GDPR - hot topic, tepid execution - 1A First Alternative

On 25 May 2018 the new European privacy regulation GDPR will be implemented. Much has been published on this subject. Then why publish an article again? Many people are worried about the feasibility within their organization, especially now that the deadline is approaching. In practice, a Dutch adage applies: the soup is never consumed as hot as it is served. But you must be able to prove that you are working on compliance.

What is the GDPR really about?

The GDPR applies to the personal data of EU citizens and / or data processors based in the EU. Personal data is data that can be attributed to an individual, or with which an individual can be identified: name, photo, telephone number, address, bank account number, e-mail address, IP address, fingerprint, medical data, and so on.

The following rules must be followed:

transparency: ask explicit permission from each person to be allowed to store their personal data, state what you are going to use it for and state their rights;
goal limitation: use the personal data only for the purpose for which you have obtained the approval of the owner;
data limitation: collect only the necessary data;
accuracy: make sure that the personal data is and remains correct;
storage restriction: keep the personal data no longer than necessary for the intended purpose;
integrity and confidentiality: protect the personal data against unauthorized access, loss and destruction;
accountability: make sure that you can demonstrate compliance with these rules.

GDPR compliance checklist

The basis of the principle behind the GDPR can be summarized as two main principles:

application of data protection principles through design (privacy by design)
application data protection by default settings (privacy by default)

In order to accomplish this, a number of questions have to be answered:

what data is used and are they really needed?
what is the data used for?
where and how is the data stored?
is the data encrypted or otherwise non-attributable to persons?
how is the person whose data is processed being informed?
how is permission obtained and processed?
How are the rights of the person whose data is processed met?

Minimum efforts for May 25, 2018

To ensure that your company is ready for 25 May, there are a number of issues that really need to be taken care of.

Appointing a data protection officer

Designate someone as the data protection officer. This person is responsible for everything regarding the GDPR and must also have full authority to ensure that the company complies with the GDPR.

Take stock and draft an action plan

First create a list of business processes where you process personal data. Think of software such as CRM / ERP, accounting and mailing lists, but also individual documents. Then answer the questions mentioned in the GDPR compliance checklist above.

Then indicate for each process what needs to be done to comply with the GDPR and when that should be finished.

Set up a procedure for data leaks

The obligation to report data leaks has been applicable since 1 January 2016. This is also included in the GDPR. As a result, it is mandatory to report this immediately to the Dutch Data Protection Authority after having been made aware of the data breach and to prepare a report within 72 hours. The persons whose personal data has been leaked must be informed, unless the personal data was made incomprehensible by pseudonymisation (such as encryption).

Notifications can be made via the website https://datalekken.autoriteitpersoonsgegevens.nl

Not immediately necessary, but useful nonetheless

In order to ensure that taking stock of existing business processes doesn’t become an endless cycle, it is advisable to answer the questions mentioned above in the GDPR compliance checklist above, even before taking it into commission. Then you are immediately ensured of compliance for new business processes.