Privacy law

PrivacyBlox supports you by providing the right tips and tools

Try PrivacyBlox

1. YOUR ACTIVITIES ARE MORE LIKELY TO BE AFFECTED BY PRIVACY RULES The key concept of ‘personal data’ changes: on top of names, addresses and the like, other data relating to information such as IP and MAC addresses, and cookies will be subject to privacy rules. Even if you don’t know the person behind a cookie, you are expected to treat such information as privacy sensitive.

2. PRIVACY STATEMENTS MUST BE EVEN MORE TRANSPARENT In a privacy statement, you will need to fully explain what you are doing with personal data in clear and accessible language. You will also need to notify people on their rights, such as to modify their data, access their records or even have them destroyed. If you make profiles of people’s interests, then they will have to be deleted on their request. You are also obliged to point out the possibility to file a complaint with the national data protection authority.

3. YOU MUST KEEP AN INTERNAL RECORD OF ALL DATA BREACHERS Under the current privacy rules, you only need to register data breaches when there is a duty to report hem to the data protection authority. On the contrary, it is mandatory to register all data breachers under the GDPR, even those that do not need to be reported. And do you process personal data for your client(s)? Then it will be required by law to notify them about all data breaches, so they can report it to the authorities on their turn.

4. YOU NEED TO REGISTER ALL DATA PROCESSES, EVEN THE OBVIOUS ONES SUCH AS PERSONNEL ADMINISTRATION OR NEWSLETTER This register needs to include information on which personal data are being processed and for which purposes, and also on how they are secured.

5. YOU MUST TO CONCLUDE A DATA PROCESSING AGREEMENT WITH ALL YOUR SUPPLIERS AND CUSTOMERS The data processing agreement is used to make specific arrangement on how parties deal with personal data. It is important to keep in mind that you will need consent from your customers when you outsource activities that involve their personal data.

6. THE FINES ARE IMMENSE Under current privacy rules, the fine is capped to €900,000 per violation (under the Dutch regime). With the arrival of the GDPR, this will change to €20 Million or 4% of an organisation’s worldwide turnover. There will also be a European Data Protection Board that monitors the correct application of the GDPR regime.

7. YOU MIGHT NEED A PRIVACY OFFICER The privacy officer, in other words a data protection officer (DPO), is an independent expert within the organisation that advises and reports on compliance with the GDPR. A DPO is mandatory for organisations that process sensitive personal data (such as health related data) on a large scale, or if you structurally observe people (physically or digitally). A DPO can be an employee of the organisation, or hired externally, such as a (virtual) privacy officer from Legal ICT.

8. IN THE CASE OF RISKY DATA PROCESSES, YOU ALSO NEED TO PERFORM A PRIVACY IMPACT ASSESSMENT (PIA) A PIA is an extensive investigation to map all privacy related risks and eliminate these as much as possible. Only after you have completed the PIA and implemented all the results, you are allowed to proceed with the risky processing activities.

9. MINIMISE THE COLLECTION OF PERSONAL DATA AND REMOVE THESE AGAIN AS SOON AS POSSIBLE The GDPR’s rationale of risk management requires that you only keep a minimum of personal data. You will therefore need to destroy information as soon as it lacks relevance – and you must implement a policy to inform when data is (not) relevant and how they are removed securely.

10. PRIVACY IS KEY TO YOUR SOFTWARE AND SERVICE’S WHOLE LIFE CYCLE This is also referred to as ‘Privacy by design’ or ‘Privacy by default’. In short, this means that in every step of the development of your activities, privacy issues are taken into account. In addition, all default settings of a new settings should be as ‘privacy friendly’ as possible.

11. YOUR SECURITY MUST BE – AND STAY – SHIPSHAPE Security of personal data is of vital importance these days. Without encryption, two-factor authorisation or the separation and secure removal of personal data, you take an enormous risk. You IT systems also need to be regularly checked on new risks.

12. YOU MUST HAVE AN INTERNAL PRIVACY POLICY, STATING WHO PLAYS WHICH ROLE IN DATA PROTECTION MATTERS It is important that employees are aware of this policy. You will have to train them regularly to keep them up to date.

13. YOU MUST BE ABLE TO DEAL WITH REQUESTS FROM INDIVIDUALS, SUCH AS TO PROVIDE ACCESS TO OR CORRECT THEIR DATA And if such data is outdated, you will even have to remove them on request. Such requests from individuals usually need to be handled within a month. Is your helpdesk already prepared for this?

14. DO PEOPLE USE YOUR ONLINE SERVICES TO STORE PERSONAL INFORMATION? If you provide online services that are used to store personal data, than users should be able to export their information in a standard format in order to transfer this to another organisation. E.g. think of photos, messages on social media or forum posts..

15. PLEASE CHECK WHETHER YOUR (FOREIGN) PARTNERS STORE PERSONAL DATA INSIDE OR OUTSIDE THE EU Transfer of data outside the EU is only allowed when such activities comply with certain strict rules. This can be the case if the country in question is certified by the European Commission. This has been done for the US: the so-called Privacy Shield offers the necessary guarantees for use by American companies. Please note that your customers may require that their data do not ‘leave’ the EU at all. 

16. DO YOU PERFORM PROFILING OR RISK ANALYSES ON YOUR CUSTOMERS OR OTHER PEOPLE? If you do, you will have to explain, on their request, the process: how is this done and what are you using it for? This is already the case when you use cookies for advertising purposes.

17. DOES YOUR ORGANISATION USES FINGERPRINTS OR BIOMETRICS, E.G. FOR ACCESS RESTRICTION? This is a sensitive topic under the GDPR, because such biometric data is subject to a strict set of rules for protection.




Are you seeking support for your implementation of the GDPR or do you want a (virtual) privacy officer? Please contact the privacy lawyers of Legal ICT. They can help you with the integration of PrivacyBlox in your current or future business activities.

Start privacy compliance today

Try PrivacyBlox
Contact Mark Hoogewerf
+31 (0)20 229 33 45 or [email protected]