Getting a good understanding of the requirements, but also of the opportunities and business value, is not easy. We designed a GDPR business value roadmap to help you with this and to help you understand what capabilities you need to get the job done.


  • How will you understand what in-scope data is used for, for what purpose and by whom?
  • How will you demonstrate how you’re aligning to the principles?
  • Is your approach mostly manual, using interviews, questionnaires & static documentation?
  • Is your approach inaccurate, time consuming, resource consuming, out-of-date, or all of these?


  • Do you understand where in-scope data is across your organisation and how it is shared?
  • How will you demonstrate you understand the size & shape of the data problem across domains and data subjects?
  • Is your approach mostly manual, using interviews, questionnaires & static documentation?
  • Is this approach inaccurate, time consuming, resource consuming, out-of-date, or all of these?


  • How will you capture, manage and distribute consents across channels and business units?
  • How will you demonstrate you have captured the lawfulness of processing across all in-scope data sources?
  • Do you have anything in place already? Or are you planning on extending existing preferences capabilities?


  • How will you put protections and controls around identified in-scope data?
  • Can you demonstrate you have relevant control over the relevant in-scope data?
  • Are you planning to manually apply controls? Or apply masking, deletion & archiving solutions as required?
  • Will this approach give you a holistic view around the protections & controls you have in place?


In 2013 cyber insurance was still a brand new product on the insurance market. At the time, only a negligible minority considered this policy to be useful. In the meantime, the number of online processes in the business world has steadily increased and the risks are no longer under discussion. Furthermore, Europe is placing cyber security high on the agenda with its new privacy legislation (GDPR).

Most companies already know that the GDPR requires a multi-faceted initiative. Approaching data privacy risk from a legal, process and data point of view is fundamental. Cyber insurance can be an extra component in this approach and can be the missing link that gives companies the extra guarantee needed to cover their end-to-end privacy risk.

We interviewed Tom Van Britsom, cyber insurance expert at Vanbreda Risk & Benefits, to give you insight into the current state of the cyber insurance business. Vanbreda Risk & Benefits is a well-known independent insurance broker and risk consultant.

Tom Van Britsom, Vanbreda Risk & Benefits

The business world and cyber criminals have both changed. Can you explain?

The increased importance of cyber insurance is a direct consequence of a metamorphosis that has unfolded in two areas over the past few years. First of all, the business world has become largely digitized. Major steps have been taken not only in production processes, but also in invoicing and finance. The B2C market has become highly digitized too, with virtually everything now able to be ordered online.

Second, cyber criminals themselves have become much more professional. In the past, individuals represented the greatest threat in this area. They explored the boundaries of what was possible and tried to corner companies. This initial form of cyber crime has now given way to a more professional form which defies belief. For example, today there are gangs that employ an entire army of hackers and an accompanying call center to hold companies to ransom with maximum speed and efficiency.

How is a cyber policy tailored to this new reality?

Cyber insurance covers damage incurred by a company following a cyber incident. This can be caused by exposure to malware, viruses or hackers, as well as human error by an employee. The consequences are often severe: from loss of income due to interrupted operations, overtime logged by IT staff and the deployment of other professionals to sizeable claims from customers or suppliers affected by the data leak.

Today, cyber insurance is a comprehensive policy which – spurred on by the insurance industry – has adapted to the new context. Initially, there were two separate policies: one covered the insured party’s liability – from fines and notification fees to claims from companies that incurred damage as a result of a data breach or a virus via the insured party’s servers. A second policy was designed to cover personal damage incurred by the insured party, e.g. after operations were interrupted.

Now, however, both elements are combined into a single cyber insurance policy.

In recent years, the policy has been further expanded with new coverage, including cover against cyber theft and telephone hacking. The triggers of this policy have also become broader. Cyber insurance as it stands now can cover the financial consequences resulting from a security breach, human error or natural causes such as lightning.

Furthermore, many extra services have been added to this policy. Insured parties can now turn to helplines for legal assistance, crisis management and IT and PR support. Free scans are also offered that provide insight into a company’s vulnerability to cyber attacks and hackers.

The number of policies is obviously increasing exponentially, but what about the damage incurred?

In 2016, cyber insurance made its definitive breakthrough. Our experts at Vanbreda, for example, noticed that in 2017 the number of cyber policies taken out doubled in comparison to the year before.

The new European privacy regulation (GDPR) clearly creates an incentive for this, as there are substantial fines for those companies that do not comply. Today, administrative fines – along with all costs associated with the obligation of notification – can be insured in a cyber policy.

Unfortunately, many companies have recently been confronted by (attempted) cyber crime. This has also served as a wake-up call.

Vanbreda’s damage figures, and those of a few major cyber insurers, do not lie: one in thirteen of those insured have submitted a claim in the past five years. Our own figures (see graph below) show that 43% of the cases involved CryptoLockers. A data breach was the cause of just 5% of the claims, although that number will undoubtedly increase in 2018. From May 2018 onwards, an obligation of notification will apply for data leaks under the GDPR legislation.

There are two damage categories. One involves CryptoLockers. Although they are now quite common, the damage is fortunately limited to up to EUR 10,000. The other form of damage is increasing all the time, with instances of cyber theft where one million euros disappears or operations are interrupted for a period of days or weeks. The financial impact of this is huge. In Europe, there have been several well-known examples of cyber damage leading to millions of euros being lost.

What does the cyber insurance future hold?

The previous graph, with data from 2017, will almost certainly look completely different within a few years.

Due to the obligation of notification for data leaks, this type of damage will join the top three. In addition, Europe will impose fines amounting to up to 4% of global turnover in the event of data leaks following non-compliance with the GDPR regulation. This will also become evident in the amount of damages paid out.

It is clear that legislation is tightening and ignorance will no longer be accepted. Neither the government nor the business world is in any doubt of the current risks. In short, the usefulness of cyber policies is no longer under discussion.


Despite the growing popularity and actual implementations of cloud applications, the majority of organizations today are not adjusting their governance to secure their cloud data. This is illustrated by The 2016 Global Data Security Report conducted by the Ponemon Institute.


  • Half of all cloud services and corporate data stored in the cloud are not controlled by IT departments
    On average, 47% of all data in the cloud is not managed by the IT department. You can argue about who should actually be in the driver’s seat when it comes to flexibility, time to market, etc. However, involvement from your security staff is something else and should be a no-brainer. Shadow IT initiatives that fly under the radar are the main reason your cloud data is typically the weakest link and generates the highest risk.
  • Only a third of sensitive data stored in cloud-based applications is encrypted
    72% of the respondents believe that protecting sensitive information through data encryption and data tokenization is important. Yet only 34% say their Software-as-a-Service (SaaS) data is actually encrypted or tokenized. Relying on the security features of a cloud platform provider is one thing, but it still does not guarantee that your sensitive data is really secure. The only way to get there is to use the proper encryption techniques, and best practice is to apply the same policies and technology across your complete data landscape (on-premise and cloud).
  • More than half of companies do not have a proactive approach for compliance with privacy and security regulations for data in cloud environments
    73% of about 3500 participants indicated that cloud services and platforms are important. 81% even confirmed that the importance of cloud in the next two years will grow. Despite this trend, 54% says that their organization has no proactive data protection approach. With compliance regulations like the General Data Protection Regulation (GDPR) in mind, this seems a rather scary and risky thought.


The fact that companies are wrestling with protecting cloud data stems in part from the idea that these platforms and data are managed by an external party. Companies should realize that their data governance agenda covers both their traditional on-premise data and their remote cloud data. The data reality is hybrid, and the idea of cloud platforms as disconnected islands is long gone. A uniform and consistent data protection approach covering all your data, regardless of location, is in essence what companies should target.