Make your organisation GDPR-proof: start with a thorough inventory
On Friday 25 May 2018 it will be definite. On that day the European General Data Protection Regulation (GDPR) will come into force and replace the current Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp). This means that you have slightly less than one year to get your organization “GDPR-proof”.
In the blog of 31 May 2017 we already gave you a very broad picture of the changes which will be brought about with the coming into force of the GDPR by providing ten tips to get your organization GDPR-proof.
Below tips 1 and 2 are explained in more detail:
- Make an inventory of the personal data which are processed by your organization and of the manner this processing takes place in the organization.
- Check on which basis your organization processes personal data and whether that basis at a further stage still meets the requirements.
Requirements for the processing of personal data
Personal data may only be processed if all requirements of the law are met. The key requirements are that there must be:
- a permissible purpose of which the data subject has also been informed about clearly and in due time;
- a basis for the processing, for example a statutory duty, an agreement, permission of the data subject or a justified interest that outweighs the privacy interest of the data subject;
- data-minimisation: collect and process no more than necessary for that purpose;
- subsidiarity: other means that may be applicable to achieve the purpose must be opted for if they are of a lesser risk for the data subject;
- an adequate level of organizational and technical security of the personal data you are processing.
You will be able to judge whether you are complying with these requirements if you have a clear and most complete picture of what you actually collect and in what manner you make use of it. For that reason it is wise to carry out a ‘baseline assessment:
A. Check per department/function what kind of personal data are collected or processed:
Your sales department collects, processes and has access to:
- name and address details of private customers or contact persons
- telephone numbers
- purchase history
- searching behaviour on the website
- other information supplied by customers
- databases that are obtained from third parties
The ICT department collects, processes, has access to:
- traffic data
- visit data
- telephone data
- log data with regard to the system usage
- log data with regard to the access control
Human resources et cetera
B. Consider then which processes take place in respect of these personal data.
- The sales department processes all information it collects about the customers or potential customers in a Client Management System which is offered by a third party as a SaaS-solution.
C. Consider per process:
- For which purpose the personal data are or have been collected? For example delivery of requested goods or services or the issue of a quotation.
- Have the data subjects been informed about that purpose or is it obvious and self-evident that the data subject can expect processing for that purpose?
- For which other purposes the personal data are actually being processed.
For example the sending of unasked for offers.
- What is the basis for the processing and is this basis still current?
- To which categories of data subjects do the personal data relate?
- From whom do you receive the concerning personal data, for which purpose and on which basis?
For example from the customer or potential customer himself, because he filled out a web form.
- Who within your organisation has access to which personal data and why?
- To whom do you issue personal data, for which purpose and on which basis?
- For how long do you keep the personal data?
- Do you pass on personal data to receivers in third countries (outside of the EU)? If so, to which countries/organizations and on which basis?
Lay down all data which follow from the baseline assessment as clearly as possible in a processing register, also if you are not obliged to do so (in a later blog we will consider the obligation to register).
After having gone through the baseline assessment you will have a set of basic data from which you can continue to work on getting your organization GDPR-proof.
To be continued …
In our next blog in the series blogs on personal data breaches will be dealt with particularly.