Watch this video for an example of how to apply the GDPR. The video takes an e-commerce example, but gives a sense of how all entrepreneurs can think of their customer's data and privacy.
What is the GDPR?
The GDPR is a European privacy regulation. It ensures the careful processing of personal data by businesses and organisations. For instance, you must have a good reason to process personal data. And you are not allowed to gather and use more data than is absolutely necessary. These rules apply across the EU/EEA. GDPR stands for General Data Protection Regulation, but in the Netherlands, the GDPR is referred to as the AVG or Algemene Verordening Gegevensbescherming. The GDPR came into force on 25 May 2018.
Protecting personal data
The GDPR is a set of rules that helps to better protect everybody’s right to privacy. The GDPR forces entrepreneurs to handle personal data carefully, whether they be the data of clients, personnel or others. Businesses must be able to prove they abide by the GDPR.
Examples of personal data
Names and addresses, telephone numbers, postal codes and house numbers are all personal data. Sensitive data, for instance about someone's race or ethnic origin, sexual orientation, religion or health, are called special categories of personal data. You are not allowed to process special categories of personal data, or data about criminal convictions and offences, unless the law provides an exception that applies to you.
The GDPR applies to all companies that do business in, or with, the EU
If your business is established in one of the EU member states or in the EEA, even if only through a subsidiary or branch, you must comply with the GDPR. The same applies if your business is established outside the EU but offers goods or services to people in the EU or monitors their behaviour, for instance because (even one of) your customers are EU residents.
The GDPR applies to all independent entrepreneurs who process personal data. It applies to you if you are a freelancer or a small business owner, even if you have no personnel or only a few customers. You need to take the regulation's conditions into account at every step of the business process: even when sending a quotation, invoice or newsletter. It does not matter whether you process the data on paper or in an automated system, nor whether you process the data on your own behalf or on someone else's. 'Processing data' includes collecting, storing, using, forwarding, sharing, distributing and merging. The Dutch Data Protection Authority (DPA) supervises your compliance with the GDPR. If it finds that you do not comply, it can impose a substantial fine.
File a complaint with the DPA
Anyone who believes that his or her personal data have been processed in a way that is not in accordance with the GDPR can file a privacy complaint with the DPA (in Dutch).
The DPA has prepared a so-called 'Regelhulp AVG', a set of questions to quickly assess if your organisation complies with the GDPR. It is only available in Dutch.
10 steps for being GDPR compliant - what are the rules?
You want to comply with the GDPR, but you are not certain how to go about it. Here are 10 steps to help you on your way.
1. Get informed about the GDPR and check if you are allowed to process personal data
Read about the GDPR, or attend an information session. Do you have personnel? Involve the relevant employees. They can assess the impact of the GDPR on your current processes, services and products. They can also determine what you need to do to comply with the GDPR.
To be allowed to process personal data, you must have at least one of these six legal bases:
- The person involved has given consent.
- You need the data to perform a contract with that person. For instance, you need address details to deliver your product to your customer.
- You need the data to comply with a legal obligation.
- You need the data to protect someone's life or health, and you cannot ask that person for consent.
- You need the data to perform a task in the public interest.
- You have a legitimate interest in processing the data that outweighs the interests of the person involved. For instance, processing personal data to prevent fraud or to keep your network and information systems secure.
2. Inform your customers of their rights under the GDPR
Your customers have extensive privacy rights, and you must make it possible for them to exercise these rights. For instance, your customers can:
- View their data, have them corrected and have them deleted
- Restrict the processing of their data, object to it, or withdraw consent they gave earlier
- Receive their data in a structured, commonly used format so that they can take them to another company or service provider; this is called data portability
Your customers can also lodge a complaint with the DPA. The DPA is obliged to deal with every complaint.
Draw up a clear privacy statement
Draw up a privacy statement in plain language. Tell the reader which personal data you use, how and for what purpose, on which legal basis you rely, why this is useful for your customers, and for how long you will store the data. Make sure this privacy statement is easy to find.
3. Keep a record of your processing activities
Under the GDPR you are accountable for the way in which you process personal data, and you must be able to demonstrate this. To do so, you are obliged to keep a record of how and why you process personal data. This is called a record of processing activities, or processing register. N.B.: companies with fewer than 250 employees are exempt only if their processing is occasional, does not involve special categories of personal data or criminal data, and is unlikely to result in a risk to the people involved; in practice, a business that regularly processes customer or personnel data still needs the record (check the DPA position paper on this (PDF, in Dutch)). The record has to contain information on where the data come from and whom you share them with, so that you can notify the organisations you share data with of any corrections or deletions of customer data.
Be transparent if you outsource services
When you outsource services and share your customers' personal data with another company, for instance an external call centre or administrative office, that company usually acts as a processor on your behalf. Sharing data with a processor that works under your instructions does not require separate consent, but you do need a processor agreement (see step 8) and you must inform your customers, for instance in your privacy statement. Document in your customer agreement that you share their data, because it is relevant to the way in which you operate on their behalf.
4. Find out if you need to perform a Data Protection Impact Assessment (DPIA)
Do you process data with a high privacy risk? Then you will need to perform a Data Protection Impact Assessment (DPIA). A DPIA is a systematic assessment that charts the risks of a data processing operation. Based on the DPIA, you take measures to reduce the privacy risks. Are you unable to reduce the remaining risk sufficiently? Then consult the DPA before you start processing the personal data (prior consultation). The DPA will determine whether the processing is allowed under the GDPR and will give you written advice. You run a high privacy risk if you:
- Systematically and extensively evaluate personal aspects of people by automated processing, including profiling, and base decisions on these evaluations that have legal or similarly significant consequences for them
- Process special categories of personal data or criminal data on a large scale
- Systematically monitor a publicly accessible area on a large scale, for instance by using CCTV
View a list of processing methods that require a DPIA (in Dutch).
5. Take privacy into account when designing new products or services
When you devise new products or services, make sure that personal data are already well protected in the design phase. This is referred to as 'privacy by design'. By default, you should not process more personal data than strictly necessary, and settings should start out at the most privacy-friendly option. This is referred to as 'privacy by default'. Examples include:
- An app should not record the user's location without good cause
- Do not pre-tick the 'yes, I want to receive offers' checkbox on your website
- Do not ask for more information than necessary to register a subscription to a newsletter
6. Find out if you need a data protection officer
Do your core activities involve large-scale, regular and systematic monitoring of people, or large-scale processing of special categories of personal data or criminal data? Or are you a public body? Then you are obliged to appoint a Data Protection Officer or DPO, a Functionaris Gegevensbescherming or FG in Dutch. A DPO monitors whether your organisation acts in accordance with the GDPR and advises you on it. Your organisation can also appoint a DPO voluntarily. On the DPA website you can find the Guidelines on Data Protection Officers (follow the link under the header Praktische hulpmiddelen) plus the FG registration form (in Dutch).
7. Document and report data leaks
A data leak (data breach) means personal data are lost, destroyed, altered, disclosed or accessed in a way that should not have happened. Examples are:
- You lose a laptop, tablet, USB stick or papers containing unencrypted personal data
- You email personal data to the wrong person
- The personal data you process are stolen in a cyber attack
- Your system has been infected with ransomware, rendering the personal data inaccessible
You have to report every serious data leak to the DPA, where possible within 72 hours of becoming aware of it. You must also record and document every data leak in your organisation, even the internal ones that you do not have to report. View the guidelines (PDF) to find out which data leaks to report. These guidelines have not been made final. You only have to notify the persons whose data are involved if the leak is likely to have serious consequences for their rights and freedoms. Do you process privacy-sensitive data on behalf of your clients? Then you are legally obliged to report any data leaks occurring during that processing to them without delay, so that they can notify the DPA.
8. Draw up a data processor agreement
Do you work with companies that process personal data on your behalf and following your instructions? Make sure you draw up a data processor agreement in accordance with GDPR Articles 28 and 29 (see the information on the DPA website). This also applies if the processing company is affiliated with your company or based abroad. Even a help desk viewing the data is a form of processing. Did you have a data processor agreement under the Dutch Personal Data Protection Act (Wbp)? Be aware that the GDPR is stricter, so you will most likely have to draw up a new agreement.
9. Determine the supervisor for your company
Is your organisation active in several European countries? Or do your data processing activities affect people in several EU member states? Then you only have to deal with one lead privacy supervisor: the authority of the member state in which your main establishment is located, for instance the Dutch DPA. This is called the one-stop-shop mechanism.
10. Ask for consent to process data
Some data processing activities require the consent of the persons involved. Consent must be freely given, specific, informed and unambiguous, and you must be able to prove that it was given. It pays to analyse the ways in which you request, obtain and record people's consent to process their data.