Privacyrecht is code (R&P nr. ICT1) 2010/10.2:10.2 Protocol case studies

Privacyrecht is code (R&P nr. ICT1) 2010/10.2

10.2 Protocol case studies

Documentgegevens:

drs. J.J.F.M. Borking, datum 26-05-2010

Datum: 26-05-2010
Auteur: drs. J.J.F.M. Borking
JCDI: JCDI:ADS574104:1
Vakgebied(en): Civiel recht algemeen (V)

Date of interview:

A.

Company/Organization general data

1.: Name Company/Organization:
2.: Address Company/ Organization:
3.: Name(s) of person(s) interviewed:
4.: Function(s) of person(s) interviewed
5.: What is the primary operation of the organization?
6.: What different processing operations are occurring in the organization?
7.: Do you have a written security policy?
8.: Do you have a security risk analysis?
9.: Do you have a privacy risk/threats analysis?

B.

Strategy

10.

How does Privacy relate to the objectives/strategy of your firm?

a.: Is it considered as a legal must
b.: Is it considered as potentially important but not essential
c.: Is it considered as a potential strategic driver for market share, customer retention and acquisition?
d.: How would you describe the information intensity (information content used and generated) of your firm

11.

How would you describe your identity and privacy processes?

a.: There is no official policy/program established
b.: There is a beginning of staffing and organizing a program
c.: Some key initiatives are being launched
d.: There is an established program that can be evaluated
e.: The program is in maintenance mode focusing on refinement

12.

Do you have a privacy infrastructure? I.e. is there a function accountable for privacy protection? Yes/No

a.: Privacy office (officer)
b.: Privacy policy and procedures
c.: Personnel training and awareness
d.: Privacy enhancing tools (specify)
e.: Privacy audits
f.: Other...

13.

Is privacy protection part of the management cycle? Yes/No

14.

Is there a separate budget for privacy protection? Yes/No

15.

If yes, What is the amount of the privacy budget?

16.

How much do you spend on privacy?

a.: How much do you spend (or if no budget exist: how much would you like to spend) on the above components of your privacy infrastructure?
b.: What are the most important components in terms of total spend?
c.: What is the percentage of the turnover spent for privacy?

17.

Please plot your organization in the IAM maturity Model (handed over).

C.

Privacy attitudes

18.: Are employees privacy aware?
19.: Do you consider privacy legislation workable/complex?
20.: Does the compliance/pressure to privacy legislation play a role in your organization? Yes/No
21.: How do you estimate the chance of being caught for privacy violations by the data protection authority?
22.: Does this influence your attitude towards privacy protective measures? Yes/No
23.: Are privacy incidents (internally) reported? Yes/No

D.

Privacy Incidents/breaches

24.

Please, Consider/Imagine a serious privacy breach: what are/ would be the tangible financial consequences?

a.: Investigation and forensics
b.: Outbound contact costs
c.: Inbound contact costs
d.: PR & communication to restore reputation
e.: Legal defense
f.: Security consultants
g.: Lost business
h.: Customer acquisition costs
i.: System and process redesign costs
j.: Other...

25.

Please, Consider a serious privacy breach: what are the intangible consequences?

26.

Does assuring privacy give you a market (competitive) advantage?

27.

Can you give an estimate of costs in case of:

a.: Regular small privacy breaches
b.: A large privacy breach
c.: Can you give an ‘informed opinion’ about the likelihood that each of the two would happen

28.

How would you estimate the costs of:

a.: Ad hoc processes
b.: Well-established processes
c.: Fully optimized including

E.

Aspects about PETs-innovation

29.: How do you qualify your organization with regard to innovation?
30.: Is your (top) management open to accept changes that accompany innovation?

F.

Aspects of PETs-complexity

31.: Are PETs measures compatible (resembles the preceding measures) in your organization? Yes/No
32.: Do you consider PETs implementation and use as complex (need specialized knowledge/ expertise)?
33.: Are there key persons within your organization that can take the lead in the adoption process of PETs?

G.

Aspects of PETs -testability

34.: Is the testability of PET possible in small-scale experiments in your organization?

H.

Aspects of PETs - business case – costs

35.: Is there a PETs budget (amount please)? Yes/No
36.: Has any damage occurred die to privacy incidents? Yes/No
37.: Do you believe that PET implementation is expensive?

I.

Aspects of PETs – advisors/advisory institutions

38.: Are external advisors been consulted concerning PETs implementation? Yes/No
39.: Which organizations/advisors have been consulted/involved in the implementation of PET?

J.

Aspects of PETs – social recognition – visibility & marketing – integration into processes

40.: Is PETs visible for your customers/employees?
41.: Is PETs liked in your organization or by your customers?
42.: Can PET be woven into your business processes?