Edition MONTH 12 | 2017 12
Home > Editie 12 > Are you GDPR-proof?
Read later

On 25 May 2018 the EU General Data Protection Regulation (GDPR, or ‘AVG’ in Dutch) will replace the current privacy law. It places greater emphasis on the responsibility of organisations to be able to demonstrate that they are complying with the law. Does your company meet the tighter data requirements yet?

When the General Data Protection Regulation (GDPR) comes into force, there will be one privacy law for the whole of the European Union (EU). From 25 May 2018 onwards, the GDPR will apply for all companies and organisations that record and store personal data about customers, employees or other people – things like salary administration details and customer data (including information about sole traders), for example. In addition to names and addresses, the law may also cover information linked to IP addresses, cookies and so on if they can be traced back to a natural person. People will gain extra privacy rights, such as the right to be forgotten.

Record of processing activities

One important new aspect of the GDPR is the principle of accountability. This means that each organisation must be able to demonstrate at any point in time that it complies with the data protection principles. For example, it will be mandatory for each organisation employing more 250 people or more to keep a record of its processing activities. Small businesses (with less than 250 employees) will only need to keep such a record if their data processing activities pose a risk to the rights and freedoms of those individuals whose personal data is being processed, if the processing is not occasional, or if the processing includes special categories of personal data (such as race, health or political beliefs).

So it’s high time to start preparing for the GDPR. Non-compliance with the GDPR requirements can result in hefty fines (max. EUR 20 million or 4% of your annual global turnover)!

Step-by-step plan

Setting up and keeping a record of data processing activities forms part of the duty to keep records. It is necessary to demonstrably comply with the GDPR; the record of data processing activities contributes to this, and is therefore mandatory in some cases. So what should the record of data processing activities contain? The following step-by-step plan will help you on your way:

Provide insight into which personal data is being used and divide the people concerned into categories, such as own staff, suppliers’ employees, consumers.

State in each case the purpose of the data processing, where the data is stored and who has access to it. Only process personal data for which you have a legal ground for doing so – e.g. ‘necessary for the performance of a contract (such as a natural person’s bank details in order to make payments)’, a legal obligation or a legitimate interest (balance between your own interest and the employee’s privacy interest).

Under the GDPR, organisations that process data on a large scale must appoint a data protection officer. Find out whether that applies to your organisation. Your record of data processing activities must include the contact details of your business and/or your representative (if applicable) or your data protection officer.

Find out to whom your company passes on the personal data, including if the data is forwarded to third countries or international organisations. The GDPR imposes very strict restrictions on the transfer of personal data to parties outside of the EU. Your record of data processing activities must indicate which safeguards you have provided in order to comply with these requirements.

Determine and record, for each category, for how long it is necessary to keep the personal data.

Check the security of your system. The record should describe all the technical and organisational security measures you have implemented. Conduct a data protection impact assessment (DPIA).

Once you have set up the record of data processing activities, it is important to periodically check whether it is still current. Are you now processing more (or less) personal data, or have any technological changes affected your security measures? The record must be up to date at all times. And do you already know who will be responsible for this within your company?

Stricter duties to inform

The GDPR imposes strict criteria relating to the duty to inform the natural persons (‘data subjects’). Companies must be able to demonstrate that they have informed the data subjects about the relevant data processing activities before processing their personal data. This can be covered by a privacy statement. The information about the processing of personal data must be easy to understand and written in clear and simple language. The personal data must be processed in a transparent manner.

In summary

If you’re not yet ‘GDPR-proof’, then it is essential that you free up time and budget over the coming months to make all the necessary changes! In this publication, we will regularly be covering the law and the necessary measures in the months ahead.


Source: ©Neirf/Shutterstock
Browse through content