The General Data Protection Regulation (GDPR) is a European law designed to protect people's privacy. The GDPR stipulates what businesses and organisations can and cannot do with the personal data of their customers, staff and other persons. For example, you must have a good reason for processing personal data. In this overview you find examples that may occur in your business: Example: to be able to carry out an agreement. Example: to send a newsletter, you do need an email address, but not a date of birth. Example: you have requested an email address to send an invoice. You may not use that email address for marketing purposes. Example: for your business administration, you must store your data for 7 or 10 years. After that, you no longer need it. Example: what data you store, why, and for how long. Example: by securing your website with https and by updating your software. The GDPR applies to all businesses and organisations that process personal data, including freelancers and SME entrepreneurs. You must take the GDPR into account when sending a price quotation, invoice, or newsletter. But also, for example, when you hire staff. When you store employees' personal data you must follow the GDPR. Personal data is data that directly concerns someone. Or that allows you to find out who it concerns. Such as name, address, and telephone number. Processing it includes everything an organisation can do with data. Think of collecting, storing, and forwarding it. This can be done manually or automatically, for yourself or for someone else. Read more about processing and passing on personal data. Are you unsure whether you are complying with the GDPR? Or would you like to know what the GDPR entails? Follow these steps to help you comply with the GDPR. Read more about the GDPR or get informed. Do you have staff? Then involve employees who process personal data. You cannot just process personal data. You must have at least one of these 6 reasons: It is necessary to carry out an agreement. For example, you must process address details to be able to deliver your product to someone. It is necessary to fulfil a legal obligation. There is a legitimate interest. For example, you must process personal data in your personnel administration to pay salaries. You have permission from the person in question. It is necessary to protect someone's life or health and you cannot ask that person for permission. It is necessary to perform a task in the public interest. Read more about the different reasons (in Dutch). Your customers have many rights when it comes to privacy. You must ensure that they can easily exercise these rights. For example, your customers may: view, modify, and delete their data restrict and withdraw consent they have previously given request their data so that they can easily switch to another business; this is called the right to data portability Your customers may file a complaint with the Dutch Data Protection Authority (DPA). The DPA is obliged to process these complaints. Record in a processing register which personal data you process and why. Make it clear where this data comes from and with whom you share it. In the register, you also record the date after which you must delete the data. You use the register when customers ask you to change or delete their data. You must also pass this on to the organisations with whom you have shared the data. This register falls under the so-called accountability principle. You must always be able to explain how you handle data. Do not process more personal data in your products or services than is necessary. This is also called ‘privacy by default’. Examples of this are: Do not allow an app to register the location of users without good reason. On your website, do not pre-check the box ‘yes, I want to receive offers’. When subscribing to a newsletter, do not ask for more data than is necessary. If you are designing new products or services, make sure that personal data is properly protected in the design phase. This is known as ‘privacy by design’. The GDPR states that you must properly secure the personal data you hold. However, personal data can get out without this being intentional. This is called a data breach. Examples of data leaks are: You lose a laptop, tablet, USB stick or paper with unencrypted personal data on it. You email personal data to the wrong person. The personal data you are processing is stolen in a cyberattack. Your system is infected with ransomware,making the personal data no longer accessible. You must report all data breaches immediately to the Dutch Data Protection Authority, DPA. You must also document all data breaches, including internal leaks that you do not have to report. Check the DPA website to see which data breaches you must report. You should only inform the persons whose personal data has been breached if the data breach has serious consequences for their rights and freedoms. Do you process privacy-sensitive data for your clients? Then you must report all data breaches to them so they can report them to the DPA. Do you work with businesses that process personal data on your behalf and according to your instructions? If so, make sure you have a processing agreement with them. This also applies if the processor is a subsidiary or is based abroad. An external helpdesk viewing your company’s personal data is already considered a form of processing. Do you process data that carries a high privacy risk? If so, you must conduct a Data Protection Impact Assessment (DPIA). This is an extensive investigation to identify the risks of data processing. Based on this DPIA, you can take measures to reduce the privacy risks. Does your company process a lot of personal data? If so, check whether you are required to appoint a data protection officer (DPO). This is someone who monitors whether you are doing everything according to the GDPR within your organisation. Your organisation may also voluntarily appoint a DPO. You are only allowed to transfer personal data to a country outside the EEA if that country observes the privacy rules. The EU has listed 14 countries as compliant. You can use this checklist for those countries. Do you want to exchange personal data with a country that is not on the list? The person processing the data in that country must make an official statement that they will process the data according to the GDPR. This is called ‘an appropriate safeguard’. You can use a model contract for this (pages 7 and onwards). Does your organisation have branch offices in non-EEA countries? You can draw up binding corporate rules on how to deal with personal data. Read more about the rules and exceptions for transferring personal data outside the EEA. Watch this video for an example of how to apply the GDPR. The video takes an e-commerce example, but gives a sense of how all entrepreneurs can think of their customer's data and privacy.What does the GDPR mean?
GDPR in practice
Who is subject to the GDPR rules?
When do you process personal data?
Steps to help you comply with the GDPR
Transferring personal data outside the EEA
Video GDPR: Privacy and personal data
