Know what you're collecting!
On 25 May 2018, the General Data Protection Regulation (GDPR) becomes applicable across the EU, including the Netherlands. The GDPR is the EU's new privacy law, which regulates the lawful and fair processing of personal data by businesses and government bodies. The emphasis is on strengthening and extending privacy rights, stricter requirements and increased responsibilities for organisations, and uniform powers for all privacy regulators across Europe. Organisations have had since May 2016, when the regulation entered into force, to bring their operations into line with the GDPR. As a partner at Considerati, Bart Schermer advises companies on conforming to the new regulation. He spoke to SIDN Connect about how to get started preparing for 25 May.
Equal rights, equal opportunities
"The importance of the new legislation lies in the fact that it's about personal information and handling that information appropriately. There's a lot of scope for things to go wrong where personal data is concerned, especially if you don't have your security in order. People can have all sorts of negative experiences with the processing of data," Bart points out. The new legislation additionally creates a level European playing field for organisations, hosting service providers, registrars and other stakeholders. "Whether you operate in France, the Netherlands or anywhere else in the EU, you'll soon have to comply with exactly the same rules," Bart sums up.
Start at the beginning
"The GDPR identifies twenty things you've got to take care of. At first, it looks like twenty separate rules, but they're actually all related. If you take an integrated approach and clearly identify who within your organisation is responsible for each point, you make everything as relevant as possible for the departments that have to ensure compliance," Bart explains.
As with any process, the first step is to establish where you currently stand. "Where the GDPR is concerned, that means asking two questions: what data processing currently goes on in our organisation and what are we doing to protect the data involved," Bart continues. "That's how we always start a project. And, very often, the client doesn't know the answers. But building a picture of the current situation has to be the starting point. That's what defines the risk and the urgency of putting through certain measures."
Security and an appropriate access policy are central to compliance. As Bart points out, "Security can be realised in many different ways, including password protection and access policy. Who can see what data and under what circumstances? Other possibilities include encryption – storing data in encoded form – and using firewalls and antivirus software. All normal information security measures have to be used for personal data protection as well."
"For information security, the main thing is to do a thorough risk assessment, because your security measures need to be proportionate. But, in order to decide what's proportionate, you need a clear picture of the data processing that goes on within your organisation."
"The GDPR is quite a bit stricter than the existing law. Until now, not many people gave much thought to privacy legislation. But when the GDPR comes in, companies are going to have to give the subject a lot more attention, or they could be facing hefty fines. And there are significant implications for hosting service providers. Any data controller that uses a hosting service provider is now obliged to choose one that complies with the requirements. As a result, data controllers will seek to mitigate the risk of fines by insisting on contracts in which the hosters promise to do everything by the book. So the GDPR will drive privacy awareness amongst data controllers. But it'll also promote awareness amongst the general public. And that will trigger a whole new debate."