It is now really imminent: the General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. From that moment onward, uniform privacy legislation will apply across the entire EU.
For the past half-year the GDPR has been hot news: one could not open a newspaper without immediately finding such menacing headlines as “Companies panic about European privacy law” and “If your company has not taken the requisite measures, the end is nigh.”
Data Protection Authority announces enforcement measures
In a recent interview, Aleid Wolfsen, chair of the ‘privacy watchdog,’ the Dutch Data Protection Authority (DPA), indicated that the DPA is at the ready to execute enforcement measures from 25 May. Such enforcement can include the imposition of fines (up to € 20 million or four per cent of a company’s world-wide turnover), as well as rapid interventions, such as letters or telephone calls to violators. The DPA will select the most effective enforcement measure, depending on the case in question, Wolfsen explained.
In short, the GDPR has ‘teeth,’ and national oversight bodies such as the DPA will have the tools they need to push companies in the right direction.
Most important changes
The main changes resulting from the GDPR come down to, on the one hand, strengthening and augmenting the rights of the persons whose data are processed and, on the other, ensuring that organisations which process personal data have more personnel to realise this. Data subjects will, for example, soon have the right to have their stored data removed, in addition to the existing right to inspect and change their data. Organisations will be obliged to create and maintain a register of all of their personal data processing. In addition, many organisations will be required to appoint a privacy officer to oversee their application of, and compliance with, the GDPR. Further, organisations will be obliged to carry out a so-called Data Privacy Impact Assessment (DPIA) for certain portions of their data processing, with the aim of identifying privacy risks and taking relevant measures where necessary.
Many organisations are presently so confused that they can no longer see the forest for the trees and have no idea where to start. As we stressed at our September 2017 seminar, The Good, the Bad and the Smart, on privacy in the HR context, there is no reason for panic, as the lion’s share of the obligations under the GDPR are already in effect by virtue of the current Dutch Personal Data Protection Act. It is, however, important to examine critically how personal data are processed within your organisation and, where needed, to take relevant measures. Standing still is certainly not an option.
Draw up a plan of action
Organisations that are not yet compliant with the GDPR still have time to take action. We advise taking the following steps:
- In order to help organisations in the run-up to 25 May, the DPA has provided an online introduction to the GDPR. Using a step-by-step plan, it helps organisations to gain insight into their obligations and the measures which need to be taken in preparation for the GDPR. It is a practical and accessible way to create a global inventory of the current situation at your organisation. On the basis of the results of the inventory, organisations might opt to call in external help.
- Appoint a privacy officer for your organisation. This can be an existing employee or an external specialist.
- Create a taskforce at your organisation and identify which personal data are processed, for which purpose this is done and with whom they are shared. For risk-sensitive processing, a DPIA should be carried out and any necessary measures taken. Record these activities, with the relevant details, in a register of your processing activities.
- Implement a privacy protocol; because the GDPR will affect your entire organisation, it will not be sufficient to vest all responsibility in one person, for example the privacy officer. Privacy must be a priority at all levels of the organisation. Having a privacy protocol can be highly useful in this regard. Such a protocol stimulates awareness amongst employees about the fact that responsibility for privacy must be shared throughout the organisation. A good privacy protocol makes clear what the employer and the employee can expect from one another as to obligations and protective measures in the area of privacy.
- Draw up a good model processor’s agreement. Organisations are obliged to conclude a processor’s agreement when they assign work involving the processing of personal data to other organisations, for example when they call in an external payroll administrator or ARBO service. The client, however, remains responsible for the processing of the personal data in question by the external party. A processor’s agreement must at a minimum state the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved and the categories of the individuals involved, as well as the rights and obligations of the person responsible for the processing. By using a good processor’s agreement, tailored to the specific activities for which a given external organisation has been called in, your organisation can ensure that it is not violating the GDPR via its suppliers.