and the US, the ‘Privacy Shield’, was adopted.

PwC’s annual Privacy Governance Survey provides an overall insight into how Dutch organisations deal with privacy, why they believe it is important, and how they deal with current and new data privacy regulations. This survey provides the possibility to compare your own organisation with others, without giving an opinion on privacy performance and compliance within your organisation. The information obtained through this survey has solely been used for the preparation of this report.

What is the goal of the Privacy Governance Survey and how can it help your organisation?

The Privacy Governance Survey provides a unique insight into your organisation’s readiness for the GDPR and your level of maturity in dealing with the protection of personal data. It also allows you to compare the results with other relevant organisations. Overall, the report gives insight into how Dutch organisations are dealing with privacy.

Added value for you and your organisation:
• a better understanding of the nature and impact of new privacy legislation;
• an assessment of the relevant privacy risks for your organisation;
• raised awareness with regard to privacy;
• increased attention for privacy governance and resilience within your organisation.


What are the new legal requirements?

From January 1st 2016, the data breach notification obligation has been added to the Dutch Data Protection Act. In last year’s survey we focused on the preparations made by organisations with regard to this new obligation. At that point in time, the majority of organisations were not yet prepared. In this year’s survey we investigated to what extent organisations meet these new obligations. We noted that a majority of organisations have designed policies and procedures with regard to data breach notification. The main challenge seems to be the operating effectiveness of these policies and procedures.

A second important change is the adoption of the GDPR in May 2016. Organisations have a grace period of two years to become compliant with the new regulation. As of May 25th 2018 the GDPR applies in all EU member states. The GDPR will have a major impact on organisations’ data protection policies and on how they process personal data. One important change introduced by the GDPR, amongst others, is that organisations shall be aware of and understand how personal data is processed in their organisation. Furthermore, the GDPR introduces the privacy by design and privacy by default principles; these are put into practice, for example, by performing Privacy Impact Assessments for new products and systems. Finally, the GDPR also introduces substantially higher penalties of up to 4% of an organisation’s global annual turnover or EUR 20.000.000.

We noted that the preparations for the GDPR are starting to get underway. A number of organisations are engaged in active preparation for the GDPR and determining the impact the GDPR will have. The emphasis in 2016 was on identifying the upcoming changes and assessing their impact. We expect that many organisations will start implementing the identified changes this year. Although May 25th 2018 seems far away, organisations will require all the time that is left to implement the relevant requirements.

Finally, a new mechanism to exchange personal data between the EU and the US was adopted: the ‘Privacy Shield’. It is expected that the validity of the Privacy Shield will be tested in legal proceedings, as was its predecessor ‘Safe Harbour’. We advise organisations to use the so-called ‘EU Model Contracts’ for personal data transfers between the EU and the US, and to assess whether relevant US suppliers are certified under the new Privacy Shield.

Analysis of results

Over the past three years, 210 organisations from different sectors participated in the PwC Privacy Governance survey. This year’s results are shown graphically in the following chapters:
• Privacy in your organisation
• Privacy strategy and policy
• Privacy incidents and notifications
• Privacy and your suppliers
• Your organisation and the privacy risk
• Statements
• About you and your organisation


Trends and developments in 2016

The introduction of new laws and regulations contributes to an ever-increasing insight into the importance of privacy and personal data protection within organisations. To the question whether the data breach notification obligation has resulted in increased awareness with regard to the processing of personal data, a vast majority (87%) of participants answered affirmatively.

Compared to last year, the proportion of organisations that are fully prepared for the data breach notification obligations rose from 16% to 58%. This is reflected by the fact that within 70% of the organisations (last year just 50%) intensive cooperation between Legal, IT (security) and Business is taking place with regard to privacy and data protection. In 74% of the organisations (against 50% last year), an increased investment in privacy compliance took place. The upcoming enforcement of the GDPR has also contributed to increased attention to privacy and the processing of personal data. This is supported by the fact that almost 90% of the participants stated that they have a good insight into the personal data processing within their own organisation. Last year this was only 68%. Furthermore, the use of data processor agreements has increased from 60% to 70% in 2016. Organisations also check compliance with their data processor agreements more often: from 18% last year to 50% in 2016. It seems clear that the role of data processors under the data breach notification obligation is a major factor in this respect.

The PwC Privacy Governance Survey shows that various organisations have started their preparations for the GDPR. The percentage of organisations that have not started preparations has decreased from 35% to 25% in 2016. An increasing number of organisations are in the process of identifying the changes and the impact on their organisation. The expectation is that most organisations will start implementing the necessary changes this year.

How to use the results for your own purposes

Based on the overall picture as presented in this report, we recommend:
1. To discuss the report and its recommendations with the persons responsible for privacy in the organisation. This will allow them to use its insights to further prepare the organisation for the GDPR;
2. To translate the outstanding issues into an action plan that will lead to organisational, procedural, and technical measures and controls;
3. To measure effectiveness periodically.

We believe that this survey can strengthen the Dutch privacy competencies and improve our international competitiveness and position of trust. Moreover, this report provides an overview of the approach to privacy management within a large number of Dutch organisations which can be compared to that of your own organisation. The report gives insight into the state of personal data processing within your organisation compared to similar organisations and competitors. The information obtained through the survey has solely been used for the preparation of this report.


At your request, we are more than willing to further discuss the impact of the report to your organisation or to facilitate the development of an action plan that suits the focus of your organisation.

Sincerely,

Bram van Tiel, Director Technology and Security

Yvette van Gemerden, Partner Legal Services

Adri de Bruijn, Partner Consulting Technology


Management Summary

Collaboration increases

At 67% of the organisations, privacy is an interplay between Business, Legal and IT (security). Compared to 2015, cooperation has further strengthened.

Chart (frequency of cooperation between Business, Legal and IT on privacy): With incidents 11%; Periodically 70%; Ad hoc 19%.

More investments in privacy compliance

More than 74% of the participants indicate that investments in privacy compliance have increased over the past year. The most important reason for these investments is that organisations feel responsible for the protection of personal data (75%).

Maturity in privacy increases though still remains immature

Only 29% of the participants indicate that the processing of personal data in their organisation is on a (very) mature level. 41% indicate that they have performed a Privacy Assessment.

The usefulness of a European Data Protection Seal becomes clearer

52% of respondents think that such a seal could be useful for their organisation. This has almost doubled compared to last year (27%).

Organisations not ready for obligation to notify data breaches

For 87% of the organisations, the data breach notification obligation resulted in an increasing awareness with regard to the processing of personal data.

58% of the organisations say they are prepared for the new obligation to report data breaches.

Over three quarters (76%) of organisations are compliant with the statutory obligation to keep a central record of data breaches. As much as 72% have a communication plan in place in relation to data breaches. Consequently, it seems that the real challenge now is the operating effectiveness of the policies and procedures designed.


Organisations prepare for the General Data Protection Regulation

11% of the participants are ready for the new privacy regulations. 64% of the organisations are engaged in active preparation for the GDPR.

Chart (GDPR preparation): In preparation 64%; Not in preparation 25%.

Privacy by design seems well embedded

Privacy by Design is well embedded within organisations. 69% consider the use of personal data while introducing new systems.

Data protection officer is on the rise

The Privacy Officer is working its way up: 28% of the organisations have now appointed a person to this position. In 17% of the cases no specific position is accountable for the topic privacy, or no privacy policy is implemented.

Understanding of risks and impact

45% of the participating organisations do not carry out risk analyses (e.g. Privacy Impact Assessments) in the context of personal data processing.

Limited insight into data flows and data processing

Almost 90% of organisations indicate that they have a clear insight into data flows to external parties. However, only 35% document the data processing. A small minority (9%) of organisations document all of their personal data processing.

Processor agreements are used, though mostly not checked for compliance

70% indicate that data processor agreements are used when dealing with external suppliers. 31% check compliance with the terms of data processing agreements.

Results

Privacy in your organisation

For 67% of the organisations privacy is an integrated topic between Business, Legal and IT (Security).

In an ever-increasing number of organisations (64%) intensive collaboration between Business, Legal and IT (Security) takes place through at least quarterly meetings.

For 30% of the organisations such meetings solely take place in case of incidents or on an ad hoc basis.

Chart: Where in your organisation lies the primary responsibility for privacy?
Answer options: Privacy is primarily a Business topic; Privacy is primarily a Legal topic; Privacy is primarily an IT (security) topic; Privacy is an integrated topic between Business, Legal and IT (security); Not specified.

Chart: How often do Business, Legal and IT (Security) meet to discuss privacy matters?
Answer options: Only in case of incidents; Ad hoc (without immediate cause); Periodically (at least annually); Periodically (at least quarterly); Periodically (at least monthly); Business, Legal and IT (Security) work together on a daily basis.


The position accountable for privacy within organisations shows great variety. On the other hand, the results show that the Privacy Officer is becoming more common, with 28% of organisations appointing a person to this position.

In 17% of the cases no specific position is accountable for the topic privacy or no privacy policy is implemented.

Chart: Who is currently responsible for the implementation of your organisation’s privacy policy?
Answer options: Chief Information Officer; Chief Privacy Officer; IT Manager; Data Protection Officer; Security Officer; Compliance Officer; Risk Manager; Director Internal Audit; Legal Counsel; Controller; HR Manager; No one; We have no privacy policy; Other, please specify.

Privacy strategy and policy

29% of the participants indicate that the processing of personal data in their organisation is on a (very) mature level, in contrast to just 9% of the organisations that consider the processing of personal data immature.

A minority of 41% of the organisations have performed a privacy assessment with regard to compliance with the General Data Protection Regulation.

Chart: In your opinion, how mature is the processing of personal data in your organisation?
Answer options: Immature; Reasonably mature; Mature; Very mature; I don’t know.

Chart: Does your organisation have a clear view of the level of compliance with the GDPR?
Answer options: Yes, we have performed a GDPR compliance assessment; No, but we have planned a GDPR compliance assessment; No.


Chart: Did your organisation implement a privacy program and/or strategy?
Answer options: Yes, a privacy program and/or strategy has been implemented; Yes, privacy is an integrated part of the information security strategy; No; I don’t know.

Chart: Did your organisation make an extra investment in privacy compliance and governance last year?
Answer options: Yes, extra resources have been invested in privacy compliance and governance; No extra resources have been invested in privacy compliance and governance; I don’t know.

At 67% of the organisations a privacy program and/or strategy is implemented. This is roughly similar to the results of last year.

28% of the participating organisations have not implemented a privacy program and/or strategy.

At 74% of the organisations extra resources have been invested in privacy compliance and governance last year.


The new General Data Protection Regulation obliges organisations to maintain detailed records on the processing of personal data and keep it up to date.

Chart: Does your organisation have a clear view of which personal data are processed, and is this documented?
Answer options: All personal data processing is known and documented; Most personal data processing is known and documented; Most personal data processing is known, but not documented; Personal data processing is not/hardly known and not documented; I don’t know.

Chart: Does your organisation include the evaluation of the adequacy of the security controls in place when evaluating the various forms of processing personal data?
Answer options: Yes, we have performed such an evaluation and concluded that the implemented controls are adequate; Yes, we have performed such an evaluation and concluded that the implemented controls are inadequate; No, we did not perform an assessment; I don’t know.

Only 9% of the organisations comply with the GDPR obligation to document all personal data processing. A large majority of the organisations have not documented, or have hardly documented, the processing of personal data.

Over 40% of the organisations indicate that no review took place for existing security controls for the protection of personal data.


Only 53% of the organisations ensure transparent communication about processing of personal data towards data subjects by using a privacy statement.

Almost 24% of the participants indicate that their organisation does not provide a privacy statement on their website.

More than a quarter of the organisations have implemented procedures regarding transparency and the right for correction of the data subjects.

22% of the organisations are in the process of defining and/or implementing those procedures.

Chart: How does your organisation ensure transparent communication towards data subjects on the processing of their personal data?
Answer options: A privacy statement is provided to data subjects with each data processing; A general privacy statement is available on our website; There is no privacy statement available to inform data subjects on the processing of their personal data; Other, please specify.

Chart: Does your organisation have procedures regarding transparency and the right of correction of data subjects?
Answer options: Yes, these procedures are implemented; No, but we are in the process of defining such procedures; No, we did not define such procedures; I don’t know.


Policies with regard to retention and disposal of personal data are defined by 69% of the participating organisations.

Chart: Does your organisation have policies on retention and disposal of personal data?
Answer options: Yes, we have specific retention policies on personal data; Yes, retention policies are part of our general privacy policy; No; I don’t know.


The General Data Protection Regulation makes it possible for organisations to obtain a European Data Privacy Protection Seal.

52% of the respondents think that such a seal could be useful for their organisation. This has almost doubled compared to last year (27%).

Chart: In your opinion, is it useful for your organisation to obtain a European Data Privacy Protection Seal?
Answer options: Yes, very useful; Yes, reasonably useful; No, not useful; I don’t know.

Privacy incidents and notifications

20% of the respondents indicate that no privacy incidents occurred last year.

Only 17% of the organisations indicated that the number of privacy incidents increased last year.

More than half (58%) of the participants consider the response to privacy incidents by their organisation to be (very) good.

Chart: In your opinion, how did your organisation respond to the privacy incidents?
Answer options: Bad/poorly; Not properly; Reasonably; Good; Very good; I don’t know.

Chart: To your knowledge, has the number of privacy incidents in your organisation increased or decreased last year?
Answer options: Increased; Stable; Decreased; Not applicable, no privacy incidents occurred last year; I don’t know.


As of January 1st 2016 all organisations residing in the Netherlands are obliged to notify data breaches without delay (incl. impact, measures, etc.) to the Dutch Data Protection Authority and under certain conditions to the data subjects involved.

52% of the organisations indicate that they are (very) well prepared for this obligation.

A large majority (78%) of organisations indicate that they comply with the obligation to keep a record of data breaches.

Chart: Does your organisation maintain records of data breaches?
Answer options: Yes; No; I don’t know.

Chart: In your opinion, is your organisation well prepared to meet these obligations?
Answer options: I am not aware of this obligation; Bad/poorly; Not properly; Reasonably; Good; Very good; I don’t know.


Chart: Does your organisation have a communication plan in case of data breaches?
Answer options: Yes; No; I don’t know.

Chart: Does your organisation report data breaches to the Data Protection Authority?
Answer options: Yes; No; I don’t want to comment on this; I don’t know.

72% of the organisations have implemented a communication plan in case of a data breach.

44% of the organisations reported one or more data breaches to the Data Protection Authority.

Privacy and your suppliers (third parties)

Only 22% of the participants indicated that their organisation has insight into personal data flows with third parties.

Over two thirds of the participants indicated that they have a reasonable insight into personal data flows between their organisation and third parties.

Approximately 9% of the participants indicated that, despite their responsibility, the organisation hardly has insight into personal data flows between their organisation and third parties.

Chart: Does your organisation, from a privacy perspective, have insight into personal data flows between your organisation and third parties (suppliers, customers, data processors)?
Answer options: Yes, good; Yes, reasonably; No; I don’t know.


Based on the Dutch Data Protection Act it is mandatory to impose contractual obligations on external parties processing personal data on your behalf (e.g. suppliers). As an organisation, you can choose to incorporate these obligations in existing contracts or to include them in a separate data processor agreement.

Approximately 70% of the organisations impose contractual obligations on external parties by using a separate data processor agreement.

Only 6% of the organisations do not impose contractual obligations on external parties in case personal data is processed on their behalf.

Half of the organisations (50%) do not periodically assess the data processor agreements.

Chart: Do you use data processor agreements to allow external parties to process personal data on your behalf?
Answer options: Yes, in a separate data processor agreement; Yes, as part of an existing agreement; No; Not applicable, personal data is not processed by third parties; I don’t know.

Chart: Do you (or others) review data processor agreements periodically on compliance?
Answer options: Yes; No; I don’t know.

Your organisation and the privacy risk

Only 22% of the organisations conduct a risk analysis (e.g. a Privacy Impact Assessment) regularly, while 33% perform these kinds of risk analyses only on an ad hoc basis. A further 45% of the organisations indicated that no risk analyses are performed with regard to the processing of personal data, or did not know whether they are performed.

[Chart] Does your organisation conduct risk analyses (e.g. Privacy Impact Assessments) concerning personal data processing? Answer options: Yes, privacy is part of the standard Business Risk Assessment; Yes, Privacy Impact Assessments are standard procedure for implementing new systems, programs and processes; Yes, we perform ad hoc Privacy Impact Assessments; No, we do not perform Privacy Impact Assessments; I don’t know.


Your organisation and the privacy risk


More than half of the organisations assess compliance with the Dutch Data Protection Act periodically, whether or not as part of the regular audit cycle.

At 49% of the organisations, employees did not receive any privacy training or education in the past 12 months.

[Chart] How are employees in your organisation trained in the field of privacy? Answer options: All employees are trained periodically; Only privacy employees are trained periodically; All employees are trained once; Only privacy employees are trained once; All employees are trained once, but privacy employees are trained periodically; No privacy training is provided.

[Chart] Is privacy and compliance with the Dutch Data Protection Act periodically assessed? Answer options: Yes, as part of the regular audit cycle; Yes, assessments are periodically performed (no audit); No, only ad hoc; No assessments take place on privacy and compliance with the Dutch Data Protection Act; I don’t know.


Statements


For a large majority (75%) of the organisations, the protection of personal data is the most important reason to put privacy on the agenda, as they feel responsible for their customers’ data.

For only a small number of respondents (6%), the risk of a high fine is the most important reason.

[Chart] The most important reason for our organisation to put privacy on the agenda is: Answer options: The risk of a fine of 4% of worldwide annual turnover (of the previous year), or a fine with a maximum of EUR 20,000,000, whichever is higher; We feel responsible for the protection of personal data of our customers, employees and other relations; We fear reputational damage in case of privacy incidents; Privacy is not on the agenda.


A quarter of the participants indicate that the organisation has not yet started to identify the upcoming changes in privacy legislation.

Only 11% state that their organisation is ready for the new privacy legislation.

[Chart] We are ready for the upcoming changes in privacy legislation (General Data Protection Regulation): Answer options: We are ready; We have identified the changes and are working on implementation; We have identified the changes, but have not started implementation; We have not identified the changes yet.

Page 28: Privacy Governance survey Maturity of privacy control in ... · Introductie What are the new legal requirements? From January 1st 2016, the data breach notification obligation has

PwC Privacy Governance survey Maturity of privacy control in Dutch organisations 28

Introduction Management Summary Appendix  Contacts

Statements

Statements

Based on the General Data Protection Regulation (GDPR), it is mandatory to take the privacy of data subjects and the protection of personal data into account while implementing new systems.

Despite this new obligation, 31% of the participants state that their organisation does not always take privacy aspects and the protection of personal data into account at an early stage.

[Chart] Upon implementing new systems we always take into account privacy aspects and protection of personal data (Privacy by Design & Privacy by Default principles) in an early stage: Answer options: Agree; Disagree.


71% of the respondents view privacy legislation as not restrictive to the innovation capabilities of their organisation.

[Chart] Privacy legislation limits our innovation capabilities: Answer options: Agree; Disagree.


58% of the participants indicated that they have fully implemented the new obligation to report data breaches.

[Chart] We have fully implemented the Data Breach Act within our organisation: Answer options: Agree; Disagree.


A vast majority (87%) of the participants agree with the proposition that the data breach notification obligation has contributed to increased awareness regarding the processing of personal data.

[Chart] The Data Breach Notification Act contributed to the privacy awareness within our organisation regarding the processing of personal data: Answer options: Agree; Disagree.


About you and your organisation

The individual respondents of the survey are employed in a broad range of functions.

The participating organisations are active in a wide range of sectors and markets.

[Chart] Which one of these job titles describes your role in the best possible way? Answer options: Management Board; Chief Information Officer; Chief Privacy Officer; IT Manager; Data Protection Officer; Security Officer; Compliance Officer; Risk Manager; Director Internal Audit; Legal Counsel; Controller; HR Manager; Other, please specify.

[Chart] Which sector classification is most applicable to the main activities of your organisation? Answer options: Industrial sector; Retail sector; Finance sector; Energy & Utilities sector; Pharmaceutical Industry; Education; Healthcare; Public sector - Local; Public sector - National; Technology, Media & Telecommunications; Tourism; Transport; Other, please specify.


33% of the organisations have fewer than 500 employees, 30% of the organisations have between 1,000 and 5,000 employees, and 8% have more than 20,000 employees.


[Chart] How many employees does your organisation employ worldwide? Answer options: 0-500; 500-1,000; 1,000-5,000; 5,000-20,000; 20,000-50,000; >50,000.


At 69% of the organisations the activities are mainly focused on the Netherlands.


[Chart] Are your organisational activities mainly focusing on The Netherlands, the EU or International? Answer options: The Netherlands; International (within the EU); International (outside the EU).


In the case of cross-border personal data flows outside the EU, 40% of the organisations do not (yet) make use of one of the necessary instruments the EU developed for those scenarios.


[Chart] Which of the following instruments has your organisation implemented for the processing of personal data outside the EU? Answer options: Binding Corporate Rules; EU Model contracts; Privacy Shield; Combination of above instruments; Our organization does not process personal data outside the EU; None.

Appendix


Appendix A: PwC Privacy Portfolio

[Diagram] PwC Privacy Portfolio: Strategy, Exploration, Transformation management, Implementation, Aftercare, Assurance.

Strategy
• Support the development of privacy-related policies
• Design a privacy strategy
• Create a privacy roadmap
• Increase privacy awareness

Exploration
• Risk analysis of (sensitive) personal data
• Provide insight into the possible use of personal data
• Classification of (sensitive) personal data
• Analyse contractual structures of personal data processing
• Perform privacy baseline assessments

Transformation management
• GDPR transformation support
• Design privacy programs
• Provide insight into required changes of IT systems
• Perform gap analyses
• Privacy Impact Assessments
• Assessment of contractual arrangements

Implementation
• Embedding of privacy measures in current control frameworks
• Updating IT systems to enforce controls via systems technology
• Appoint personal data responsibilities centrally in the organisation
• Notifications and registrations at the Data Protection Authority and design of privacy policies

Aftercare
• Organise workshops to increase privacy awareness
• Privacy policies and intranet publication of the privacy controls implemented
• Governance assessments

Assurance
• Issue assurance reports based on ISAE3000/SOC2
• Privacy certification


© 2017 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.

Contacts

Would you like to have more information about the Privacy Governance survey and about how PwC could help your organisation? Please contact:

Bram van Tiel, Director Technology and Security, +31 (0)88 792 53 [email protected]

Yvette van Gemerden, Partner Legal Services, +31 (0) 88 792 54 [email protected]

Adri de Bruijn, Partner Consulting Technology, +31 (0) 88 792 65 [email protected]

www.pwc.nl/privacy