Do you know exactly what personal information your organization holds? Have you reached agreements with your customers and suppliers about what you do with their data? And explained clearly how they can view it or have it deleted? Have you properly documented how you secure data?
These may seem like simple questions, but a negative answer to any of them could mean that you are breaking the law. With the risk of incurring a very substantial fine. That is a result of the introduction of the General Data Protection Regulation (GDPR), the new privacy law for the whole of Europe.
The questions above are just a few of the many you have to be able to answer under the GDPR, or for which you need to have a protocol. In particular, organizations working with privacy-sensitive material such as personal medical or financial data need to take far-reaching measures to comply with the regulation. Companies with more than 250 employees are obliged to keep a “record of processing activities”, as are smaller firms if they process personal data systematically.
The GDPR is intended primarily to give consumers confidence in the digital economy. By complying with the legislation, you assure your customers and suppliers that their data is safe with you. At the same time, the safeguards it requires also help prevent cybercriminals and hackers gaining access to your valuable company information and leaking it. So compliance protects not only those you do business with, it also protects you.
The GDPR officially entered into force two years ago, but after a transitional period the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) began enforcing the regulation from the 25th of May 2018. For breaches, it can impose fines of up to €20 million or 4 per cent of global turnover. If your information security is not yet in order, it could take some time to put the necessary measures in place. So act quickly if you are not sure that you are fully compliant with the GDPR.
Are you unsure whether your organization complies with all the new regulations? If so, it is important to act quickly and decisively. We can help by undertaking a condensed risk analysis. Within a week you will find out how well you are observing the new privacy rules, and what measures you still need to take. We conduct the analysis in-house, among other things by holding conversations with you and your personnel. This produces what we call a baseline measurement, generating a report describing what has already been done right and what points still need to be addressed. That forms an excellent basis for a plan of action to comply with the GDPR.
Starting from our baseline measurement, we can help you prepare a plan of action. In this we prioritize those activities which are most important or most urgent due to the time they take to complete. We can also provide practical support with, for example, the creation of a record of processing activities, the development of controls in the form of process descriptions and the drafting of processing agreements with customers.
If you believe you are already fully compliant with the new legislation but want to be absolutely sure, or need confirmation that your processor has taken the appropriate security measures, an independent opinion can provide reassurance. We offer this in the form of a privacy audit, to check that you are indeed GDPR-ready.
DRV has staff specially trained in privacy, GDPR and cybersecurity issues. All are highly skilled professionals with extensive practical experience in the real economy. They understand that, as an entrepreneur, you need to be able to collect data within the rules in order to do business successfully.
Any organization processing personal data may have to conduct a Data Protection Impact Assessment (DPIA). This is a tool used to chart the effect upon privacy of data processing activities. Under the EU’s General Data Protection Regulation (GDPR), a DPIA is mandatory if the processing of personal data entails a high risk to the privacy of the individuals concerned.
Under the General Data Protection Regulation (GDPR), organizations are required to explain how they ensure the privacy of people whose data they process. This means, for example, that they must demonstrate that they are compliant with the legislation, that they actively consider how they process personal data and that they have put the necessary technical and organizational safeguards in place.
To comply with the General Data Protection Regulation (GDPR), you may have to appoint a Data Protection Officer (DPO). They are designated “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The DPO advises you on data-protection legislation and privacy issues in general, monitors compliance with the law, engages with the relevant authorities and acts as a contact person in this area.