GDPR: what does it mean for you?

If your business or organisation works with personal data, the General Data Protection Regulation (GDPR) privacy law applies. This law states how you should handle personal data. Take 10 steps to comply with the privacy law.

1. Check what kind of personal data you process

Make an inventory of which personal data you process. Personal data is any information that is directly about someone or that can be traced back to someone, such as their name, address, and telephone number. But also customer and staff numbers, online purchasing behaviour, and video and audio recordings on which a person is recognisable.

In addition to 'regular' personal data, there is also special personal data. This includes, for example, a person's health or criminal records, or political affiliation.

Finally, there is sensitive personal data. This includes the citizen service number (BSN) and financial data. You are only allowed to work with special or sensitive personal data when you have legal grounds to do so.

2. Check whether you have a good reason to process personal data

You must have a good reason to process personal data.

The GDPR lists 6 reasons:

  1. You have permission from the person concerned. Example: Someone wants to receive your newsletter and clicks ‘yes’ to give permission.
  2. You must retain personal data in order to fulfil an agreement. Example: A customer orders a product online. You use the address details to deliver the product.
  3. You are legally obliged to retain data. Example: You save your employees' salary details because the law requires it.
  4. You save personal data to protect someone's life or health. Example: In the event of an accident, a doctor passes on medical information to emergency services to save lives.
  5. It is necessary to save personal data to fulfil a task in the public interest or to exercise public authority. Example: A municipality uses personal data to apply for passports or to organise elections.
  6. You save personal data to protect the interests of the organisation. Those interests must outweigh the rights of those involved. Example: A business uses security cameras to prevent theft in a shop. 

3. Check if you need a data protection officer

In some organisations a Data Protection Officer is required. This is someone who oversees the application of, and compliance with, the GDPR within the organisation. This officer is mandatory for:

  • Government and public organisations;
  • Organisations and companies that monitor individuals on a large scale as part of their core activities. Examples are camera surveillance and monitoring someone's health;
  • Organisations and companies that process special personal data on a large scale and for whom this is a core activity. Special personal data are, for example, data about someone's health, race, political views, religion, or criminal record.

4. Check if a risk analysis is mandatory

When processing data with a high privacy risk, a data protection impact assessment (DPIA) is mandatory. If the DPIA's analysis shows that the risks are high, then you must take measures to reduce them. You must perform a DPIA if you:

  • Process special personal data;
  • Systematically monitor people on a large scale in publicly accessible areas, for example with camera surveillance;
  • Combine data in such a way that a person can be classified into a certain category or group and can therefore be contacted or assessed. This is called profiling.

5. Work according to the principles of ‘privacy by design’ and ‘privacy by default’

Make sure that you properly protect personal data during the design phase of new products or services. This is called 'privacy by design'.

The default settings of your product or service should also be privacy friendly. For example, a box on a web form should not be pre-ticked by default. Or do not ask someone who wants to subscribe to your newsletter for more information than is necessary. This is called 'privacy by default.'


6. Check if you have to set up a register of processing activities

Almost all businesses and organisations store personal data on customers, suppliers and personnel, for example. You are often obliged to keep a processing register. This is an overview of all the types of personal data you process. The register must meet a number of requirements.

For example, you record the purpose of the data processing, how long you will keep the data, and who else has access to the data, such as an accountant or supplier.

7. Protect personal data

The GDPR states that you must protect personal data. A few measures can prevent your own personal data and that of your customers from falling into the wrong hands. This way you can prevent a data breach and the misuse of that data. Determine which measures are necessary. Is your digital way of working secure? Use this checklist to make certain.

8. Make agreements with parties that process personal data for you

Ensure a good processing agreement with the organisation to which you outsource data processing. As an entrepreneur, you must be sure that they also handle your data securely.

Does another business work with personal data that you have collected and stored? For example, an accountant or bookkeeper? If so, you are obliged to enter into a ‘data processing agreement’.

This includes explaining the processing of data, confidentiality, security and privacy rights. You must be certain that they will also handle your data securely. You remain responsible.

9. Check if you comply with the information obligation

Create a privacy statement in plain language. Include what you do with personal data, what you use it for, how long you keep it and why it is important. Make sure this statement is easy to find. Customers have the right to know what happens to their data. You have a duty to inform them about this.

10. Ensure that people can withdraw their consent

If you process personal data of, for example, customers, employees and suppliers, these people have the right to decide what happens to their personal data. A customer can, for example, withdraw their consent. They can also ask what personal data you have stored about them. Make sure you offer these options.

Do you no longer have a good reason to process personal data, or a good reason to keep that data? Then you must delete that data. The person whose data you have processed or stored has the 'right to be forgotten'. This means that the organisation must ‘forget’ this person.

Individuals can file a privacy complaint with the Dutch Data Protection Authority (AP, in Dutch). If the complaint is valid, you can be fined.

Get started with the GDPR

Would you like to know how to handle personal data even better? Then get started with the GDPR scan (Regelhulp AVG, in Dutch) from the Dutch Data Protection Authority. The scan will help you determine how the GDPR will affect your business.