General Awareness on Data Protection

Questions and Answers

What is the primary responsibility of the business unit data protection executive (BU DPE)?

  • Implement marketing strategies related to data usage
  • Oversee daily operations of the business unit
  • Ensure compliance with GPDP policy and BCR within the unit (correct)
  • Monitor employee training on data protection policies

Who is the first point of contact for concerns related to personal data?

  • Data protection executive office (DPE) (correct)
  • Business unit data protection officer (BU DPO)
  • Chief Operating Officer (COO) of the bank
  • Data protection contact list

Which role is responsible for monitoring compliance with local data protection requirements?

  • Chief Operating Officer (COO)
  • Global data protection officer (DPO)
  • Business unit data protection officer (BU DPO) (correct)
  • Data protection executive (DPE)

What does the DPE office do in relation to data breaches?

  • Coordinates actions around data breaches (C)

Which individual fulfills the role of BU DPE?

  • Chief Operating Officer (COO) of the business unit (D)

What is the role of the global data protection officer (DPO)?

  • Advising on cross-border data issues and compliance (C)

Which statement best reflects the philosophy behind personal data protection at ING?

  • It is a commitment to protect individuals' data as a fundamental right. (A)

What is a key activity performed by the data protection executive office (DPE)?

  • Supporting business with data protection impact assessments (A)

Which principle should be prioritized when handling personal data?

  • Transparency about data usage (C)

What is the definition of personal data?

  • Information that identifies or indirectly links to an individual (D)

Which of the following would NOT be considered personal data?

  • Publicly available corporate statistics (D)

What is a key responsibility of employees regarding personal data?

  • Being vigilant about data protection (A)

Which piece of information is most likely to be classified as sensitive personal data?

  • Biometric data (B)

Why is it important for banks to maintain trust regarding personal data?

  • To ensure compliance with financial regulations (D)

Which of the following statements is true regarding sensitive personal data?

  • There are stricter guidelines for its processing (D)

What should customers do if they are unsure whether a piece of information is personal data?

  • Contact their DPE office for clarification (D)

What is the main goal of ING's digital environment in relation to employees with disabilities?

  • To meet digital accessibility standards for all employees (B)

What should an employee do if they cannot complete the eLearning due to limited accessibility?

  • Complete the training using the accessible PDF (D)

Which of the following is a reason why personal data needs to be protected?

  • It is a valuable asset that can lead to identity theft (A)

What is implied as a key responsibility of ING employees regarding personal data?

  • They must ensure privacy and data protection (A)

Why is privacy described as a human right in the context of personal data protection?

  • Individuals have the right to control how their information is used (D)

Who should complete a tailored module of the data protection training?

  • Individuals who are data or service owners or have similar responsibilities (B)

What is one of the potential risks of failing to protect personal data?

  • Victims of identity theft (B)

What does ING expect from its employees regarding the handling of personal data?

  • To handle personal data in a safe and compliant manner (D)

Can Cassy legally reach out to her colleagues to ask for customer contact details collected for a different service?

  • No, she cannot use data collected for a different purpose. (A)

What is a key principle of collecting personal data mentioned in the content?

  • Data must have a clearly defined business purpose. (D)

What would constitute a lawful basis for processing personal data according to the content?

  • The individual has provided their consent. (D)

What must Cassy do if she believes there are exceptions that allow her to use the existing list of contact details?

  • Contact the DPE office for more information. (C)

In the context of GDPR, which of the following is NOT a lawful basis for processing personal data?

  • Using data for personal gain. (C)

What is a limitation on using personal data collected for a specific purpose?

  • It must only be used for the purpose it was collected. (C)

Why is it important to keep personal data accurate and up to date?

  • To ensure the data reflects the current situation of individuals (D)

What does the BCR describe lawful basis as?

  • Legitimate business purpose. (A)

Which scenario could be considered a lawful basis for processing personal data?

  • A customer voluntarily provides their information for service improvement. (A)

What should be done with personal information once it is no longer needed for its intended purpose?

  • It should be anonymised or permanently deleted (B)

What determines the level of security measures that must be implemented for personal data?

  • The amount and type of personal data being held (D)

What is the purpose of a Business Impact Assessment (BIA) in data management?

  • To assess the relevance of security measures for IT assets (D)

What must ING maintain regarding personal data processing activities?

  • A record of processing activities (RoPA) (C)

Who is responsible for the record of processing activity (RoPA) within a team?

  • It varies by department and is usually designated (C)

What indicates that personal data has been permanently deleted?

  • It is irreversibly deleted and cannot be retrieved (A)

What should an employee do if they are unsure who is responsible for the RoPA in their department?

  • Seek clarification from their colleagues or management (D)

What is the primary purpose of conducting a pre-DPIA?

  • To assess if planned processing poses a high risk to individuals (C)

Which principle is NOT one of the key principles to consider when processing personal data?

  • Efficiency (C)

What should be done if a pre-DPIA indicates a high risk for individuals?

  • Conduct a full DPIA (A)

Which of the following rights allows an individual to request deletion of their personal data?

  • The right to be forgotten (D)

What right do customers have regarding the information ING holds about them?

  • They can request an overview of their personal data. (C)

Which of the following statements about individual rights is incorrect?

  • Individuals cannot request access to personal data. (B)

In which case would a DPIA be essential?

  • When pre-DPIA indicates potential high risks (D)

What is a key function of a full DPIA?

  • To identify potential high risks from data processing (D)

Flashcards

Data Protection

Protecting personal information in a safe and compliant manner, aligning with ING's policies.

Personal Data

Information about individuals, such as names, addresses, etc.

Data Protection Policy

Rules and guidelines for handling personal data at ING.

General Awareness Training

Basic training on data protection principles for all ING employees.

Tailored Module

Specialized training for roles involving more complex data handling responsibilities.

Privacy as a Human Right

The inherent right people have to control their personal information.

Identity Theft

Using someone else's personal information for malicious purposes.

Accessibility Statement

ING's commitment to providing accessible digital resources, including eLearning materials.

Who is the first point of contact for data protection questions?

The Data Protection Executive Office (DPE) is the first point of contact for any questions, concerns or issues related to personal data. They work directly with the business unit data protection executives (BU DPEs).

What does the DPE Office do?

The DPE Office is responsible for ensuring compliance with ING's data protection policies and regulations, including the Global Personal Data Protection Process Control Standard (GPDP) and the Binding Corporate Rules (BCR). This includes tasks like coordinating data breaches, managing the register of processing activities, and providing guidance on data protection impact assessments.

Who is the BU DPE?

The Business Unit Data Protection Executive (BU DPE) is accountable for implementing and complying with data protection policies within a specific business unit. They report to the Chief Operating Officer (COO) of the business unit.

What does the BU DPE do?

The BU DPE ensures data protection policies, like the GPDP and BCR, are applied within their business unit. They work with the BU DPO, and report to the COO on data protection matters.

What is the role of the BU DPO?

The Business Unit Data Protection Officer (BU DPO) provides advice and challenges business practices related to personal data processing. They ensure compliance with data protection policies - GPDP, BCR and local requirements.

What is the DPO's responsibility at the bank level?

The bank DPO oversees data protection compliance across the entire organization, providing guidance on cross-border issues and ensuring adherence to all relevant regulations.

What is the main focus of data protection at ING?

Data protection is about safeguarding individuals' personal data, not just because it's mandated by law, but because it's the right thing to do. This includes customers, business partners, suppliers, colleagues, and anyone whose data ING processes.

What are the key data protection documents at ING?

The two key documents for data protection at ING are the Global Personal Data Protection Process Control Standard (GPDP) and the Binding Corporate Rules (BCR) - internal rules outlining how personal data is processed globally.

What is personal data?

Any information that identifies or could indirectly link to an individual. This includes pieces of information that, when combined, can identify a person. For example, their name, account number and address.

What is sensitive personal data?

Specific types of personal data that require extra security, like health information or religious beliefs. It's information you need to be extra protective of.

Why is it important to protect personal data?

Because maintaining trust is crucial. It's about being transparent about how we use data and complying with data protection laws.

Who can I contact if I have a question about personal data?

The DPE Office is the first point of contact for any questions about personal data.

What is ING's role with customer personal data?

ING collects personal information from its customers to provide banking services. It's important to handle this information responsibly and securely.

What is the Global Personal Data Protection Process Control Standard (GPDP)?

A set of rules and regulations that ING follows to protect personal information globally.

What are the Binding Corporate Rules (BCR)?

Internal rules that outline how ING processes personal data globally.

What is the role of the Business Unit Data Protection Executive (BU DPE)?

The BU DPE oversees data protection within a specific business unit, ensuring that data is handled according to ING's policies.

Purpose Limitation

Personal data collected for a specific purpose can't be used for another purpose without consent or legal exceptions.

Lawful Basis

A legal reason for processing personal data, like consent, a contract, or legal obligation.

Consent

A voluntary, informed agreement to use someone's personal data.

Contract

When a lawful basis exists because a person has agreed to a contract that involves the processing of their personal data.

Legal Obligation

A legal requirement to collect or process someone's data.

Legitimate Interest

A good business reason for collecting and using personal data.

Data Protection Principles

Rules that guide how personal data should be handled, including purpose limitation and having a lawful basis.

DPE Office

The Data Protection Executive Office provides information and guidance on data protection principles and rules.

DPIA

A Data Protection Impact Assessment is used to evaluate the potential risks to individuals from data processing, especially those that could be considered 'high risk'.

Pre-DPIA

A preliminary assessment to determine whether a full DPIA is needed. It helps identify if the planned data processing poses a significant risk to individuals.

High Risk Data Processing

Any data processing that could have a significant negative impact on individuals' rights or freedoms.

Transparency

Individuals should be informed about how their data is being processed and for what purpose.

Right to Access

Individuals have the right to request information about the personal data held by ING.

Right to Rectification

Individuals can request that their data be corrected if it is inaccurate or incomplete.

Data Accuracy

Personal data must be kept up-to-date, complete, and accurate. This means ensuring information is current, has all necessary details, and is free from errors.

Data Storage Limitations

Personal information should only be stored for as long as needed for its intended purpose. When no longer required, data should be deleted or anonymized.

Data Integrity and Confidentiality

Security measures are essential to protect personal data from unauthorized access, alteration, disclosure, or loss.

Data Protection Assessment

A Business Impact Assessment (BIA) is used to evaluate the possible risks to personal data in a process or IT asset.

Record of Processing Activity (RoPA)

ING maintains a record of all personal data processing activities, including the involved parties.

RoPA Updates

The RoPA must be kept current when new processes are introduced, or existing processes using personal data are reviewed or modified.

Who is responsible for the RoPA?

Usually someone in your team or department is responsible for managing the RoPA. If uncertain, find out who they are.

What is the purpose of the RoPA?

The RoPA is a mandatory inventory that provides a comprehensive view of all personal data processing activities within ING.

Study Notes

General Awareness

  • ING is committed to supporting all employees, including those with disabilities.
  • Digital accessibility is a goal for all ING employees and is supported by colleagues.
  • International Web Content Accessibility Guidelines (WCAG 2.1) were used.
  • An accessible PDF is provided if the eLearning module does not meet screen reader requirements.
  • Employees can confirm completion to [email protected] (optional cc to manager).
  • This training module provides a general overview of data protection.
  • Tailored modules exist for employees in specific roles (e.g., Process/Product owner, Contract owner, Asset owner, Data owner).

Protecting Personal Data

  • ING's training emphasizes data protection principles.
  • This training is a general overview of data protection.
  • Personal data must be handled safely and compliantly.
  • ING emphasizes retaining trust and protecting privacy.
  • Sharing personal data without consent can have serious consequences (e.g., identity theft, discrimination, malicious activity).

Why Personal Data Matters

  • Privacy is a human right.
  • Customers, suppliers, business partners, and employees trust ING to handle their personal information responsibly.
  • Personal data is a valuable asset that needs protection.
  • Protecting customer privacy is the responsibility of all involved.

How ING Takes Responsibility

  • ING is committed to handling personal data according to expectations.
  • ING complies with EU General Data Protection Regulation (GDPR) and local data protection requirements.
  • ING applies GDPR principles globally unless local laws provide more protection.
  • ING has a Global Personal Data Protection Policy (GPDP) and corporate rules (BCR) for employee, client, supplier and business partner data.
  • Global Data Protection Policies are also shared externally and approved by the Dutch Data Protection Authority.

Internal Policies and Standards

  • ING has a Global Personal Data Protection Internal Policy (GPDP).
  • ING uses a Global Personal Data Protection Process Control Standard (PCS).

People to Support You

  • ING has personal data experts in every business unit.
  • Data protection contact information is available on ING Today.
  • The Data Protection Executive Office (DPE) is the first point of contact for data concerns.
  • The DPE office manages compliance with the GPDP and BCR.

Data Protection Executive Office (DPE)

  • The DPE office handles data breaches, processing register supervision and impact assessments.
  • The DPE office supports the business unit data protection executive (BU DPE).

Business Unit Data Protection Executive (BU DPE)

  • The BU DPE is responsible for compliance within the business unit.
  • The Chief Operating Officer (COO) fulfills this role at a business unit level.

Business Unit Data Protection Officer (BU DPO)

  • The BU DPO provides data processing advice.
  • The BU DPO monitors compliance with the GPDP, BCR, and local requirements.
  • The BU DPO assists with cross-border issues and compliance supervision.
  • The BU DPO is part of the data protection compliance risk function.
  • The BU DPO is the single point of contact for the Data Protection Authority.

Personal Data Fundamentals

  • Personal data is any information about or identifiable to an individual.
    • Examples: name, address, account number, date of birth, marital status, phone number.
  • Sensitive personal data requires extra protection.
    • Examples: health information, religious or philosophical beliefs, political opinions, sexual orientation, ethnic origin etc.
  • Sensitive personal data must be handled with care and only processed in exceptional circumstances.

Consequences for ING

  • Negative publicity, loss of reputation, investigation, and potential fines are potential consequences.
  • Personal data breaches require prompt reporting to relevant authorities.

Data Breaches

  • Data breaches can result from criminal activity or human error.
  • Reporting of breaches must follow established protocols.

Storage and Access

  • Protect folders and systems where documents are stored.
  • Update access rights promptly when changes occur.
  • Ensure access is only granted to those who need it.

How to Respond to a Breach

  • Immediately mitigate the breach (e.g., recall emails).
  • Inform the DPE office.
  • Follow up with any necessary actions.
  • Report breaches promptly to the DPE office.

The Principles of Processing Personal Data - Overview

  • Processing personal data includes collecting, recording, organizing, and adapting data.
  • Data processing must be aligned with GDPR, local laws and ING's corporate rules.
  • Be confident about the procedures for handling personal data.
  • Examples of actions include collecting, recording, organizing, structuring, storing, adapting, consulting, disclosing, combining, deleting, and destroying data.

What's Processing?

  • Processing covers any action performed on personal data.
  • Examples include collecting, recording, and organizing customer data.

Purpose and Purpose Limitation

  • Processing personal data needs a clearly defined purpose.
  • The purpose must be relevant to the specific business activity.

Lawful Basis

  • A lawful basis for processing personal data needs to apply, for example, consent, contract, legal obligation, and legitimate interest.

Transparency

  • Informing individuals about how their data is used is critical for transparency.

Minimization

  • Only collect the minimum amount of data needed.
  • Information should be accurate, complete, and up to date.

Storage Limitation

  • Store personal data appropriately; access should be limited to those who need it.

Integrity and Confidentiality

  • Employ security measures to protect personal data from loss, alteration, and disclosure.
  • The higher risk attached to sensitive personal data calls for more rigorous security measures.
  • Business Impact Assessments (BIAs) are mandatory for data held in assets or processes.

Record of Processing Activity (RoPA)

  • ING maintains a record of all personal data processing activities and parties involved.

Data Protection Impact Assessment (DPIA)

  • ING performs a DPIA before any data processing activities.
  • A DPIA helps identify potential high risks from personal data processing.

Individual Rights

  • Individuals have rights to access, rectify, and delete their personal data.
  • Organisations have responsibilities regarding individuals’ rights.

Right to Object to Personal Offers

  • Customers can object to unsolicited marketing communications.
  • 'Opt-out' options for marketing communications should be provided.

Automated Decision-Making

  • Automated processes for processing personal data need safeguards and customer consent.

Protecting Personal Data

  • There are clear procedures to manage personal data for customers, employees, and business partners.
  • ING has a data protection team to provide support and expertise.
