The digital world is constantly changing and developing, which is exciting and interesting, especially for online marketing. However, it is also the main reason that the legislation on personal data is due for an update. The European Commission and the European Parliament have decided that current legislation is no longer in line with developments in the digital world. The General Data Protection Regulation will enter into force on 25 May 2018.
From WBP to AVG
Until now, countries within the EU have based their legislation on the protection of personal data on European Union directives based on Directive 95/46/EC. A new European regulation entered into force on 25 May 2016: the General Data Protection Regulation (AVG). This regulation will actually apply from 25 May 2018, after which everyone within the EU must comply with these European regulations. The national legislation (Personal Data Protection Act and the Basic Personal Data Registration Act in the Netherlands) will then no longer be in force.
This means that we are currently in a phase where organisations can prepare for the new situation. Until May 25, 2018, the WBP and the Wbrp still apply. In this blog, we explain what exactly is going to change and how you can prepare for the new regulations. Especially for organisations that collect personal data, a lot of change may be necessary to comply with the new laws.
What is changing?
The biggest changes you have to take into account when the AVG takes effect in 2018 are:
People’s privacy rights are strengthened and expanded
- For example, the AVG describes the conditions for organisations to get valid permission from people to process their personal data. Organisations must be able to prove that they have received valid permission and people must also be able to withdraw that permission.
- People have the right to have an organisation remove their personal data (right to be forgotten).
- People also have the right to request (under certain conditions) their personal data in a standard format so that it can easily be forwarded to another supplier of the same type, for example, a social media network.
Organisations get more responsibilities themselves
Organisations that process personal data are required by the AVG to demonstrate that they are complying with the law. There is a documentation obligation, which means that they must be able to demonstrate with documents that they have taken the right measures to comply with the new regulations. The AVG also offers organisations tools for complying with the law, such as model provisions for transfers of personal data.
These responsibilities have the following consequences:
- Organisations no longer have to report the processing of personal data to the Dutch Data Protection Authority. They must keep an overview of all their processing of personal data themselves.
- Organisations can be obliged to carry out a Privacy Impact Assessment.
- Organisations may also be required to appoint a data protection officer.
- Article 24 of the WBP banned the processing of identification numbers (such as the BSN). The AVG lifts this ban, which means that from now on the use of identification numbers is more freely permitted. Local authorities may, however, impose additional conditions on their use.
The same regulations for the protection of personal data in all EU countries
All European privacy regulators get the same powers. For example, they all have the authority to impose fines (up to 20 million euros, or 4% of the general annual turnover).
- In contrast to Directive 95/46/EC, on which the current legislation within the EU is based, the AVG is a regulation and not just a directive. This means that the AVG is directly applicable and the same in all EU countries.
- Local authorities can adapt the legislation to their own needs regarding the protection of personal data. Think of the Dutch Data Protection Authority or perhaps the involvement of several agencies.
- For organisations that are not established in the EU, but do offer services or products within the EU or monitor the behaviour of individuals within the EU, the AVG also applies.
How do you prepare for this?
The changes in the regulations mentioned above demand quite a lot from an organisation that collects, manages and uses personal data. You have until May 2018 to comply with these new regulations. Consider the following processes:
- Make sure you have a good overview of the types and amounts of personal data that your organisation maintains and how you do this.
- Be prepared for data leaks: know which steps to take in the event of a (suspected) data breach incident.
- Check whether it is necessary to appoint a Data Protection Officer or Privacy Officer. For organisations that process special personal data (such as health data), this is mandatory in any case.
- Does your organisation have more than 250 employees, or is sensitive data processed? Then create a register in which the various processing operations within the organisation are recorded, including the purpose, the basis and the security measures taken.
- The privacy statement of your organisation must now contain much more detailed information than was previously required and must be written in comprehensible language.
- Check the agreements with hosting and cloud providers and other suppliers that need to process personal data. Much more has to be laid down in these agreements than has been prescribed up to now.
- Do you already have an internal policy on implementing a Privacy Impact Assessment (PIA)? If a new way of processing can create a large risk for the privacy of individuals, the privacy effects must be investigated first. Only then can a new technique be used for processing personal data or linking data sources.
With just under a year to go, we hope that these tips have helped you a long way towards complying with the new regulations. Collecting personal data is a very valuable but also sensitive activity that we have to deal with carefully. In this way, online marketing remains a fascinating and challenging profession!
Revenue Creative delivers business value by thinking along with the entrepreneur, sales and marketing goals. We advise B2B customers about their (digital) sales and marketing strategy and the organizational impact thereof. Our hybrid team provides support in the implementation of the digital improvements and the achievement of the marketing and sales objectives. www.revenuecreative.nl.