The General Data Protection Regulation

As of May 25th, 2018, all organizations must comply with stricter privacy laws. But what does the General Data Protection Regulation (GDPR) actually entail and what will change?

The EU wants to better protect the privacy of European citizens and created the GDPR to do so. The GDPR is a European law and therefore also applies to the Netherlands. This new law is formally already in force since May 25th 2016 and replaces the current Personal Data Protection Act (PDPA).

Written by Chantal Drok. Posted on 01-05-2018.


Safeguarding privacy

The PDPA was drafted in the days when everyone was dialing in through 56k modems to access the Internet. Today, almost everyone has access to very fast Internet anywhere and at any time. Both privately and professionally, we arrange almost everything online, and in doing so we leave our data in many different places. Because of digitization, companies, governments and healthcare organizations store a variety of personal information about customers, citizens and clients. How they protect that data and what they do with it is not always clear. This is why the EU wants to better safeguard citizens' privacy.

Personal data

Personal data used to mean mainly directly identifying data such as names and addresses. Under the new law, it also covers data linked to IP addresses, MAC addresses, cookies and the like. This means that data companies do not obtain from people themselves but collect through cookies is also privacy-sensitive, even when no name is associated with it.

Transparent

It is now mandatory not only to store personal data with great care, but also to regularly review the measures for doing so and to be able to demonstrate them. In addition, it becomes obligatory to inform people of their right to view, change and even delete the data that an organization collects and manages. If a retail organization or webshop registers a visitor's interests for marketing purposes, it must be possible to remove them upon request. Organizations are also obliged to explain in understandable language what exactly they do with all personal data. Finally, it is mandatory to point out to people that in case of problems they can file a complaint with the regulator, the Authority for Personal Data.

Documentation

Previously, you only had to keep track of data breaches if you also had to report them to the regulator. That changes with the GDPR. Now you are required to document all data breaches internally, even those that do not have to be reported. And if you process privacy-sensitive data on behalf of a client, you are legally obliged to report data breaches to that client as well, who in turn can report them to the regulator. All processing of personal data must also be documented, including data about your own staff or the address list for the newsletter. This documentation must clearly show which data is processed, for what purposes and how it is secured. More information can be found here.

Processor agreement

Under the new legislation, you must enter into a processor agreement with all your suppliers and customers. After all, you remain responsible for the data stored by your organization, even if it is located or managed elsewhere. The agreement describes how you handle personal data. When outsourcing services that involve a customer's personal data, this is an important consideration: you not only have to make agreements with suppliers and customers, but also have to obtain permission for this from that particular customer.

Storing data abroad

When cooperating with foreign parties, it is crucial that you are certain where your data is stored, because storing data abroad is only allowed under very strict regulations. An example of this is the Privacy Shield. If your data is in the EU, it is protected by the strictest rules on personal data in the world. And that's where a party like Fundaments comes in: we only work with data centers within the Netherlands.

Don't sit back

There is still a transition period until May 25th, 2018. However, this does not mean you can sit back. The new legislation is not optional, and the deadline is rock solid. Nevertheless, you definitely still have time to take the right measures, and that is highly recommended. Currently, the maximum fine is still €900,000. Under the new law, this will be increased to €20 million or 4% of the worldwide annual turnover. Time for action, indeed.

Besides the points mentioned above, there are other things that will change under the new law. Would you like to know more about the effects of the GDPR for your organization? Then join us October 26th at our Knowledge Event on GDPR.

GDPR in brief?

The GDPR replaces the Personal Data Protection Act ("PDPA") as of May 2018. In addition to the mandatory data breach disclosure, it is mandatory to:

  • Keep a register of data processing activities
  • Periodically conduct a "privacy impact assessment"
  • Broaden the information obligations to those involved
  • Appoint a "data protection officer"

Source: https://ictrecht.nl/factsheets/algemene-verordening-gegevensbescherming-verandert-er-echt/