GDPR project board deck (example)

Post on 22-Jan-2018


Transcript of GDPR project board deck (example)

INFORMATION SECURITY & DATA PROTECTION

@TommyVandepitte

BUSINESS

Price, Profit, Cost (External cost, Internal cost), (perceived) value for customer

Value proposition, Value creation, Value delivery, Value capture

• experience
• convenience
• meeting the customers’ needs
• product design
• meeting the qualifiers
• image
• additional functionalities
• future proof
• quality
• people
• meeting the users’ needs
• culture

VALUE CAPTURE IS HARD

Value captured = Value of the business

THE SAUCE IS ALWAYS AT RISK

• Financial risk
  • Solvability
  • Liquidity
  • Cash flow
• Operational risk
• Counterparty risk
  • Customers
  • Credit risk
  • Suppliers
• Market risk
• Reputational risk
• Legal risk
• ...

THE WORLD IS “VUCA”

4 KEY CHALLENGES

“Change comes from outside. And that is what you should use to challenge how your team has got to the end product.”

- Prof. Stijn Viaene -

Use 4 key challenges:

• Experience IS value, not just functionality. The reference experience is NOT the sector, it is Google, Facebook, Uber, …
• Customers are moving targets.
• You can’t (and shouldn’t) have it all in-house: data, skills, … What is core and should be owned? What can we outsource?
• You need well architected information systems.

APPLY

Matrix of “What we comprehend” (Known / Unknown) against “What there is to know” (Known / Unknown):

                               There is to know: Known      There is to know: Unknown
We comprehend: Known           What we know we know         What we know we don’t know
We comprehend: Unknown         What we don’t know we know   What we don’t know we don’t know

MODELS & FRAMEWORKS

• Business threats, a.o. disruption / creative destruction

RISK MANAGEMENT

RISK APPROACH

Impact (High / Low) against Likelihood (Low / High):

                    Likelihood Low      Likelihood High
Impact High         Share               Avoid
Impact Low          Accept              Mitigate

Same matrix with the monitoring / review regime per cell:

                    Likelihood Low                    Likelihood High
Impact High         Mitigate (cont. monitoring)       Mitigate (cont. review)
Impact Low          Share, Accept (per. monitoring)   Avoid, Mitigate (per. review)

THE IDEAL

FOR REAL ?!

ISDPP IS (JUST) ANOTHER RISK

• Customers
  • Who are your customers?
  • What do your customers value?
  • Why do your customers choose you?
• Suppliers
  • Who are your customers?
  • What relationship do you have with your suppliers? (“value partition”)
  • Why do you have this relationship with your suppliers?
• Competitive edge
  • Culture
  • Ideas
  • Operational excellence
  • Cost control
  • Trade secrets
  • Protectable intellectual property
  • …

Part of the secret sauce

INFORMATION MANAGEMENT

ARCHITECTURE LIFECYCLE

• Databases
• Links
• Silos v transversal

Information asset ownership

ISDPP “INTELLIGENCE”

WHAT IS OUT THERE?

• (Information) Threat Intelligence
  • network
  • peers
  • vendor information
  • threat reports
  • threat intelligence services
  • futurists
  • sci-fi
  • …

LAYERS & DIMENSIONS

Layers: Environment, Physical, Human, Device, Application, Repository, Carrier, Network, Data, 3rd Parties

Dimensions: Risk Assessment, Risk Decision, Controls, Incident Management

Changes:
• In the regulatory environment
• In processes
• In people (JLT)
• In technology

• 1st line
• 2nd line
• 3rd line

• Impact
• Probability

• Avoid
• Mitigate
• Share
• Accept

LEGAL OVERVIEW

Data Subject, Control, Processing personal data, Data Controller, Data processor

Finality, Legitimacy, Transparency, Organisation, proportional, End-to-end

GDPR - NEW

• Processor now also an addressee
• Organisation
  • “Accountability” (reversal of the burden of proof), concrete
  • Processing register (and risk register)
  • Privacy impact assessment (“PIA”)
  • Privacy by Design and Privacy by Default
  • Data Protection Officer
  • Acknowledgement of “frame”-mechanisms: certifications, codes of conduct, binding corporate rules, …
  • Incident management and data breach notification
• Rights of individual are increased and further elaborated
• Enforcement
  • Administrative fines universal and uniform
  • Collective actions of individuals universal and uniform

GDPR – CHANGE - VISUAL

Data Subject, Control, Processing personal data, Data Controller, Data processor

Finality, Legitimacy, Transparency, Organisation, proportional, End-to-end

CHANGE PROGRAM

PROJECT

• Change management
• HR review
  • Roles and function review, a.o.
    o DPO needed?
    o Information asset owners?
  • HR processes review
  • Communication & Training
• Processes review
  • Processing register
    • In iterations for legacy processes
  • Consent of data subjects
  • Incident management review
  • Project management review
    • PIA, PbD,
    • Documentation => register
  • Complaints management (rights update)
  • Outsourcing partner review
  • Access management
• IT review
  • Architecture view
  • Security measures: comfortable?
    • Need to have
    • Nice to have

BUSINESS AS USUAL

• Tone at the top!
  • “Money where your mouth is”
  • Decisions on data protection
  • Sponsor
• HR
  • Communication & Training
  • Awareness (= top of mind)
• Processes
  • Periodic review and update
• IT
  • Security is moving target – upgrade, patch, decommission
  • New development - PbD
• Monitoring & Reporting
  • Test
  • First line controls (KPI, SL, etc.)
  • Board reporting to ISO and DPO
  • Consolidating dashboard to top management

In parts / iterations

CHANGE RISK

CONTROL THE CHANGE

Change management

• Decisions
• Action plan
• Tone at the top
• Budget and skilled people
• Multinational coordination?