General Awareness on Data Protection

Questions and Answers

What is the primary responsibility of the business unit data protection executive (BU DPE)?

Implement marketing strategies related to data usage

Oversee daily operations of the business unit

Ensure compliance with GPDP policy and BCR within the unit (correct)

Monitor employee training on data protection policies

Who is the first point of contact for concerns related to personal data?

Data protection executive office (DPE) (correct)

Business unit data protection officer (BU DPO)

Chief Operating Officer (COO) of the bank

Data protection contact list

Which role is responsible for monitoring compliance with local data protection requirements?

Chief Operating Officer (COO)

Global data protection officer (DPO)

Business unit data protection officer (BU DPO) (correct)

Data protection executive (DPE)

What does the DPE office do in relation to data breaches?

Coordinates actions around data breaches

Which individual fulfills the role of BU DPE?

Chief Operating Officer (COO) of the business unit

What is the role of the global data protection officer (DPO)?

Advising on cross-border data issues and compliance

Which statement best reflects the philosophy behind personal data protection at ING?

It is a commitment to protect individuals' data as a fundamental right.

What is a key activity performed by the data protection executive office (DPE)?

Supporting business with data protection impact assessments

Which principle should be prioritized when handling personal data?

Transparency about data usage

What is the definition of personal data?

Information that identifies or indirectly links to an individual

Which of the following would NOT be considered personal data?

Publicly available corporate statistics

What is a key responsibility of employees regarding personal data?

Being vigilant about data protection

Which piece of information is most likely to be classified as sensitive personal data?

Biometric data

Why is it important for banks to maintain trust regarding personal data?

To ensure compliance with financial regulations

Which of the following statements is true regarding sensitive personal data?

There are stricter guidelines for its processing

What should customers do if they are unsure whether a piece of information is personal data?

Contact their DPE office for clarification

What is the main goal of ING's digital environment in relation to employees with disabilities?

To meet digital accessibility standards for all employees

What should an employee do if they cannot complete the eLearning due to limited accessibility?

Complete the training using the accessible PDF

Which of the following is a reason why personal data needs to be protected?

It is a valuable asset that can lead to identity theft

What is implied as a key responsibility of ING employees regarding personal data?

They must ensure privacy and data protection

Why is privacy described as a human right in the context of personal data protection?

Individuals have the right to control how their information is used

Who should complete a tailored module of the data protection training?

Individuals who are data or service owners or have similar responsibilities

What is one of the potential risks of failing to protect personal data?

Victims of identity theft

What does ING expect from its employees regarding the handling of personal data?

To handle personal data in a safe and compliant manner

Can Cassy legally reach out to her colleagues to ask for customer contact details collected for a different service?

No, she cannot use data collected for a different purpose.

What is a key principle of collecting personal data mentioned in the content?

Data must have a clearly defined business purpose.

What would constitute a lawful basis for processing personal data according to the content?

The individual has provided their consent.

What must Cassy do if she believes there are exceptions that allow her to use the existing list of contact details?

Contact the DPE office for more information.

In the context of GDPR, which of the following is NOT a lawful basis for processing personal data?

Using data for personal gain.

What is a limitation on using personal data collected for a specific purpose?

It must only be used for the purpose it was collected.

Why is it important to keep personal data accurate and up to date?

To ensure the data reflects the current situation of individuals

What does the BCR describe lawful basis as?

Legitimate business purpose.

Which scenario could be considered a lawful basis for processing personal data?

A customer voluntarily provides their information for service improvement.

What should be done with personal information once it is no longer needed for its intended purpose?

It should be anonymised or permanently deleted

What determines the level of security measures that must be implemented for personal data?

The amount and type of personal data being held

What is the purpose of a Business Impact Assessment (BIA) in data management?

To assess the relevance of security measures for IT assets

What must ING maintain regarding personal data processing activities?

A record of processing activities (RoPA)

Who is responsible for the record of processing activity (RoPA) within a team?

It varies by department and is usually designated

What indicates that personal data has been permanently deleted?

It is irreversibly deleted and cannot be retrieved

What should an employee do if they are unsure who is responsible for the RoPA in their department?

Seek clarification from their colleagues or management

What is the primary purpose of conducting a pre-DPIA?

To assess if planned processing poses a high risk to individuals

Which principle is NOT one of the key principles to consider when processing personal data?

Efficiency

What should be done if a pre-DPIA indicates a high risk for individuals?

Conduct a full DPIA

Which of the following rights allows an individual to request deletion of their personal data?

The right to be forgotten

What right do customers have regarding the information ING holds about them?

They can request an overview of their personal data.

Which of the following statements about individual rights is incorrect?

Individuals cannot request access to personal data.

In which case would a DPIA be essential?

When pre-DPIA indicates potential high risks

What is a key function of a full DPIA?

To identify potential high risks from data processing

Study Notes

General Awareness

• ING is committed to supporting all employees, including those with disabilities.
• Digital accessibility is a goal for all ING employees and supported by colleagues.
• International Web Content Accessibility Guidelines (WCAG 2.1) were used.
• An accessible PDF is provided if the eLearning module does not meet screen reader requirements.
• Employees can confirm completion to [email protected] (optional cc to manager).
• Completing this training module is for general data protection overview.
• Tailored modules exist for employees in specific roles. (e.g., Process/Product owner, Contract owner, Asset owner, Data owner)

Protecting Personal Data

• ING's training emphasizes data protection principles.
• This training is a general overview of data protection.
• Personal data must be handled safely and compliantly.
• ING emphasizes retaining trust and protecting privacy.
• Sharing personal data without consent can have serious consequences (e.g., identity theft, discrimination, malicious activity).

Why Personal Data Matters

• Privacy is a human right.
• Customers, suppliers, business partners, and employees trust ING to handle their personal information responsibly.
• Personal data is a valuable asset that needs protection.
• Protecting customer privacy is the responsibility of all involved.

How ING Takes Responsibility

• ING is committed to handling personal data according to expectations.
• ING complies with EU General Data Protection Regulation (GDPR) and local data protection requirements.
• ING applies GDPR principles globally unless local laws provide more protection.
• ING has a Global Personal Data Protection Policy (GPDP) and corporate rules (BCR) for employee, client, supplier and business partner data.
• Global Data Protection Policies are also shared externally and approved by the Dutch Data Protection Authority.

Internal Policies and Standards

• ING has a Global Personal Data Protection Internal Policy (GPDP).
• ING uses a Global Personal Data Protection Process Control Standard (PCS).

People to Support You

• ING has personal data experts in every business unit.
• Data protection contact information is available on ING Today.
• The Data Protection Executive Office (DPE) is the first point of contact for data concerns.
• The DPE office manages compliance with the GPDP and BCR.

Data Protection Executive Office (DPE)

• The DPE office handles data breaches, processing register supervision and impact assessments.
• The DPE office supports the business unit data protection executive (BU DPE).

Business Unit Data Protection Executive (BU DPE)

• The BU DPE is responsible for compliance within the business unit.
• The Chief Operating Officer (COO) fulfills this role at a business unit level.

Business Unit Data Protection Officer (BU DPO)

• The BU DPO provides data processing advice.
• The BU DPO monitors compliance with the GPDP, BCR, and local requirements.
• The BU DPO assists with cross-border issues and compliance supervision.
• The BU DPO is part of the data protection compliance risk function.
• The BU DPO is the single point of contact for the Data Protection Authority

Personal Data Fundamentals

• Personal data is any information about or identifiable to an individual. -Examples of personal data include name, address, account number, date of birth, marital status, phone number .
• Sensitive personal data requires extra protection.
  • Examples: health information, religious or philosophical beliefs, political opinions, sexual orientation, ethnic origin etc.
• Sensitive personal data must be handled with care and only processed in exceptional circumstances.

Consequences for ING

• Negative publicity, loss of reputation, investigation, and potential fines are potential consequences.
• Personal data breaches require prompt reporting to relevant authorities.

Data Breaches

• Data breaches can result from criminal activity or human error.
• Reporting of breaches must follow established protocols.

Storage and Access

• Protect folders and systems where documents are stored.
• Update access rights promptly when changes occur.
• Ensure access is only granted to those who need it.

How to Respond to a Breach

• Immediately mitigate the breach (e.g., recall emails).
• Inform the DPE office.
• Follow up with any necessary actions.
• Report breaches promptly to the DPE office .

The Principles of Processing Personal Data - Overview

• Processing personal data includes collecting, recording, organizing, and adapting data.
• Data processing must be aligned with GDPR, local laws and ING's corporate rules.
• Be confident about the procedures for handling personal data.
• Examples of actions include collecting, recording, organizing, structuring, storing, adapting, consulting, disclosing, combining, deleting, and destroying data.

What's Processing?

• Processing includes actions to personal data.
• Examples include collecting, recording, and organizing customer data

Purpose and Purpose Limitation

• Processing personal data needs a clearly defined purpose.
• The purpose must be relevant to the specific business activity.

Lawful Basis

• A lawful basis for processing personal data needs to apply, for example, consent, contract, legal obligation, and legitimate interest.

Transparency

• Informing individuals about how their data is used is critical for transparency.

Minimization

• Only collect the minimum amount of data needed.
• Information should be accurate, complete, and up to date.

Storage Limitation

• Store personal data appropriately; access should be limited to those who need it.

Integrity and Confidentiality

• Employ security measures to protect personal data from loss, alteration, and disclosure.
• Higher risk to sensitive personal data needs more rigorous security measures.
• Business Impact Assessments (BIAs) are mandatory for data held in assets or processes

Record of Processing Activity (RoPA)

• ING maintains a record of all personal data processing activities and parties involved.

DPIA(Data Protection Impact Assessment):

• ING performs DPIA before any data processing activities.
• Helps identify potential high risks from personal data processing.

Individual Rights

• Individuals have rights to access, rectify, and delete their personal data.
• Organisations have responsibilities regarding individuals’ rights .

Right to Object to Personal Offers

• Customers can object to unsolicited marketing communications.
• 'Opt-out' options for marketing communications should be provided.

Automated Decision-Making

• Automated processes for processing personal data need safeguards and customer consent.

Protecting Personal Data

• There are clear procedures to manage personal data for customers, employees, and business partners.
• ING has a data protection team to provide support and expertise

Description

This quiz covers the essential principles of data protection and emphasizes the commitment of ING to support employees, including those with disabilities. It highlights the importance of digital accessibility and the guidelines followed for compliance. Understanding how to handle personal data safely and the consequences of mishandling personal information is crucial for all employees.