Have you heard about the updated Privacy law which comes into effect on the 25th May this year? Have you thought about how it might impact your business?
If you were at our networking on April 19th, you would have been thankful that Bieneke Braat from Legal Tree took us step by step through the regulations and shared her knowledge so that we know the steps we need to take to ensure our clients privacy data is being protected.
Here I can share a summary with you!
Bieneke Braat Legal Tree GDPR
Bieneke started by sharing a slide with us that shows the layout of how data is processed. Each of the numbers corresponds with a different area that needs to be considered and I will endeavor to share my efforts to record this information!
What is the GDPR?
This regulation concerns the electronic processing of personal data and personal data that is processed on paper in an ordered form.
Whose rights do you have to protect?
The rights of the data subject should be protected. This can be a client or employee.
Now I will take you round Bieneke’s description of each of these spots on her diagram.

Bieneke Braat Legal Tree GDPR

1.Personal Data

You may process personal data information if you have legal ground (purpose).
Personal data – is any data that identifies an individual: name, email address, even I.P. address! An info@ email address is not classified as personal data.
Special Categories – which is prohibited to process this particular information unless you have an exception is information related to:

  • heath
  • criminal convictions
  • political opinion
  • religious beliefs
  • race
  • ethnic origin
  • I.D. number/BSN

Employers cannot process any of this information unless there are exceptional circumstances, and/or there is consent given.
Children (under 16)
If you want to gather information from Children, there will need to be stricter controls and a parent will need to give consent for this information to be processed. (Think an app that kids will play on – in order to collect data, a parent will first have to give consent)
Data minimisation – first ask, do you really need this data? The more data you have, the more risk it brings.

2. Privacy Statement

You need to prepare a privacy statement which shows how you will collect data, what the data is required for, how it is stored and where it will be used. You need to show the legal ground in which you are collecting it, whom you will share it with and if the data will be sent outside the EU.

3. Purposes

The “Controller” (business owner, Gemeente, Zzper) determines the purpose and the means of data processing.
You have to write down what you are going to be using the data for and if transferring outside of the EU. This information needs to be written in your ‘register’. Some legal grounds might be to communicate, or to perform your contractual obligations.
You can ONLY use the data you have collected for these specific purposes. If you want to use the data for a different purpose, then you will have to ask consent.

4. Legal Grounds

  • Consent is given
  • You might be legally obliged to process the data (i.e. invoice has to have name and address on it)
  • Vital Interest – if the situation is life threatening
  • You need the personal data for legitimate interest (i.e. you have an email address of a client from sales, you can use this email address to inform of other products you sell)
  • Public bodies can use personal data.

If you don’t have a basis for legal grounds to process the data, then you can’t.

5. Security

The AP (Autoriteit Persoonsgegevens https://autoriteitpersoonsgegevens.nl/) is the authority that oversees the GDPR here in NL.

  • Does your site have an SSL certificate? https://en.wikipedia.org/wiki/Certificate_authority
  • Do you need to be using encrypted email? (Such as the Dutch service Startmail?)
  • You cannot ask someone to tick a box to give consent.
  • You have to keep access to the data you hold secure.
  • You mustn’t share logins
  • For employees, you should make security guidelines
  • If you have a data breach (loose your phone) and have concerns about sensitive data you hold, you have to notify the AP (Especially Special Category Data)

If you are using your phone to access a clients personal data, then it might be an idea to set up a remote swipe of your phone or make sure the data is encrypted, then you wouldn’t have to notify.

6. Data Processor Agreements

List the agreements you have with processors. Do the tools you use to process your data have privacy statements (see 8. Data export)? (i.e. Dropbox, Mailchimp, Google etc)

7. Data Breach notification

You have to list what will be done it… (data breach etc) in your privacy statement.

8. Data Export

You have to keep the data you are processing in the EU.
You cannot transfer the data outside of the EU without an adequate level of protection.
If the tool you are using (such as dropbox) has a Privacy Shield, then its OK to use this tool to process the information. You also need to record this!
You can find more information about which companies hold privacy shields here.
On a side note, Trump signed the CLOUD Act recently which makes the transference of data outside the EU more complicated. You can read more about this here.

9. Sharing data with 3rd parties

You have to ask yourself:

  • Is there legal ground?
  • Do I have to share this data?
  • Do I have to ask consent to share this data.

10. Agreements with other controllers.

You should list which other controllers (companies etc) you have agreements with regarding personal data.

11, Documentation, register

You should keep a register and document all of your decisions as to what process you have regarding Personal Data. You need to indicate what, why, where etc. (i.e. name & email address obtained on 19.04.18 at WBII networking, consent given to hold P.D. for contact purposes.
This does make me wish I had asked Bieneke do we really have to ask permission when we are handed a business card – and do we need written consent??

12. Confidentiality by employees

You need to keep the information of your employees confidential

13. Data Protection Impact Assessment

D.P.I.A. : in some situations (i.e. health and new processes) you need to look and document the risks imvolved with your data processing.

14. Privacy by design and by default

15. Rights of data subjects.

It is possible for a data subject to invoke their rights regarding the data you hold on them.
For example, you can ask Facebook what data they have on you, and you can ask them to delete it. They can say no if they can show there are reasonable rights for the data not to be deleted.

16. Profiling

17. Data Protection Officer

If your company has large quantities of data to process, then you are obliged to assign a Data Protection Officer.
There is a handy website: https://www.smithanddoe.com/ that has tools and factsheets to help you determine your processes. It is in Dutch however!
Bieneke Braat Legal Tree GDPR
It was a large amount of information to cover in the hour that Bieneke had, but she gave an amazing outline of what we all need to do, and consider, regarding the GDPR.
So good luck with writing your own Privacy Statements and keeping your register!

Author: Lisa Hall Lemonberry
Photos: Anne Bybjerg Image & Style