The GDPR: what does it involve and what has changed?
The General Data Protection Regulation (GDPR) has applied since 25 May 2018 in the Netherlands and the rest of the EU. This means there is now uniform European legislation governing privacy. Interhouse takes the privacy of its customers very seriously. Since the autumn of 2017 Interhouse has run projects to review all of its privacy-related processes and, where necessary, tighten them. Interhouse does not just comply with the GDPR itself; it goes a step further by explaining how you can make your own company GDPR compliant.
The GDPR looks like a whole new playing field, but in reality 80 to 90 percent of it was already contained in the Dutch Personal Data Protection Act (Wbp). The GDPR is mainly a hot topic at the moment because of the stronger position and wider sanction options given to the Dutch Data Protection Authority (DPA), and because many companies have realised that they were not properly complying with the existing law. In short, the Netherlands is being forced to play catch-up. The question now is: how do you become GDPR compliant? The Dutch DPA's 10-step plan contains the tips listed below (source: Dutch DPA).
Step 1: Awareness
Make sure that the relevant employees in your company (such as policymakers) are aware of the new privacy rules. They need to estimate the impact of the GDPR on your current processes, services and goods, as well as any adjustments required to comply with the GDPR.
Step 2: The rights of data subjects
Under the GDPR, data subjects, i.e. those individuals whose personal data you process, have been given wider and improved privacy rights. Make sure that they can exercise their privacy rights properly.
Data subjects may also submit complaints about how you treat their data. The Dutch DPA is obliged to deal with these complaints.
Step 3: List of data processing tasks
Map out your data processing tasks. Document which personal data you process and for what purpose, where these data come from and who you share them with.
Step 4: Data protection impact assessment
Under the GDPR, you may be obliged to conduct a data protection impact assessment (DPIA). This is an instrument for mapping out the privacy risks involved in a data processing task upfront and subsequently introducing measures to reduce these risks. You need to conduct a DPIA if your intended data processing task is likely to result in a high risk to individuals.
Step 5: Privacy by design & privacy by default
Make sure that your company is familiar with the basic principles under the GDPR of privacy by design and privacy by default, and examine how to integrate these principles into your company.
Privacy by design means that you need to ensure that personal data are properly protected when designing products and services. This also means that you do not collect more data than required for the purpose of the processing task and that you do not retain the data for longer than necessary.
Privacy by default means that you need to implement technical and organisational measures to ensure that you, as standard, only process those personal data required for the specific purpose you aim to achieve.
Step 6: Data protection officer
Under the GDPR, companies can be obliged to appoint a data protection officer. This applies in any case to public authorities and to organisations whose core activities consist of large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data (such as health data). Check whether your company falls into one of these categories.
Step 7: Duty to report data breaches
The duty to report data breaches remains largely unchanged under the GDPR: a breach that is likely to result in a risk to individuals must be reported to the Dutch DPA without undue delay and, where feasible, within 72 hours of discovering it. What the GDPR does add is a stricter requirement for your internal administration: you must keep a register of all data breaches, including those you are not obliged to report, documenting the facts of each breach, its effects and the corrective measures taken.
Step 8: Processor’s agreements
Have you outsourced your data processing tasks to a processor? Check whether what has been agreed in existing contracts with your processors is still sufficient, and whether these comply with the criteria the GDPR demands of processor’s agreements. If not, make the necessary changes in good time.
Step 9: Lead supervisory authority
Does your company have offices in several EU member states? Or do your data processing tasks have an impact in several member states? Then under the GDPR you only have to deal with a single supervisory authority for privacy matters, known as the lead supervisory authority.
Step 10: Consent
For some data processing tasks you require the consent of the data subjects. The GDPR lays down stricter criteria governing consent. You therefore need to evaluate how you ask for, obtain and record consent. Adjust these if necessary. One new aspect is that you need to be able to demonstrate that you have obtained valid consent from the data subjects to process their personal data, including making it just as easy for them to withdraw their consent as to grant it.
If you have any further questions, please do not hesitate to contact Hartelust Risk Management Consultancy.