GDPR: what does it mean for you?

You want to reach out to customers, but you are not sure if this is allowed under the General Data Protection Regulation (GDPR, or AVG in the Netherlands) privacy regulation. Here are 10 questions that can help you identify the actions you need to take to comply with the law. This is how you become GDPR compliant and avoid fines.

GDPR

The General Data Protection Regulation (GDPR) has been in effect for the European Union since 25 May 2018. In the Netherlands it is known as privacywet Algemene Verordening Gegevensbescherming or AVG. As an entrepreneur, you have obligations when processing personal data due to the GDPR. Your customers, employees and suppliers must know what data you have about them and suppliers must know what data you have about them and can stand up for themselves when it comes to processing their data. For example, your customers can request access to their stored data, or revoke a previously given permission.

Practical example

The video below explains part of the GDPR and shows how the law is properly applied.

Who does the GDPR apply to?

The European data protection regulation applies to all companies and organisations that record personal data of customers, staff, or other persons from the EU. Virtually all entrepreneurs have to deal with privacy-sensitive information, including the self-employed professionals and small businesses. The regulation also applies to government, schools, healthcare institutions, associations, and foundations. International companies doing business with the EU also must comply with the GDPR.

The size, type of work, and services of your company determine which GDPR measures you should take. You already need to think of it when you send out a quotation or newsletter. Or by keeping track of appointments and contact details of (future) customers and employees. Data that is linked to IP addresses and tracking software, such as tracking with cookies, also fall under the regulation. Even if you do not know who owns the data, you should treat it as privacy-sensitive information.

GDPR-compliant in 10 steps

The AVG-Regelhulp (GDPR Support Tool, in Dutch) from the Dutch Data Protection Authority (AP) helps you determine the impact of GDPR on your company. This contains the 10 questions below. After answering these questions you can get started right away.

1. What kind of personal data do you process?

Make an inventory of which personal data you process.  Personal data is any information that is directly about someone or that can be traced back to someone, such as their name, address, telephone number, and citizen service number (BSN).

In addition to 'regular' personal data, there also is special personal data. This includes, for example, a person's health or criminal records, or political affiliation. It is illegal to use special personal data, unless you meet a number of strict conditions. 

2. Do you have a good reason to process personal data?

You can only process personal data when you really need it to achieve your goal and there is no other way to do so. You need a good reason, or 'basis'. For example, that you have permission from the person it concerns. There are 6 bases in the GDPR.

3. Do you need a Data Protection Officer?

In some organisations a Data Protection Officer is required. This is someone who oversees the application and compliance of the GDPR within the organisation. This officer is mandatory for:

• Government and public organisations;
• Organisations and companies that monitor individuals on a large scale as part of their core activities. Examples are camera surveillance and monitoring someone's health;
• Organisations and companies that process special personal data on a large scale and for whom this is a core activity. Special personal data are, for example, data about someone's health, race, political views, religion, or criminal record.

4. Are you obliged to carry out a data protection impact assessment?

When processing data with a high privacy risk, a data protection impact assessment (DPIA, in Dutch) is mandatory. If the DPIA's analysis shows that the risks are high, then you must take measures to reduce them. You must in any case perform a DPIA if you:

• Process special personal data, such as race, religion, health, political views, genetic or biometric data, on a large scale; 
• Systematically monitor people on a large scale in publicly accessible areas, for example with camera surveillance; 
• Combine data in such a way that a person can be classified into a certain category or group and can therefore be contacted or assessed. This is called profiling.

5. Do you work according to the principles of ‘privacy by design’ and ‘privacy by default’?

Make sure that you properly protect personal data during the design phase of new products or services. This is called 'privacy by design'. In addition, the default settings must respect someone's privacy until the person gives permission. This is called 'privacy by default.' For example, you may not use a (web) form with pre-ticked boxes.

6. Do you have to set up a register of processing activities?

In a processing register you record which personal data you use, for what purpose, where you store it, and with whom you share it. You are obliged to work with a register if your organisation:

• Regularly processes personal data.
• Processes high-risk personal data, such as data about health, religion, or political views.
• Has more than 250 employees.

Because customer, supplier, or personnel management is common, many organisations are obliged to keep a processing register. The processing register is an overview of all types of personal data that you process. The register must meet a number of requirements. You must include, what the purpose of the data processing is and how long you keep the data. Find out how to set up a GDPR processing register. 

7. Have you taken the right measures to protect personal data?

The GDPR states that you must protect personal data must be properly secured. Determine what technical and organisational measures are required for this. This way you ensure a digitally secure company. Are you working in a digitally secure way? Take a look at this checklist.

8. Do you have the required agreements with parties that process personal data for you?

Ensure a good processing agreement with the organisation to which you outsource data processing. As an entrepreneur, you must be sure that they also handle your data securely.

9. Do you comply with the information obligation?

Create a privacy statement in plain language. Include what you do with personal data, what you use it for, how long you keep it and why it is important. Make sure this statement is easy to find. Customers have the right to know what happens to their data. You have a duty to inform them about this.

10. Are you prepared for people wanting to exercise their privacy rights?

Users, such as your customers, have control over their data and what you do with it. For example, your customer can request access to stored data or withdraw their previously given consent. Prepare your organisation for this. Customers who think that their personal data is not being processed in accordance with the privacy regulation can submit a privacy complaint to the Dutch Data Protection Authority (in Dutch). If the complaint is justified, you can be fined.

Do you no longer have a good reason to process personal data? Then you have to remove it. The customer has the right to be forgotten. This means that the organisation 'forgets' the customer.

Tips

Aleid Wolfsen is the chairman of AP, the organisation that supervises compliance with the GDPR in the Netherlands. Wolfsen gives the following tip: "Use your common sense. Always ask yourself: do I really need this data, and can I use this data just like that or should I ask permission? Then you will come a long way towards knowing what is and what is not allowed."

Monique Verdier, vice president of AP, adds: "Entrepreneurs cannot know everything. Join a trade association. They have roadmaps that will help you meet the basic requirements."