Data & Intelligence September 08, 2017
GDPR: amended rules for the protection of personal data
We are receiving more and more questions about the European General Data Protection Regulation (GDPR), or in Dutch: Algemene Verordening Gegevensbescherming. In this blog, we would like to inform you about some of the core principles of the GDPR, its current legal status and the implications of this new piece of privacy legislation for the Netherlands.
In a nutshell
The GDPR will come into effect on 25 May 2018. From that moment on, privacy legislation of the EU member states will have been harmonised. The GDPR brings a number of changes with it. In short, it will provide more protection for the rights of individuals whose personal data is processed (the data subjects). Their privacy rights are strengthened and expanded. In general, the data subject must be informed in clear language about the purpose of the process of collecting personal data, about who receive such data and for how long the data will be stored. The data subject should also have the possibility to gain insight in which personal data has been processed and to have such data amended or deleted. An example of a new right under the GDPR is the right to data portability which allows data subjects to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, for example e-mails held by an e-mail provider.
Additionally, the GDPR results in a higher degree of responsibility for organizations which process personal data. This includes controllers (organizations which determine the purpose and means for the process) and processors (which only process personal data on behalf of a controller). Processing parties are required to show accountability and governance. They need to do so by implementing appropriate organisational and technical measures to ensure that data will be securely processed. Examples include the possibility to easily unsubscribe from e-mails used for direct marketing purposes, an internal protocol regarding the notification of data breaches and maintaining a high security level of IT-systems where (sensitive) personal data is being stored. In the case of non-compliance with such obligations, Data Protection Authorities (in the Netherlands the Dutch Data Protection Authority) can impose major financial sanctions to the infringing party.
At this moment, the Dutch law regarding the national implementation of the GDPR is still in draft form. Some relevant aspects still need to be further filled in. Shortly after finalization of the Dutch law, we will provide you with a more detailed update. Obviously, in the meantime we are fully focused to prepare ourselves for the new legislation.