is/dpp for staff #3b - data classification

Post on 14-Apr-2017

Category: Education

TRANSCRIPT

- Internal -

IS/DPP Baseline Training

E-learning – Part 3 – Data & Classification

Confidentiality

The slides build up the confidentiality circles one level at a time: Public, Internal, Restricted and Secret. The diagram carries three annotations: "Intended for public distribution", "Access based on 'need-to-know'" and the marking "CONFIDENTIAL".

Public: Website content, approved media releases, marketing materials, …

Internal: Departmental memos, information on bulletin boards, training materials, policies, procedures, instructions, phone/email directories, …

Restricted: Personal data, customer correspondence, staff data, internal audit reports, …

Secret: Passwords and other authentication credentials, new products, mergers, …

Confidentiality, Integrity, Availability, Privacy

The slides add the protection goals one at a time: Confidentiality, then Integrity, then Availability, and finally Privacy.

Processing personal data: Data Subject, Data Controller, Data Protection Act / GDPR

The diagram places the Data Subject and the Data Controller on either side of "Processing personal data", governed by the Data Protection Act / GDPR. It also carries the labels: Control, Finality, Legitimacy, Transparency, Organisation, Proportional, end-to-end.

Expectations

1. What would your reaction be if we did it to your personal data?

2. What would the reaction be of somebody who values his/her privacy, if we did it to his/her personal data?

3. What would the reaction of the public be if what we do to personal data were explained in detail on the front page of tomorrow's newspaper?

Full Set of Data Classifications: PATRIC

Category         Meaning                                                                 Classifications
Privacy          Use the (personal) data in line with the original purpose
Availability     Ensure that information is available to authorized persons              Non-Essential, Essential, Critical and Highly Critical
Traceability     Modifications can be traced back                                        Non-Traceable, Sensitive and Critical
Retention        Retained & disposed in line with law & business objectives              No Retention, Short-Term, Mid-Term and Long-Term
Integrity        Prevent accidental, unauthorized and deliberate alteration or deletion  Accurate, Vital and Absolute
Confidentiality  Prevent unauthorized disclosure                                         Public, Internal, Restricted and Secret

Company specific

Key Takeaways

ABC Group classifies on different levels: personal data and PATRIC.

All information has a classification, even if it is not explicit.

You should classify.

Confidentiality distinguishes different circles: public, internal, restricted and secret, wherein personal data is always at least “restricted”.

30 sec IS/DPP survival kit

Wrap Up