10 tips to be ready for the General Data Protection Regulation
On Friday 25 May 2018 it becomes definite: on that day the European General Data Protection Regulation (GDPR) will apply. This means that you have slightly less than one year left to get your organization “GDPR-proof”.
From the Dutch Personal Data Protection Act to the GDPR
In the Netherlands the Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp) currently applies. This Act covers all automated processing of personal data of natural persons, for example name, address, gender, income et cetera, but also the processing of, for example, medical data or data on racial origin, belief, political opinion or sexual orientation.
The European Union adopted the General Data Protection Regulation (GDPR) on 27 April 2016 and the Regulation entered into force in May 2016. It will only apply from 25 May 2018, however, and from that day on it replaces the Personal Data Protection Act. From that moment onwards the same privacy legislation will apply across Europe. The GDPR brings, inter alia, (i) strengthening and expansion of privacy rights, (ii) more responsibilities for organizations and (iii) more severe penalties.
There is a period of two years between the moment the GDPR entered into force and the moment it actually applies. Organizations have thus been given two years (of which one year has already passed) to prepare for the GDPR. The Dutch Data Protection Authority (DPA) has announced earlier that from 25 May 2018 onwards it will actively enforce compliance with the GDPR.
The GDPR brings about a number of changes, amongst which the following:
- The maximum penalty the DPA can impose is considerably increased, from € 820,000 under the Personal Data Protection Act to € 20 million or 4% of the worldwide annual turnover, whichever is higher. Moreover, penalties can be imposed not only on a ‘controller’ but also on a ‘processor’.
- Because the duty to notify the DPA ceases to exist and is replaced by an obligation to keep a record of processing activities, the administrative burden for organizations decreases on that point. On the other hand the GDPR contains, far more than the Personal Data Protection Act, a considerable number of formalities organizations must comply with, so that the overall administrative burden will in practice increase.
- Internationally operating companies will face one European privacy regulation instead of a patchwork of national privacy acts. The rules are therefore the same throughout Europe, although member states retain the possibility to adopt additional national rules in certain fields.
- The GDPR applies to all organizations that offer products or services to individuals within the EU or that monitor the behaviour of individuals within the EU, irrespective of whether the organization is established in the EU. Competitors outside the EU will therefore have to comply with the same privacy rules.
- New is the right to data portability. This means that the data subject has the right to demand that an organization to which he has provided his personal data hands those data back to him in a usable format, so that he can pass them on to another organization, or that the organization transmits those data directly to another organization designated by the data subject.
- The GDPR stipulates that an organization must erase the personal data it processes on demand of the data subject if certain conditions are met: the right to erasure.
10 tips to make your organization GDPR-proof
If your organization processes personal data it is important to check whether you comply with the GDPR. To that end the following is necessary:
- Make an inventory of the personal data which are processed by your organization and of the manner this processing takes place in the organization.
- Check on which legal basis your organization processes personal data and whether that basis still meets the requirements of the GDPR. If personal data are processed on the basis of consent, the question is whether that consent remains valid under the stricter GDPR standard. Is your organization, for example, still allowed to send mailings?
- Establish a procedure for personal data breaches, so that it is clear which steps your organization must take in the event of a data leak or a suspicion thereof.
- Decide whether your organization is obligated to appoint a Data Protection Officer.
- Check whether your organization must establish and maintain a record of processing activities. This is in any case required for government bodies and for organizations with 250 or more employees; smaller organizations are also obliged to keep a record if their processing is not occasional, concerns special categories of data or involves a risk for the data subjects.
- Check your agreements with (amongst others) hosting and cloud providers. These parties qualify as processors, and the GDPR stipulates that a data processing agreement must contain considerably more mandatory provisions than before, for example on security measures and on the engagement of sub-processors.
- Is the privacy notice of your organization up to par? The GDPR imposes more requirements in this respect.
- Carry out a Data Protection Impact Assessment (DPIA), even where there is no obligation to do so. Such an assessment helps you to gain insight into the way your organization deals with the processing of personal data.
- Is the security of the ICT in your organization up to par? This matters amongst other things because under the GDPR the controller as well as the processor is responsible for appropriate technical and organizational security of the systems with which personal data are processed.
- Make your organization familiar with the principles ‘privacy by design’ and ‘privacy by default’ which will become mandatory under the GDPR and consider how you can implement these principles within your organization.
In the coming weeks the Privacy and personal data team of PlasBossinade will deal in more detail with the arrival of the GDPR and with the way you can prepare your organization, and we will follow up with a more in-depth treatment of the issues mentioned above.