GDPR - Are you ready for it?
By: Niek Boonman
The GDPR (General Data Protection Regulation) goes into effect on May 25th, 2018 and gives individuals more rights over their privacy, while organizations have to meet more obligations to ensure them. The AVG is the Dutch implementation of the new General Data Protection Regulation (GDPR) that will apply to all European member states and replaces the Dutch Personal Data Protection Act (Wbp).
For all personal data that is processed, the legitimacy of its collection must be justified: from your own employee and customer administration to visitors of a website and recipients of marketing communications. Data may not simply be collected. You must have a purpose for collecting it, and you may only request the data that is strictly necessary for that purpose. You also need a legal basis to process this information, for example because it is necessary to perform an agreement, because of a legal obligation, or because you have the permission of the person concerned. In addition, the privacy of the person must be the starting point and the security has to be optimal.
So the GDPR applies to your organisation as a whole, but since we're an online software supplier we want to use this article mainly to introduce the consequences for websites and online platforms. The Authority on Personal Data (Autoriteit Persoonsgegevens) has a dossier (in Dutch) about the new GDPR with extensive information, and has developed a GDPR tool (in Dutch) to give you a first impression of the consequences for your organisation. Would you like further advice on how to introduce the GDPR in your entire organization? Then engage a specialized party.
The AVG requires good preparation. To begin with, you need to know which personal data is being processed. Processing encompasses every action that can be applied to data, such as storing, changing and deleting, but also, for example, viewing and distributing. So you have to establish how your site processes personal data:
- Which data is processed via the site?
- For what purpose is this data processed?
- Can I process this data according to the regulation?
- How long do I keep this data?
- With which other parties do I share this data?
These aspects of data processing must be documented so that you can account for them to visitors and the authorities. Under the new GDPR legislation, documenting data leaks is also mandatory, and a leak must be reported to the authorities if it has serious consequences. In some cases it may be necessary to carry out a risk analysis or to appoint someone with expertise in the field of privacy and security.
The GDPR legislation in practice
Which measures should be taken for a website to meet the GDPR legislation? You should, for example, think of:
- Not placing tracking cookies without permission.
- Only ask visitors for essential information.
- Get explicit consent before you process personal data.
- Allow visitors to exercise their rights, such as deletion of their data.
- Use a secure SSL/TLS (HTTPS) connection and take other security measures.
- Limit access to the data of the website to authorized employees.
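The first three measures in this list (no tracking cookies without permission, explicit consent, and letting visitors exercise their rights) can be enforced in the site's own front-end code. The following is an added example, not code from the original article or from the author's products: a small consent gate that classifies cookies as essential or tracking, refuses to set a tracking cookie until consent has been explicitly recorded, and erases tracking cookies again when consent is withdrawn. The cookie names in `COOKIE_CATEGORIES`, the in-memory cookie jar and the `demo()` walkthrough are constructed for illustration; in a browser you would pass an adapter around `document.cookie` instead of the memory jar.

```javascript
// Added example (not from the original article): a minimal consent gate for
// browser cookies. Cookies are either "essential" (allowed without consent,
// e.g. a session cookie) or "tracking" (set only after explicit, recorded
// consent). The cookie jar is injected so the logic runs in Node as well as
// in a browser behind an adapter around document.cookie.

// Constructed classification table: cookie name -> category.
const COOKIE_CATEGORIES = {
  session_id: 'essential',   // keeps the visitor logged in
  csrf_token: 'essential',   // protects forms against cross-site requests
  _analytics_id: 'tracking', // analytics identifier (hypothetical name)
  _ad_visitor: 'tracking',   // advertising identifier (hypothetical name)
};

// Unknown cookie names are treated as tracking, so a newly added cookie
// cannot bypass the gate simply by being unclassified.
function categoryOf(name) {
  return COOKIE_CATEGORIES[name] || 'tracking';
}

function createConsentGate(jar, now = () => new Date()) {
  // null means the visitor has not decided yet; nothing is assumed.
  let consent = null;

  function eraseTrackingCookies() {
    let removed = 0;
    for (const name of jar.names()) {
      if (categoryOf(name) === 'tracking') {
        jar.remove(name);
        removed += 1;
      }
    }
    return removed;
  }

  return {
    // Record an explicit decision with a timestamp, so the site can later
    // account for when and what the visitor agreed to.
    recordConsent(trackingAllowed) {
      consent = { tracking: Boolean(trackingAllowed), recordedAt: now().toISOString() };
      if (!consent.tracking) eraseTrackingCookies(); // withdrawal removes data
      return consent;
    },
    getConsent() { return consent; },
    // Set a cookie only when its category is currently permitted.
    setCookie(name, value) {
      if (categoryOf(name) === 'tracking' && !(consent && consent.tracking)) {
        return false; // refused: no (or withdrawn) consent for tracking
      }
      jar.set(name, value, { secure: true, sameSite: 'Lax' });
      return true;
    },
    eraseTrackingCookies,
  };
}

// Constructed in-memory cookie jar for running the example offline.
function createMemoryJar() {
  const store = new Map();
  return {
    set(name, value, attrs) { store.set(name, { value, attrs }); },
    get(name) { return store.has(name) ? store.get(name).value : undefined; },
    remove(name) { store.delete(name); },
    names() { return [...store.keys()]; },
  };
}

// Walk through the lifecycle: before consent, after consent, after withdrawal.
function demo() {
  const jar = createMemoryJar();
  const gate = createConsentGate(jar);
  const beforeConsent = {
    essential: gate.setCookie('session_id', 'abc'),   // allowed without consent
    tracking: gate.setCookie('_analytics_id', 'u-1'), // refused: no consent yet
  };
  gate.recordConsent(true);
  const afterConsent = gate.setCookie('_analytics_id', 'u-1'); // now allowed
  gate.recordConsent(false); // withdrawal erases the tracking cookie again
  return { beforeConsent, afterConsent, remaining: jar.names() };
}
```

Calling `demo()` returns `beforeConsent.tracking === false`, `afterConsent === true` and `remaining` containing only `session_id`, which is the behaviour a visitor should be able to rely on: essential cookies work without asking, tracking cookies appear only after an explicit yes, and withdrawing consent removes them.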
The GDPR legislation distinguishes between the controller, who determines the purposes and means of processing personal data, and the processor, who processes data on behalf of a controller. As an online software supplier we work on behalf of our customers and are therefore a processor. You will therefore have to account for your online activities and set up processing contracts with your processors to make this justification complete. For example, we can provide you with information about which security measures have been taken, or make changes to your site if the legislation requires them. Feel free to contact us.