Organizations are legally required to comply with the General Data Protection Regulation (GDPR). But what does this mean in practice? We offer you a practical checklist to help you ensure privacy compliance within your organization.
Privacy and the handling of personal data are becoming increasingly important. Organizations must handle personal data correctly. Failure can result in data breaches, negative publicity, or even fines. That's why compliance with the General Data Protection Regulation (GDPR) is essential. Organizations are required to comply with the rules of the General Data Protection Regulation (GDPR).
The GDPR contains a number of core principles that govern how organizations must handle personal data carefully. Below, we summarize the key points.
Lawfulness, fairness and transparency
Data subjects must be clearly informed about which of their personal data is being processed. This communication must be easy to understand, and all processing must comply with the law.
Purpose limitation
Personal data may only be used for a specific purpose.
All personal data processed within an organization must be accurate. If you discover that a customer's data is incorrect, the data must be corrected.
An organisation may only process personal data if there is a legal basis. The GDPR contains six legal bases:
Organizations inform data subjects about which personal data is processed through a privacy statement. It is a common practice to publish the privacy statement on the website. In this document, an organization explains what personal data is processed, why it is needed, on what legal basis, and for how long it is retained. It is also mandatory to explain what rights data subjects have, and to which third parties the data is transferred.
Organisations use all kinds of software packages and systems. Think of an HR or CRM system, or an accounting package. Another example is the use of security cameras in the office or in a warehouse. Suppliers that provide such systems or packages process personal data. The agreements regarding the handling of these personal data are laid down in a data processing agreement.
A data breach is a security incident resulting in the unauthorized access, accidental loss, or unlawful disclosure of personal data. As an example, employee A accidentally received the payslip of employee B, or an order confirmation for customer C was sent to customer D. In such cases, it is important that an organisation acts quickly. The error must be rectified, and the data breach must be registered internally. It may even be mandatory to report the data breach to the Dutch Data Protection Authority and the data subject(s).
The GDPR distinguishes between a data controller and a data processor. The data controller determines the purpose and means of the data processing. And the data processor acts on behalf of the data controller. These parties must enter into a data processing agreement. In this agreement, the parties make arrangements on how the personal data is handled.
When both parties are joint controllers, they make arrangements in a data sharing agreement. If the parties are independent controllers, this type of agreement is not mandatory but recommended. This is to ensure that the recipient does not process the data for a purpose other than that for which it was provided.
It is often said that the GDPR is a 'paper tiger'. Organisations must have various documents in place. The following documents are a must-have:
Complying with the GDPR is not always easy. Organisations sometimes can't see the wood for the trees. To help organisations on their way to becoming GDPR compliant, we created a simple 5-step checklist.
Short on time or resources? We're here to help. We conduct privacy inventories for your organization.
The GDPR applies to all organisations. The reason is simple: every organisation processes personal data. Think of the data of your own employees, but also your customers and website visitors.
Some organisations are legally required to appoint a Data Protection Officer (DPO). The DPO informs and advises on the handling of personal data. In doing so, the DPO holds an independent position.
The following organizations are required to appoint a DPO:
Even for organisations that do not fall under one of these categories, it is advisable to appoint a DPO to ensure privacy compliance.
The Dutch Data Protection Authority (Dutch DPA) is the supervisory authority for privacy in the Netherlands. The Dutch DPA has the authority to address organisations when they do not act in accordance with the GDPR. The Dutch DPA also has the power to impose fines. Naturally, organisations want to avoid fines due to the financial impact. But organisations often forget that reputational damage might be much worse. To prevent any kind of damage, organisations are well advised and remain GDPR compliant.
The GDPR has six basic principles for processing personal data:
Accountability: organisations are required to demonstrate compliance with the above-mentioned basic principles. This can be achieved through clear documentation, such as records of processing activities and privacy statements.
The GDPR requires organisations to not retain personal data longer than necessary. Data may only be kept as long as it remains relevant to the purpose for which it was collected. For certain types of data, such as financial records, statutory retention periods apply. Implementing a sound retention policy helps mitigate risks and strengthens trust in your organisation.