GDPR stands for General Data Protection Regulation and it’s the new legislation in Europe concerning privacy. In the Netherlands we call it the AVG (Algemene Verordening Gegevensbescherming).The AVG is largely in line with the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens), which has been in force for years and has recently been supplemented by the Data Breach Notification Act (Wet Meldplicht Datalekken). By adapting the Dutch legislation the government made it possible for us to become familiar with it before the European privacy legislation goes into effect.

A summary of the GDPR
It is impossible for SMEs to understand what is expected of them by all rules and laws. They are supposed to know the law; that is, to know the Civil Code, the GDPR, the Archives Act, the Medical Treatment Agreement Act, the Client Law Rights Act on Electronic Processing of Data, the Electronic Signature Act – the list is endless. For a company’s day-to-day operations an incomprehensible jumble of rules. You will have to look at those laws in their entirety to avoid misinterpretations.

If I have to summarize the legislation, this is what it would come down to:

As a company you have to first make sure whether you are responsible for the data or whether you are a ‘processor’. If you have a contract with the end-customer this means you are responsible. A processor has a signed processing contract with the responsible party that includes agreements regarding data management on behalf of the responsible party. The responsible party is the one that reports a data breach and supervises its processors/suppliers. This supervision ensures that a data breach is recognized as such and reported in time.

Customers must always be informed in advance and agree on the purpose for which their personal information is used. If it turns out later that their personal data has been used for another purpose, then there is a legal violation. This is called purpose limitation.

Secondly, you want to give the customer access (transparency) to the registered data, so that the customer can modify this data in case it is incorrect and/or has been changed. Right of inspection is still something other than ownership and/or copyright of the data. That is the right of the responsible party. Information about a person therefore often has two owners with different rights and obligations.

Thirdly, data may not be kept unnecessarily long; there are all kinds of laws that apply to different types of data; financial data, patient data, personal data, transport data, telephone details and so on.

Finally, data must be demonstrably appropriately secured (eg secure access, management and maintenance, logging, etc.). If you are hacked and data is stolen, you will only be granted exemption if everything is appropriately secured and done by the book (ISO27001: 2015, NEN7510: 2011, ISAE3402, type I / II). Note that I am briefly pointing out the main elements.

If a supervisor, such as the Dutch Data Protection Authority, will impose fines, it will mainly focus on large (foreign) companies with a lot of money and European users (Facebook, Microsoft, Google, Amazon, Banks, Insurers etc). So pay attention to the smaller suppliers who handle personal data. They are not always aware of the legislation mentioned in this blog. This is a big risk for the ‘responsible parties’ because any penalties are difficult to recover from the often smaller processors! I have not yet seen the fines, but I am familiar with the circumstances.

 

Gerco Kanbier
Independent Information Security Guru