Since 25 May 2018 a new privacy law has applied in Europe: the General Data Protection Regulation (GDPR). It is impossible that you missed this hype. Would you like an overview of the most important changes introduced by this new law? In this article you will read about the consequences of the GDPR for both employer and employee.
To whom does the new privacy law apply?
Everybody who processes personal information (such as names, dates of birth, salaries, security camera footage, pictures on badges, sickness absence rates, etc.) in a file or by a (partly) automated means of processing.
What will change compared with the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens, Wbp)?
• Organisations will have an information obligation towards the persons whose personal information they process. This covers the purpose of the use, the legal basis, the identity and contact details of the data protection officer, the person responsible for the processing, whether personal information is being sent outside Europe, and who receives the personal information. This is no different from what it was under the Wbp, but under the GDPR the processing must be more transparent. All persons concerned must be informed of their rights.
• The people concerned have more privacy rights.
1. Right to data portability (new): the people concerned have the right to have their personal data transferred in a standard format. This makes it easier to pass personal information on to, for instance, a supplier.
2. Right to be informed (new): about which personal information an organisation holds about the people concerned and what that information is used for.
3. Right to have insight: the people concerned can ask which personal information is being stored, for what reason, with whom this information is being shared, and for how long the information is kept.
4. Right to erasure: the personal information must be deleted (also by the organisations the data has been shared with) when the person concerned requests this. This can be requested when the details are no longer needed, the person concerned withdraws the permission to process the data, the person concerned objects (e.g. to direct marketing), the processing of the data was illegal or wrong, the legal storage period has expired, or when the person concerned is younger than 16 years old.
5. Right to rectification: the person concerned has the right to have the personal data corrected or completed.
• Stricter requirements on the registration of data breaches (= a breach of the security of personal information), such as losing a flash drive or accidentally sending information to someone other than the intended recipient. Organisations must document all data breaches, not only the ones that are reported. Guidelines are being prepared by the authorities.
• Companies must have a legal basis to process personal information. That basis must be communicated to the people concerned.
1. Permission (consent): you must be able to demonstrate that you have permission for every separate purpose of the processing and that the people concerned are well informed. This has become stricter compared with the Wbp.
2. Legal obligation
4. Common interests
5. Legitimate interests
6. Vital interests
• If your processing is likely to carry a high privacy risk (e.g. profiling), you are obliged to perform a Data Protection Impact Assessment (DPIA). This is an instrument to expose all privacy risks. Based on the outcome of the DPIA, you can take action to reduce those risks. Under the Wbp only the government was obliged to perform a DPIA, but now more companies in Europe will have to comply. You must decide for yourself whether you need to perform a DPIA, but if you choose not to, you need proper arguments. Examples of organisations that perform a DPIA: a hospital processing patient details, a bank processing customer details, and a search engine that processes personal information to show advertisements based on internet use.
• Organisations that monitor individuals on a large scale (e.g. camera surveillance, profiling), that process special categories of personal data on a large scale (e.g. political views, race), or that are a public authority or government body, are obliged to appoint a data protection officer within their organisation. This officer monitors the application of and compliance with the GDPR, informs and advises, and cooperates with the national data protection authority. This obligation did not exist previously.
What can you do?
• Map all data processing: which personal data specifically is being processed, where the data comes from, what the purpose of the processing is, and with whom the data is being shared. In other words: keep a register of all data processing activities. With this register you (partly) comply with your accountability obligations, and it allows the people concerned to exercise their privacy rights.
• To comply with your information obligation you can post an online privacy statement on your website. In this privacy statement you can, among other things, describe what happens with customers' data. An online statement, possibly combined with a pop-up, is easy for all customers to find.
• Investigate whether your company applies the mandatory principles of privacy by design (protecting personal data through the design of products and services, such as software) and privacy by default (technical and organisational measures to process only the personal data that is necessary, such as apps without a location function).
• When a company has a processor agreement (e.g. when data processing is outsourced, such as salary administration), you should check whether the agreed measures still comply with the new regulation. The employer remains the responsible party.
• When a company is located in several EU member states, or the processing of data has an impact in more than one EU member state, you should cooperate with a privacy supervisor. Investigate who this will be in your particular case.
• Raise awareness of the new regulation within your organisation. It is important that everyone handles personal information correctly.
• If possible, look for someone within the organisation willing to fulfil the role of data protection officer. This person does not necessarily need to be a lawyer, but background knowledge of the GDPR is a must.
How can Optimus Acorro help you?
• Offering support (advising and reviewing) with mapping the data processing within the company. We can also provide you with a template for the data processing register that you must keep.
• Setting up a privacy statement.
• Offering a checklist for data breaches. Since data breaches must be reported, it is useful to know when something counts as a data breach, when a data breach is high risk, how and where to report the breach, what actions to take, how to prevent such breaches in the future, et cetera.
• Performing a DPIA. Even if your organisation is not obliged to perform a DPIA, it gives you a great deal of insight into your privacy risks, after which you can take appropriate measures to reduce those risks. With this assessment you demonstrate compliance with the GDPR.
Why would you use the support of Optimus Acorro?
High fines apply. When you do not comply with the GDPR, the data protection authorities can impose a fine of up to 20 million euros or 4% of the worldwide annual revenue. To prevent this from happening, Optimus Acorro supports you with its knowledge and insights. Optimus Acorro has experience with creating a data processing register and with carrying out a DPIA. In addition, we offer a checklist you can use in case of a (suspected) data breach. We also support you in creating a privacy statement.
Our employees also have experience at other companies, where they see examples of how the GDPR is (or is not) applied. These experiences are used to offer you customised support, which corresponds with our core values. We strongly believe that every company is different and therefore requires a different approach. Hence we analyse specifically for your organisation what needs to happen in order to comply with the GDPR.
Together we create viability for the future. Isn't that what you want?
You can reach us via: email@example.com