From May 25 2018 the General Data Protection Regulation (GDPR) is a fact. From this date on the same privacy regulations apply throughout the entire EU. Anyone who collects and processes personal data through a website, CRM, internal database, etc., will be required to comply with the new regulations.
What's the purpose of the GDPR?
- Strengthening and expansion of privacy rights
- More responsibilities for organizations
- The same powers for all European privacy supervisory authorities, for example the power to impose fines of up to EUR 20 million
Impact on SSL
Due to the GDPR, HTTPS will be required when you collect personal data through online web forms. This ensures that the traffic between your website visitors and your servers cannot be intercepted. Without HTTPS, the security of the personal data transmitted cannot be guaranteed. Using an SSL certificate is one of the measures you can take to comply with the regulation. For this purpose, any type of SSL certificate is sufficient.
What will change for Xolphin customers?
What will change for Xolphin resellers?
Do you (also) buy products from us for your customers? Because we store and process certain data of your customers, we are required to enter into a so-called Processor's Agreement with all our resellers. This Processor's Agreement clearly specifies our legal obligations in this area. You can easily sign the agreement digitally in the Control Panel. Note: if you buy products from us for other parties with a default (non-reseller) account, you are legally speaking a reseller.
Which steps do you need to take according to the GDPR?
Step 1: Awareness
Make sure that the relevant people within the organization, for example policy makers, are aware of the new privacy rules. They have to estimate the impact on the current processes, services and goods. It is also important that they are aware of the adjustments they need to make according to the GDPR. Implementing the GDPR can take a lot of time, so start early. The Supervisory Authority can help you with this.
Step 2: Data subjects' rights
People whose personal data are processed will get more and stronger privacy rights under the GDPR. Make sure that they are able to exercise these rights. They may complain to the Supervisory Authority about the way you handle their personal data. The Supervisory Authority is required to report these complaints.
Step 3: Overview of the entire process
Map out your data processing. Document which personal data you process and for what purpose. Find out where you obtained this data from. Under the GDPR you have an accountability obligation. This means you have to be able to demonstrate that you work in accordance with the GDPR. Part of this accountability is that you have to keep a record of processing activities. You may also need this record when people exercise their privacy rights: they can ask you to change or delete their data, and you also have to report such changes to the authorities you shared the data with.
Step 4: Data Protection Impact Assessment
Under the GDPR you might be required to carry out a Data Protection Impact Assessment (DPIA). This is an instrument for identifying the privacy risks of a particular processing operation; based on its outcome it may be necessary to take measures to reduce those risks. A DPIA may be required if the intended processing carries a high privacy risk. You can already estimate whether you will have to carry out DPIAs in the near future and, more importantly, how you will approach them. If a DPIA shows that your processing will carry a high privacy risk, you can contact the Personal Data Authority. This authority will check whether the processing conflicts with the GDPR. If it does, the Supervisory Authority can provide you with written advice.
Step 5: Privacy by design and Privacy by default
Make sure your organization is already familiar with the GDPR principles of privacy by design and privacy by default, and consider how you can put them into practice within the organization. Privacy by design means that you take the protection of personal data into account when designing products and services, and also that you do not collect and process more data than necessary. Privacy by default means that you take technical and organizational measures to make sure you only process personal data for the specific purpose for which it was collected.
Step 6: Data Protection Officer
Under the GDPR you may be required to designate a Data Protection Officer. Determine whether this is necessary for your organization. Your organization may also designate a Data Protection Officer voluntarily.
Step 7: Reporting data leaks
The requirements for reporting data leaks stay largely the same under the GDPR. The GDPR does have strict rules about the registration of data leaks within your organization. You have to register all your data leaks so that the Supervisory Authority can check whether you have fulfilled your duty to report.
Step 8: Processor agreements
Your data processing may be carried out by a Processor on your behalf. Do the existing contracts meet the requirements of the GDPR?
Step 9: Managing Supervisor
Does your organization have branches in several EU Member States? Or does your data processing have an impact in several Member States? Under the GDPR you then deal with only one privacy supervisor: the Managing Supervisor.
Step 10: Permission
For some data processing operations you need permission. The GDPR sets strict requirements for valid permission. It is important that you evaluate the way you ask for, obtain and register permission, and adjust that procedure if necessary. Under the GDPR you have to be able to show that you have obtained permission to process personal data. People must be able to give and withdraw permission very easily.
Below you will find some extra information about the terms mentioned above.
What are Personal Data?
Personal data are data with which a person can be identified, for example name and address, e-mail address, passport photo, fingerprint or IP address. Someone's IQ is also personal data.
What are special Personal Data?
Special personal data can seriously affect someone's privacy. Such data can only be processed under very strict conditions.
What's a processing register?
This register contains information about your processing of personal data. The GDPR indicates which information you should include. If the Supervisory Authority asks for it, you have to be able to show this register immediately. Does your organization determine the purpose and the means of the personal data processing? If so, your organization is the Controller (responsible for the processing). The law states that the register contains the following information:
- Name and contact information of the organization and any representatives of other organizations
- Information about the Data Protection Officer
- Any international organizations you share personal data with
- The goals for which you process personal data
- Description of the categories of persons whose personal data you process
- Description of the personal data categories
- Categories of recipients of the personal data
- Information about the general technical and organizational measures you have taken to secure the personal data processing
How can I prove that I have received permission?
Do you need the permission of the persons involved for your data processing? Under the GDPR you have to be able to prove to the Supervisory Authority that you actually have this permission. That is part of the accountability obligation. Two of the GDPR's requirements for permission are that it is 'informed' and 'specifically given'. Do you ask for permission online in order to obtain personal data? In that case you can record the information about the customer's website visit during which permission was given, and combine it with the documentation of the procedure that describes how you request and record permission. Merely referring to the automatic registration of permission on your website is insufficient to demonstrate valid permission, because the information given to the persons involved is then missing. Finally, make sure you have sufficient data to establish the link between the processing and the permission given by the persons involved. Please note that you may not collect more data than necessary to demonstrate valid permission.
What has to be in a Data Protection Policy?
The GDPR does not define exactly which information has to be in a Data Protection Policy. The policy has to show how you comply with the GDPR; that is part of the accountability obligation. Under the GDPR you have to include the following information:
- A description of the Personal Data you process
- A description of the purposes for which you process personal data and the legal basis for doing so
- How you can meet the principles of processing personal data, such as the obligation not to process more data than necessary
- Which rights data subjects have, such as the right to lodge a complaint with the Supervisory Authority, but also the right to inspect, change, delete and receive all the registered data
- Which organizational and technical measures you have taken to secure personal data
- For how long you keep personal data
Due to the GDPR the importance of website security will grow even further. From the end of May 2018, an SSL certificate will be required when you collect personal data through online web forms. Dutch privacy law has required the use of HTTPS by webshops for quite some time, but failing to comply with the GDPR will have significantly more impact. Complying with the GDPR will be necessary in order to avoid the maximum sanction of 20,000,000 Euros or up to 4% of your annual worldwide turnover.
The legal information on this website is informative and serves to give an impression of the legal issues. No rights can be derived from the content.