GDPR: what does it mean for you?

You want to reach out to customers, but you are not sure whether this is allowed under the GDPR (Algemene Verordening Gegevensbescherming, AVG) privacy regulation. There are 10 questions that can help you identify the actions you need to take to comply with the law. This is how you become GDPR-proof and avoid fines.

GDPR

The General Data Protection Regulation is a privacy regulation that applies to the entire European Union since 25 May 2018. The GDPR sets out the obligations companies need to meet when processing personal data. The GDPR strengthens and expands privacy rights. Users (such as your customers) have more opportunities to stand up for themselves when it comes to processing their data. They have more control over their data and what companies do with it. For example, your customers can request access to their stored data, or withdraw their consent.

Practical example

Watch the video below for an example of how to apply the GDPR. The video takes an e-commerce example, but gives a sense of how all entrepreneurs can think of their customer's data and privacy.

Deze video kun je alleen afspelen als je cookies hebt geaccepteerd. Wijzig je cookieinstellingen en ververs (F5) vervolgens deze pagina, zodat je de video kunt bekijken.

Je kunt jouw voorkeuren wijzigen op http://www.kvk.nl/cookies.

Who is affected by the GDPR?

This European data protection regulation applies to all companies and organisations that record personal data of customers, staff, or other persons from the EU. It affects virtually all entrepreneurs, including self-employed professionals and small businesses. The regulation also applies to schools, healthcare institutions, associations, and foundations. International companies doing business with the EU must comply with the GDPR as well.

The size of your company and the nature of its activities determine which GDPR measures you should take. You already need to think of GDPR when you send out a quotation, an invoice, or a (digital) newsletter. The same goes for keeping track of appointments with customers, customer contact details, or personnel records and information. In addition, data linked to IP addresses, cookies, and e-mail addresses also fall under the regulation. Even if you do not know the identity of people linked to these data, you should treat them as privacy-sensitive.

Read the interview with DPA's Monique Verdier: "Excellent customer care? That includes data protection"

GDPR-proof in 10 steps

In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) monitors compliance with the legal regulations for the protection of personal data. The DPA has created the AVG-Regelhulp (GDPR Support Tool, in Dutch) to help you determine the impact of the GDPR on your business. It offers the following 10 questions. After answering these questions, you can get to work immediately.

1. What kind of personal data do you process?

Make an inventory of which personal data you process. Personal data is any information that is directly about someone or that can be traced back to someone, such as their name, address, telephone number, and citizen service number (BSN).

In addition to 'regular' personal data, there also is special personal data. These include data about someone's health, criminal record, or political affiliation. It is prohibited to use special personal data, unless you have a legal exception (in Dutch).

2. Do you have a basis for processing personal data?

You can only process personal data when you really need it to achieve your goals and there is no other way to do so. So you need a good reason, or 'basis'. For example, when you have permission from the person involved. Or because it is necessary for fulfilling an agreement. There are 6 bases defined in the GDPR.

3. Do you need a Data Protection Officer?

Some organisations are required to appoint a Data Protection Officer. This is someone within the organisation who oversees the implementation of, and compliance with, the GDPR. Such an officer is mandatory for:

  • governments and public organisations;
  • organisations and companies that monitor individuals on a large scale as part of their core activities. Examples are camera surveillance or monitoring someone's health through wearables;
  • organisations and companies that process special personal data on a large scale and for whom this is a core activity. Special personal data are, for example, data about someone's health, race, political views, religion, or criminal record.

4. Are you obliged to carry out a data protection impact assessment?

When processing data with a high privacy risk, a data protection impact assessment (DPIA, in Dutch) is mandatory. If the analysis shows that the privacy risks are high, you can take measures to reduce them. A DPIA must be carried out in any case if you:

  • process special personal data, such as race, religion, health, political views, genetic or biometric data, on a large scale; 
  • systematically monitor people on a large scale in publicly accessible areas, for example with camera surveillance; 
  • combine data in such a way that a person can be classified into a certain category or group and can therefore be contacted or assessed (profiling).

5. Do you work according to the principles of ‘privacy by design’ and ‘privacy by default’?

Make sure that during the design phase of new products and services personal data protection forms an integral part of the technical and organisational aspects of the design. This is also called 'privacy by design'. In addition, the default settings must respect someone's privacy (privacy by default) until the person gives permission. For example, you may not use a (web) form with pre-ticked boxes.

6. Do you have to draw up a register of processing activities?

In a processing register you record which personal data you use, for what purpose, where you store them, and with whom you possibly share them. You are obliged to work with a register if your organisation:

  • processes personal data of which the processing is more than incidental;
  • processes high-risk personal data, such as data about health, religion, or political views;
  • has more than 250 employees.

In practice, (almost) all organisations will be obliged to keep a GDPR processing register. This is because organisations usually deal with some form of customer, supplier, or personnel management. If people ask you to correct or remove their data, you may need to rely on this register. Also remember to pass on these requests to other organisations with which you have shared the personal data.

Do you not have a good reason (anymore) to process personal data? Then you must remove the data from your records. Your customer has the 'right to be forgotten' (in Dutch), which means that your business 'forgets' the customer.

7. Have you taken the right measures to protect personal data?

The GDPR states that you must protect personal data well. Determine what technical and organisational measures are necessary to ensure that the processing really happens securely. This is how you ensure a digitally secure company.

8. Do you have the required agreements with parties that process personal data for you?

Make sure you have a good data processing agreement with the party to whom you outsource the data processing. As an entrepreneur, you need to be sure that the data used is secure.

9. Do you comply with the obligation to provide information?

Your customers have many rights related to privacy. Make sure that they can easily make use of these rights. Draw up a privacy statement in simple language, stating the following:

  • What you do with personal data.
  • What you use the data for. 
  • Why it is important for your customers. 
  • How long you keep the data.

Make sure that this statement is easy to find.

10. Are you prepared for people wanting to exercise their privacy rights?

Users (such as your customers) have a legal say over their data and what companies do with it. Your customer can, for example, request access to stored data or withdraw their given consent. It is important to prepare your organisation for this. Customers who think that their personal data is being processed in a way that violates the data protection regulation can submit a privacy complaint to the Dutch Data Protection Authority (in Dutch). The DPA can then conduct an investigation on the basis of that complaint. This can result in you getting fined.

Tips

Aleid Wolfsen is the chairman of AP, the organisation that supervises compliance with the GDPR in the Netherlands. Wolfsen gives the following tip: "Use your common sense. Always ask yourself: do I really need this data, and can I use this data just like that or should I ask permission? Then you will come a long way towards knowing what is and what is not allowed."

Monique Verdier, vice president of AP, adds: "Entrepreneurs cannot know everything. Join a sector association. They have roadmaps that will help you meet the basic requirements."

Lees dit artikel in het Nederlands

InfoPage