Data privacy journey: Managing personal data and building trust


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2017 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks of KPMG International.

Contact us

For more information on our privacy advisory services, please contact one of our professionals from KPMG Cyber & Privacy or visit us at www.kpmg.com/nl/cybersecurity

Koos Wolters, Partner, +316 53 33 74, [email protected]

Johan van Duijn, Manager, +316 53 92 47, [email protected]

Maurice Koetsier, Manager, +316 53 74 49 25, [email protected]

Why KPMG?

KPMG is a leading firm in advising organizations on data privacy, providing privacy consulting services within a variety of domains and industries. Our experts are part of a network of over 189,000 professionals, providing a broad professional service portfolio. KPMG’s international network operates in over 155 countries and includes more than 200 privacy professionals who are certified CIPP/E, CIPM or CIPT. Our consultants are trained and qualified in data privacy, and have in-depth knowledge and experience in this field – not only on the legal side, concerning laws and regulations, but also on the technical side, such as managing access to personal data. We have hands-on experience in helping clients implement pragmatic, effective and tailored programs.

Partnering with KPMG ensures that you will get the outstanding quality we are so proud of. With pragmatic approaches, practical project execution, understandable presentations and effective assistance, we help your organization not only to become compliant with regulations, but also to be trusted by your clients, customers and employees.


Reference projects

PROJECT 1: Privacy strategy and governance

A multinational retail firm performed a privacy gap analysis and identified a number of privacy controls and practices that were not mature. As they were missing a clear privacy governance structure, the firm requested that we advise them on their privacy strategy and privacy governance.

We helped the organization identify their privacy risk appetite and developed a privacy strategy for achieving their desired privacy maturity targets. We collaborated with the organization to design and implement a governance structure that was tailored to the needs of the organization.

The project resulted in a clear privacy governance structure and clear strategic direction to effectively manage risks in the future. By reviewing good practices and leading examples, the organization was able to make a deliberate choice regarding their governance.

PROJECT 2: Privacy maturity assessment and roadmap

A multinational firm with a decentralized structure wanted to prepare for the General Data Protection Regulation and bring privacy to the next level within the organization.

We performed a privacy maturity assessment based on our privacy management framework to identify relevant privacy risks. Recommendations were then formulated based on the risks, and a privacy roadmap and program were developed to comply with the requirements of the GDPR.

The privacy maturity assessment unveiled important privacy risks and provided a solid basis for developing a privacy roadmap and program.

PROJECT 3: Privacy program

A multinational firm based in the Netherlands asked us to support them in executing their privacy program to manage privacy risks and to become compliant with the GDPR.

The organization required support in (amongst others) designing a governance structure, creating an overview of processing activities, and drafting a privacy policy. Additionally, they required support in implementing processes for legal and regulatory management, security for privacy, data breach management, third party management, privacy impact assessments, and monitoring.

The project resulted in a close collaboration of resources of both the multinational firm and KPMG. Our privacy team helped the organization design a privacy management system and get the right processes, procedures and controls in place to effectively demonstrate accountability.


Data privacy journey

When the privacy basics are in place, you may shift your focus to implementing privacy in the day-to-day operations of your organization. Your attention is required in designing and implementing privacy processes and procedures that provide guidance to your employees in their daily routine. The typical privacy processes you need to implement focus on the information lifecycle, including data collection, data minimization and data erasure, but also data subject rights, security for privacy, and breach and incident management. Additionally, having these processes in place will help you to demonstrate compliance with the privacy principles, as required by the GDPR.

We offer the following services to help your organization become GDPR compliant:

— Designing and implementing information lifecycle management processes, such as data collection and minimization, data retention, data disclosure and erasure;

— Drafting policies for data subject rights, including right to access and erasure;

— Advising on the selection of prudent security measures to implement the privacy policies and mitigate privacy risks.

Getting the basics right is a prerequisite for every organization desiring to manage privacy in line with the business objectives, goals and ambitions. Setting a solid foundation for your privacy organization is an essential step for your organization’s privacy journey and will be noticeable during the entire privacy journey.

We can help you to achieve this solid foundation by supporting your organization in the following activities:

— Developing the governance and structure of privacy management within your organization, which will greatly determine the impact and power of your privacy endeavors;

— Creating a data inventory that helps you to understand what kind of data your organization processes and where all that data resides;

— Setting up training and awareness programs that address the weakest link in the security and privacy chain: the human factor.

Once the basics are right, the strategy is set, the organization knows which data to protect and the processes and procedures for data privacy have been implemented, your organization is sailing into calmer waters. However, calm waters have never produced excellent captains. So, to integrate privacy into your business as usual, there are still a couple of aspects that require your attention. While the previous phase aimed at implementing everything that’s needed, the ‘privacy as usual’ phase takes care of ensuring all these implemented changes are executed in the right way and updated when needed. It is a matter of crossing the t’s and dotting the i’s.

We have the experience and the knowledge to support you in achieving privacy as usual through:

— Defining and implementing controls in accordance with the privacy strategy set by your organization;

— Designing and implementing processes to monitor compliance with the implemented controls;

— Performing yearly assessments to identify gaps and improvements.

Up until this point, you have focused on compliance and especially the GDPR, but it is now time to take matters into your own hands and move beyond compliance so that you can leverage privacy as a unique selling point. To do this, you need to build a trustworthy relationship with your data subjects and integrate privacy into your core processes, improving continuously. This privacy-focused culture will radiate to your customers. In a world where data subjects are becoming more and more aware of their privacy, privacy will become the unique selling point you need to differentiate yourself from your competitors.

We will help you leverage privacy as a unique selling point by:

— Designing and implementing a privacy program focusing on continuous improvement;

— Adopting a customer centric approach to leverage privacy as a competitive differentiator towards customers;

— Training and motivating your employees in order to create a privacy-focused culture.

The four phases of the privacy journey: 1. Get the basics right; 2. Make it happen; 3. Privacy as usual; 4. Beyond compliance.

Building trust and a trustworthy brand

Maintaining your trusted reputation with customers and employees is critical to the long-term success of your organization. To accomplish this, your organization can distinguish itself from competitors and build a highly trustworthy brand through data privacy. Data privacy is increasingly at the center of attention in the digital world due to the way the Big 4 on the Internet (Apple, Google, Microsoft and Facebook) are allegedly using customer data to their own benefit. This is even more the case due to the increasing number of data leaks involving personal data. With developments like the increased focus on customer experience, data centric business strategies, big data and the Internet of Things, the topic of data privacy is at the heart of the discussion for all organizations. As a result, privacy awareness grows among individuals and authorities, a development that applies to your organization as well.

To what extent can your organization use personal data for legitimate business processes? When are legal or ethical boundaries crossed? Do you want your company to stay on the right side of the line or do you want to push boundaries? Winning the hearts and minds of customers by understanding them better than anyone else and by giving them what they want is a very sound strategy for any customer-oriented organization, but to what extent are you allowed to use the data for those means? In order to process data legitimately and earn the trust of customers and employees, organizations must have a clear data privacy strategy that goes beyond just meeting data privacy laws and standards (a very important requirement, needless to say).

A clear data privacy strategy is just the start. We can help your organization make the right strategic decisions with regard to data privacy and everything that derives from it. In this brochure we provide you with an overview of the data privacy decisions you need to consider and the services we offer to support you.

The clock is ticking – are you prepared for the GDPR?

The General Data Protection Regulation (GDPR) is the most important change in European data privacy regulation in the last 20 years – it is the European Union’s view on what the baseline expectations are for the processing of personal data of EU citizens as we continue through the digital revolution. The regulation introduces a single set of privacy rules across the EU member states, and this harmonization goes even further as the GDPR has cross-territorial implications. The GDPR was passed in May 2016 with a two-year implementation period, and thus will come into force in all EU member states from 25 May 2018. So, the clock is ticking: are you prepared?

The GDPR imposes requirements for your organization, of which the most important are:

— the need to maintain a personal data inventory;

— the need to perform a privacy impact assessment if the processing activity is considered ‘high-risk’;

— the ability to erase and port data on data subject request;

— the need to appoint a DPO if your organization meets the conditions of the GDPR (e.g. large scale processing);

— the need to acquire unambiguous consent (explicit instead of implicit) for data processing;

— the ability to notify regulators (and potentially your customers) of privacy breaches within 72 hours;

— the ability to conduct due diligence into processor suitability.

Insight into your main privacy risks and the maturity of your privacy processes is the start of your data privacy journey towards timely compliance with the GDPR. Your privacy program needs to address the gaps with the GDPR and to manage non-compliances, as they can result in high fines depending on the infringement, with a maximum of 4% of global turnover or €20m.

KPMG Privacy Methodology (diagram); its building blocks are:

— Governance and Operating Model;

— Inventory & Data Mapping;

— Training & Awareness;

— Policies;

— Information Lifecycle Management;

— Processes, Procedures and Technologies;

— Security for Privacy;

— Third Party Oversight;

— Incident Management;

— Risk & Control;

— Regulatory Management;

— Monitoring;

— Behavior;

— Customer Centric;

— Continuous Improvement;

— Unique Selling Point.

