On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. It replaces the current Personal Data Protection Act. The GDPR consists of a number of rules for the (automatic) processing of personal data. This new EU regulation forces you as an entrepreneur to act more carefully and responsibly when dealing with personal data of customers, personnel or others. The GDPR applies to all independent entrepreneurs, whether they employ staff or not, even if you have only a few customers. You need to take into account the regulation’s conditions every step of the business process: even when sending a quotation, invoice or newsletter. So, in order to prevent a hefty fine from the Dutch Data Protection Authority (DPA), make sure you comply with the GDPR. In the Netherlands, the GDPR is referred to as the AVG or Algemene Verordening Gegevensbescherming.
Does the GDPR apply to your company?
If your business is located in one of the EU member states or in the EEA, even if only with a subsidiary or branch, or if your customers, suppliers or any other stakeholders are residents of an EU member state, you need to comply with the GDPR. The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Raise awareness in yourself and your organisation
Make sure you are aware of the terms and rules set out in the GDPR. Read about them or attend (or organise) an information session. Does your organisation employ staff? Then start by informing relevant employees of the new privacy rules. They can assess the impact of the GDPR on your current processes, services and products. They can also help you determine what you need to do to comply with the GDPR. The DPA has developed tools to help you comply with the GDPR, for instance guidelines drawn up in collaboration with the other European privacy watchdogs.
Inform your customers of their rights
Explain exhaustively, in a privacy statement written in plain language, how you process personal data. For instance:
- what you use the data for;
- why that matters to your customer;
- for how long you store the data.
Also inform them of their rights:
- the right to access, adjust and delete data;
- the right to limit or revoke permission;
- the right to data portability. This enables those involved to easily access their data and transfer it to another organisation;
- the right to file a complaint with the DPA. The DPA is legally obliged to deal with every complaint lodged.
Keep track of how you handle data
The GDPR requires that you are able to show what you do with personal data. Therefore, you must keep clear records of your data processing operations. Tell your suppliers and customers clearly which personal data you use, to what end, where you store them and with whom you share them. You’ll need a record of your data processing operations when people involved want to exercise their privacy rights.
Make a Data Protection Impact Assessment (DPIA)
The GDPR may require that you perform a ‘Data Protection Impact Assessment (DPIA)’. This is an extensive survey, used to chart the risks of data processing. A DPIA can help you take preventive measures to eliminate those risks. You will only be required to perform a DPIA if the way in which you process personal data poses a potentially high privacy risk. For instance, if you:
- Analyse personal details systematically and extensively;
- Process sensitive personal data on a large scale;
- Follow the activities of persons in a public access area on a large scale and systematically.
Make your products and services privacy-safe
If you develop new products or services, make sure that personal data are taken into account and their protection taken care of in the development process. This is called ‘privacy by design’. Only process those personal data that are absolutely vital for your specific purpose. This is called ‘privacy by default’. Some examples:
- an app should only register a user’s location if this serves a purpose;
- don’t pre-check the box ‘yes, I want to receive offers’ on your website;
- don’t ask for any more details than necessary in your newsletter subscription form.
Find out if you need to employ a data protection officer
The DPA can force you to appoint a data protection officer (DPO). Does your company process data on a large scale? Then you might require a DPO. A DPO is responsible for:
- data processing surveys;
- recording data processing reports;
- handling questions and complaints from persons within and outside the organisation;
- developing internal regulations / procedures;
- advising on technology and protection (privacy by design);
- providing input for a new or amended code of conduct.
Document data leaks
The GDPR obliges you to record and document every data leak in your organisation, even the ones you do not need to report. Do you process privacy-sensitive data on behalf of your clients? Then you have the legal obligation to report any data leaks occurring during those processes to them, so they can notify the DPA.
Draw up a data processor agreement
Draw up a data processor agreement with every organisation that you employ to process personal data on your behalf. Even an external helpdesk viewing the data constitutes processing. And a subsidiary or foreign branch of the company counts as an external data processor. A data processor agreement establishes, for example:
- that processing must be performed in accordance with the data controller’s instructions;
- security measures;
- bringing in third parties and subcontractors;
- data location;
- audits or surveys;