By Richard van Schaik and Róbin de Wit
Last week, the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) published a step-by-step plan for organiations to prepare for the upcoming GDPR. The plan, consisting of 10 steps, reads as follows.
As a first step, key players within the organization (e.g. policymakers) need to be aware of the upcoming set of rules. They must assess the impact of the GDPR on current processes, services and products and the adjustments necessary to meet the requirements under the GDPR.
The AP stresses that the implementation of GDPR requirements may be time-consuming. Therefore, the AP strongly recommends to commence as soon as possible with identifying compliance gaps and implement GDPR-proof solutions.
- Rights of individuals
Secondly, the AP points out that individuals have more rights under the GDPR in view of their personal data. Therefore, processes that enable individuals to actually exercise such rights should be implemented. Organizations are strongly encouraged to create their own (technical) means to obey requests of individuals, including data portability requests.
The AP emphasizes that individuals may file complaints with the AP regarding the handling of their personal data. The AP is obliged to take each complaint into consideration and to start enforcement action where appropriate.
- Records of processing activities
Furthermore, organizations should map their processing activities as the GDPR requires organizations to maintain a record of processing actions that fall under their responsibility. Such records should not only contain information about e.g. the purposes of processing, data subjects involved and the personal data processed, but each category of personal data should also specify the legal basis for processing.
- Privacy Impact Assessment (PIA)
As a fourth step, organizations are encouraged to conduct PIA’s in order to identify privacy risks associated with data processing activities. PIA’s serve as a useful tool to identify compliance gaps and take subsequent actions in order to reduce enforcement risks.
The AP stresses that PIA’s are especially valuable with a view to high-risk processing activities, such as activities involving sensitive data.
Also, if an organization is unsuccessful in finding measures to mitigate privacy risks, consultation with the AP is required prior to the start of the relevant processing undertakings.
- Privacy by design & privacy by default
In addition, awareness shall be created within the organization where it comes to the principles of ‘privacy by design’ and ‘privacy by default’. Also, it must be verified how these principles should be implemented.
For example, organizations must take measures to ensure that – by default – personal data is only processed insofar necessary in view of the processing purpose(s). The AP clarifies that this means that, e.g.:
- apps may not process the location of users if such processing is not necessary;
- tickboxes related to marketing may not be pre-ticked;
- in case of newsletter subscriptions, organizations may not request to fill out more data than necessary in view of the newsletter request.
- Data Protection Officer (DPO)
Organizations may be obliged to appoint a DPO. The AP encourages organizations to identify whether they are subject to this requirement.
If yes, the recruitment and selection procedure should start in due course.
If no, organizations may want to choose to appoint a DPO after all.
- Data breach notification duties
The obligation to report data breaches (with the AP and, under circumstances, individuals) will remain largely the same under the GDPR. However, the GDPR contains stricter rules as to the internal recordkeeping of data breaches. All breaches must be documented so that the AP is able to verify that mandatory notification duties have been complied with.
Organizations should make necessary preparations in that respect, and also create data breach awareness amongst employees.
- Data processing agreements
As a following step, the AP points out that existing data processing agreements should be examined in order to ensure that the agreements are still adequate and meet the stricter requirements under the GDPR. If not, necessary changes should be agreed upon in time.
Where relevant, new data processing agreements should be drafted with a view to the GDPR requirements.
- Lead supervisory authority
If an organization has multiple establishments throughout EU Member States, or if processing activities have an impact on various EU Member States, only one supervisory authority will be competent to act as lead supervisory authority for the cross-border processing. Organizations are encouraged to identify the lead supervisory authority applicable to them.
As a final step, the AP indicates that the GDPR stricter rules apply to the reliance on consent as the legal basis for processing. Therefore, organizations should evaluate the manner in which consent is requested, obtained and registered, and should amend where necessary.
Also, organizations should be able to demonstrate that valid consent has been obtained from individuals to process their personal data. Moreover, it must be as easy to withdraw consent as to give it. Therefore, organizations should have appropriate (technical) tools in place to make sure stricter consent requirements under the GDPR are observed.