What is allowed, and what is not allowed according to the GDPR? You want to avoid a fine, but you do not want feel limited in your business operations either. How can you do this? Answer the 10 questions and get to work on the action points.
GDPRThe General Data Protection Regulation is a privacy regulation that applies to the entire European Union. The GDPR sets out the obligations companies need to meet when processing personal data. The GDPR strengthens and expands privacy rights. Users (such as your customers) have more opportunities to stand up for themselves when it comes to processing their data. They have more control over their data and what companies do with it. For example, your customers can request access to their stored data, or withdraw their consent.
Who is affected by the GDPR?
This European data protection regulation applies to all companies and organisations that record personal data of customers, staff, or other persons from the EU. It affects virtually all entrepreneurs, including self-employed professionals and small businesses. The regulation also applies to schools, healthcare institutions, associations, and foundations. International companies doing business with the EU must comply with the GDPR as well.
The size of your company and the nature of its activities determine which GDPR measures you should take. You already need to think of GDPR when you send out a quotation, an invoice, or a (digital) newsletter. The same goes for keeping track of appointments with customers, customer contact details, or personnel records and information. In addition, data linked to IP addresses, cookies, and e-mail addresses also fall under the regulation. Even if you do not know the identity of people linked to these data, you should treat them as privacy-sensitive.
Read the interview with DPA's Monique Verdier: "Excellent customer care? That includes data protection"
GDPR-proof in 10 stepsIn the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) monitors compliance with the legal regulations for the protection of personal data. The DPA has created the AVG-Regelhulp (GDPR Support Tool, in Dutch) to help you determine the impact of the GDPR on your business. It offers the following 10 questions. After answering these questions, you can get to work immediately.
1. What kind of personal data do you process?
Make an inventory of which personal data you process. Personal data is any information that is directly about someone or that can be traced back to someone, such as their name, address, telephone number, and citizen service number (BSN).In addition to 'regular' personal data, there also is special personal data. These include data about someone's health, criminal record, or political affiliation. It is prohibited to use special personal data, unless you have a legal exception (in Dutch).
2. Do you have a basis for processing personal data?You can only process personal data when you really need it to achieve your goals and there is no other way to do so. So you need a good reason, or 'basis'. For example, when you have permission from the person involved. Or because it is necessary for fulfilling an agreement. There are 6 bases defined in the GDPR.
3. Do you need a Data Protection Officer?
Some organisations are required to appoint a Data Protection Officer. This is someone within the organisation who oversees the implementation of, and compliance with, the GDPR. Such an officer is mandatory for:
- governments and public organisations;
- organisations and companies that monitor individuals on a large scale as part of their core activities. Examples are camera surveillance or monitoring someone's health through wearables;
- organisations and companies that process special personal data on a large scale and for whom this is a core activity. Special personal data are, for example, data about someone's health, race, political views, religion, or criminal record.
4. Are you obliged to carry out a data protection impact assessment?
When processing data with a high privacy risk, a data protection impact assessment (DPIA) is mandatory. If the analysis shows that the privacy risks are high, you can take measures to reduce them. A DPIA must be carried out in any case if you:
- process special personal data, such as race, religion, health, political views, genetic or biometric data, on a large scale;
- systematically monitor people on a large scale in publicly accessible areas, for example with camera surveillance;
- combine data in such a way that a person can be classified into a certain category or group and can therefore be contacted or assessed (profiling).
5. Do you work according to the principles of ‘privacy by design’ and ‘privacy by default’?Make sure that during the design phase of new products and services personal data protection forms an integral part of the technical and organisational aspects of the design. This is also called 'privacy by design'. In addition, the default settings must respect someone's privacy (privacy by default) until the person gives permission. For example, you may not use a (web) form with pre-ticked boxes.
6. Do you have to draw up a register of processing activities?
In a processing register you record which personal data you use, for what purpose, where you store them, and with whom you possibly share them. You are obliged to work with a register if your organisation:
- processes personal data of which the processing is more than incidental;
- processes high-risk personal data, such as data about health, religion, or political views;
- has more than 250 employees.
In practice, (almost) all organisations will be obliged to keep a GDPR processing register. This is because organisations usually deal with some form of customer, supplier, or personnel management. If people ask you to correct or remove their data, you may need to rely on this register. Also remember to pass on these requests to other organisations with which you have shared the personal data.
7. Have you taken the right measures to protect personal data?The GDPR states that you must protect personal data well. Determine what technical and organisational measures are necessary to ensure that the processing really happens securely. This is how you ensure a digitally secure company.
8. Do you have the required agreements with parties that process personal data for you?Make sure you have a good data processing agreement with the party to whom you outsource the data processing. As an entrepreneur, you need to be sure that the data used is secure.
9. Do you comply with the obligation to provide information?
Your customers have many rights related to privacy. Make sure that they can easily make use of these rights. Draw up a privacy statement in simple language, stating the following:
- What you do with personal data.
- What you use the data for.
- Why it is important for your customers.
- How long you keep the data.
Make sure that this statement is easy to find.
10. Are you prepared for people wanting to exercise their privacy rights?Users (such as your customers) have a legal say over their data and what companies do with it. Your customer can, for example, request access to stored data or withdraw their given consent. It is important to prepare your organisation for this. Customers who think that their personal data is being processed in a way that violates the data protection regulation can submit a privacy complaint to the Dutch Data Protection Authority (in Dutch). The DPA can then conduct an investigation on the basis of that complaint. This can result in you getting fined. In 2019, more than 27,800 people filed a complaint with the authority regarding possible privacy violations.
Some background on the GDPR
The European Union used to have several privacy laws, which originated from the European Data Protection Directive of 1995. As of 25 May 2018, these laws have been replaced by the GDPR. With this, the European Union has one privacy law. In the Netherlands, the GDPR replaces the Personal Data Protection Act (Wet Bescherming Persoonsgegevens, Wbp).
What has 3 years of GDPR meant for entrepreneurs? We sat down with Monique Verdier of the DPA to find out.