May 25 is the date and the General Data Protection Regulation (AVG) will apply. What needs to be done, however, is not yet clear to many. It’s important to know that you should at least “do something” before the new rules take effect.
For example, you will at least need to prepare an overview of your data registries, and you will need to formulate a privacy policy. In addition, you may need to prepare a processor agreement. This is the case when you exchange personal data with third parties. This will be the case if you use cloud services or a payroll administrator, for example.
What data needs to be AVG Proof?
Basically, any information that can be traced back to a person is covered by the AVG. In addition, a distinction is made between “ordinary” personal data and “special” personal data. Stricter rules apply to special personal data. This includes information on:
- Ethnicity,
- Political views or preferences
- Health data
- Data on sexual orientation
- Copy of ID data
- BSN number
In particular, the last 2 may appear in your records. This is the case, for example, if you employ staff.
Note that the threshold of a special personal data can be low! For example, if you hold a meeting and people can indicate that they are in a wheelchair, that says something about someone’s health. Special personal data is then involved. Advice is not to keep such data in your records.
You may retain special data only if there is a valid basis for doing so. The most common bases are:
- You have received explicit consent from the data subject
- Processing is necessary for the execution of rights and obligations in the field of labor law (this includes your payroll)
- The data subject has (already) disclosed that personal data themselves
There are more reasons to be allowed to store special data. In addition, to carry out your order, may be a basis for retaining your client’s data. Be sure to ask for explicit permission, then, to keep that special data.
Action Item 1: Review what data you currently keep in your records. This could include data in your (financial) administration package, physical files and/or the internal folder structure. Then map out the basis on which you keep that data, what you do with that personal data, and the retention period.
Creating a Privacy Policy
To comply with the law, you must have a privacy policy (privacy policy). This is a document in which you declare your compliance with the AVG, why you collect information, and the reason behind it.
There are several models available on the Internet for formulating a Privacy Policy. If you use such a model, you will soon realize that you are already in compliance with most of the conditions of the AVG. Also, you will also become aware of the requirements of the AVG for companies.
Action Item 2: Review some Privacy Policies and then draft your own.
Make these available to stakeholders of your organization, through your website, for example.
To process or not to process?
You may also need to create a processor agreement in addition to a Privacy Policy. This is the case when you exchange personal data with third parties. You then enter into an agreement with the party processing personal data on your behalf.
Regarding processors, you can think of an online administration package, your payroll processor, tax advisor or, for example, your cloud administrator. Both parties are responsible for drafting such an agreement. In practice, it often happens that the big market players offer you a deal.
Currently, there is still ambiguity among specialists as to when such an agreement would be necessary, and in what situations a processor is involved.
Evaluating your current security
According to the size of your business, and the data you hold in your records, you should have adequate security. How far you should go in this is yet to be crystallized in coming juris prudence.
At a minimum, you must ensure that people who do not (or no longer) have authority to access personal data cannot access it. Therefore, at least make use of passwords, and change them periodically as well.
Depending on whether the information is confidential in nature, you can take stronger measures. You can consider technical measures such as using 2-step verification (password + text message) and/or double securing confidential documents with an additional password on the document. You can also take organizational measures such as allowing only certain employees to access data.
Take care of security on other devices as well!
In addition to business computers, you should also consider cell phones, laptops, tablets and other devices that provide access to your data. For a mobile, it is advisable to use PIN and/or fingerprint security. After all, a swipe password can be cracked more easily than a PIN.
Besides security through passwords, you should also make sure that all ICT software, is up to date. This includes firewalls, antivirus software and Windows/Apple updates.
Securing physical files
Papers present in a physical state within the organization, and containing personal data, should be stored in a cabinet that can be locked.
No storing data outside the EU
The AVG states that data must be stored within the EU. If you use Dropbox, for example (U.S. servers), you may be at risk of not complying with the AVG. It is therefore recommended that you look into alternative options for keeping your data within the EU. Here you can think of a cloud solution, or a well-secured local network.
Making backups
To protect personal data from loss or theft, back up. In addition, you must ensure that that data is properly protected. Do you keep a backup on an external hard drive or a local server? If so, it is advisable to keep those records in a safe and/or a fireproof cabinet. It is also advisable to keep such data in another location.
Direct Marketing and approaching prospects
Are you deploying direct marketing to target customers? If done digitally (email), you need permission to contact the prospect that way. If you make contact by phone, you do not need an agreement.
Reporting a Data leak
A data leak occurs when personal data is lost. This is the case, for example, if personal data on a USB or laptop is lost due to theft or a fire.
Those to be notified may be the individuals whose data was leaked and/or the AFM. Failure to report a data leak may be punishable by a fine. When to report depends on the situation. If there is a risk that data breach will harm the data subject, in most cases you will have a duty to notify.
If there are multiple USBs or laptops used in your organization, it may be wise to inventory them and, as a procedural measure, number the devices. This allows you to keep an overview of the devices within your organization that have personal data on them.
In conclusion
There are several providers on the market for AVG “proofing” your organization. We used the AVG program from the AVG Foundation. In any case, make sure that you have clarified your data records, assessed the security and that a privacy policy is in place. If you have taken those steps, your organization is (probably) already largely compliant with the law.
In terms of enforcement, don’t expect too much risk. The Personal Data Authority has already indicated that it does not have sufficient budget to adequately monitor compliance with the AVG. In addition, you need to understand that the AVG is specifically designed to prevent extensive data breaches. In that sense at least, the big companies will have to get their act together. Smaller companies will be “targeted” to a lesser extent. With that said, we do of course recommend that you comply with your legal obligations, and most importantly, ensure adequate security. In addition, it may be wise to have the measures taken reviewed by an expert.
Although this article has been compiled with the greatest care, you cannot derive any rights from it.