Hopefully you have already heard of the AVG (Algemene Verordening Gegevensbescherming, the Dutch name for the General Data Protection Regulation, GDPR). It actually entered into force on 24 May 2016, but will only be enforced from 25 May 2018. Enforcement means that from 25 May 2018 sanctions (read: fines) can be imposed.
Previously, the countries in the European Union each had their own privacy laws and regulations. In the Netherlands we had the Wet bescherming persoonsgegevens (Wbp, the Personal Data Protection Act). The Wbp lapses on 25 May 2018. Thanks to the AVG, the protection of personal data is regulated in the same way in all EU countries and the same rules apply in every Member State.
What is changing?
The AVG strengthens the position of data subjects (that is, the people whose data are being processed). They receive new privacy rights and their existing rights are strengthened. Organizations that process personal data get more obligations. The emphasis lies, more than today, on the responsibility of organizations to be able to demonstrate that they (and their suppliers) comply with the law.
How do you prepare?
1. Awareness
Make sure that the relevant people in your organization are well informed about the new privacy rules. They must assess the impact of the AVG on your current processes and services and which adjustments are necessary to comply with the AVG.
2. Rights of data subjects
Under the AVG, data subjects receive more and stronger privacy rights, so make sure you are prepared when someone exercises one of them. In addition to the existing rights, such as the right of access, the right to rectification and the right to erasure (the right to be forgotten), there are also new rights, such as the right to data portability. Under this right you must ensure that the data subject can easily obtain their data and, if they wish, pass it on to another organization.
3. Overview of processing
Map your data processing. Document which personal data you process and for what purpose, where this data comes from and with whom you share it. Under the AVG you have a documentation obligation: you must be able to demonstrate that your organization acts in accordance with the AVG.
You will also need this overview when data subjects exercise their privacy rights. If they ask you to correct or delete their data, you must pass this on to the organizations with which you have shared that data.
4. Processor agreement
Have you outsourced your data processing to an external party (called a 'processor' in the AVG)? Then check whether the measures agreed in the existing contract with the processor are still sufficient and meet the requirements of the AVG.
The following topics must be laid down in the agreement (source: Autoriteit Persoonsgegevens, the Dutch Data Protection Authority):
- General description
A description of the subject matter, the duration, the nature and purpose of the processing, the type of personal data, the categories of data subjects and your rights and obligations as controller.
- Processing instructions
In principle, processing takes place solely on the basis of your written instructions. The processor may not use the personal data for its own purposes.
- Duty of confidentiality
Persons employed by or working for the processor are bound by a duty of confidentiality.
- Security
The processor takes appropriate technical and organizational measures to secure the processing, for example pseudonymisation and encryption of personal data, ongoing information security, restoring availability of and access to data after an incident, and regular security testing.
- Sub-processors
The processor does not engage sub-processors without your prior written permission. The processor imposes on a sub-processor, in a sub-processing agreement, the same obligations that the processor has towards you.
In the agreement you can also agree up front that, and under which conditions, the processor may use sub-processors.
If a sub-processor fails to fulfil its obligations, the processor remains fully liable to you for the fulfilment of the sub-processor's obligations (see Article 28(4) of the AVG).
- Privacy rights
The processor helps you to comply with your obligations when data subjects exercise their privacy rights (such as the rights of access, rectification, erasure and data portability).
- Other obligations
The processor also helps you to fulfil other obligations, such as reporting data leaks, carrying out a privacy impact assessment (PIA) and prior consultation.
- Delete data
After the processing services have ended, the processor deletes the data or, if you wish, returns it to you. It also deletes any copies, unless the processor is legally obliged to retain the data.
- Audits
The processor cooperates with your audits or those of a third party, and makes all information available that is needed to check whether it, as a processor, complies with the obligations above (from Article 28 of the AVG).
A processor agreement must be concluded with every supplier that processes data on your behalf, including a supplier that only stores the data (such as a data center).
5. Consent
Your data processing may be based on the consent of the data subjects. The AVG sets stricter requirements for consent, so evaluate the way in which you request, receive and record consent, and adjust it where necessary. You must be able to demonstrate that you have obtained valid consent from people to process their personal data. What you process, for what purpose, and whether you share the data with third parties, you describe in a privacy statement. Record the moment at which you obtained consent and the version of the privacy statement that applied at that time.
Withdrawing consent must be as easy for people as giving it.
6. Duty to report data leaks
The duty to report data leaks remains largely the same under the AVG. The AVG does, however, impose stricter requirements on your own register of the data leaks that have occurred in your organization: you must document all data leaks. This documentation must allow the Dutch Data Protection Authority to check whether you have complied with the reporting duty. This goes further than the current record-keeping requirement of the Wbp, which only covers the data leaks that were reported.
And how is Measuremail prepared?
Measuremail has had a sharp eye on information security from the start. For example, we believe that our systems must be optimally secured, that you should never have to enter more data than necessary, a processor agreement has been standard for years when entering into a collaboration, and we believe that everyone should use a personal account (at no extra cost). You can also store opt-in data that is relevant to your burden of proof, such as the version of your privacy statement, the conditions and the origin of the opt-in. To make this explicitly visible, we have held the Privacy Guarantee for years and recently also obtained the ISO 27001:2013 certificate.
Would you like to know more about the AVG and its impact on your organization? We are happy to organize a knowledge session on this subject. If you are interested, send an email to email@example.com.