GDPR… get started!
On 25 May 2018 your organization must be ‘GDPR-proof’, in other words: you must comply with even more requirements in the area of privacy than currently apply. Each undertaking that collects or otherwise processes personal data will need to comply with the European General Data Protection Regulation.
Wait and see
Wait and see what happens? That’s simply not an option. Even now, breaches of current privacy rules can incur fines of up to €820,000 or 10% of the annual turnover, but from May 2018 onwards that can rise to as much as €20,000,000 or 4% of worldwide annual turnover. Perhaps you think it will not be so bad. However, if you do nothing, the danger of a fine is very real. In addition, think about directors’ and officers’ liability, compulsory measures, a ban on any further processing of personal data, negative publicity, and dissatisfied customers and stakeholders.
A forest of rules
There are a great many conditions that need to be complied with, and they also apply to small and medium-sized enterprises. For example: the requirement to implement an appropriate level of security for IT systems, including in many instances the obligation to pseudonymize and/or encrypt data; facilitating the data subjects (those whose personal data are being processed) in exercising their rights, such as the right to access their data and have them corrected and the right to data portability; the obligation to delete data of data subjects; obligations regarding the set-up of the organization and its systems so that the requested information can be provided quickly and effectively; effective processing agreements with all processors; the use of processors providing sufficient guarantees regarding the implementation of appropriate organizational and technical measures; the administration of all personal data processing activities, with the corresponding purposes, legal basis for the processing and retention periods; the ability to demonstrate, per processing purpose, that consent has been granted when the processing is based upon consent; the obligation to have everything in this context documented in writing and to be able to demonstrate to a regulatory body what the policy is and why certain choices have been made; the obligation to inform the data subjects regarding the processing of their personal data in a transparent and easily accessible form; and the obligation to report data breaches. And so we could go on.
In addition, in many cases it is obligatory to appoint a Data Protection Officer (DPO): this applies to government bodies and to undertakings whose core activity comprises the regular and systematic monitoring of data subjects, or the processing of special categories of personal data on a large scale. The voluntary appointment of a DPO is also possible, in which event the legal requirements regarding a DPO also need to be complied with.
It can be done. Our approach
It is essential that the management and other important decision-makers are (made) aware that something needs to be done (1. Awareness). Convert the obligations into positive objectives; an effective privacy policy is usually positive for one’s reputation and is appreciated by all stakeholders. Then, all business processes in which personal data are processed should be analysed (2. Describe all business processes). There are all kinds of tools to achieve this. What is important is that the right persons in the undertaking are involved. Once the various processes have been clearly identified and analysed, the next step is to assess what measures (really) need to be taken (3. Measures). After this the measures must be implemented (before May 2018) (4. Implementation) and then, if that is successful, the implemented measures must be continually monitored (5. Monitoring).
For specific subjects such as data breaches, it is a good idea to have a contingency plan ready so that action can be taken quickly (within the stipulated periods) and internal and external communication can be arranged with and by a team that has already been formed. The set-up of the DPO function and the person appointed to this role, together with the procedures appropriate to the undertaking, must also be carefully thought through, including raising awareness among personnel and staff.
Solutions
We fully understand that the above can be overwhelming. We shall be pleased to help you in this process. By acting promptly and in a structured manner, much can be achieved in the relatively short period until May 2018. To help you with this, we work with Richard Kranendonk of Rent-a-CIO, who specializes in IT governance and project management, and Paul Domburg, who specializes in cybersecurity. With the ‘Rent-a-DPO’ solution, we provide you with a multidisciplinary, integrated solution that combines the necessary expertise in the areas of privacy, cybersecurity, governance and project management to meet the GDPR requirements. In addition, we offer you various products and services specifically aimed at the GDPR. A modular construction allows you to easily choose what you can do yourself and what you want to have done by us, at predictable costs. For a no-obligation discussion, please contact Irvette Tempelman, Bob Cordemeyer or Christiaan Jeekel on +31 (0)23 534 01 00, or via email: info@cslaw.nl.