A few weeks ago we informed you about the content of the new regulation; in this blog we discuss a number of its terms in more detail. To refresh your memory: the European Privacy Regulation (EPV) is also known as the General Data Protection Regulation (GDPR). In any case, it is important that every organisation complies with this new regulation by May 2018. It is even possible that the Netherlands will introduce a new national law based on the EPV. A lot of developments!
Transparency & trust
Each organisation will not only have to establish which personal data it processes, but will also have to record this in its own register. It is important to specify the purpose of and the legal basis for each processing activity. For a number of organisations this will be difficult, or perhaps a good opportunity, to determine whether the processing is actually ‘lawful’. The result is a more transparent organisation, which also radiates more confidence to the outside world. Consider also the obligation to appoint a Privacy Officer. This applies to organisations that process personal data; it is in any case mandatory in the public sector, and in the private sector if the core activity consists of processing special categories of personal data or of regular or systematic monitoring of the data subjects.
Reach your goals
In addition, it is important to determine which characteristics of a person are processed. The same applies here: the purpose is decisive. For example: ‘Do I really need the phone number or e-mail address of this person to achieve the purpose?’ The question to ask is: ‘Can I achieve the same purpose with less personal data, or with other data?’ Furthermore, data must be destroyed once they are no longer needed, so it is important to link a retention period to each set of data.
In the previous blog, the terms privacy by default, privacy by design and privacy impact assessments were briefly mentioned. What do these terms actually mean?
Privacy by default
Privacy by default is best illustrated with an example. After registering on a website, you are often asked whether you want to receive newsletters. From the point of view of ‘privacy by default’, it is important that the choice to receive the newsletter is ‘off’ by default. The user must then actively tick the box if he or she wants to receive the newsletter.
Privacy by design
When developing new applications, it is important to take the privacy aspects into account, preferably before the application is built. This is called ‘privacy by design’.
Privacy impact assessment
As the data controller, or as the processor of the personal data, it is important to carry out a ‘privacy impact assessment’. The starting point is to map out which personal data are processed, for which purpose and on which legal basis. The risks associated with this processing must then be identified so that appropriate measures can be taken to mitigate them.
In summary: just as with security, employees must also be made aware of how personal data are processed when it comes to privacy. This ensures that people adapt their own behaviour when handling personal data and can make the right decisions and trade-offs. Processes and procedures can then be drawn up within the organisation to ensure compliance with the law.