Are you ready for the GDPR?
What you need to know about the GDPR
GDPR LEGISLATION: THE MOST IMPORTANT CHANGES FOR YOUR ORGANISATION
On May 25th 2018 the new General Data Protection Regulation (GDPR) will come into force (AVG in Dutch). This legislation gives consumers more control over personal data, provides more transparency concerning its use, and sets high standards with regard to security. This law applies to all businesses that are active within the EU.
GDPR IS GOING TO CHANGE THE RULES
The General Data Protection Regulation (GDPR) will be a European-wide law that will replace the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens (WBP)) as of 2018. The aim of the GDPR is to better protect the privacy and integrity of consumers’ personal data. It makes businesses responsible for assuring that privacy. If there is a question of a data leak, an organisation must be able to notify the authorities and any customers who may have been affected within 72 hours. Failure to abide by the rules may incur a fine of up to 20 million euro or 4% of global turnover.
In the new regulation, the definition of personal data has been changed to “all data that directly or indirectly makes it possible to identify a person”. This definition is very broad because it relates to all information about “an identifiable natural person”. This can include a name, location details and economic, social or cultural identity. These are usually defined as “personal data”.
All data that is processed must be communicated in advance to the persons concerned in a clear and transparent way. This means that one must state very clearly in advance how and why this data will be processed, with what aim, and what the subsequent action is.
FOR WHOM HAS THE LAW BEEN DEVELOPED?
The legislation applies to all businesses that process the personal data of EU citizens. The law was developed because the EU wishes to create a uniform, secure, European digital environment. As soon as a company processes personal data, the people concerned must have access to their own data. It must be easy to rectify mistakes in one’s own data. Furthermore, it must be possible to delete and export data.
GDPR VS CURRENT LEGISLATION
The old legislation was no longer adequate for the constantly changing world of today. A number of significant new requirements are set out below.
INFORMING THE GOVERNING AUTHORITY
After identifying a data leak, you are obliged to inform the governing authority within 72 hours.
The GDPR requires you to obtain explicit permission from the person concerned at the moment when you collect personal data. Organisations must provide specific information about the data that is collected, and how the data will be stored and processed, and they must do so in plain language. In this context, an ‘opt-in’ will not comply with the regulation. Furthermore, it must be as easy to revoke permission as to give it.
TRANSFERRING DATA OUTSIDE THE EU
Personal data must not leave the EU unless you have permission from the governing authority or the person concerned is aware of the data transfer. In addition, the person concerned must be aware of the associated risks and authorise the transfer.
APPOINTMENT OF A DATA PROTECTION OFFICER (DPO)
If you process data on a large scale, you must nominate a DPO for your organisation. The DPO is your representative to the governing authorities which monitor and safeguard compliance with the regulation. He or she is also the contact person for any questions or complaints emanating from candidates. In addition, they lead your compliance activities, as required by the Data Protection Impact Assessment (DPIA), and communicate about security policy, evaluations, compliance, subject requests and, among other things, failed notifications.
COSTS OF NEGLIGENCE
Businesses and organisations that fail to comply with the GDPR may incur a fine that can run to € 20 million or 4% of their global annual turnover. The fines are evaluated and assessed. Even when organisations commit this offence for the first time, fines can amount to 2% of their global annual turnover. Further costs may also be charged to organisations. Legal expenses are an example of these: if EU citizens feel that their rights have been infringed, and initiate and win a claim in court, these expenses can be claimed from your organisation.
HOW CAN WE HELP YOU?
Would you like to know how prepared your organisation is regarding the legal AVG / GDPR requirements, and how to prepare for them? If so, please contact us. We will be happy to help.