Watch this video for an example of how to apply the GDPR. The video uses an e-commerce example, but it gives a sense of how all entrepreneurs can think about their customers' data and privacy.
What is the GDPR?
The GDPR is a European privacy regulation that ensures businesses and organisations process personal data carefully. For instance, you must have a valid reason (a legal basis) to process personal data, and you may not collect or use more data than is necessary for that purpose. These rules apply across the EU/EEA. GDPR stands for General Data Protection Regulation; in the Netherlands, it is usually referred to as the AVG (Algemene Verordening Gegevensbescherming).
Why was the GDPR introduced?
The GDPR is a set of rules that better protects everyone's right to privacy. It means entrepreneurs have to handle personal data carefully, whether it is the data of clients, personnel, or others. Businesses must also be able to demonstrate that they comply with the GDPR.
Who does the GDPR apply to?
If your business is located in the Netherlands, you need to comply with the GDPR. The same applies if your business is established in another EU member state or in the EEA, even if it is only a subsidiary or branch. A business established outside the EU must also comply if it offers goods or services to people in the EU or monitors their behaviour, for instance when its customers, suppliers or other stakeholders are in an EU member state.
The GDPR applies to all independent entrepreneurs who process personal data. It applies to you if you are a freelancer or a small business owner, even if you have no staff or only a few customers. You need to take the regulation's requirements into account at every step of your business process, even when sending a quotation, invoice or newsletter. It does not matter whether you process the data by hand or by an automated process, nor whether you process the data on your own behalf or on someone else's.
'Processing data’ includes:
The Dutch Data Protection Authority (DPA) checks that you comply with the GDPR. If they find you do not adhere to the GDPR principles, they may issue a large fine: under the GDPR, fines can run up to €20 million or 4% of your annual worldwide turnover, whichever is higher.
File a complaint with the DPA
Anyone who believes their personal data has been processed in a way that is not in accordance with the GDPR can file a privacy complaint with the DPA (in Dutch).
10 steps to become GDPR compliant - what are the requirements?
You want to comply with the GDPR, but you are not certain how to do it. Here are 10 steps to make your business in the Netherlands GDPR compliant.
1. Get informed about the GDPR and check if you are allowed to process personal data
Read about the GDPR, or attend an information session. Do you have staff? Involve the relevant employees. They can assess the impact of the GDPR on your current processes, services, and products. They can also determine what you need to do to comply with the GDPR.
To be allowed to process personal data, you must have a legal basis. At least 1 of these 6 grounds must apply:
- The person involved has given you their permission (consent);
- You need the data to fulfil an agreement with that person. For instance, you need address details to deliver your product to your customer;
- You need the data to meet a legal obligation;
- You need the data to protect someone's life or health, and you cannot ask that person for permission;
- You need the data to perform a task in the public interest or in the exercise of official authority;
- You have a legitimate interest in processing the data, and that interest outweighs the privacy interests of the people involved. Examples are preventing fraud and securing your network and systems.
2. Inform your customers of their rights under the GDPR
Your customers have extensive privacy rights, and you must enable them to exercise these rights. For instance, your customers can:
- Ask to view, correct, and delete their data;
- Restrict or object to the processing of their data, and withdraw any permission they previously gave;
- Request their data in a structured, machine-readable format so they can take it to a different service provider. This is called data portability (the EU guidelines on data portability are available to download).
Your customers can file a complaint with the DPA. The DPA is obliged to deal with every complaint.
3. Keep a record of your processing activities
You must be able to show how and why you process personal data. To do so, you are obliged to keep a record of your processing activities, also called a processing register. The record has to state which personal data you process, for what purpose, where the data come from, and who you share them with. If a customer corrects or deletes their data, you must pass those changes on to the organisations you have shared the data with.
Keeping this register is part of what is known as accountability: you must always be able to justify how you handle personal data.
4. Find out if you need to perform a Data Protection Impact Assessment (DPIA)
Do you process data with a high privacy risk? Then you need to perform a Data Protection Impact Assessment (DPIA) before you start. A DPIA is a structured assessment that charts the risks of the intended data processing for the people involved. Based on the DPIA, you take measures to reduce those risks.
Does a high risk remain that you cannot reduce sufficiently? Then you must consult the DPA before you start processing the personal data. The DPA will determine whether the data processing is allowed under the GDPR, and you will receive written advice.
You run a high privacy risk if you:
- Systematically and extensively evaluate personal aspects of people based on automated processing, including profiling, and base decisions on these evaluations that have legal or similarly significant consequences for them;
- Process special categories of personal data (such as data on health, religion, ethnicity, or biometric data) on a large scale, or process data on criminal convictions and offences;
- Systematically monitor people on a large scale in a publicly accessible area, for instance with CCTV.
View a list of processing methods that require a DPIA (in Dutch).
5. Take privacy into account when designing new products or services
When you develop new products or services, make sure personal data are protected from the design phase onwards, for instance by pseudonymising or encrypting data and by building in access controls. This is referred to as 'privacy by design'. Your default settings should ensure that you process no more personal data than is necessary for each purpose. This is referred to as 'privacy by default'. Examples include:
- An app should not record the user's location without good cause;
- Do not pre-tick the 'yes, I want to receive offers' option on your website; the customer must actively tick it;
- Do not ask for more information than is necessary to register a subscription to a newsletter.
6. Find out if you need a data protection officer
Does your company process personal data on a large scale, for instance by systematically monitoring people or by processing special categories of data as a core activity? Then you are obliged to appoint a Data Protection Officer or DPO. This is called a Functionaris Gegevensbescherming or FG in Dutch. A DPO is responsible for checking whether your organisation acts in accordance with the GDPR. Your organisation can also appoint a DPO voluntarily. On the DPA website, you can find Guidelines on Data Protection Officers plus the FG registration form (in Dutch).
7. Document and report data leaks
A data leak (personal data breach) means personal data are lost, destroyed, altered, disclosed, or accessed without authorisation. Examples are:
- You lose a laptop, tablet, storage device, or papers that contain unencrypted personal data;
- You email personal data to the wrong person;
- The personal data you process are stolen in a cyber attack, for instance through a compromised account or database;
- Your system has been infected with ransomware, rendering the personal data inaccessible.
You have to report every serious data leak to the DPA within 72 hours of discovering it. A leak is serious when it is likely to pose a risk to the rights and freedoms of the people involved. You must also record and document every data leak in your organisation, including the internal ones that you do not have to report, so that the DPA can check how you handled them. View the guidelines (PDF) to find out which data leaks to report; these guidelines have not yet been made final. You only have to notify the persons whose data are involved in the data leak if it is likely to pose a high risk to their rights and freedoms.
Do you process personal data on behalf of your clients, as a processor? Then you are legally obliged to report any data leak that occurs during that processing to the client without undue delay, so the client can notify the DPA.
8. Draw up a data processor agreement
Do you work with companies that process personal data on your behalf and on your instructions, such as a hosting provider, a payroll service, or an external helpdesk? Then draw up a data processor agreement in accordance with GDPR Articles 28 and 29, even if the processing company is affiliated with your company or based abroad. Even a helpdesk that only views the data is processing it. Did you have a data processor agreement under the Protection of Personal Data Act (Wbp)? Be aware that the GDPR is stricter, so you will most likely have to draw up a new agreement.
9. Determine the supervisor for your company
Is your organisation active in several European countries, or do your data processing activities affect people in several EU member states? Then the GDPR lets you deal with a single lead supervisory authority: the DPA of the country where your main establishment is located, for instance the Dutch DPA. This is called the one-stop-shop mechanism.
10. Ask permission to process data
Some data processing activities require the permission (consent) of the persons involved. That consent must be freely given, specific, informed and unambiguous, so a pre-ticked box or silence does not count. You must also be able to prove that consent was given: record who consented, when, how, and to what. It pays to analyse how you request, obtain, and register people's permission to process data.