Dutch DPA published 10 steps to prepare for GDPR
Recently the Dutch Data Protection Authority (Autoriteit Persoonsgegevens: "AP") published a 10-step plan for Dutch organizations to prepare for the GDPR. It is a practical plan intended to encourage organizations to start preparing step by step.
Some "new" obligations under the GDPR that still need to be implemented in other countries (such as the data breach notification duty and the ability of the DPA to impose substantial fines) were already incorporated in Dutch law, which should give Dutch organizations a little breathing room. In this article you will find the 10-step plan of the Dutch DPA, accompanied by some additional practical insights on preparing for the GDPR.
1. Awareness
Key players in the organization (e.g. policy makers) need to be aware of the upcoming privacy rules. They should assess the impact of the GDPR on current processes, services and products and what is necessary to meet the GDPR in May 2018.
The first useful step within each organization is to identify and list the stakeholders in the processing of personal data and the risks involved with it, for instance customers, employees, financiers, shareholders and the works council. This information helps to create a support base for the implementation of a privacy policy or course of action: it answers the question of "why" steps need to be taken to make the organization GDPR-proof, apart from the fact that the GDPR is the law and compliance is mandatory. Without a sufficient support base within the company, making an organization GDPR-ready is next to impossible. For one thing, the support base is needed to secure sufficient resources to make it happen. Awareness and support throughout the whole organization are needed to prevent personal data from being processed outside the legal boundaries.
2. Rights of individuals
Individuals have more rights under the GDPR. Organizations should enable these individuals to exercise their rights. Not only existing rights, but also new rights like data portability requests. Organizations should be aware that individuals may file complaints regarding the handling of their personal data with the AP.
Be prepared to handle such requests. Starting to set up a procedure for handling data subjects' requests only after the first request has been received will prove to be unworkable: the statutory time limit for responding to such requests requires a procedure to be in place before a request is made. The right to data portability concerns data provided (passively or actively) by the data subject (such as customers and employees) where the processing is based on consent or on a contract and is carried out by automated means. One way to provide a data subject with their personal data through technical means would be to offer a download option on the person's internal company dashboard. The challenging part will be to ensure that only the personal data the employee will need in their new employment is transferred.
3. Overview of processing activities
Under the GDPR organizations must map their processing activities to be able to prove they comply with the GDPR. They should make an overview of their processing activities: which personal data do they process, what is the purpose and legal basis for processing, where do these data come from and with whom are they sharing these data.
Identifying and listing all categories of personal data processed within the organization, together with the other elements needed to create an overview of the organization's processing activities, must be done from a controller perspective and, where applicable, from a processor perspective. Not all organizations are processors, but every organization is a controller with regard to the personal data of its employees and customers.
4. Privacy impact assessment (PIA)
Organizations may be obliged to conduct a PIA to identify the privacy risks in their organization. A PIA is required, for example, for high-risk processing activities. If an organization cannot find measures to mitigate the risk, it should consult the AP before starting the high-risk processing activities.
The GDPR is risk-based rather than rule-based. The appropriate measures to be taken depend on the risk level of the processing activity. Each organization needs to decide on its 'risk appetite'.
5. Privacy by design & privacy by default
Awareness of the principles 'privacy by design' and 'privacy by default' should be created. Organizations should verify how these principles should be implemented in their organization.
Both privacy by design and privacy by default require an organization to take these principles into consideration at the first stage of the product or service development process. Taking privacy by design and by default into account at a later stage will be more costly and almost certainly inefficient.
6. Data Protection Officer
Organizations may be obliged to appoint a Data Protection Officer. They should determine in good time whether their organization is subject to this obligation and, if so, start a selection procedure.
A DPO does not have to be appointed from within the organization but may also be an external party. What matters is that this person has expert knowledge of the GDPR as well as sufficient knowledge of the organization and its processes, and can operate independently. If the board of directors decides not to follow the advice of the DPO, the board will have to document that decision. A DPO is protected against dismissal in connection with the DPO role and function, to enable the DPO to operate independently.
7. Mandatory data breach notification
The obligation to report data breaches remains largely the same under the GDPR. However, there are stricter rules for the internal documentation of data breaches. Based on such documentation the AP should be able to verify whether an organization complied with the mandatory data breach notification.
Many data breaches occur due to human error. It is therefore paramount, aside from having state-of-the-art technical security measures in place, to create awareness among staff members of what a data breach entails and which actions need to be taken when confronted with one. Be careful not to instill (too much) fear, as data breaches might then be swept under the carpet instead of being dealt with in an appropriate manner.
8. Data processing agreements
Existing data processing agreements should be assessed to determine whether they are still adequate and meet the stricter GDPR requirements.
A significant difference in the relationship between the controller and the processor is that the GDPR imposes some legal obligations on the processor directly. These include the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing; the obligation to notify the controller without undue delay after becoming aware of a personal data breach; and, under some circumstances, the obligation to appoint a DPO.
9. Lead supervisory authority
If an organization has multiple establishments in various EU Member States, or if processing activities have an impact on various EU Member States, only one supervisory authority will be competent to act as lead supervisory authority. Organizations should identify the lead supervisory authority applicable to them.
10. Consent
Under the GDPR stricter rules apply to the reliance on consent as a legal basis for processing. Organizations should evaluate the way they request, obtain and record consent and amend it where necessary. Organizations should be able to demonstrate that they have obtained valid consent from individuals to process their personal data. Furthermore, it should be as easy for individuals to withdraw their consent as it is to give it.
Article provided by: Irvette Tempelman - Cordemeyer & Slager / Advocaten, The Netherlands