The General Data Protection Regulation (GDPR) is an EU-wide regulation that aims to strengthen and unify data protection for all individuals within the European Union. It imposes a strict data compliance regime on organisations, with hefty fines for non-compliance.
25 May 2018
Applies to organisations worldwide
€20m / 4% of global turnover, whichever is greater
At its core, GDPR obligates organisations
to lawfully process personal data and limit the collection and processing of data for specified, explicit and legitimate purposes.
Data subjects receive extensive control
over how their personal data is used, including the right to access, rectify and erase.
Personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Any processing of personal data must have a legitimate basis.
Data processing is limited to what is necessary for the above purposes.
The controller must take every reasonable step to ensure that incorrect personal data is erased or rectified without delay.
Personal data may not be retained for longer than is necessary for the purposes for which the personal data were processed.
The data controller is responsible for and must be able to demonstrate compliance with the GDPR.
The processing of personal data must be based on a ground (AG consent, execution of a contract or the legitimate interest of the data controller).
The controller must provide information about the data processing in a concise, transparent, intelligible and easily accessible form. This amongst others includes information about the purposes of processing and the categories of personal data.
The data subject has the right to access and obtain a copy of their personal data undergoing processing.
The data subject may obtain without undue delay the rectification of inaccurate personal data and the completion of incomplete data.
The data subject has the right to obtain the erasure of personal data,
The data subject has the right to receive personal data, which he has provided to a data controller, in a structured, commonly used and machine-readable format, where the processing is based on consent or on a contract.
Where the processing is based on the legitimate interest of the controller, the data subject shall have the right to object to the processing, unless the processing is necessary for the establishment, exercise or defense of legal claims or the controller demonstrates other compelling legitimate grounds.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects him.
When the data subject exercises one of the above rights, the controller has to respond within one month.
The controller or processor shall designate a DPO if its core activities consist of processing on a large scale of special categories of personal data or processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
De verwerkingsverantwoordelijke moet betrokkenen op een beknopte, transparante, begrijpelijke en toegankelijke wijze informeren over hoe gegevens worden verwerkt. Dit omvat o.a. informatie over de doeleinden van verwerken en de categorieën van persoonsgegevens.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the privacy of data subjects, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Where a type of processing is likely to result in a high risk for the privacy of the data subject, the controller shall, prior to such processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The controller shall, both at the time of the determination of the means of processing and at the time of processing itself, implement technical and organisational measures which are intended to protect personal data and to limit the processing by default to only what is necessary.
The controller and processor shall maintain a record of all personal data processing activities.
In case of a personal data breach, the controller shall without undue delay and, where feasible, no later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of persons.
Where the personal data breach is likely to result in a high risk to to the rights and freedoms of persons , the controller shall communicate the breach to them without undue delay.
Create an inventory of all personal data processing activities within your organisation.
Translate the inventory into a record of personal data processing activities and analyse which GDPR regulations your organisation needs to follow. For example, does your organisation need to hire a DPO?
Apply the relevant GDPR regulations to your organisation by formulating policies which could concern:
It is also important to update your privacy statements (for customers, website visitors and employees) in accordance with the new transparency regulations.
Finally, your organisation needs to put standard instruments in place to handle data subject access requests (i.e. via dashboard) and create a data protection impact assessment.
Contact Hester.de.Vries@kvdl.com to get started
We are a leading firm in matters of privacy and the protection of personal data. We support Dutch and international companies as well as government bodies in matters concerning (EU) privacy legislation, compliance and enforcement.
We can help you with creating the inventory of data processing activities, the follow-up analysis as well as the translation of GDPR regulations to policies for your organisation.
Would you like to know more? Please get in touch. You can also leave behind your e-mail address or phone number so we can call