Skip to content

GDPR compliance and awareness at Achmea Investment Management

With assets under management of EUR 130 billion, Achmea Investment Management is one of the five largest asset managers in the Netherlands. Clients include pension funds and individuals. In addition, they manage the assets of the Achmea parent company. Achmea Investment Management focuses on the Dutch market and wants to be seen as a leading asset manager that listens carefully to its customers to the benefit of all parties. The basic requirements for this are to have business processes meet the standards of the new privacy legislation (GDPR) and to create awareness among employees regarding the new privacy legislation.

The starting point: A business process analysis from multiple angles

avg-compliant-bedrijfsprocessen-achmea-investment-management-devoteam-proces

Michel Dantuma (Project Transition Manager at Achmea IM) maps project steps.

During the inventory period Devoteam was asked by Achmea Investment Management for its support in analysing and creating GDPR compliance for all business processes. Devoteam has further elaborated the inventory by extracting all personal data from the processes, applications, contracts and the organisation. Using a top-down approach, with full commitment from the management, Devoteam conducted a thorough analysis. Preventive measures have also been taken in case new personal data were to be reported in the future.

After the inventory phase, Devoteam, together with the GDPR Team within Achmea Investment Management, carried out three Privacy Impact Assessments (PIA) to map the privacy risks of the project at an early stage in a structured and clear manner. Five matrices of personal data were produced, a processing register was drawn up and more than 20 notes were drawn up from which suggestions for improvement arose.

avg-compliant-bedrijfsprocessen-achmea-investment-management-devoteam

The end of a successful GDPR compliance process with on the left Michel Dantuma (Project Transition Manager at Achmea IM) and on the right Joris de Graauw (Senior Consultant at Devoteam).

Based on the analysis Devoteam and GDPR Team gave advice on the mitigating measures to be taken. The prepared notes provided management with clear options, based on the gap between the current situation and the desired situation from the GDPR legislation. As a result, the management of Achmea Investment Management has been able to make conscious choices, which Devoteam implemented in the departments involved.

“Because of the flat organizational structure and the scope for initiative, I was able to design the frameworks of my method almost entirely myself.”


Joris de Graauw
Devoteam Senior Consultant

Creating GDPR awareness within Achmea Investment Management

Making GDPR-compliant business processes in itself was not enough. Changing processes requires a change in human interaction with these processes. Extensive training sessions were given to Achmea IM staff, so that the staff could make conscious choices in the GDPR area. As part of the awareness creation, a kiosk has been set up for questions about GDPR.

This privacy kiosk includes:

  • Handling of all GDPR requests from customers and employees;
  • Tested and implemented processes (also as part of the group processes);
  • A care-supporting function for checking and correctly dealing with data leaks, internal awareness, privacy by design, etc;
  • External communication about the changes of Achmea IM in the field of GDPR;
  • Proactively informing institutional clients.

“A direct approach, good discussions and further thinking than initially asked are the characteristics of our collaboration with Devoteam.”


Michel Dantuma
Project Transition Manager at Achmea Investment Management

In short, Achmea Investment Management is ready in time for the new GDPR legislation, partly due to the successful cooperation with Devoteam. The results of the business analysis provide management with the basis to be able to make conscious choices regarding privacy governance.

White Paper: Road to GDPR compliance

A thorough business analysis for your organisation?

In addition to the goal of compliance with the GDPR legislation, a business analysis exercise can be used to improve many other processes. We at Devoteam strongly believe in guiding companies in their digital battles. Nowadays organisations have to go through a continuous evolution process. During this digital revolution, as we call it, the transformation of digital processes and changing business and IT processes is of crucial importance. Maintaining traditional business processes while the world has switched to a digital age is something that organisations simply cannot afford to do anymore.