GDPR CHECKLIST – 10 Focus points
Just a little more than 2 months to go before the General Data Protection Regulation (“GDPR”) (de Algemene Verordening Gegevensbescherming (AVG)) enters into force on 25 May 2018.The regulation under the GDPR largely matches the obligations existing under the Dutch Data protection act (Wet bescherming persoonsgegevens), but it also entails a number of new obligations and contains detailed substantive and procedural provisions. Below, we give an overview of the focus points that are important for you as a company.
If you have any questions about the GDPR or need assistance with the correct implementation of the GDPR, we are happy to help you. You can reach us at firstname.lastname@example.org or +31(0)207603136.
Nr. 1 – Map the processing of personal data (the data flows) within your company
In order to be able to determine which adjustments are necessary on the basis of the GDPR, it is important to first clearly map the processing that takes place within your company. The following must be mapped:
- Which personal data will be processed?;
- For what purposes are these personal data being processed?;
- What is the legitimate basis for the personal data being processed (consent, legitimate interest etc.)?;
- For what duration will the personal data be processed?;
- Do additional requirements apply (e.g. following from MiFID or PSD)?;
- Which persons within your organization are involved in the processing of the personal data?
Nr. 2 – Update your internal processes
Adjust your internal processes in accordance with the requirements of the GDPR. New requirements under the GDPR are, for example, maintaining a register of processing activities (register duty) and having to perform a data protection assessment prior to a new high-risk processing activity. When developing new processes, use standard settings and designs in which the basic requirements for the legitimate processing of personal data have already been incorporated (Privacy by Design and Privacy by Default).
Nr. 3 – Consent
When you have established that the processing operations will (partially) take place on the basis of consent, the next step is to check if this consent meets the requirements under the GDPR. The consent meets the requirements under the GDPR if this:
- Has been given freely (vrijelijk gegeven);
- For specific purposes (specifiek);
- Which the person concerned has been informed about (geïnformeerd); and
- It has been expressed by the person concerned through and unambiguous indication (ondubbelzinnige wilsuiting).
As the controller, you must be able to show that the consent has been granted in accordance with the above requirements. If the consent has been given by means of a written statement, the purpose for which the person concerned gives consent must be easily distinguishable from other matters included in this same written statement.
Nr. 4 – Rights of the person concerned
As controller, you must ensure during your processing that the person concerned whose personal data you process can efficiently exercise its rights under the GDPR, such as the right of access, the right to rectification and the right to object. The GDPR has a number of new rights for the person concerned, such as the right to transfer data (data portability) and the right to be forgotten. Inform the people concerned adequately about these rights.
Nr. 5 – Update your privacy documentation
After you have mapped all the data streams and you know for what purposes and on the basis of which legitimate basis you are processing the personal data, you can start updating your privacy documents, such as your privacy statement and processor agreements. Ensure that this documentation is in accordance with the extensive information requirements under the GDPR.
Nr. 6 – Check whether it is necessary for your company to appoint a Data Privacy Officer
Based on the processing that takes place within your company, you can determine whether you are obliged to appoint a Data Privacy Officer (DPO) (functionarisgegevensbescherming). This obligation exists, for example, if your company is mainly responsible for processes, which, due to their nature, their size and/or their purposes, require regular and systematic observation on a larger scale of people concerned. If you are not obliged to appoint a DPO, your can still do so on a voluntary basis.
Nr. 7 – Duty to report data breaches
Since 1 January 2016, you are obligated in the Netherlands to report data breaches to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens (AP)). Note that the wording of the provision in the GDPR is different from the former article 34a of the Dutch Data protection act (Wbp). Under the GDPR, only actual breaches of the personal data must be reported and not a breach of security that only leads to the considerable chance of serious adverse consequences.
Nr. 8 – Data security
Ensure that your company maintains an adequate level of protection when processing personal data. You should take into account the state of the technology, the implementation costs and the nature, scope and context in which you process the data. These factors can change over time. You should regularly evaluate whether the measures you have taken are still appropriate.
Nr. 9 – Regulator
If your company is part of an international concern with several branches in Europe, it is important to determine which regulator qualifies as the lead supervisory authority. In principle, the lead supervisory authority is the regulator of the country in which the European head office is located. The leading regulator is the only point of contact for your concern (one-stop-shop).
Nr. 10 – Raise awareness
Awareness is important for ensuring correct compliance with the GDPR within your organization. The persons who are involved in the processing of personal data within your organization must be aware of the basic principles and must be aware when they need to check with an expert in the field of personal data protection (for example with the DPO if one is appointed).