Privacy legislation and regulations are often viewed as a complex mass of rules that inhibit a company’s progress. However, businesses that are able to effectively navigate through this environment regard privacy as a way of setting themselves apart towards their customers. Working with you, we will take concrete steps to make privacy an integral part of your current and future business processes and handle personal data in a responsible manner. This will allow you to identify trends, get to know customers better, develop new services and at the same time comply with the privacy regulations.

How privacy mature is my business?

Within your company, you are aware of privacy as an issue. But is that enough for your customers? Society has become extremely critical about the way in which personal data is handled. A good privacy policy is now a licence to operate. Your customers expect you to behave in a privacy mature way. But what does that mean? How do you measure it and how do you grow in maturity? We provide answers to those questions.

Our perspective on privacy maturity ranks businesses according to five levels. The ideal is for yours to grow to the fifth level. This is where the biggest opportunities for enhancing your reputation lie. You can decide whether that is actually what you want based on the required investment, estimated risks and expected returns. Privacy maturity is not a natural process but a conscious choice that requires taking various steps. It needs to suit your business and environment.

Which level matches your aims?

Is your current maturity level appropriate, or are you aiming higher? In the latter case, it is time to decide which steps are needed to grow further. We can support you in this. For instance, we have best practices in many sectors that will give you a concrete idea of the options.

KPMG can also advise you on the tools that will help you get a grip on privacy. For example, by improving your understanding of the personal data you are processing. And by automating the management of privacy measures and supporting the workflow of employees in the area of privacy. This tooling is particularly valuable for helping businesses with relatively little capacity to take great strides towards a higher maturity level.

How to increase privacy awareness among employees

If you want to gain maximum returns on your investment in privacy policy, devote a lot of attention to privacy awareness among employees. They are the ones who have to apply your privacy policy in practice. Privacy awareness is the crucial link between theory and practice. If privacy awareness exists, you can avoid major privacy risks. But how do you increase privacy awareness? We will help you with a five-step approach. 

In many cases, responsibility for privacy policy is entrusted to a single employee or a small department. Whereas all employees have an impact on privacy to a greater or lesser extent, with their own roles and responsibilities. For this reason, what is required is a corporate culture in which everyone is aware of the importance of privacy and knows how to apply the privacy rules properly in practice. This reduces the scope for human error.

Step 1: Measure
Establish feasibility in line with your privacy vision. Are your employees willing and able to achieve your vision and ambition?

Step 2: Motivate
Make sure employees support the vision and ambition and that there is a sense of connection. Model behaviour from management is crucial.

Step 3: Inform
You have laid the foundations, now you tell your employees what you expect from them. Clarity is important above all.

Step 4: Reflect
A new way of working and new behaviour have been established. You challenge everyone to reflect: is the policy being adopted properly and is it feasible?

Step 5: Assure
There needs to be an ongoing focus on privacy, for instance embedded in performance management. Behaviour and effects need to be visible (transparency). 


How do I integrate privacy into my processes and services?

Right across your organisation, deep within your operational processes, you will find personal data. If you want to avoid unpleasant surprises, such as data breaches or compliance risks, a properly anchored and integrated privacy policy is essential – as is being compliant with the principles of privacy by design and privacy by default laid down by the General Data Protection Regulation (GDPR).

Privacy by design means already making sure personal data is properly protected at the design stage of products and services.

Privacy by default means taking technical and organisational measures to make sure that, by default, you only process personal data that are required for the specific goal you want to achieve.

Right from the start, you make sure your business is familiar with these principles and that your employees make privacy-conscious choices. That way, you avoid having to apply sticking plasters later on.

Data privacy as a logical part of the design phase

The principle of privacy by design is not new. But it often goes little further than a list of basic principles for the project manager – such as asking permission for the use of personal data and deleting that data in timely fashion. This makes it abstract to many employees, preventing privacy policy from truly becoming ingrained. With a few steps, you can make sure privacy by design becomes a logical part of every design or development phase.

The seven basic principles of privacy by design

1. Data minimisation. At the outset, be critical about which data you are going to process in your new product or service. The less data the safer.

2. Pseudonymising and/or anonymising. Where possible, unlink data that could be traced to a person from other data, either temporarily (‘pseudonymising’) or permanently (‘anonymising’).

3. Encrypting. Make sure data is properly protected at the source and choose the encryption method that best suits your product or type of project.

4. Access monitoring. From the start, limit who can access which data and invest in good authorisation and access tooling.

5. Privacy by default. Make sure application and system settings are set to the highest privacy level by default. You can always change the settings in specific cases.

6. Retention and deletion. Know which data you are allowed to keep for how long, put those rules in writing and provide for smart automated deletion.

7. Rights of data subjects. Under the GDPR, individuals whose personal data you process (data subjects) have increased and enhanced privacy rights. For example, the right to request inspection, correction, deletion or transfer of their personal data. Make sure in advance that you can easily comply with such requests.

Experienced specialists for your data privacy issues

KPMG offers you a multidisciplinary team consisting of certified Data Privacy, Data Management and Cyber Security professionals. We will help you implement privacy in legal, organisational and technical terms. In line with your wishes and needs, we offer both practical services to help you right away and strategic solutions for your business.

Contact our specialists

Koos Wolters

Lead Partner Cyber Security
KPMG Netherlands

Kim van Assendelft

Senior Consultant Data Privacy
KPMG Netherlands

Stephan Idema

Senior Manager Data Privacy
KPMG Netherlands