GDPR Implementation: More than just a privacy statement …
Organizations often make mistakes when it comes to GDPR implementation, and a few misconceptions keep coming back; we discuss them in this blog. We also cover a number of implementation points, the bases for lawful data processing and the reasons for wanting to comply with the GDPR. Do you have a direct question about this topic? Please contact us so that we can schedule a no-obligation appointment.
At XY Legal Solutions we are regularly approached with questions about the General Data Protection Regulation (GDPR, or in Dutch: AVG), and we have noticed that quite a few misconceptions persist. For example, some organizations think that the job is done with a simple privacy statement. This is not the case: there is much more to it, as you will read in this blog article.
It is also often assumed that the privacy statement is just one simple document: "I found a generator on Google where I could draw up the statement myself for EUR 50! Why shouldn't I just do that?" or "I'll just copy one from another website, then I have it too…". Neither is a good idea: a privacy statement should be tailored to the organization in question. And, again, there is much more to GDPR compliance than that one document.
These misconceptions often seem to be the product of (slight) frustration. After all, on May 25, 2018 the European regulation became applicable, and suddenly costs had to be incurred that you may not have been expecting. That is quite understandable, but apart from complying with the legal obligation, there are plenty of other reasons for wanting to comply with the GDPR (think of ethical conduct and "the image of your organization", as discussed below).
A number of things in a row when complying with the GDPR
As mentioned, there is a common belief (misconception) that a single privacy statement is sufficient to be "GDPR compliant". We do not want to create a new misconception and imply that GDPR compliance is achieved by ticking off a checklist (after all, it is a continuous process). But for the sake of convenience, below we list a number of things that you should consider, in addition to the privacy statement (not exhaustive):
- Cookie statement (the GDPR in conjunction with Article 11.7a of the Dutch Telecommunications Act, also known as the Cookie Act);
- Register of processing activities;
- Register of data breaches;
- Possibly a Data Protection Impact Assessment (DPIA): a type of risk analysis that is required when processing is likely to result in a high risk for data subjects, for example large-scale processing or processing of sensitive (special category) personal data;
- Guidelines for a Data Protection Officer, if one has been appointed;
- Internal privacy statement;
- Processor agreements;
- Data breach protocol;
- Information for employees;
- Information for customers;
- And more…
Now imagine you have crossed off the list above. Is it enough to be "descriptive"? No: simply describing the current way of handling personal data within the organization is still not enough. The processing of personal data must also be lawful…
Data processing on a lawful basis: illustrated by a "funny" example
Article 6(1) of the GDPR lists the bases on which processing is lawful: the data subject has given consent (which must be freely given, specific, informed and unambiguous), the processing is necessary for the performance of a contract with the data subject (or to take steps at their request before entering into one), the processing is necessary to comply with a legal obligation (such as the obligations with regard to accounting), the processing is necessary to protect the vital interests of the data subject or another natural person, the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, or the processing is necessary for the legitimate interests of the controller or of a third party (provided those interests are not overridden by the data subject's fundamental rights and freedoms). At least one of these bases must apply to every processing operation.
It is therefore not just a matter of describing how your organization handles personal data: the data processing must be lawful under the GDPR. Let's take a somewhat extreme example:
Piet goes to the party shop because it is almost carnival. He sees a beautiful purple wig that matches his outfit perfectly. He walks with the wig to the checkout to pay for it. Just before paying, the cashier asks Piet whether he could provide some insight into the medical data of all his family members. Piet frowns and remembers a GDPR training he had at work. Educated as he is through that training, he asks the cashier to name a lawful basis for this form of data processing. "Oh, just because," says the cashier, "I think it is very interesting! I collect this information so that I can maintain a blog where I inform people about who exactly has which condition." Naturally, Piet refuses to provide this information.
The example above shows that a basis for data processing cannot simply be claimed: the processing must be lawful (and, at the very least, logical). Finding something "interesting" is not a legitimate interest, and health data are moreover a special category of personal data (Article 9 GDPR) for which processing is prohibited unless a specific exception applies. The processing of named invoices for the purpose of submitting a tax return is a clear counterexample: that processing is necessary to comply with a legal obligation.
With the examples above we want to make clear that it is important not to simply assume that the data processing within your organization is all in order.
Questions to ask about the organization when implementing the GDPR
Are you going to implement the GDPR? Then make sure you do some preparatory work by asking questions about the data processing that takes place within the organization. A number of useful questions (again by no means exhaustive):
- Do the reasons (bases) for data processing within the organization seem logical?
- Do employees have access to customers' administrative accounts from their own computers? And what happens to that access when an employee leaves?
- Does it happen that employees still have access to their work email after leaving employment?
- Is a company laptop used, and if so, does it give employees access to a secured working environment?
- Have the employees been informed about GDPR-related subjects?
- What is done when a data breach has occurred?
GDPR compliance is important for several reasons
Compliance with the GDPR is important for several reasons. It is of course the case that the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has strong sanctioning powers: fines can run up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. This is definitely a strong reason to comply with the GDPR: you want to avoid such risks. Yet at XY Legal Solutions, we believe this is not the most important reason. Compliance with the GDPR is also closely tied to personal responsibility and to ethical behavior. As an organization you should want to comply with the GDPR because it benefits customers and other stakeholders. You send out the right signal, and this automatically instills confidence.
During various GDPR projects at organizations, as well as during ISO 27001 work, we have repeatedly noticed how positively a GDPR-compliant way of working is received. It radiates reliability and professionalism, and that ultimately delivers many benefits for an organization (larger deals are closed more easily, for example). Taking GDPR implementation seriously is therefore not only an ethically correct choice: it is also a worthwhile investment.
The way XY Legal Solutions works for GDPR implementation for companies
At XY Legal Solutions we support various organizations with the correct implementation of the GDPR rules. We follow an efficient working method:
Step 1: The baseline measurement. How are things currently going? Which documents are available, and which parts of the GDPR have been implemented correctly and which have not? What is known about the GDPR within the organization, and how is it complied with?
Step 2: Analysis and planning. Once we have the necessary information from the baseline measurement, we determine what the organization needs. We plan the work in a logical order and prepare appropriate questions.
Step 3: Questionnaires and consultations. We share the questionnaires and schedule consultations with the responsible persons. Based on the answers received, we can get started with step 4.
Step 4: Advice and implementation. We advise on areas for improvement and prepare the necessary documents for the organization in the correct manner.
Step 5: Aftercare. We support the implementation of the new GDPR way of working and come back after 6 months to check that everything has gone well. After that, we schedule an annual appointment to keep everything up to date.
Curious about the possibilities with GDPR implementation for your organization? We always follow up with a customized GDPR quotation after a free, no-obligation exploratory meeting. Schedule this meeting by filling in the contact form, or directly call 030 – 227 03 86.