GDPR – What Do I Need to Know?
Categories: Latest News, Legal
If you are new to The Netherlands and Europe, you may not know about the EU’s new General Data Protection Regulation (GDPR), also known in The Netherlands as the AVG. GDPR has been the buzz du jour here since at least 2016 and has companies scrambling to meet strict privacy measures or risk stiff fines from regulators, loss of customers and partners, or brand damage. These are the early stages of an evolving space, and it is a work in progress for organizations of all sizes to improve their consumer data protection capabilities and compliance over time. While complexity and challenges are expected, it’s a positive step for digital commerce, society and the rights of individuals.
GDPR is an update to the prior EU data protection law, Directive 95/46/EC, created in the 1990s when the Internet and digital commerce were just emerging. The new law, which goes into effect on May 25, 2018, adapts to changing technologies and trends in digital commerce. It is more specific about how and when companies must report information to individuals about how their personal data is used. That information must be simple to find, read and understand, and the law requires organizations to be transparent and to report data breaches (loss or theft). While other countries have their own privacy laws and industry regulations, the GDPR is considered to be one of the most comprehensive and robust.
Since moving back to Amsterdam and launching our office here, I’ve had a number of small business owners, expats and friends ask me who’s covered by GDPR, what they should know, how their job could be impacted and where to get more information. While most hype has been around helping companies prepare for GDPR, training lawyers and data professionals or just scaring the heck out of people, I’ve seen less simple advice for individuals (“data subjects”) whose data is protected. This responsibility has been left to governments and their privacy authorities (“PAs”) tasked with implementing GDPR regionally. I hear that there are marketing campaigns planned for news and radio, but we shall see. While there’s a lot of information floating around the Internet, some good and some not, your EU member country’s PA is the definitive source for questions and complaints. You could also speak with a privacy and compliance officer or a lawyer at your company. I’ve attended a number of conferences, seminars and webinars, talked to lawyers and data privacy officers, and done my own research, and I want to share some tips.
A Summary of EU Individual Rights Under GDPR
- Right to Information
Organizations must inform their customers about the personal data they use and what they do with it. This information must be easy to find and understand, usually in the form of a data privacy policy. If you are a new customer, it should be provided to you before your personal information is used. The organization must provide you with its address and contact information, and it must make you aware when your information is shared with or processed by other parties. Organizations are required to notify a supervisory authority of a data breach within 72 hours from when the breach is identified. Organizations should formally notify individuals of a breach and of their plan of action if those individuals’ personal data and rights are in jeopardy.
- Right to Inspection, Correction, Erasure
Individuals have the right to view the personal information an organization has about them and how it is used; they do not need a reason for the request. They have the right to request correction of their personal data. They may ask to modify, supplement or shield sensitive data. People have the right to request erasure (deletion), also called “Right to be Forgotten,” also a good name for a classic alt-country song.
- Right to Restrict Processing
Individuals have the right to request that an organization or partner no longer use their personal data. A primary use case is direct marketing and unsolicited advertising. One may lodge an objection based on personal circumstances.
- Right to Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different IT services in a safe and secure manner. An example is taking the data collected by one service and using it with a comparison or shopping service.
- Right to Automated Decision Making and Profiling
Generally, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects on them, unless they have given their consent or the decision is authorized by the government of the member state where the individual and/or organization resides; they may request a manual review.
Who is protected by EU GDPR privacy laws?
Beyond citizens, who else is covered? Residents, visa-holders, guests, workers? The answer is that GDPR applies to everyone located in the EU regardless of citizenship. Privacy and data protection are considered to be fundamental human rights, and thus apply to everyone. GDPR is said to be triggered when an organization providing goods or services (a “data controller”) has its main office (“establishment”) in the EU, or when its customers (“data subjects”) are in the EU zone.
How to File a Complaint
Always approach the organization or service provider with your questions or complaints first. A good place to start is to review its privacy policy online and then contact customer care. If the company does not respond appropriately or you feel you are being treated unfairly, there are other avenues you can take. You can hire a lawyer familiar with privacy law and take the organization to court, or you can contact the governing Privacy Authority (PA) in your country of residence and file a complaint or a “tip” about the organization. Consumers should communicate with the PA in their country of residence regardless of where the organization’s home office is located. The PA may launch a formal investigation of an organization located in the same country, or forward the complaint to the organization’s DPO or to the PA of the EU member country where the organization is based. Further action could be driven by multiple complaints being filed about the same organization. Complaints regarding government laws and procedures may be filed with the National Ombudsman in your country of residence.
How Does GDPR Impact Me and My Job?
Your rights as an individual also apply when you are a job applicant, current employee, former employee or contractor. Organizations, companies, recruiters and HR departments must protect your personal information in the same way they protect a consumer’s. As a worker (employee or contractor), it is useful to read and understand your company’s data privacy policy. You should know how to contact your Data Privacy Officer (DPO), Compliance Officer (CO) or the individuals responsible for data privacy compliance. This is sometimes a member of the legal department.
If you are working with an EU company, partner or EU customers, you should learn about your company’s GDPR and privacy program. You should receive training on GDPR and basic data privacy principles such as data classification, data handling for your role, and how to recognize and report a data breach. Employee training is required by GDPR. You should work with your management over time to identify how and where you may interact with personal or sensitive consumer data across your 4Ps (programs, products, processes and partners). Learn how you can become a better data privacy steward and implement “privacy by design” best practices. These skills will be useful for career development and worth adding to your LinkedIn profile and CV.
Always Check Your Sources
It’s always good practice, especially these days, to check your information sources and get multiple opinions. Look up the author of a blog on LinkedIn or elsewhere and check their background and the responses to their posts. Do they have experience and seem credible? Some companies hire freelancers and copywriters with no background in legal, privacy or IT. Do you want to base your job or cross-border strategy on this advice? It depends. I don’t think anyone I’ve met claims to know everything about GDPR, as this is a grand effort with details still unfolding. That said, there are some great resources to tap into, so go find them.
Feel free to contact us if you have any questions. Stay Calm and GDPR On.
Some Good Resources:
- https://autoriteitpersoonsgegevens.nl/nl
- https://hulpbijprivacy.nl/#onderwijs
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- https://www.dlapiperdataprotection.com
- http://globalitc.bakermckenzie.com/eu_gdpr/
Here at Potentia Concepts, we provide digital privacy tools and security awareness education services to global organizations to help them meet regulatory compliance, mitigate risk and protect their brand and stakeholders from digital threats.
Adam Hoey is CEO and Founder of Potentia Concepts, based in Amsterdam and Washington DC. He can be reached at [email protected] or https://www.linkedin.com/in/adamhoey/