GDPR: what does it mean for you?

You want to reach out to customers, but you are not sure if this is allowed under the EU General Data Protection Regulation privacy rules. Here are 10 questions that can help you identify the actions you need to take to comply with the law and avoid fines.

GDPR

The General Data Protection Regulation (GDPR) has been in effect in the European Union since 25 May 2018. In the Netherlands it is known as the privacy law Algemene Verordening Gegevensbescherming, or AVG. As an entrepreneur, you have obligations under the GDPR when processing personal data.

Your customers, employees and suppliers must know what data you have about them, and they must be able to stand up for themselves when it comes to the processing of their data. For example, your customers can request access to their stored data, or revoke a previously given permission.

Practical example

The video below explains part of the GDPR and shows how the law is properly applied.

Video: GDPR: privacy and personal details

Who does the GDPR apply to?

The European data protection regulation applies to all companies and organisations that record personal data of customers, staff, or other persons from the EU. Virtually all entrepreneurs have to deal with privacy-sensitive information, including self-employed professionals and small businesses. The regulations also apply to government, schools, healthcare institutions, associations, and foundations. International companies doing business with the EU also must comply with the GDPR.

The size, type of work, and services of your company determine which GDPR measures you should take. You already need to think about this when you send out a quotation or newsletter, or keep track of appointments and contact details of (future) customers and employees.

GDPR-compliant in 10 steps

The AVG-Regelhulp (GDPR Support Tool, in Dutch) from the Dutch Data Protection Authority (AP) helps you determine the impact of GDPR on your company. This contains the 10 questions below. After answering these questions you can get started right away.

1. What kind of personal data do you process?

Make an inventory of which personal data you process. Personal data is any information that is directly about someone or that can be traced back to someone, such as their name, address, telephone number, and citizen service number (BSN).

In addition to 'regular' personal data, there is also special personal data. This includes, for example, a person's health or criminal records, or political affiliation. It is illegal to use special personal data, unless you meet a number of strict conditions. 

2. Do you have a good reason to process personal data?

You can only process personal data when you really need it to achieve your goal and there is no other way to do so. You need a good reason, or 'basis'. For example, that you have permission from the person it concerns. There are 6 bases in the GDPR.

3. Do you need a Data Protection Officer?

In some organisations a Data Protection Officer is required. This is someone who oversees the application and compliance of the GDPR within the organisation. This officer is mandatory for:

  • Government and public organisations;
  • Organisations and companies that monitor individuals on a large scale as part of their core activities. Examples are camera surveillance and monitoring someone's health;
  • Organisations and companies that process special personal data on a large scale and for whom this is a core activity. Special personal data are, for example, data about someone's health, race, political views, religion, or criminal record.

4. Are you obliged to carry out a data protection impact assessment?

When processing data with a high privacy risk, a data protection impact assessment (DPIA, in Dutch) is mandatory. If the DPIA shows that the risks are high, you must take measures to reduce them. You must in any case perform a DPIA if you:

  • Process special personal data on a large scale; 
  • Systematically monitor people on a large scale in publicly accessible areas, for example with camera surveillance; 
  • Combine data in such a way that a person can be classified into a certain category or group and can therefore be contacted or assessed. This is called profiling.

5. Do you work according to the principles of 'privacy by design' and 'privacy by default'?

Make sure that you properly protect personal data during the design phase of new products or services. This is called 'privacy by design'. In addition, the default settings must respect someone's privacy until the person gives permission. This is called 'privacy by default'. For example, you may not use a (web) form with pre-ticked boxes.

6. Do you have to set up a register of processing activities?

In a processing register you record which personal data you use, for what purpose, where you store the data, and with whom you share it. You are obliged to work with a register if your organisation:

  • Regularly processes personal data.
  • Processes high-risk personal data, such as data about health, religion, or political views.
  • Has more than 250 employees.

Virtually all businesses store customer, supplier, or personnel data and must keep a processing register. The processing register is an overview of all types of personal data that you process. The register must meet a number of requirements. You must include, among other things, what the purpose of the data processing is and how long you keep the data. Find out how to set up a GDPR processing register.

7. Have you taken the right measures to protect personal data?

The GDPR states that you must protect personal data. Determine what technical and organisational measures are required for this. This way you ensure a digitally secure company. Are you working in a digitally secure way? Take a look at this checklist.

8. Do you have the required agreements with parties that process personal data for you?

Ensure a good processing agreement with the organisation to which you outsource data processing. As an entrepreneur, you must be sure that they also handle your data securely.

9. Do you comply with the information obligation?

Create a privacy statement in plain language. Include what you do with personal data, what you use it for, how long you keep it and why it is important. Make sure this statement is easy to find. Customers have the right to know what happens to their data. You have a duty to inform them about this.

10. Are you prepared for people wanting to exercise their privacy rights?

Users, such as your customers, have control over their data and what you do with it. For example, your customer can request access to stored data or withdraw their previously given consent. Prepare your organisation for this. Customers who think that their personal data is not being processed in accordance with the privacy regulation can submit a privacy complaint to the Dutch Data Protection Authority (in Dutch). If the complaint is justified, you can be fined.

Do you no longer have a good reason to process personal data? Then you have to remove it. The customer has the right to be forgotten. This means that the organisation 'forgets' the customer.