Entrepreneur, pay attention to the privacy of your customers
Since a month ago, all organizations in the private as well as the public sector, businesses included, are required to bring their operations in line with the new privacy rules. They get 2 years to do this, because the General Data Protection Regulation (GDPR) applies directly throughout Europe from May 25, 2018. After that date any person can hold each of these companies to account for its compliance with the GDPR, and companies run the risk of a maximum fine of 20 million Euros, or 4% of their annual worldwide sales.
The GDPR has a major impact on every company that processes personal data. This does not only concern big companies like Google, Facebook or Twitter: SME companies that process personal data also have to comply with the new regulation.
Amendment of the Personal Data Protection Act
In view of the GDPR, the Dutch legislator has already amended the Dutch Personal Data Protection Act as of January 1, 2016. Key points of that change are the notification requirement for data leaks and, perhaps even more important, the power of the Dutch Personal Data Authority to impose fines. Since January 1, 2016 the Dutch Personal Data Authority is entitled to impose fines on companies of up to €820,000, or 10% of their annual worldwide sales.
Six focus points for entrepreneurs with respect to the new privacy legislation
- Notification requirement for every company that processes personal data.
- The Dutch Personal Data Authority has the power to impose fines.
- From now on, companies have to better inform citizens about the processing of their personal data.
- Companies have to make data portable, which means that persons concerned should be able to move their personal data between companies.
- Companies also have to appoint a “data protection officer” (or data officer) if they collect large quantities of special personal data, or if collecting personal data is their main activity.
- The person responsible for the data can be required in some cases to perform a ‘data protection impact assessment’ prior to the processing.
Assessment in different forms
A data protection impact assessment is needed especially when new technologies are used that carry a high risk to the rights and freedoms of the persons involved. Think of discrimination, identity theft or fraud, financial losses, reputation damage, or any other considerable economic or social damage. The supervisory authority, which in the Netherlands is the Dutch Personal Data Authority, draws up a list of the types of processing activities that require a data protection impact assessment. The person responsible consults the data protection officer on whether such an assessment is necessary.
If the processing of personal data involves a high privacy risk, the person responsible has to conduct a so-called Privacy Impact Assessment (“PIA”). This impact assessment is a risk analysis of the privacy impact of new systems and processing, profiling, sensitive processing, and special data. It includes a description of the risk analysis, the measures to be taken, the guarantees given, and a demonstration that those measures and guarantees work.
If you regularly deal with personal data and you want to know if your organization complies with the new obligations under the changed law and effective regulation, please contact Fruytier Lawyers in Business. We will gladly advise you.