As of 25 May 2018, the General Data Protection Regulation (GDPR) will be applied throughout the European Union. The European Commission wants to strengthen the position of citizens towards all companies and agencies that process their personal data. But what are the consequences of the new European privacy regulation for your company?
More effective supervision should be possible by obliging companies to map out exactly what they do with personal data. If your company does not adequately protect processed personal data you risk a fine that may amount to 4% of annual sales. In order to prepare your company for the GDPR, follow the 10 steps below.
1. Assess the scope of the data processing
Determine the risks for your company and map the scope of the processing of personal data.
2. Be accountable
Make sure that the people in your business making decisions and having knowledge about the legal and technological processing of data are aware of these new privacy rules.
3. Actively protect the rights of those involved and ensure legal consent
The new law ensures that the people whose personal data is processed can properly exercise their privacy rights. You are therefore obliged to respect these rights, including the right to receive information, the right to object to profiling and automated decision-making, the right to be forgotten, and the right to data portability, which means that individuals can receive their personal data in a standard format so these can easily be passed on to another supplier of a similar service.
4. Determine if you are required to perform a Privacy Impact Assessment
A Privacy Impact Assessment is a risk analysis that has to be performed particularly in case of data processing with an increased privacy risk (such as large scale processing, profiling, prognoses, special data, linking of data collections, new technologies, processing outside the EU, etc.).
5. Establish a register of your data processing
Your company must establish and maintain a register of all the data processing activities taking place within the company and/or under the responsibility of the company. Supervisors may request access to this register.
The protection of personal data should already be ensured during the design process of products and services (Privacy by design). Subsequently, you are required to take technical and organizational measures to make sure that you are only processing the absolutely necessary data for the specific purpose of your company (Privacy by default).
7. Determine retention periods
In step 1, you have identified with what purpose your company processes certain data. Now, determine how long you are allowed to store this data for that specific purpose, when this term starts to run, and how it is maintained.
8. Create a data breach protocol and maintain a register
A data breach means that personal data has been unintentionally released, made accessible, destroyed or modified. The law does impose stricter requirements on the registration of data breaches within your company. Therefore, your company should document data breaches accurately so that the supervisory authority can check whether you have complied with the notification requirement.
9. Assess the agreements with your data processors
Consider your administration office, cloud- and IT services, as well as other service providers storing or otherwise accessing the personal data collected by your company. Your company is required to enter into agreements with all these data processors in order to ensure that all processed data is properly protected and the data processor fulfill their obligations under the GDPR.
10. Determine your supervisory authority
Do you have offices in other EU Member States? Then you will only have to deal with the “leading supervisor”. This will usually be the supervisory authority of the Member State where your main office is located.
Download the complete white paper here
Heffels Spiegeler Advocaten
T +31 70 217 02 00
M [email protected]