Some "new" obligations under the GDPR, which in other countries still need implementation (such as the data breach notification and the ability for the DPA to impose huge fines) were already incorporated in Dutch law, which should give organizations a little breather. In this article you find the 10-step plan of the Dutch DPA accompanied by some additional practical insights regarding the preparation for the GDPR.
1. Awareness
Key players in the organization (e.g. policy makers) need to be aware of the upcoming privacy rules. They should assess the impact of the GDPR on current processes, services and products and what is necessary to meet the GDPR in May 2018.
The first useful thing to be done within each organization is to identify and list the stakeholders regarding the (risks involved with) processing of personal data. For instance, customers, employees, financiers, shareholders and the works council. This information is useful to create a support base for the implementation of a privacy policy/course of action. The answer to “why” steps need to be taken to make the organization GDPR-proof, apart from being obligated to do so due to the GDPR being the law. Without a sufficient support base within the company, making an organization GDPR ready is next to impossible. For one thing, the support base is needed for the employment of sufficient resources to make it happen. Awareness and support throughout the whole organization is needed to prevent personal data to be processed outside the legal boundaries.
2. Rights of individuals
Individuals have more rights under the GDPR. Organizations should enable these individuals to exercise their rights. Not only existing rights, but also new rights like data portability requests. Organizations should be aware that individuals may file complaints regarding the handling of their personal data with the AP.
Be prepared to handle such requests. Starting to set up a ‘how to handle’ data subjects’ requests after having received the first request will prove to be unworkable. The statutory time limit to respond to such requests requires a procedure to be in place before a request is made. The right to data portability concerns data provided (passively or actively) by the data subject (such as customers and employees) where the processing is based upon consent or on a contract and the processing is carried out by automated means. One of the ways to provide a data subject with its personal data through technical means would be to provide an option to download such data on its personal internal company dashboard. The challenging part will be to ensure that solely the personal data the employee will need in its new employment is transferred.
3. Overview of processing activities
Under the GDPR organizations must map their processing activities to be able to prove they comply with the GDPR. They should make an overview of their processing activities: which personal data do they process, what is the purpose and legal basis for processing, where do these data come from and with whom are they sharing these data.
Identifying and listing all categories of personal data that are being processed within the organization, as well as the other elements which need to be identified and listed to create an overview of the organization’s processing activities needs to be done from a controller and – where applicable - a processor perspective. Not all organizations are processors but each organization is a controller regarding the personal data of its employees and customers.
4. Privacy impact assessment (PIA)
Organizations may be obliged to conduct a PIA to identify the privacy risks in their organization. A PIA is for example obliged in case of high-risk processing activities. If an organization is unsuccessful in finding measures to mitigate the risk they should contact the AP before starting the high-risk processing activities.
The GDPR is risk based rather than rule based. The appropriate measures to be taken depends on the risk level of the processing activity. Each organization needs to decide on its ‘risk appetite’.
5. Privacy by design & privacy by default
Awareness for the principles 'privacy by design' and 'privacy by default' should be created. Organizations should verify how these principles should be implemented in their organization.
Privacy by design as well as privacy by default requires an organization to take such principles into consideration at the first stage of the product or service development process. Taking privacy by design and default into account at a later stage will be more costly and most certainly inefficient.
6. Data Protection Officer
Organizations may be obliged to appoint a Data Protection Officer. They should make clear whether their organization is subject to this obligation on time and start a selection procedure.
A DPO does not have to be appointed within the organization but may also be an external party. What’s important is that such a person has expert knowledge of the GDPR as well as sufficient knowledge of the organization and its processes and can operate independently. If the (board of) director(s) decides not to follow the advice of the DPO, the director will have to document such decision. A DPO is protected against dismissal regarding its role and function as DPO to enable the DPO to operate independently.
7. Mandatory data breach notification
The obligation to report data breaches remains largely the same under the GDPR. However, there are stricter rules for the internal documentation of data breaches. Based on such documentation the AP should be able to verify whether an organization complied with the mandatory data breach notification.
Many data breaches occur due to human error. It is therefore paramount, aside from having state of the art technical security measures in place, to create awareness among staff members about what a data breach entails and which actions need to be taken when confronted with a data breach. Be aware not to instill (too much) fear as data breaches might be swept under the carpet instead of being dealt with in an appropriate manner.
8. Data processing agreements
Existing data processing agreements should be assessed whether they are still adequate and meet the stricter GDPR requirements.
A significant difference in the relationship between the controller and processor is the fact that the GDPR imposes some legal obligations on the processor directly. Such as the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope of context and purposes of processing; the obligation to notify the controller without undue delay after becoming aware of a personal data breach; and under some circumstances, the obligation to appoint a DPO.
9. Lead supervisory authority
If an organization has multiple establishments in various EU Member States, or if processing activities have an impact on various EU Member States, only one supervisory authority will be competent to act as lead supervisory authority. Organizations should identify the lead supervisory authority applicable to them.
10. Consent
Under the GDPR stricter rules apply to the reliance on consent as a legal basis for processing. Organizations should evaluate their way of requesting, obtaining and registering the consent. Where necessary this should be amended. Organizations should be able to demonstrate that they have obtained valid consent from individuals to process their personal data. Besides, it should be as easy to withdraw their consent as it is to give it.
Article provided by: Irvette Tempelman - Cordemeyer & Slager / Advocaten, The Netherlands