The most important questions about the General Data Protection Regulation answered

As of the 25th of May 2018, the General Data Protection Regulation (GDPR) will be effective. From this date, the same privacy legislation applies to all countries in the EU. Handling personal data incorrectly can then result in a hefty fine for your company. That is why it is important to delve (more) into the GDPR and to prepare yourself with the right measures.

What is the current state of affairs regarding the General Data Protection Regulation?

The General Data Protection Regulation came into effect in the spring of 2016, but we are currently in an intermediate period. This allows companies and organizations to meet all rules and components of the regulation before it takes effect. After all, the GDPR has major consequences for organizations that manage and process personal data; we will tell you more about this later on.

Empowerment is the most important reason for the switch to the GDPR. Citizens will have more control over and what happens to their data. Organizations should be clear about why they need certain (personal) data and why they use such data. Citizens, in turn, can easily request insight into the saved data, revoke consent, submit complaints, and use the right to be forgotten.

What will be changing with the implementation of the General Data Protection Regulation?

The European privacy legislation is much stricter than current local legislation in the various Member States. Fines can rise to 4 percent of the annual turnover or 20 million euro. It’s good to take this into account. In the Netherlands for instance, the data breach notification obligation applies since the 1st of January 2016. This means that companies and authorities should immediately report serious data breaches. They should also, in some instances, report the data breach to the data subjects whose personal data got leaked. A similar reporting obligation is included in the GDPR. A new thing is a right to data portability, in other words, transferability of personal data. This means that citizens have the right to receive the personal data an organization saves about them.

Companies and authorities should make data protection really a top priority from the 25th of May next year. They need to get control over which data they process and what happens with this data. This means that they should map exactly where the data comes from, how they are protected and who has access to them. International organizations that process data of European citizens also should meet the requirements of the GDPR, even if they don’t have a European office. Before they approach customers, they should investigate what the impact on the privacy will be.

The appointment of a Data Protection Officer (DPO) is also important. This is the one who is responsible for the reporting obligation and who has an independent position within the organization. Keep in mind that this person will, therefore, be less easily fired.

Which steps should I take to prepare for the General Data Protection Regulation?

Ideally, organizations use the current intermediate period to map which measures are still needed to meet the GDPR. Does everybody within the organization exactly know what the new privacy rules mean and what their impact is on the processes and recourses? Make clear with a time planning which actions are needed at what time and how much budget is needed for these actions.

Besides, you can already start with the following steps:

  • Map which personal data are processed, for what purpose, where they come from and with whom they are shared.
  • Create awareness, train employees in device and data protection and make agreements (for example, about access and rights). Also, read the 6 ways to prevent yourself from data breaches.
  • Think about who (within the organization) should be the Data Protection Officer. The longer you wait, the more difficult it will be to find a suitable DPO.
  • Bring data safely together at one place to make it all manageable. Delete old and redundant data and check who has access to which data.