What do I need to know about the GDPR legislation?
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. From that date on, a single privacy law applies across the EU. The Dutch Personal Data Protection Act (Wbp) no longer applies, but its basic principles still form the core of the GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) monitors compliance with the statutory rules for the protection of personal data.
Privacy legislation
Privacy legislation isn't new. Within the European Union (EU), each member state currently has its own privacy law. These national laws are all based on the 1995 European Privacy Directive. In the Netherlands, the national implementation of this directive is the Personal Data Protection Act (Wbp).
What is the general purpose of the GDPR?
The overall purpose of the General Data Protection Regulation is to protect EU citizens in the area of privacy regulations and personal data. The GDPR provides rights regarding personal data shared with organizations that collect, store, and process such data.
Who does the GDPR apply to?
The GDPR applies to any organization that collects personal data from EU citizens. An organization does not need to be established in the EU to be subject to the GDPR. If an organization is located outside the EU and collects personal data from within the EU, the GDPR applies to that organization.
What will change?
The new GDPR tightens regulations from the current Personal Data Protection Act. Ultimately, much remains the same. Data minimization, the right to be forgotten, information obligations, and data processing agreements have always been part of the law, albeit sometimes under different names.
A sound privacy policy, a clear privacy statement, sound agreements between data processors and controllers, and a data breach procedure also remain important.
Many existing rules have been significantly tightened in the new GDPR, and several new obligations have been added. Greater emphasis is placed on the responsibility of organizations themselves to comply with the law and to be able to demonstrate compliance.
What can I do myself?
As an organization, you can already take steps to be GDPR-ready. To help you, the Dutch Data Protection Authority listed the 10 most important steps.
What is personal data?
The GDPR specifies that personal data is any information relating to an identified or identifiable natural person. There are many types of personal data. Obvious data include a person's name, address, and place of residence. But telephone numbers and postal codes with house numbers are also personal data. Sensitive data such as a person's race, religion, or health are also called special categories of personal data. These are given additional protection by law.
What does processing personal data entail?
Processing refers to all actions an organization can perform with personal data, from collection to destruction. The law lists the following as examples of processing: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure, and destruction of data.
The law stipulates that an organization may only process personal data if it is necessary for a specific purpose.
Processing principles
The GDPR introduces core principles that all processing of personal data must comply with:
- personal data must be processed in a fair, lawful and transparent manner;
- personal data may only be processed for a specific, explicit purpose;
- only personal data that are necessary for the purpose may be processed;
- data must be correct and current;
- if identification is no longer necessary for the purpose, the personal data must be erased or anonymised; and
- the personal data must be secured by means of technical and organisational measures.
Controller/processor terminology
The GDPR uses the terms "controller" and "processor" instead of the terms "responsible party" (verantwoordelijke) and "processor" (bewerker) from the Personal Data Protection Act (Wbp). The Dutch translation of the GDPR provides the following definitions:
Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. These are Teqa's customers who purchase i-Reserve.
Processor:
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. This is us as an organization, the supplier of i-Reserve and i-Reserve hosting.
Data subject
The data subject is the person whose personal data an organization processes, that is, the person to whom the personal data pertains. These are your customers, the end users.
Processing special personal data.
In addition to regular personal data, the law also recognizes special personal data. This is data that is so sensitive that processing it could seriously compromise someone's privacy. Under the GDPR, processing special personal data is prohibited unless an exception applies.
Special personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, sex life, or sexual orientation. Such data may therefore only be processed under very strict conditions.
What are the most important changes for organizations?
If the General Data Protection Regulation applies, organisations that process personal data have more obligations.
Consent requirement:
A new requirement is that organizations must be able to demonstrate that they have received valid consent from individuals to process their personal data. It must also be just as easy for individuals to withdraw their consent as it is to give it. Consent must be an unambiguous expression of will, so no more pre-ticked boxes. The request for consent must be clear, understandable, and presented in simple language.
Ultimately, organizations must be able to prove that the data subject has given consent. Data subjects have the right to withdraw consent at any time, and this right must be communicated to them.
NOTE:
Requesting consent for the storage of personal data is not always necessary, for example as long as the data stored is limited to what is necessary for the performance of the agreement. In other cases, you must request consent. To find out what applies to your organization, more information is available from the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).
Administrative Obligation:
The GDPR imposes a documentation obligation, meaning that the organization must be able to demonstrate that it is acting in accordance with the GDPR. This covers consent, information provided, data subject rights, data security, data minimization, and agreements with processors. Therefore, map out the data processing activities within the organization. Many organizations will need to update their privacy statements, and this is important: failure to have a (complete) privacy statement will soon result in a hefty fine.
Once the GDPR comes into effect, the Wbp obligation to report data processing to the supervisory authority will no longer apply. Instead, organizations will be required to maintain their own records of processing activities ('processing register') that take place under their responsibility.
Data Processing Agreement:
Concluding a data processing agreement is nothing new, as it is already mandatory under the Dutch Data Protection Act (Wbp). Under the GDPR it is called a processor agreement (verwerkersovereenkomst instead of bewerkersovereenkomst) and applies between the controller of the personal data and the party processing the personal data for them (currently known under the Wbp as the bewerker, soon to be called the processor). What is new, however, is that the GDPR specifies several mandatory elements of this agreement, including:
- the purpose of the processing;
- the type of personal data being processed;
- the categories of data subjects;
- that appropriate security measures will be taken;
- that the processor cooperates with audits to verify whether the processor complies with all obligations, and;
- after processing, destruction or return of the personal data to the controller.
From now on, the processor will no longer be allowed to engage an external party to process personal data without prior written consent from the controller.
Privacy Impact Assessment (PIA)
A data protection impact assessment (DPIA, also called a Privacy Impact Assessment or PIA) is an essential tool for organizations to assess or evaluate their privacy impact. Using the DPIA allows organizations to systematically integrate personal data protection into their balancing of interests and decision-making.
The PIA records why, how, and for how long personal data is processed. A Privacy Impact Assessment is mandatory if processing personal data, particularly using new technologies, poses risks to data subjects.
Data Breach Notification Requirements:
We already have this requirement in Dutch law: data breach notification. This requirement is also incorporated into the GDPR and remains largely unchanged. However, the GDPR does impose stricter requirements on your own record-keeping of data breaches that have occurred within your organization. You are required to document all data breaches.
Prevent stress by planning in advance how you'll respond if a security risk occurs. For example, as the data controller, in some situations you must report a data breach to the Dutch Data Protection Authority within 72 hours. If the breach is likely to pose a high risk to the individuals whose data is affected, they must also be notified. Therefore, define a security incident workflow in advance, allowing the right people to make timely decisions about the actions to be taken.
The Dutch Data Protection Authority has published policy rules on data breach notification.
You may need a data protection officer.
A data protection officer (DPO) is an independent person within the organization who advises and reports on compliance with the GDPR. While the DPO wasn't mandatory under the Dutch Data Protection Act (Wbp), it is required under the GDPR in some situations. The law requires a DPO when you process sensitive personal data such as health data on a large scale, or if you regularly observe people (physically or digitally). A DPO can be appointed internally, but can also be appointed externally.
Data Subject Rights:
Personal data must be processed lawfully, fairly, and transparently in relation to the data subject. Transparency is paramount: the data subject must be informed about what happens to their personal data. Everything must be communicated in simple and clear language.
In addition to the well-known rights of access, correction, and objection, the GDPR also grants the data subject:
- the right to be forgotten,
- the right to data portability (the transfer of personal data to the data subject or another controller),
- the right to restrict processing, and
- the right to object to certain processing. The data subject has the right to object at any time to the processing of their data for direct marketing purposes. If the data subject files such an objection, their data may no longer be processed for marketing purposes.
Right of access:
A data subject has the right to obtain from the controller confirmation as to whether their personal data is being processed. Where personal data is being processed, the data subject has the right to information about this data. The data subject has the right to information about, among other things:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data are provided;
- the storage period;
- the fact that the data subject has the right to request rectification, erasure or restriction of processing and the right to object;
- the fact that the data subject can lodge a complaint.
Right to rectification and right to object
A data subject has the right to obtain from the controller the correction of inaccurate personal data. This must be done without undue delay. The data subject may object to certain types of data processing, as a result of which the processing of their personal data may have to be stopped. Consider an organization that uses personal data for marketing purposes. (Currently, an absolute right to object already exists for direct marketing. If a data subject exercises this right, you may no longer contact them for marketing purposes.)
Right to be forgotten
In some situations, the data subject has the right to have their data erased completely. The GDPR adds additional grounds for this latter right. The GDPR introduces the right to be forgotten. This means that the controller must erase personal data without undue delay, for example, when the personal data are no longer necessary in relation to the purposes for which they were collected or are further processed. It also requires that, upon such a request, the data controller inform the parties with whom the data has been shared. The names of these parties must also be shared with the data subject. The controller must take reasonable steps to erase the data, including any links, copies, or reproductions thereof.
Also check out the option to automatically anonymize in i-Reserve.
Right to data portability.
The GDPR introduces the right to data portability, or the portability of personal data. This means you may receive requests from your customers to make their personal data available. This applies to all digital data that an organization processes with the data subject's consent, plus data necessary to perform a contract. Search history or location data also fall under the right to portability. As an organization, you are then legally obligated to provide the data in a "structured, commonly used, and machine-readable" format. You can prepare for this by considering how you will make the data available. For example, using a tool that allows your customers to download their data directly and securely.
If technically feasible, the data controller must forward the data directly to another controller. This can be done, for example, using an Application Programming Interface (API), which enables a connection between your system and an application belonging to another party.
In i-Reserve, customers can download their data themselves, the administrator can export it, or data can be forwarded via an API.
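The two requests described above, a portability export in a machine-readable format and an erasure request, as an added example that is not i-Reserve's or Teqa's code. It assumes a hypothetical record in which each item carries the legal basis it is processed under; only items processed on consent or contract are portable, and erasure keeps items held under a statutory retention obligation (an assumption of the example, not something the page states).

```python
import json
from dataclasses import dataclass, field
from typing import Any

# Legal bases for which the right to data portability applies: data processed
# with the data subject's consent, or because it is needed to perform a contract.
PORTABLE_BASES = {"consent", "contract"}


@dataclass
class DataItem:
    """One piece of personal data plus the legal basis on which it is processed."""
    value: Any
    legal_basis: str  # assumed vocabulary: consent, contract, legal_obligation, legitimate_interest


@dataclass
class SubjectRecord:
    """Hypothetical record of one data subject (constructed; not i-Reserve's data model)."""
    subject_id: str
    items: dict[str, DataItem] = field(default_factory=dict)


def portable_data(record: SubjectRecord) -> dict[str, Any]:
    """Select only the items covered by the right to portability."""
    return {name: item.value for name, item in record.items.items()
            if item.legal_basis in PORTABLE_BASES}


def portability_export(record: SubjectRecord) -> str:
    """Serialise the portable data as JSON: a structured, commonly used, machine-readable format."""
    payload = {"subject_id": record.subject_id, "data": portable_data(record)}
    return json.dumps(payload, indent=2, sort_keys=True, ensure_ascii=False)


def erase(record: SubjectRecord) -> list[str]:
    """Right to be forgotten: drop every item that is no longer necessary.
    Items held under a 'legal_obligation' basis (assumed statutory retention) are kept.
    Returns the names of the erased items so the controller can document the request."""
    removable = [name for name, item in record.items.items() if item.legal_basis != "legal_obligation"]
    for name in removable:
        del record.items[name]
    return removable


# Constructed sample record.
SAMPLE = SubjectRecord("cust-0042", {
    "name": DataItem("A. Jansen", "contract"),
    "email": DataItem("a.jansen@example.com", "contract"),
    "newsletter_opt_in": DataItem(True, "consent"),
    "search_history": DataItem(["tennis court", "padel"], "consent"),
    "invoice_total_2017": DataItem("120.00", "legal_obligation"),
    "fraud_score": DataItem(0.1, "legitimate_interest"),
})

if __name__ == "__main__":
    print(portability_export(SAMPLE))
    print("erased:", erase(SAMPLE))
```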
Privacy by default and Privacy by design
The GDPR introduces an obligation to protect data through standard settings (Privacy by default) and through adjustable functionality (Privacy by design) within the software.
The Privacy by Default requirement means that you must implement technical and organizational measures to ensure that, by default, you only process personal data that is necessary for the specific purpose you intend to achieve. For example, where users can adjust their privacy settings themselves, they should be set to the highest level by default.
The Privacy by Design obligation means that you must ensure that personal data is protected when designing products, services and organizational processes.
Examples:
- When offering an app, do not let users register their location if it is not necessary;
- Do not pre-check the box 'Yes, I want to receive offers' on the website;
- If someone wants to subscribe to a newsletter, do not ask for more data than necessary.
Click here to see what i-Reserve does to secure and protect personal data.
Security must be in order, and remain so.
Protecting personal data is crucial. Without encryption, two-factor authentication, and the ability to separate and securely erase personal information, your organization is taking a significant risk.
Violations and Sanctions:
The maximum fine per violation of the current Privacy Act (Wbp) is currently €900,000. The GDPR grants national supervisory authorities greater powers to sanction violations of the GDPR. The fines are substantial, reaching up to €20 million or 4% of global annual turnover if an organization fails to comply with the law's requirements. Fines imposed in the Netherlands are issued by the designated supervisory authority: the Dutch Data Protection Authority (AP).
Looking for details? You can also find answers to frequently asked questions at autoriteitpersoonsgegevens.nl.
Cookies, spam, email, telemarketing, and the GDPR.
Rules for handling electronic communications such as cookies, Wi-Fi tracking, email, etc., are not laid down in the GDPR. These are covered by the ePrivacy Directive, existing European legislation that will be updated in 2018. The ePrivacy Directive is also known as the Cookie Law. The European Union hopes to launch the amended rules alongside the GDPR, offering citizens greater protection for their personal information at the same time. More generally, this legal text establishes the rules organizations must follow to guarantee the confidentiality of digital communications.
