What do I need to know about the GDPR legislation?
The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. This means that from that date on there is a single privacy law across the EU. The Wbp no longer applies, but the basic principles of that legislation still form the core of the new GDPR. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) monitors compliance with the statutory rules for the protection of personal data.
Privacy legislation
Privacy legislation isn't new. Until the GDPR took effect, each member state within the European Union (EU) had its own privacy law. These national laws were all based on the 1995 European Privacy Directive. In the Netherlands, the national implementation of this directive was the Personal Data Protection Act (Wbp).
What is the general purpose of the GDPR?
The overall purpose of the General Data Protection Regulation is to protect EU citizens in the area of privacy regulations and personal data. The GDPR provides rights regarding personal data shared with organizations that collect, store, and process such data.
Who does the GDPR apply to?
The GDPR applies to any organization that collects personal data from EU citizens. An organization does not need to be established in the EU to be subject to the GDPR. If an organization is located outside the EU and collects personal data from within the EU, the GDPR applies to that organization.
What will change?
The new GDPR tightens regulations from the current Personal Data Protection Act. Ultimately, much remains the same. Data minimization, the right to be forgotten, information obligations, and data processing agreements have always been part of the law, albeit sometimes under different names.
A sound privacy policy, a clear privacy statement, sound agreements between data processors and controllers, and a data breach procedure also remain important.
Many existing rules have been significantly tightened in the new GDPR, and several new obligations have been added. Greater emphasis is placed on the responsibility of organizations themselves to comply with the law and to be able to demonstrate compliance.
What can I do myself?
As an organization, you can already take steps to be GDPR-ready. To help you, the Dutch Data Protection Authority has listed the 10 most important steps.
What is personal data?
The GDPR specifies that personal data is any information relating to an identified or identifiable natural person. There are many types of personal data. Obvious data include a person's name, address, and place of residence. But telephone numbers and postal codes with house numbers are also personal data. Sensitive data such as a person's race, religion, or health are also called special categories of personal data. These are given additional protection by law.
What does processing personal data entail?
Processing refers to all actions an organization can perform with personal data, from collection to destruction. The law lists the following as examples of processing: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure, and destruction of data.
The law stipulates that an organization may only process personal data if it is necessary for a specific purpose.
Processing principles
The GDPR introduces core principles that all processing of personal data must comply with:
- personal data must be processed in a fair, lawful and transparent manner;
- personal data may only be processed for a specific, explicit purpose;
- only personal data that are necessary for the purpose may be processed;
- data must be correct and current;
- if identification is no longer necessary for the purpose, the personal data must be erased or anonymised; and
- the personal data must be secured by means of technical and organisational measures.
Controller/processor terminology
The GDPR uses the terms "controller" and "processor" instead of the terms "responsible" and "processor" from the Personal Data Protection Act (Wbp). The Dutch translation of the GDPR provides the following definitions:
Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. These are Teqa's customers who purchase i-Reserve.
Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. This is us as an organization: the supplier of i-Reserve, which also hosts i-Reserve.
The data subject
The data subject is the person whose personal data an organization processes, that is, the person to whom the personal data pertains. These are your customers, the end users.
Processing special personal data
In addition to regular personal data, the law also recognizes special personal data. This is data that is so sensitive that processing it could seriously compromise someone's privacy. Under the GDPR, processing special personal data is prohibited unless an exception applies.
Special personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, sex life, or sexual orientation. Such data may therefore only be processed under very strict conditions.
What are the most important changes for organizations?
If the General Data Protection Regulation applies, organisations that process personal data have more obligations.
Consent
A new requirement is that the organization must be able to demonstrate that it has obtained valid consent from individuals to process their personal data. Furthermore, it must be just as easy for people to withdraw their consent as it is to give it. This must be an 'unambiguous' expression of will. So, no more pre-ticked boxes! The request for consent must be clear and understandable and presented in simple language.
Ultimately, as an organization, you must be able to prove that the data subject has given consent. The data subject has the right to withdraw consent at any time and must be informed of this right.
PLEASE NOTE:
Requesting consent for the recording of personal data is not always necessary. For example, consent is not required as long as the data being recorded is limited to what is necessary for the performance of the agreement entered into. In other cases, you must request consent. To find out what applies to you, you can find more information at the Dutch Data Protection Authority.
Administrative Obligation:
The GDPR imposes a documentation obligation, meaning that the organization must be able to demonstrate that it is acting in accordance with the GDPR. This includes consent, information provided, data subject rights, data security, processing minimization, and agreements with processors. Therefore: Map out the data processing activities within the organization. Many organizations will need to update their privacy statements, and this is important. Failure to have a (complete) privacy statement will soon result in a hefty fine.
As soon as the GDPR applies, the obligation under the Wbp to notify data processing operations to the supervisory authority lapses. Instead, organizations must themselves maintain a register of processing activities ('processing register') that take place under their responsibility.
Data Processing Agreement:
Concluding a data processing agreement is nothing new, as it is already mandatory under the Dutch Data Protection Act (Wbp). Under the GDPR, the data processing agreement applies between the controller of the personal data and the party processing the personal data on its behalf (the processor). What is new, however, is that the GDPR specifies several mandatory elements of this agreement, including:
- the purpose of the processing;
- the type of personal data being processed;
- the categories of data subjects;
- that appropriate security measures will be taken;
- that the processor cooperates with audits to verify whether the processor complies with all obligations; and
- that, after processing, the personal data are destroyed or returned to the controller.
From now on, the processor will no longer be allowed to engage an external party to process personal data without prior written consent from the controller.
Privacy Impact Assessment (PIA)
In Dutch a 'gegevensbeschermingseffectbeoordeling', the PIA is an indispensable tool for organizations to estimate or evaluate the privacy impact. Through the use of the PIA, the protection of personal data can be incorporated in a structured manner into the balancing of interests and decision-making within organizations.
The PIA specifies why, how, and for how long personal data are processed. A Privacy Impact Assessment is mandatory if processing personal data, particularly using new technologies, poses risks to data subjects.
Data Breach Notification Requirements:
We already have this requirement in Dutch law: data breach notification. This requirement is also incorporated into the GDPR and remains largely unchanged. However, the GDPR does impose stricter requirements on your own record-keeping of data breaches that have occurred within your organization. You are required to document all data breaches.
Prevent stress by planning in advance how you'll respond if a security risk occurs. For example, as the data controller, in some situations you must report a data breach to the Dutch Data Protection Authority within 72 hours. If the breach is likely to pose a high risk to the individuals whose data is affected, they must also be notified. Therefore, define a security incident workflow in advance, allowing the right people to make timely decisions about the actions to be taken.
The Dutch Data Protection Authority has published policy rules on data breach notification.
You may need a data protection officer.
A data protection officer (DPO) is an independent person within the organization who advises and reports on compliance with the GDPR. While the DPO wasn't mandatory under the Dutch Data Protection Act (Wbp), it is required under the GDPR in some situations. The law requires a DPO when you process sensitive personal data such as health data on a large scale, or if you regularly observe people (physically or digitally). A DPO can be appointed internally, but can also be appointed externally.
Rights of the data subject
Personal data must be processed in a manner that is lawful, fair, and transparent with regard to the data subject. Transparency is paramount: the data subject must be informed about what happens to their personal data. Everything must be communicated in simple and clear language.
In addition to the well-known right of access, rectification, and objection, the data subject also has under the GDPR:
- the right to be forgotten;
- the right to data portability (the transferability of personal data);
- the right to restrict processing; and
- the right to object to certain processing. The data subject has the right to object at any time to the processing of their data for direct marketing purposes. If the data subject files such an objection, their data may no longer be processed for marketing purposes.
Right of access:
A data subject has the right to obtain from the controller confirmation as to whether their personal data is being processed. Where personal data is being processed, the data subject has the right to information about this data. The data subject has the right to information about, among other things:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients to whom the personal data are provided;
- the storage period;
- the fact that the data subject has the right to request rectification, erasure or restriction of processing and the right to object;
- the fact that the data subject can lodge a complaint.
Right to rectification and right to object
A data subject has the right to obtain from the controller the correction of inaccurate personal data. This must be done without undue delay. The data subject may object to certain types of data processing, as a result of which the processing of their personal data may have to be stopped. Consider an organization that uses personal data for marketing purposes. (Currently, an absolute right to object already exists for direct marketing. If a data subject exercises this right, you may no longer contact them for marketing purposes.)
Right to be forgotten
In some situations, the data subject has the right to have their data completely erased. The GDPR adds extra grounds for this right and introduces the right to be forgotten. This means that the controller must erase personal data without undue delay, for example when the personal data are no longer necessary for the purposes for which they were collected or are being further processed. It is also mandatory to inform the parties with whom you have shared the data of such a request, so the names of these parties must also be shared with the data subject. The controller must take reasonable measures to erase the data, and also to erase any link, copy, or reproduction of it.
Also check out the option to automatically anonymize in i-Reserve.
Right to data portability
The GDPR introduces the right to data portability, or the transferability of personal data. This means that you may receive requests from your customers to make their personal data available. This concerns all digital data that an organization processes with the consent of the data subject, plus the data necessary to perform a contract. Search history or location data also fall under the right of portability. As an organization, you are then legally obliged to provide the data in a 'structured, commonly used, and machine-readable' format. You can prepare for this by already thinking about how you will make the data available. For example, via a tool that allows your customers to download their data directly in a secure manner.
If technically possible, the controller must forward the data directly to another controller. This can be done, for example, via an Application Programming Interface (API), which connects your system to that of another party.
In i-Reserve, data subjects can download their own data, the administrator can export it, and data can be forwarded via an API.
Privacy by default and Privacy by design
The GDPR introduces an obligation to protect data through standard settings (Privacy by default) and through adjustable functionality (Privacy by design) within the software.
The Privacy by Default requirement means that you must implement technical and organizational measures to ensure that, by default, you only process personal data that is necessary for the specific purpose you intend to achieve. For example, where users can adjust their privacy settings themselves, they should be set to the highest level by default.
The Privacy by Design obligation means that you must ensure that personal data is protected when designing products, services and organizational processes.
Examples:
- When offering an app, do not let users register their location if it is not necessary;
- Do not pre-check the box 'Yes, I want to receive offers' on the website;
- If someone wants to subscribe to a newsletter, do not ask for more data than necessary.
See what i-Reserve does to secure and protect personal data.
Security must be in order – and remain so
Protecting personal data is crucial. Without encryption, two-factor authentication, and the ability to separate and securely erase personal information, your organization is taking a significant risk.
Violations and Sanctions:
The maximum fine per violation of the former Privacy Act (Wbp) was €900,000. The GDPR grants national supervisory authorities greater powers to sanction violations of the GDPR. The fines are substantial, reaching up to €20 million or 4% of global annual turnover if an organization fails to comply with the law's requirements. Fines in the Netherlands are issued by the designated supervisory authority: the Dutch Data Protection Authority (AP).
Looking for details? You can also find answers to frequently asked questions at autoriteitpersoonsgegevens.nl.
Cookies, spam, email, telemarketing, and the GDPR
Rules for the handling of electronic communications such as cookies, Wi-Fi tracking, email, etc., are not laid down in the GDPR. You will find this in the ePrivacy Directive – existing European legislation that is receiving an update in 2018. The ePrivacy Directive is also known as the Cookie Law. The European Union hopes to launch the updated rules together with the GDPR, in order to offer citizens more protection for their personal information in one fell swoop. More generally, this legal text lays down the rules that organizations must follow to guarantee the confidentiality of digital communications.
