What do I need to know about the GDPR legislation?
Privacy law
Privacy legislation is not new. In the European Union (EU), each member state had its own privacy law. These national laws were all based on the European privacy directive from 1995. In the Netherlands, the national implementation of this directive was the Personal Data Protection Act (Wbp).
On 25 May 2018 the General Data Protection Regulation (AVG or GDPR in English) came into effect. This means that from that date only one privacy law applies throughout the EU. The Wbp no longer applies, but the basic principles of that legislation are still the core of the new GDPR. The Dutch Data Protection Authority (De Autoriteit Persoonsgegevens) supervises compliance with the statutory rules for the protection of personal data.
What is the general purpose of the GDPR?
The general purpose of the General Data Protection Regulation is to protect EU citizens in the area of privacy regulations and personal data. The GDPR offers individuals rights with regard to personal data that is shared with organizations that collect, store and process such personal data.
To whom does the GDPR apply?
The GDPR applies to any organization that collects personal data from EU citizens. An organization does not have to be set up in the EU to fall under the terms of the GDPR. If an organization is outside the EU and collects personal data from the EU, the GDPR would still apply to this organization.
What is going to change?
The new regulation tightens the rules of the previous Personal Data Protection Act, but ultimately much remains the same. Data minimization, the right to be forgotten, information obligations and processor agreements have always been part of the law, albeit sometimes under different names.
Of course, a good privacy policy, an understandable privacy statement, good agreements between processors and controllers, and a procedure for data leaks remain important.
Many existing rules have been considerably tightened up in the new GDPR, and a number of new obligations have been added. More emphasis is placed on the responsibility of organizations themselves to comply with the law as well as to be able to demonstrate that they comply with the law.
What can I do myself?
As an organization you should already have taken steps to conform to the GDPR. To help you with this, the Dutch Data Protection Authority guides you with these 10 most important steps at a glance (in Dutch).
What constitutes personal data?
The GDPR indicates that personal data is any data regarding an identified or identifiable natural person. There are many types of personal data. Obvious information would be someone's name, address and place of residence. But telephone numbers and postcodes with house numbers are also personal data. Sensitive data such as a person's race, religion or health are considered to be special personal data. Such data is afforded extra protection by law.
What does the processing of personal data mean?
Processing is understood to mean: all actions an organization can perform with personal data, from collecting it, up to and including its destruction. The law refers to processing as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The law stipulates that an organization may only process personal data if this is necessary for a specific purpose.
Processing principles
The GDPR introduces core principles with which all processing of personal data must comply:
- personal data must be processed in a proper, lawful and transparent manner;
- personal data may only be processed for a specific, explicitly defined purpose;
- only personal data that are necessary for the purpose may be processed;
- data must be correct and up-to-date;
- if personal data is no longer necessary for the purpose for which it was collected, the personal data must be deleted or anonymised, and;
- the personal data must be secured through technical and organizational measures.
Terminology controller / processor / data subject
The GDPR uses the terms 'controller', 'processor' and 'data subject' which are defined below:
Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. These are the customers of Teqa who purchase the i-Reserve product.
Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. This would be Teqa (the supplier of i-Reserve), and our server administrator (with regard to the hosting of i-Reserve).
The data subject
A natural person whose personal data is processed by a controller or processor. These are your customers whose information you collect in your i-Reserve application.
Processing special personal data
In addition to ordinary personal data, the law also refers to special personal data. This is data that is so sensitive, that processing it could run the risk of seriously affecting someone's privacy. According to the GDPR, the processing of special personal data is prohibited, unless an exception applies.
Special personal data refers to data about race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, genetic data, biometric data with a view to the unique identification of a person, data on health, sexual behaviour or sexual orientation. Such data may therefore only be processed under very strict conditions.
What are the most important changes for organizations?
If the GDPR applies, organizations that process personal data have more obligations.
Consent
What is new is that the organization must be able to demonstrate that it has received valid consent from data subjects to process their personal data, and that withdrawing consent must be as easy as giving it. Consent must be an 'unambiguous' expression of will, so no more pre-checked boxes. The request for consent must be clear, understandable and presented in simple language.
As an organization you must ultimately be able to prove that the person concerned has given permission. The data subject has the right to withdraw their consent at any time, and must also be informed of this right.
NOTE:
Requesting consent for recording personal data is not always necessary. For example, as long as the data that is recorded is limited to what is necessary for the execution of the contract. In other cases you must ask permission. To find out what applies to you, you will find more information here.
Administration duty
The GDPR imposes a documentation obligation, which means that an organization must be able to demonstrate that it acts in accordance with the GDPR. Consider, for example, consent, information provided, rights of data subjects, data security, minimization of processing and agreements with processors. In short: map the data collected and processed in your organization so that you are aware of every aspect of your data handling. Many organizations will have to adjust their privacy statement, and this matters: not having a (complete) privacy statement could attract a fine.
Once the GDPR applies, organizations themselves must keep a register of processing activities ('processing register') that take place under their responsibility.
Processing agreement
Concluding a processing agreement is nothing new in itself, because it was already mandatory under the DPA. This remains so in the GDPR, and applies between the party responsible for collecting the personal data (controller) and the party that processes the personal data on its behalf (processor). However, the GDPR adds a number of mandatory components to this processing agreement, including:
- the purpose of the processing;
- the type of personal data that is being processed;
- the categories of data subjects involved;
- that appropriate security measures will be taken;
- that the processor reasonably cooperates with audits to confirm whether it keeps to all its obligations, and;
- that after the processing has been completed, the personal data will be destroyed or returned to the controller.
From now on, the processor will no longer be allowed to use an external (third) party to process personal data without the prior written consent of the controller.
Privacy impact assessment (PIA)
The PIA is an indispensable tool for organizations to assess or evaluate any privacy impact. By using a PIA, an organisation can analyse and determine (in a structured way) how/if it should protect any personal data it collects.
The PIA specifies why, in which way and for how long personal data will be processed. Implementing a Privacy Impact Assessment is mandatory if the processing of personal data, in particular with the help of new technologies, involves risks for those involved.
Obligation to report/record data leaks
This was included in the DPA and remains largely unchanged in the GDPR. The GDPR does impose stricter requirements on the registration of the data leaks that occurred in your organization. You must document all data leaks.
Avoid stress by thinking in advance about how you should act when a security incident occurs. For example, in some situations you, as a controller, must report a data breach to the Dutch Data Protection Authority within 72 hours. Is the leak likely to be a high risk for the people to whom the data relates? Then they must also be informed of the leak. It is therefore prudent to define a workflow for security incidents beforehand, in which the right people can make a timely decision about the actions that need to be taken.
The Dutch Data Protection Authority has published policy rules for reporting data leaks.
You may need a data protection officer
A data protection officer (DPO) is an independent person within the organization who advises and reports on compliance with the GDPR. A privacy officer was not an obligation in the DPA, but in some situations under the GDPR, it is. According to the law, this is mandatory if you process sensitive personal data such as health data on a large scale, or if you structurally observe people (physically or digitally). A DPO can be someone who is appointed internally, but can also be someone who is appointed externally.
Rights of the data subjects
Personal data must be processed in a manner that is lawful, proper and transparent with regard to the data subject. Transparency is paramount: the data subject must be informed about what happens to his personal data. Everything must be communicated in simple and clear language.
In addition to their right to access, right to be informed and right to correction, the person concerned under the GDPR also has:
- the right to be forgotten,
- the right to transfer data (also called data portability),
- the right to restrict processing and
- the right to object to certain processing. The data subject has the right at all times to object to the processing of his data for direct marketing purposes. If the person submits such an objection, his data may no longer be processed for marketing purposes.
Right to access
A data subject has the right to know from the controller whether their personal data are being processed. And if it is being processed, the data subject has the right to information about this data, such as:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients to whom the personal data are provided;
- the storage period;
- the fact that the data subject has the right to submit a request for rectification, a request to delete or restrict the data and the right to object;
- the fact that the person can submit a complaint.
Right to rectification and right of objection
A data subject has the right to the correction of inaccurately held personal data. This must be done without unreasonable delay. The data subject may object to certain forms of data processing, as a result of which the processing of his personal data may have to be discontinued. Think of an organization that uses personal data for marketing purposes. (At the moment there is already an absolute right of objection for direct marketing. If a data subject exercises this right, then you may not approach this person for marketing purposes).
Right to be forgotten
In some situations, the data subject has the right to have their data completely removed. This means that the controller must delete the personal data without unreasonable delay, for example when the personal data are no longer needed for the purposes for which they were collected or further processed. It will also be mandatory to inform any other parties with whom you have shared that data of the data subject's request, and the names of those parties must be shared with the data subject concerned. The controller must take reasonable measures to delete the data, and also to delete any link, copy or reproduction of it.
With this in mind, take a look at the possibility to automatically anonymize data in i-Reserve.
Right to data portability / transfer of data
The GDPR introduces the right to data portability, i.e. the transferability of personal data. This means that you can receive requests from your customers to make their personal data available to them. This concerns all digital data processed by an organization with the consent of the data subject, plus the data required to execute an agreement. Search history or location data also fall under the right of transferability. As an organization, you are legally obliged to provide the data in a 'structured, current and machine readable' format. You can prepare yourself for this by thinking now about how you will make the data available, for example via a tool that allows your customers to download their data directly in a secure manner.
If it is technically possible, the controller should be able to forward/transfer the data directly to another controller. This can be done, for example, with an Application Programming Interface (API), which allows a connection between an application on your system and that of another party.
In i-Reserve it is possible for the customer to download their data themselves (if they have sufficient permissions). It is also possible for the administrator to export customer data as an Excel or .csv file, or to send data via an API.
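The two obligations above, anonymising a customer record once it is no longer needed (right to be forgotten) and handing the same record over in a structured, machine-readable format (right to data portability), are easy to get subtly wrong: free-text fields such as reservation notes can still identify a person after the name and e-mail are blanked. The following added example is not i-Reserve's or Teqa's code; the customer schema, the field names and the sample record are constructed assumptions. It shows one way to keep non-personal reservation history while stripping everything identifying, and produces both a JSON and a CSV export of the original record.

```python
"""Added example (not i-Reserve code): erasure by anonymisation and a portability export.
The schema below is an assumption; map IDENTIFYING_FIELDS to your own data inventory."""
import csv
import io
import json
from dataclasses import dataclass, field, asdict

# Fields that identify a natural person directly or in combination (assumed set).
# Postcode plus house number is treated as personal data, as the GDPR text explains.
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "postcode_house_number"}

# Reservation attributes that carry no personal data and may survive anonymisation.
# Free-text "notes" is deliberately excluded: customers often type names into it.
NON_PERSONAL_RESERVATION_KEYS = ("date", "resource")


@dataclass
class Customer:
    customer_id: int
    name: str
    email: str
    phone: str
    postcode_house_number: str
    reservations: list = field(default_factory=list)  # list of dicts per reservation
    consent_marketing: bool = False


def anonymize(customer: Customer) -> Customer:
    """Return an anonymised copy: identifying fields replaced by a fixed token,
    marketing consent revoked, reservations reduced to non-personal attributes.
    The numeric customer_id is kept so occupancy statistics still add up."""
    data = asdict(customer)  # deep copy, so the original record is untouched
    for key in IDENTIFYING_FIELDS & set(data):
        data[key] = "ANONYMISED"
    data["consent_marketing"] = False
    data["reservations"] = [
        {k: r[k] for k in NON_PERSONAL_RESERVATION_KEYS if k in r}
        for r in data["reservations"]
    ]
    return Customer(**data)


def is_anonymized(customer: Customer) -> bool:
    """Check used before a record is allowed to stay after an erasure request."""
    data = asdict(customer)
    fields_ok = all(data[k] == "ANONYMISED" for k in IDENTIFYING_FIELDS & set(data))
    notes_gone = all(set(r) <= set(NON_PERSONAL_RESERVATION_KEYS) for r in data["reservations"])
    return fields_ok and notes_gone


def export_json(customer: Customer) -> str:
    """Portability export: the full record as structured, machine-readable JSON."""
    return json.dumps(asdict(customer), indent=2, ensure_ascii=False)


def export_csv(customer: Customer) -> str:
    """Portability export as CSV, one row per reservation (flat, spreadsheet-friendly)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["customer_id", "name", "email", "date", "resource", "notes"])
    for r in customer.reservations:
        writer.writerow([customer.customer_id, customer.name, customer.email,
                         r.get("date", ""), r.get("resource", ""), r.get("notes", "")])
    return buf.getvalue()


# Constructed sample record; every value here is made up.
SAMPLE = Customer(
    customer_id=1001,
    name="J. Jansen",
    email="j.jansen@example.com",
    phone="+31 6 0000 0000",
    postcode_house_number="1234AB 7",
    reservations=[{"date": "2018-06-01", "resource": "Court 2", "notes": "birthday of P. de Vries"}],
    consent_marketing=True,
)

if __name__ == "__main__":
    print(export_json(SAMPLE))
    print(export_csv(SAMPLE))
    print(export_json(anonymize(SAMPLE)))
```

Note that the CSV export carries the free-text notes on purpose: a portability request covers everything the organisation holds about the person, while the anonymisation path drops that same field because it cannot be proven free of other people's data.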
Privacy by default and Privacy by design
The GDPR introduces a data protection obligation via standard settings (Privacy by default) and via adjustable functionality (Privacy by design) within the software.
The Privacy by default obligation means that you must take technical and organizational measures to ensure that you only process personal data that is necessary for the specific purpose that you want to achieve. Where users can adjust their privacy settings themselves, for example, they must be set to the highest level by default.
The obligation of Privacy by design means that you must ensure that personal data is protected when designing products, services and organizational processes.
Examples:
- When offering an app, do not register the users' location if that is not necessary;
- Do not pre-tick the box 'Yes, I want to receive offers' on the website;
- If someone wants to subscribe to a newsletter, do not ask for more information than necessary.
View here what i-Reserve does towards the security and protection of personal data.
Security must be in order - and remain so
Personal data security is crucial. Without encryption, two-factor authentication and being able to separate and securely erase personal information, you as organization take a very big risk.
Violations and sanctions
In the GDPR, the national supervisory bodies receive more powers to sanction violations. The fines are substantial and can amount to 20 million euros or 4% of the worldwide annual turnover, if an organization does not meet the requirements of the law. In the Netherlands, this process is overseen by the Authority for Personal Data (AP).
Need more details? You can also find the answers to frequently asked questions on autoriteitpersoonsgegevens.nl
Cookies, spam, e-mail, telemarketing and the GDPR
Specific rules for handling electronic communications such as cookies, Wi-Fi tracking, e-mail etc. are not laid down in the GDPR. You will find those in the ePrivacy directive, an existing piece of European legislation that is due to be updated and become a regulation in 2018. More generally, this legal text lays down the rules that organizations must follow to ensure the confidentiality of digital communication. The ePrivacy directive is also known as the cookie law. The European Union hoped to launch the adapted rules together with the GDPR, but this has been delayed. Check the progress on the internet.