GDPR roadmap
Are you a business owner and are you unsure what the GDPR means for you?
For a quick and visual overview of the most relevant questions to ask yourself, check out our roadmap attached.
Below, we will help you further with answering those specific questions:
- Do you use personal data for your business?
Personal data is basically any information about a person that you can use to recognise that person. The easiest example is someone’s name, which is personal data. A postal code can also be personal data, but only in combination with a house number, for example. The important thing is whether the information can tell you who the person is. With just the postal code, you don’t know yet, but in combination with a house number, you could.
- How do you use personal data?
Almost anything you do with personal data counts as ‘processing’ it. This includes: collecting, recording, organising, structuring, storing, updating, modifying, retrieving, consulting, using, forwarding and deleting.
- Are you using personal data on behalf of clients or just for your own business?
If you process data just for your own company, e.g. if you maintain a customer database, then you are a data controller.
If you process data on behalf of customers, then you are a processor. You probably then also maintain your own customer database, which makes you both data controller and processor.
The difference between the two is that the controller makes all the decisions about the processing. Among other things, it determines the purpose of the processing (why) and the means (how). The processor only performs the tasks on behalf of the controller. The controller, therefore, bears more responsibility.
- Do you have a good reason to process personal data?
There are various reasons for using data about people. The following reasons may apply to your business:
- You have obtained permission from the person the information is about, for a specific purpose (e.g. if that person wants to become a member of something);
- You have an agreement with the person the information is about and you need to fulfil commitments from that agreement (e.g. to deliver an ordered product, you need to know which address to take it to);
- You have to comply with an obligation from the law (e.g., keeping financial records for the Tax Office);
- You are trying to protect or save someone’s life (e.g., doctors need to process data to provide the best care for their patients);
- You have to process data for the whole community, as part of the public interest or exercise of public authority (e.g., the municipality installing camera surveillance to make sure everyone on the street is safe);
- You need to ensure that things are fair and proper; these are also called legitimate interests (e.g., to prevent fraud, you need certain data).
- Do you have a privacy statement in understandable language?
A privacy statement explains how you manage people’s data. It describes what data you collect, for how long, why, how, with whom it is shared and how it is protected.
- Can you meet the rights of the data subject?
The people whose data you collect have certain rights. For instance, they can ask you to see the data you have collected about them or, for example, ask you to delete their data. You must comply with these rights in most cases.
- Do you take technical and organisational measures to secure personal data?
To ensure that people’s data does not leak out and information does not get into the hands of the wrong people, you need to take certain measures. You need to keep personal data safe. To do so, you can take technical and organisational measures.
For technical measures, you can think about using strong passwords and two-step verification. For organisational measures, you can think about having procedures ready to respond to a data breach (i.e., when personal data gets into the hands of the wrong people).
- Do you outsource the processing of personal data? If so, do you have a processor agreement?
If you outsource the processing of personal data, it is important that you cooperate with the processor to protect people’s data. In a processor agreement, you lay down a number of things. You can lay down that the processor must keep the personal data safe, and that the processor only uses the data in ways that you have explicitly permitted.
- Do you process sensitive personal data or systematically track people? If so, do you ever carry out DPIAs?
Sensitive personal data includes data such as ethnicity, gender, political views, and medical data.
Systematically tracking people means that you continuously collect data from people (often in an automatic way). This could include the use of tracking cookies or GPS.
A DPIA (short for data protection impact assessment) is a tool used to estimate privacy risks. In other words, it is an assessment tool. You should do such an assessment in advance if you are going to process sensitive personal data or if you are going to systematically track people. These two activities may pose certain privacy risks. You can use a DPIA to see what measures you need to take to mitigate these risks.
- Are you familiar with ‘privacy by design’ and ‘privacy by default’?
Both privacy principles help to keep people’s data secure.
Privacy by design can mean requiring people to use a strong password when creating their accounts. This way, other people cannot easily enter their accounts and access their data.
Privacy by default can mean turning off the automatic sharing of location data in an app unless the user explicitly gives permission to share it. The default settings of your app or website thus protect people’s privacy. This means that, on a web form, the cookie consent boxes should not be ticked by default.
- Does your organisation have more than 250 employees? If so, do you keep a processing register?
In a processing register, you can keep track of what data you have collected and how you use it. You can include the following points in such a register: i) the activity ii) the purpose iii) the data subjects iv) the type of data v) the recipients vi) the reasons vii) the retention period and viii) the security measures.