Privacy, and therefore the security of the data that organizations collect and process, is a hot topic. Privacy can be the result of either a (self-)imposed standard such as ISO 27002 or the application of the General Data Protection Regulation (GDPR).
MexonInControl is the solution that helps organizations get in control of everything that needs to be organized, and it is a tool that gets things done. MexonInControl is therefore the ultimate compliance solution for the GDPR and other standards.
Why is the GDPR so important?
Every company, organization, association or foundation urgently needs to assess the impact of the GDPR. Although not everyone can know the law, the law does apply to everyone! Doing nothing or dismissing the GDPR as 'hype' is therefore not a smart choice, because it does not prevent a fine.
On May 25, 2018 the General Data Protection Regulation enters into force. It replaces the current national regulations. The main purpose of this regulation is to protect the privacy of European citizens.
From May 25, 2018, the GDPR strengthens and extends the privacy rights of data subjects. This is mainly achieved by demanding more accountability from your organization. Every organization that does anything with personal data will have to investigate to what extent it has implemented this legislation. This is necessary because the supervisory authority can impose hefty fines.
Three aspects are crucial:
- Make sure that a Data Protection Impact Assessment (DPIA) is done. This makes clear which personal data is processed and what risks that processing carries. Record the result (regardless of the outcome)!
- Ensure that a Data Protection Officer is appointed if required.
- Ensure that new applications meet the correct requirements: Privacy by Design and Privacy by Default.
Processing personal data is only permitted on one of the following legal bases:
- The consent of the data subject (make sure this consent is recorded!);
- Protection of vital interests;
- A legal obligation;
- Performance of a contract;
- A task carried out in the public interest;
- A legitimate interest.
An organization should arrange at least:
- a register of all data processing activities;
- an information protection policy;
- adequate (digital) security.
Data subjects have more rights to exercise control. Make sure they can actually exercise these rights, and register their requests concerning:
- the right to access personal data;
- the right to have inaccurate data rectified;
- the right to be forgotten;
- the right to data portability;
- the right to be informed.
What needs to be done?
The regulation is quite complex. Several organizations have defined the necessary steps. Because the Dutch Autoriteit Persoonsgegevens (AP) is our supervisory authority, we at Mexon Technology use their 10 steps as a guideline. You can, however, also use the 13 steps of the Belgian CBPL or the 12 steps of the UK supervisory authority (the ICO):
- Awareness (1);
- Rights of data subjects (2);
- Processing activities (3);
- Data Protection Impact Assessment (4);
- Privacy by Design and Privacy by Default (5);
- Data Protection Officer (6);
- Reporting personal data breaches (7);
- Data processing agreements (8);
- Supervisory authority (9);
- Consent (10).
And that's not all!
Websites and webshops
An increasing number of websites (and webshops) collect personal data. Sometimes this is obvious, because the data is explicitly requested from the visitor. But data recorded by cookies can also fall under the GDPR. It is therefore important to inform the visitor about the collection of this data and to describe how it is collected and on what basis.
A cookie notice and a reference to a Privacy Statement on the website are therefore an important first step, if not mandatory.
Special categories of personal data should trigger alarms
Some data falls into the special categories of personal data. If such data is collected, certain things become mandatory: substantiating why the data is collected, appointing a Data Protection Officer and conducting DPIAs.
It is not always obvious who is responsible for the protection of data. And yet it is very straightforward: the collecting party (the controller) is responsible. Even if the administration or register is "in the cloud" or "SaaS" (in which case you need a data processing agreement with your cloud/SaaS provider!), the party that collects the data remains responsible. So do not accept "no" as an answer from your supplier if you believe a data processing agreement is needed. It is your duty to protect the data.
Do you want to know what MexonInControl can do for you? Please contact us by email at firstname.lastname@example.org or by phone at +31 33 432 17 00.