So from May 2018 there will be one European law and organisations will only have to affiliate with one Data Protection Authority (DPA). The national DPAs, such as the Dutch Data Protection Authority (CBP), will then be coordinated by one European Data Protection Board (EDPB). An exception to this may be national legislation regarding employee data.
Below is a non-exhaustive checklist of the main implications of the GDPR for all businesses that are active in the field of online and/or data. I will focus on the perspective of publishers, advertisers and e-commerce businesses.
1. Editor Agreement
Concluding a processing agreement is nothing new in itself, because it is now already mandatory within the Wbp. Unfortunately, in daily practice I see a questioning look when I ask about it during a project. This will now be called a processing agreement with the GDPR, and applies between the controller of the personal data, and the party that processes the personal data for him (now known as processor, soon processor).
From now on, the processor will no longer be allowed to engage an external party to process personal data without the prior written consent of the controller.
2. Rights of the data subject (right to access & to be forgotten)
Transparency is paramount: the consumer must be informed about what happens to his personal data. Everything must, as mentioned above, be communicated in simple and clear language. In addition to the well-known right to object, access and rectification, the data subject also has the right to be forgotten in the GDPR.
Also read: What does the European Privacy Regulation mean for you?
The data subject has the right to object at any time to the processing of his data for direct marketing purposes. If the data subject makes such an objection, his data may no longer be processed for marketing purposes.
During the entire development process of products and services, privacy must be taken into account. This can be done by applying techniques such as pseudonymization and by processing only necessary personal data.
This necessity requirement also applies to mapping the accessibility of the data (who has access to which data?) and the period for which the data is stored. The default settings of a product or service must also always be as privacy-friendly as possible.
In short: products and services must be hong kong phone numbers developed and configured in a 'privacy-proof' manner.
Products and services must therefore be developed and set up in a 'privacy-proof' manner.
4. Data breach reporting obligation
We already know this in Dutch law: reporting obligation for data leaks. This is also included in the GDPR.
In concrete terms: if data is accidentally (or deliberately) lost or ends up on the street, this must be reported to the supervisor within 72 hours. Is the leak likely to pose a high risk to the persons to whom the data relates? Then they must also be informed of the leak.
5. Privacy officer
The privacy officer was not mandatory in the Wbp, but is under the AVG in some situations. This is new for several EU countries, and is criticized as an additional administrative burden.
The privacy officer is a person who supervises the handling of personal data within an organization. He or she also checks whether the organization complies with the law and applicable regulations. The privacy officer must be able to function independently as a privacy information point and may be appointed both internally and externally. This person must be an expert and his or her contact details must be known to the CBP.