Legislators within the European bloc give great importance to protecting the privacy and confidentiality of individuals' data, as it is an integral part of European national security and the internal security of member states. For this reason, the European General Data Protection Regulation (GDPR) was applied on May 25, 2018 to all member states of the European Union.
General Data Protection Regulation (GDPR) – European Union
“GDPR” is an abbreviation for “General Data Protection Regulation,” which is a set of rules and laws established by the European Union to protect the rights of all citizens of the Union.
It was approved on April 14, 2016 by the European Commission.
The regulation was implemented in May 2018. It grants users the right to remove their data, partially or completely, from the Internet, which is considered an advanced step, according to “Euronews” on January 27, 2017.
Under the regulation, users must also consent to the handling of their data, according to “DW” on March 17, 2020.
General Data Protection Regulation (GDPR) controls – European Union
The General Data Protection Regulation (GDPR) strengthens citizens' rights to protect their data. It establishes a number of controls, the most important of which are:
- The right to consent: The user has the right to give explicit and clear consent before a company may process their personal data, unlike in the past, when companies treated a user's silence, or failure to change their data settings, as consent.
- Portability: The new law established the right of users to transfer their data and reuse it in other services.
- The right to erasure: Internet users within the European Union can now request the erasure of their personal data.
- The right to be forgotten: The latest European regulation codified a principle previously approved by a European court in 2014, through which Google was forced to grant European users the right to delete any information or links that they did not wish to be associated with their names in the digital space.
Processing Register
All processing operations are mapped out in a processing register, including the categories of personal data that are processed, the processing purposes, the bases used and the retention periods applied. With one exception, every organization must have and maintain a processing register.
Processing Agreement
If an organization uses a processor, the arrangements with that processor must be recorded in a processing agreement. The GDPR lists the minimum topics that must be addressed in the processing agreement, but otherwise leaves the parties free to shape it. It is therefore important to review such an agreement critically, especially because a processor processes data under the responsibility of the organization that has engaged it. Since processors have more obligations under the GDPR than before, it is also important for processors to have a good processing agreement with their clients.
Privacy Statement
The GDPR requires every organization to inform data subjects about various topics. It is customary to fulfill that obligation by publishing or providing a privacy statement or privacy memorandum.
This includes, among other things, how the organization processes personal data and what the rights of data subjects are in this regard. The transfer of personal data abroad can also be included. For the staff, this information can also be included in an employee handbook, for example.
Privacy Policy
A privacy policy is not mandatory as such, but it is necessary in order to comply with various obligations under the GDPR.
In this (internal) policy document, the organization describes how personal data is handled practically and organizationally within the organization, how security is arranged (technically and organizationally) and how requests from data subjects and data leaks are handled. If desired, reference can be made to other documents.
Data protection impact assessment ('DPIA')
Some organizations must have a DPIA carried out for certain types of personal data processing. With a DPIA, certain privacy risks can be identified in advance, after which measures can then be taken to reduce those risks. A DPIA is mandatory, among other things, for large-scale processing of special personal data (for example medical data) or for the systematic and extensive assessment of personal aspects of data subjects (such as profiling).
Data Protection Officer ('FG')
In certain cases, organizations must appoint an FG. This person internally monitors compliance with the GDPR, informs and advises on the GDPR, works with the British Data Protection Authority if necessary and has a special (employment law) position within the organization. Government agencies, among others, are obliged to appoint an FG. The same applies to organizations that process special personal data on a large scale or to organizations that regularly and systematically observe data subjects on a large scale (for example through camera surveillance or via apps or wearables).
Incident Register
Every organization must record personal data breaches, regardless of whether this is a data breach that must be reported to the British Data Protection Authority and/or made known to the relevant data subjects.
This obligation can be fulfilled, for example, by keeping an incident register. If desired, the British Data Protection Authority can inspect this register and check whether the obligation to report and disclose data leaks has been fulfilled. In addition, the register is also a useful tool for discovering trends and preventing data leaks.
Security
Both the controller and the processor must ensure that the personal data they process is appropriately secured, both technically and organizationally.
What constitutes appropriate security depends on the specific processing and the associated risks. Security must always reflect the 'state of the art', so that it is kept up to date. In addition, the implementation costs and the nature, scope, context and purposes of the processing also play an important role in determining the required level of security.
This concerns not only technical security, but also the internal organization of the controller or processor, including who has access to personal data, password management and usage instructions. The GDPR itself gives examples of security measures, including encryption, confidentiality, making backups and having a security policy.
Data Breach Protocol
A data breach must be reported to the British Data Protection Authority by every controller within 72 hours of discovery and, depending on the nature of the data breach, must also be made known to the relevant data subjects as quickly as possible. If this obligation is not fulfilled in a timely manner, the British Data Protection Authority may impose a fine. This happened, for example, in the Uber data breach that was not reported in a timely manner.
To prevent this, all incidents relating to personal data must be reported in a timely manner and to the right person, and everyone involved must know how to deal with them. This procedure can be recorded in a data leak protocol.
Other Regulations
In addition, privacy-related obligations are also imposed on organizations in other regulations. An example of this is the regulations regarding direct marketing via e-mail under the Telecommunications Act.
FAQ About General Data Protection Regulation (GDPR) Compliance
Privacy and the handling of personal data are becoming increasingly important. Organizations must handle the personal data of others correctly; if they do not, it could lead to a data breach. In some cases, it is reported in the news that an organization does not comply with privacy legislation, or a fine is even imposed.
Organizations are legally obliged to comply with the rules of the General Data Protection Regulation (GDPR). The GDPR determines how organizations must handle personal data.
The GDPR applies to all organizations. The reason is simple: almost every organization processes personal data.