If your organisation processes personal data of a person who is in the EU, you must comply with the GDPR. It does not matter if your organisation is not established in the EU or if the processing does not take place within the EU. And if there was any doubt before: the definition of personal data now explicitly includes online identifiers, such as IP and MAC addresses or a cookie-ID.
You must explain clearly and fully, using plain language, how you use personal data and why. Furthermore, you must advise people of their rights, such as the right to view their data, to amend or erase it if there are clear mistakes, to object to excessive processing, and to take their data to another service provider. If you create interest profiles, you must be able to destroy them upon request. Finally, you should not forget to explicitly advise people of their right to file a complaint with the supervisory authority, as this is now required by law.
You need to document how personal data is handled and secured within your organisation.
Raising awareness of this policy among employees is key. Periodic training will also be required.
The records must include, among other things, a description of the personal data processed, the purpose for processing them, and how they are protected. This obligation applies to organisations with more than 250 employees, but also to organisations with fewer than 250 employees provided they process personal data on a regular basis or they process special categories of personal data.
Under current privacy legislation, you are required to document only those data breaches that you are obliged to report to the supervisory authority. The GDPR makes it compulsory to document all data breaches internally, even those which you are not required to report. If you process personal data on a client’s behalf, the GDPR also imposes a legal obligation to report all data breaches that occur during such activities to the client, so that they can notify the supervisory authority.
If you store personal data with a third party abroad, you must check whether the data is stored within or outside of the EU. The latter is only permitted if the third party meets strict legal requirements, e.g. the country in question has been certified by the European Commission. With regard to third parties in the United States, the so-called Privacy Shield offers the necessary safeguards. However, please note that customers may demand that their data simply does not leave the EU at all.
The GDPR contains more specific requirements for data processing agreements, which must be concluded if you process personal data on behalf of another organisation, or if another organisation processes personal data on your behalf. For example, if you process personal data on behalf of another organisation, you need permission before subcontracting any processing operation.
A PIA is an extensive assessment intended to identify privacy risks, and to eliminate such risks as much as possible, so that privacy is not put in jeopardy beyond what is strictly necessary and proportionate. You may not carry out a processing activity which poses a risk to privacy until after the PIA has been conducted and its outcomes have been implemented.
Even though current privacy legislation already requires data minimisation, you may be keeping data longer than necessary, ‘because you never know’. Under the GDPR you must take active steps to erase information as soon as it has lost its relevance. You must also put in place policies for the assessment of the relevance of information and its erasure in case of irrelevance.
This means that privacy considerations must be identified and incorporated at every step in the development process. In addition, the default settings of any new service must be as privacy-friendly as possible.
If you create interest profiles or risk analyses for your clients, visitors, etc., you must be able to explain to them how you do this and why at their request. This also applies to activities which may seem trivial or highly ordinary, such as cookies for personalised advertising.
The security of personal data is crucial. In this day and age, if you don’t restrict access to only those users with a need-to-know, using strong (multi-factor) authentication and encryption, if you don’t use TLS, firewalls, anti-virus software, or if you don’t patch your software and systems in time, you are at serious risk. You are also at risk if you do not regularly evaluate and update your security measures.
The GDPR provides more rights to individuals to access, correct or erase their data, or take their data with them to another provider. Under normal circumstances, any request from a person regarding their personal data should be handled within one month. Is your helpdesk up to speed?
A data protection officer is an independent person who advises and reports on GDPR compliance. Appointing a DPO is compulsory if you process more sensitive personal data (such as medical records) on a large scale, or if you are engaged in regular and systemic monitoring of people’s activities on a large scale. The DPO can be appointed either internally or externally, for example one of Legal ICT’s (virtual) privacy officers.
If you offer an online service that allows people to store their personal information, they must be able to export all their information in a commonly used digital format for transfer to another organisation. This might involve downloading photos, social media posts or forum contributions.
Does your organisation make use of fingerprints or other biometrics, e.g. for access control? Then you need to comply with the GDPR’s strict protection regime for biometric data.
Under the GDPR, the supervisory authorities may issue penalties of up to the higher of 20 million euro or 4% of global turnover. Privacy now really requires boardroom attention.
Please contact Legal ICT’s privacy specialists Matthijs van Bergen and Michelle Wijnant on +31 20 66 31 941 or at firstname.lastname@example.org.
Do you disseminate information on the Internet? Then you can be held liable or prosecuted (by the public prosecutor) for that information. Think of defamation and infringements of copyright or trademark rights, but also child pornography or texts that incite terrorism. This even applies if your customers or users have posted the content.
Anyone wanting an Internet presence needs a good domain name because the company’s website and email addresses will be linked to it.
Avenue Louise 65, 1000, Brussels, +32 (0)2 535 77 55, email@example.com