As from next year, important changes in the area of privacy legislation will be implemented. New European legislation, the EU General Data Protection Regulation (GDPR), will take effect at that time, on 28 May 2018 to be precise, two years after the regulation was published in the Official Journal of the European Union. This regulation will apply throughout the EU and entail a number of changes that have an impact on all businesses in the EU. We have closely studied the regulation and listed the most important changes for you.
More rights for all parties involved
The GDPR will widen the scope of privacy legislation to a considerable extent. In addition, the explanation about how you, as an organization, are dealing with privacy will have to be much more transparent. Among other things, this entails:
- Not only name and address details, but also IP addresses, cookies, MAC addresses, or RFID tags will be covered by the new legislation. This means that all these data will have to be considered the same sensitive information as someone’s bank account number, and treated accordingly.
- Data that have been collected must be deleted as soon as possible.
- Data subjects have the right to access their data, and to amend, supplement, or delete these.
- Your privacy statement needs to be as transparent as possible. It must state that persons can turn to the local Data Protection Authority if they have any complaints about data processing.
- The right to receive data in a standard format under certain conditions (right to data portability) has been added.
Documentation will become more important
Other rules will also apply for data leaks. All data leaks must be documented internally, including those that do not have to be reported the local Data Protection Authority.
A new type of processor’s agreement
A third party that processes data is called a data processor under the GDPR. Just like under the current Personal Data Protection Act, you must enter into an agreement, called a processor’s agreement, with this data processor. You will have to enter into an agreement with all suppliers and clients with whom data are processed. Permission plays an important part in this: data subjects must have given their permission in a clear manner, and can also withdraw this permission.
Privacy by design & privacy by default
Two important additions to the GDPR are privacy by design and privacy by default. Privacy by design means that privacy-enhancing systems must be part of the development of products and services. Privacy by default means that data minimisation should be taken into account. This means that as few data as possible, and therefore only the necessary data, may be processed, and only for the specific purpose for which the service is intended.
Compulsory Privacy Officer (in some situations)
If data are processed on a large scale, e.g. in hospitals, appointing an internal or external privacy officer may be compulsory.
Privacy Impact Assessment
If the processing of data involves high risks, a Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) must be performed in accordance with the GDPR. Although they have different names, these assessments actually have the same meaning. In any case, the assessment is required i.a. for profiling, when data are processed on an extensive scale, or when data are gathered in a publicly accessible area.
If your organization has several business locations, or if you do business with several member states, it is important that you will have to deal with only one leading supervisor. Make also sure to check if your suppliers cooperate with foreign parties, and that these countries also comply with strict privacy legislation.
Permission and penalties
Basically, all data processing should be based on permission from your clients, and your clients should know who are using their data, how they are using them, and where. Further, it must be perfectly clear that data subjects may also withdraw their permission.
Huge fines will be imposed if you do not comply with the rules as from 28 May 2018. For now, the maximum fine amounts to € 900,000, but this will be a maximum of € 20,000,000, or 4% of your annual global turnover.
Start working with the GDPR
Many organizations will be faced with major changes. The website of the Dutch Data Protection Authority contains a wealth of data to help you get your organization ready for the new legislation. A good way to start are these 10 steps to GDPR compliance.
What does this mean for Savvii? We are nominated for the ISO27001 certification, which means that we will receive this certificate soon. In the coming period, we will also start preparing internally to comply with all changes. What do you think of the new legislation? How much impact do these changes have on your business?
If you have some time to spare in the meantime: here you can find the complete regulation.