The AVG is coming. What does that mean to you?
At the end of 2015, the new European personal data protection regulation was adopted by the European Parliament. This new law, the General Data Protection Regulation (known in Dutch as the AVG and in English as the GDPR), formally takes effect on May 25, 2018. Many of the principles in the new legislation are similar to those in the existing Dutch Personal Data Protection Act (Wbp), so if you already comply with that act, you will probably be able to carry over your current policies to a large extent. However, there are new sections and stricter requirements, which will presumably mean that you have to do certain things differently or redesign them.
The AVG puts more emphasis on documenting the personal data you collect and being able to account for it. In this article, we list a number of steps that you can take to ensure that you have your policies and procedures in place. The impact will be greater for some organizations than for others, so look critically at where your business will be most affected.
Inventory and classify your personal data
The impact of the GDPR on your organization depends largely on the kind of data you collect from your users, customers and your own staff. Each type of (personal) information requires a specific approach to its collection, storage, security, management and disposal.
Look carefully at what personal information you store and ask yourself honestly whether it is actually needed for your business operations. Keep track of this information in a so-called processing register. If you might collect personal information from minors, make sure you are aware of this and that explicit consent from a parent or guardian may be required. If you work with extra-sensitive information (special categories of personal data), such as data about race, religion or health, you should be extra careful and take strict security measures (if you have not already taken them). In such cases (if the privacy risks are high) you are required to conduct a Privacy Impact Assessment (PIA).
If you hold personal data that third parties can access, or that you export to a third party, you should describe this in your processing register. The data that you share with third parties should be recorded in a data processing agreement, in which you also state the reason why it is shared. If SQR.NL manages your systems and you work with personal data on those systems, it is strongly recommended that you inventory this and record it in a data processing agreement that you conclude with SQR.NL.
Your privacy policy and the way you handle data should be transparent at all times and communicated to everyone you collect data about.
Create awareness within your organization
The AVG doesn’t just affect your IT department. It is important that everyone within your organization is aware of the data they encounter and work with. Regardless of position, everyone will occasionally have to deal with personal information. Awareness of this, and of the changes brought about by the AVG, should permeate all departments and roles within your organization. Don’t limit awareness to a one-off session when a new colleague joins; also consider regular repetition and offering training and courses.
Evaluate techniques and processes
The storage and retention of data involves both technical systems and the policies and business processes that depend on them. There are a number of things you should set up:
Storage, security and encryption
You need to choose a safe and reliable place to store your customers’ data. You should also back up that data, or take other measures, to prevent data loss or corruption. Secure storage of personal data practically always requires that both the stored data and the access to it are encrypted. How you set that up is in principle your own choice, but the measures should be appropriate to the type of personal data. One precautionary measure is to encrypt data entered on your website, such as in a contact or newsletter subscription form. You arrange this by installing an SSL certificate.
Dealing with data breaches
Even though you obviously try to avoid it, you should be prepared for how to act in the event of a data breach. You are required by law to record and report data breaches, both to the affected persons whose data has been compromised and to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). So establish a policy for this and set up the corresponding procedures.
Linking and deleting data
All personal data that you collect and link to your customers should be described and classified. This policy should be transparent to the people concerned, so that they know what data you are keeping about them. In addition, the so-called “right to be forgotten” applies: if someone asks, you should in certain cases be able to delete their personal data. Data that you are legally required to keep (for example, for your accounting records) is among the exceptions. Always document retention periods in your policy.
Keeping shared data current with third parties
Do you collect data that you also share with third parties? As mentioned above, this need not be a problem in itself, but you should be very mindful of it. Make sure that not only your own copy of the data is kept up to date, but that you also communicate changes to these third parties.
Privacy by design
Make sure you apply the principle of ‘privacy by design’ in everything you set up. Personal data protection should be an integral part of any system or process that you design and implement.
Retrieval and transfer of personal data
Under the AVG, individuals must also be able to retrieve their digital personal data, and in such a way that it can be transferred to another organization (data portability). The data must therefore be provided in a structured, commonly used and machine-readable format.
Designate a security officer
For organizations with 250 or more employees, designating a “Data Protection Officer” is mandatory. But even for smaller organizations, it is advisable to make someone formally responsible for compliance. It is particularly wise to have at least one person who is up to date on the regulations and keeps track of news and developments around them. This employee needs sufficient knowledge and technical expertise; not necessarily to carry out everything personally, but to properly assess the quality and compliance of the measures taken.
Review and refine
The preparations and measures you are taking for the AVG are obviously important, but they are also just a start. Once these measures are in place, they offer an opportunity for ongoing evaluation and improvement of your business processes around data and governance. Therefore, review your policy and its implementation periodically and make adjustments where appropriate.
Business to business and the AVG
Officially, the AVG does not apply to legal entities (business to business). However, as soon as the data you keep says something about an identifiable individual, it is still personal data and falls within the scope of the AVG. If you record business e-mail addresses or phone numbers associated with a specific person (rather than a department), they do fall under the regulation, as do, for example, turnover figures of a VOF (general partnership) or ZZP’er (self-employed sole trader).
Want to know more?
SQR.NL is ISO 27001, ISO 20000 and NEN 7510 certified and therefore has a demonstrable, professional security and service management policy, with measures to uphold it. Ahead of the introduction of the AVG, we too are taking additional measures to meet the additional requirements it entails.
Want to get your organization AVG-ready, too? Our sister company Cyso can advise you on achieving your own AVG compliance. They can advise and assist with the classification of your data and with taking appropriate, additional security measures. Please contact one of their account managers to discuss your situation.