Since 25 May 2018, the General Data Protection Regulation (GDPR) has been in force. In practice, we notice that many companies are not yet (fully) GDPR-compliant. Are you curious about how GDPR-proof your organisation is? By answering the following 6 questions, you will quickly see what still needs to be done.
1 Do you have the processing of personal data in order?
GDPR compliance starts with mapping out the various personal data processing activities within your organisation. Do you know what types of personal data you process? For what purpose? On what legal basis? How do you obtain these data? And what personal data do you share with other parties?
In some cases, you are obliged to list the answers to these and other questions in a processing register. In other cases, this is advisable. Under the GDPR, you have a duty of accountability; this means that you must be able to demonstrate that you are compliant. A processing register is one of the documents with which you comply with this obligation.
2 Do you have a GDPR-proof privacy statement?
Under the GDPR you must inform those concerned – the people whose personal data you process, such as customers, visitors (to your website) and employees – about the data you process, what you do with it and what rights they have.
This is done in a privacy statement, in which you include the following:
– The contact details of your organisation
– Whose personal details you are processing
– The type of personal details that you process
– The purpose and the basis for which data are processed
– The retention period of the personal details
– To which third parties you provide the data
– The rights of data subjects
– The right of data subjects to lodge a complaint with the Dutch Data Protection Authority (AP).
You can download many standard privacy statements online. However, a privacy statement usually needs to be tailored to your organisation. Therefore, we advise you to ask a GDPR specialist to draft or assess your privacy statement.
3 How adequately does your organisation respond to requests from data subjects?
Data subjects have various rights under the GDPR. They have, for example, the right of access, the right to rectification, the right to erasure (the "right to be forgotten") and the right to data portability. They also have the right to object.
Your organisation must be able to deal with such requests in accordance with the GDPR. This means: in the right way and in time. Do you have a procedure and a contact for this?
4 Do you have GDPR-proof processing agreements?
Do you engage third parties to process personal data, such as a payroll administrator, pension fund or factoring company? Then you must have GDPR-proof processing agreements with these parties.
A processing agreement states how the third parties must handle the personal data you have collected. Why do they process the data, what can they do with it and what do they have to do to protect the data?
Processing agreements can also be downloaded online. To ensure that you make the right agreements and do not run any unnecessary risks, we advise you to have your processing agreements drawn up or assessed by a GDPR specialist.
5 Do you know what to do in the event of a data breach?
The chance that a data breach occurs within your organisation is fairly high. In that case, you must take a number of steps. In some cases, you must report the data breach to the AP and/or the person(s) involved.
It is therefore advisable to draw up a data breach protocol and inform your employees accordingly.
6 Have you taken sufficient security measures?
The GDPR requires you to take appropriate technical and organisational measures to secure the personal data you process. The rule is: the greater the risk, the stricter these security measures must be.
Incidentally, it is not only about technical measures. It is also important that privacy is not seen as a matter for you and/or the management alone. All your employees must be aware that they must handle personal data with care.
And, is your company GDPR compliant?
After reading this blog, do you conclude that your GDPR compliance is fine? Great! But did you conclude that your company is not yet GDPR-proof? And could you use some help in taking stock of your obligations and putting them in order? Please feel free to contact one of our privacy lawyers. You can do so by calling +31 (0)72 514 46 66. You can also complete the contact form and we will reply within 24 hours.